[PATCH 0/1] spdx30: Runtime dependency detection from package manifests
From: Stefano Tondo <stefano.tondo.ext@siemens.com> @ 2026-02-21 4:25 UTC
To: openembedded-core
Cc: stefano.tondo.ext, adrian.freihofer, Peter.Marko, jpewhacker, Ross.Burton

This patch adds lifecycle scope classification for SPDX 3.0 dependency
relationships by reading runtime dependencies from package manifests.

Currently, SPDX 3.0 dependency relationships lack lifecycle scope
classification - all dependencies appear the same regardless of whether
they are build-time or runtime. This patch reads the package manager's
manifest files to determine which dependencies are actually needed at
runtime, enabling proper LifecycleScopeType annotation.

Key changes:
- Read runtime dependencies from package manifests (dpkg, rpm, ipk)
- Classify dependencies as runtime or build scope in SPDX relationships
- Add oe-selftest coverage for lifecycle scope classification
- Properly handle implicit shared library dependencies (e.g., glibc)

This enables downstream tools to distinguish build-time from runtime
dependencies for vulnerability analysis and compliance assessment.

Stefano Tondo (1):
  spdx30: Read runtime dependencies from package manifests

 meta/classes/spdx-common.bbclass     |  53 +++++++++----
 meta/lib/oe/spdx30_tasks.py          | 112 ++++++++++++++++++++++++++-
 meta/lib/oeqa/selftest/cases/spdx.py |  78 +++++++++++++++++++
 3 files changed, 227 insertions(+), 16 deletions(-)

--
2.53.0
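The manifest-driven classification the cover letter describes, as an added illustration and not code from this patch or from OE-core: it reads the Depends field of a dpkg/ipk-style control stanza, strips version constraints and expands "a | b" alternatives, and tags each dependency of the recipe with an SPDX 3.0 lifecycle scope (runtime if the package manager lists it, build otherwise). The control text, the dependency set, the SPDXRef id and the dict shape of the relationships are constructed; the rpm manifest path, the implicit glibc handling and the mapping from manifest package names to SBOM element ids are assumed to be by name and are not shown.

```python
import re
from typing import Dict, List, Set

# Constructed sample (not from the patch): the dpkg/ipk-style control stanza the
# package manager writes for package "foo". Depends is a folded, multi-line field.
SAMPLE_CONTROL = """\
Package: foo
Version: 1.2-r0
Depends: libc6 (>= 2.39), libssl3 (>= 3.0),
 curl | wget, foo-data (= 1.2-r0)
"""
# Constructed: everything the recipe depends on, build-time (-native) and runtime alike.
SAMPLE_ALL_DEPS = {"libc6", "libssl3", "curl", "wget", "foo-data",
                   "openssl-native", "autoconf-native", "pkgconfig-native"}

# One dependency clause: name, optional ':arch' qualifier, optional '(op version)'.
DEP_RE = re.compile(r"\s*([A-Za-z0-9][A-Za-z0-9+.\-]*)(?::[a-z0-9-]+)?\s*(?:\([^)]*\))?\s*")

def control_field(control: str, field: str) -> str:
    """Value of one control field, with folded continuation lines joined."""
    parts, active = [], False
    for line in control.splitlines():
        if line[:1].isspace():            # continuation line of the current field
            if active:
                parts.append(line)
        else:
            active = line.startswith(field + ":")
            if active:
                parts.append(line.split(":", 1)[1])
    return " ".join(parts)

def parse_depends_field(control: str, field: str = "Depends") -> Set[str]:
    """Bare package names from a Depends-style field. Every alternative of 'a | b'
    is kept, since any of them may be the one satisfying the dependency at runtime."""
    names: Set[str] = set()
    for clause in control_field(control, field).split(","):
        for alt in clause.split("|"):
            m = DEP_RE.fullmatch(alt)
            if m:
                names.add(m.group(1))
    return names

def classify_dependencies(all_deps, runtime_names) -> Dict[str, str]:
    """LifecycleScopeType per dependency: listed in the manifest -> runtime, else build."""
    return {dep: ("runtime" if dep in runtime_names else "build") for dep in all_deps}

def build_relationships(from_id: str, scopes: Dict[str, str]) -> List[dict]:
    """SPDX 3.0-style dependsOn relationships carrying the lifecycle scope."""
    return [{"type": "Relationship", "from": from_id, "relationshipType": "dependsOn",
             "to": [dep], "scope": scope} for dep, scope in sorted(scopes.items())]
```

Keeping both sides of an alternative as runtime is the conservative choice for vulnerability analysis: a consumer of the SBOM sees every package that could be installed to satisfy the dependency, rather than only the one the build happened to pick.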

Re: [PATCH 0/1] spdx30: Runtime dependency detection from package manifests
From: Stefano Tondo @ 2026-02-21 4:53 UTC
To: openembedded-core
Cc: stefano.tondo.ext, adrian.freihofer, Peter.Marko, jpewhacker, Ross.Burton

Hi,

Please disregard this series. It has conflicts with [PATCH 00/14]
"spdx30: Enhance PURL generation and SBOM metadata for SPDX 3.0.1"
and inadvertently removes SPDX_CONCLUDED_LICENSE.

I will resubmit as v2, properly rebased on top of the PURL series.

Sorry for the noise.

Regards,
Stefano Tondo