* Re: [PATCH 00/14] spdx30: SBOM enrichment for PURL, metadata, and compliance
@ 2026-02-21 5:16 Stefano Tondo
0 siblings, 0 replies; 2+ messages in thread
From: Stefano Tondo @ 2026-02-21 5:16 UTC (permalink / raw)
To: openembedded-core
Cc: stefano.tondo.ext, adrian.freihofer, Peter.Marko, jpewhacker,
Ross.Burton
This series is superseded by the unified v2 submission:
[PATCH v2 00/18] spdx30: SBOM enrichment, lifecycle scope, and documentation
which consolidates all three separate series into a single series
for easier review. No functional changes from v1.
Please disregard this series.
Stefano
^ permalink raw reply [flat|nested] 2+ messages in thread
* [PATCH 00/14] spdx30: SBOM enrichment for PURL, metadata, and compliance
@ 2026-02-21 4:24 Stefano Tondo
0 siblings, 0 replies; 2+ messages in thread
From: Stefano Tondo @ 2026-02-21 4:24 UTC (permalink / raw)
To: openembedded-core
Cc: stefano.tondo.ext, adrian.freihofer, Peter.Marko, jpewhacker,
Ross.Burton
From: Stefano Tondo <stefano.tondo.ext@siemens.com>
This series enhances the SPDX 3.0 SBOM generation with improvements
focused on Package URL (PURL) coverage, source metadata enrichment,
and compliance tooling integration.
Key changes:
- Configurable file filtering to reduce SBOM size
- Supplier metadata support for image and SDK SBOMs
- Ecosystem-specific PURL generation (Cargo, Go, PyPI, NPM, etc.)
- Git source version extraction and GitHub PURL generation
- External references (VCS, distribution, homepage) for source packages
- Image root metadata package with describes/contains relationships
- Rootfs version and dependency scope classification (runtime/build/test)
- Object deduplication fix preserving complete metadata
- CPE 2.3 special character escaping for SBOM validators
- Two selftest cases for download_location and version extraction
Total: 6 files changed, 687 insertions(+), 12 deletions(-)
Stefano Tondo (14):
spdx30: Add configurable file filtering support
spdx30: Add supplier support for image and SDK SBOMs
spdx30: Add ecosystem-specific PURL generation
spdx30: Add version extraction from SRCREV for Git source components
spdx30: Add SPDX_GIT_PURL_MAPPINGS for Git hosting
sbom30: Fix object deduplication to preserve complete data
spdx30: Enrich source downloads with external refs and PURLs
spdx30: Include recipe base PURL in package external identifiers
spdx30: Add image root metadata package with describes relationship
spdx30_tasks: Fix non-deterministic BUILDNAME in image package version
spdx30: Add rootfs version and dependency scope classification
oeqa/selftest: Add test for download_location defensive handling
spdx.py: Add test for version extraction patterns
cve_check: Escape special characters in CPE 2.3 formatted strings
meta/classes/create-spdx-3.0.bbclass | 20 ++
meta/classes/spdx-common.bbclass | 37 ++
meta/lib/oe/cve_check.py | 37 +-
meta/lib/oe/sbom30.py | 47 ++-
meta/lib/oe/spdx30_tasks.py | 483 ++++++++++++++++++++++++++-
meta/lib/oeqa/selftest/cases/spdx.py | 75 +++++
6 files changed, 687 insertions(+), 12 deletions(-)
--
2.53.0
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-02-21 5:16 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-02-21 5:16 [PATCH 00/14] spdx30: SBOM enrichment for PURL, metadata, and compliance Stefano Tondo
-- strict thread matches above, loose matches on Subject: below --
2026-02-21 4:24 Stefano Tondo
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox