From: stondo@gmail.com
To: openembedded-core@lists.openembedded.org
Cc: JPEWhacker@gmail.com, Stefano Tondo <stefano.tondo.ext@siemens.com>
Subject: [OE-core][PATCH v9 1/7] spdx30: Add configurable file exclusion pattern support
Date: Thu, 12 Mar 2026 16:38:39 +0100
Message-ID: <20260312153845.164369-2-stondo@gmail.com>
In-Reply-To: <20260312153845.164369-1-stondo@gmail.com>
From: Stefano Tondo <stefano.tondo.ext@siemens.com>

Add SPDX_FILE_EXCLUDE_PATTERNS variable that allows filtering files from
SPDX output by regex matching. The variable accepts a space-separated
list of Python regular expressions; files whose paths match any pattern
(via re.search) are excluded.

When empty (the default), no filtering is applied and all files are
included, preserving existing behavior.

This enables users to reduce SBOM size by excluding files that are not
relevant for compliance (e.g., test files, object files, patches).

Excluded files are tracked in a set returned from add_package_files()
and passed to get_package_sources_from_debug(), which uses the set for
precise cross-checking rather than re-evaluating patterns.

Signed-off-by: Stefano Tondo <stefano.tondo.ext@siemens.com>
---
meta/classes/spdx-common.bbclass | 7 ++++++
meta/lib/oe/spdx30_tasks.py | 38 +++++++++++++++++++++++++-------
2 files changed, 37 insertions(+), 8 deletions(-)
diff --git a/meta/classes/spdx-common.bbclass b/meta/classes/spdx-common.bbclass
index 3110230c9e..5cba52eedc 100644
--- a/meta/classes/spdx-common.bbclass
+++ b/meta/classes/spdx-common.bbclass
@@ -54,6 +54,13 @@ SPDX_CONCLUDED_LICENSE[doc] = "The license concluded by manual or external \
SPDX_MULTILIB_SSTATE_ARCHS ??= "${SSTATE_ARCHS}"
+SPDX_FILE_EXCLUDE_PATTERNS ??= ""
+SPDX_FILE_EXCLUDE_PATTERNS[doc] = "Space-separated list of Python regular \
+ expressions to exclude files from SPDX output. Files whose paths match \
+ any pattern (via re.search) will be filtered out. Defaults to empty \
+ (no filtering). Example: \
+ SPDX_FILE_EXCLUDE_PATTERNS = '\\.patch$ \\.diff$ /test/ \\.pyc$ \\.o$'"
+
python () {
from oe.cve_check import extend_cve_status
extend_cve_status(d)
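Review bot: The example in SPDX_FILE_EXCLUDE_PATTERNS[doc] uses `/test/`, but the string searched in add_package_files() is `str(filepath.relative_to(topdir))`, which has no leading slash, so a top-level `test/` directory would not match that pattern. The doc string should say that patterns are searched against the path relative to the scanned directory, and the example could use something like `(^|/)test/`. It is also worth stating that the value is split on whitespace, so a single pattern cannot contain a space.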
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index 99f2892dfb..bc02b319c8 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -13,6 +13,7 @@ import oe.spdx30
import oe.spdx_common
import oe.sdk
import os
+import re
from contextlib import contextmanager
from datetime import datetime, timezone
@@ -154,13 +155,17 @@ def add_package_files(
file_counter = 1
if not os.path.exists(topdir):
bb.note(f"Skip {topdir}")
- return spdx_files
+ return spdx_files, set()
check_compiled_sources = d.getVar("SPDX_INCLUDE_COMPILED_SOURCES") == "1"
if check_compiled_sources:
compiled_sources, types = oe.spdx_common.get_compiled_sources(d)
bb.debug(1, f"Total compiled files: {len(compiled_sources)}")
+ # File exclusion filtering
+ exclude_patterns = [re.compile(p) for p in (d.getVar("SPDX_FILE_EXCLUDE_PATTERNS") or "").split()]
+ excluded_files = set()
+
for subdir, dirs, files in os.walk(topdir, onerror=walk_error):
dirs[:] = [d for d in dirs if d not in ignore_dirs]
if subdir == str(topdir):
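Review bot: The `re.compile(p)` call in the list comprehension has no error handling, so a malformed entry in SPDX_FILE_EXCLUDE_PATTERNS surfaces as a bare re.error traceback from inside the task. Catching re.error and calling bb.fatal() with the variable name and the offending pattern would make the misconfiguration obvious to the user. The "# File exclusion filtering" comment could also mention that the patterns are matched against topdir-relative paths.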
@@ -174,6 +179,13 @@ def add_package_files(
continue
filename = str(filepath.relative_to(topdir))
+
+ # Apply file exclusion filtering
+ if exclude_patterns:
+ if any(p.search(filename) for p in exclude_patterns):
+ excluded_files.add(filename)
+ continue
+
file_purposes = get_purposes(filepath)
# Check if file is compiled
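Review bot: Files dropped in the `any(p.search(filename) for p in exclude_patterns)` branch leave no trace in the build log, so a pattern that is broader than intended silently shrinks the SBOM. A bb.debug() per excluded file, or an excluded count reported next to the existing "Added %d files" message, would let someone audit what was filtered out. The outer `if exclude_patterns:` is also redundant, because any() over an empty list is already False.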
@@ -213,12 +225,15 @@ def add_package_files(
bb.debug(1, "Added %d files to %s" % (len(spdx_files), objset.doc._id))
- return spdx_files
+ return spdx_files, excluded_files
def get_package_sources_from_debug(
- d, package, package_files, sources, source_hash_cache
+ d, package, package_files, sources, source_hash_cache, excluded_files=None
):
+ if excluded_files is None:
+ excluded_files = set()
+
def file_path_match(file_path, pkg_file):
if file_path.lstrip("/") == pkg_file.name.lstrip("/"):
return True
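Review bot: add_package_files() now returns a `(spdx_files, excluded_files)` tuple on both return paths, and neither it nor the new `excluded_files=None` parameter of get_package_sources_from_debug() is documented. A docstring on each, stating that excluded_files holds topdir-relative path strings, would help, since any caller not touched by this patch that still treats the result as the file collection will misbehave without an obvious error.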
@@ -251,6 +266,12 @@ def get_package_sources_from_debug(
continue
if not any(file_path_match(file_path, pkg_file) for pkg_file in package_files):
+ if file_path.lstrip("/") in excluded_files:
+ bb.debug(
+ 1,
+ f"Skipping debug source lookup for excluded file {file_path} in {package}",
+ )
+ continue
bb.fatal(
"No package file found for %s in %s; SPDX found: %s"
% (str(file_path), package, " ".join(p.name for p in package_files))
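Review bot: The `file_path.lstrip("/") in excluded_files` test is an exact string comparison against the topdir-relative names collected in add_package_files(), so it only suppresses bb.fatal() when the debug source path is spelled identically to the stored name. A short comment stating that both sides are package-relative paths would help, and a selftest that sets a pattern and builds with sources included would be useful, since this branch is the only thing between an exclusion and a fatal error.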
@@ -559,7 +580,7 @@ def create_spdx(d):
bb.debug(1, "Adding source files to SPDX")
oe.spdx_common.get_patched_src(d)
- files = add_package_files(
+ files, _ = add_package_files(
d,
build_objset,
spdx_workdir,
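Review bot: The `files, _ = add_package_files(` call here, like the sysroot and image-directory call sites later in the patch, applies the exclusion patterns and then discards the excluded set, which means the variable filters source, sysroot and image files as well as package files. The commit message and SPDX_FILE_EXCLUDE_PATTERNS[doc] only speak of "files", so the scope should be spelled out in the documentation, along with the fact that the same patterns are matched against a different base directory at each call site.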
@@ -775,7 +796,7 @@ def create_spdx(d):
)
bb.debug(1, "Adding package files to SPDX for package %s" % pkg_name)
- package_files = add_package_files(
+ package_files, excluded_files = add_package_files(
d,
pkg_objset,
pkgdest / package,
@@ -798,7 +819,8 @@ def create_spdx(d):
if include_sources:
debug_sources = get_package_sources_from_debug(
- d, package, package_files, dep_sources, source_hash_cache
+ d, package, package_files, dep_sources, source_hash_cache,
+ excluded_files=excluded_files,
)
debug_source_ids |= set(
oe.sbom30.get_element_link_id(d) for d in debug_sources
@@ -810,7 +832,7 @@ def create_spdx(d):
if include_sources:
bb.debug(1, "Adding sysroot files to SPDX")
- sysroot_files = add_package_files(
+ sysroot_files, _ = add_package_files(
d,
build_objset,
d.expand("${COMPONENTS_DIR}/${PACKAGE_ARCH}/${PN}"),
@@ -1196,7 +1218,7 @@ def create_image_spdx(d):
image_filename = image["filename"]
image_path = image_deploy_dir / image_filename
if os.path.isdir(image_path):
- a = add_package_files(
+ a, _ = add_package_files(
d,
objset,
image_path,
--
2.53.0