From: "Mathieu Dubois-Briand" <mathieu.dubois-briand@bootlin.com>
To: <stondo@gmail.com>, <openembedded-core@lists.openembedded.org>
Cc: <stefano.tondo.ext@siemens.com>, <adrian.freihofer@siemens.com>,
<Peter.Marko@siemens.com>, <jpewhacker@gmail.com>,
<Ross.Burton@arm.com>
Subject: Re: [OE-core] [PATCH v2 04/18] spdx30: Add version extraction from SRCREV for Git source components
Date: Sun, 22 Feb 2026 14:34:45 +0100
Message-ID: <DGLJ32AURGEJ.2E3625OVEY3H1@bootlin.com>
In-Reply-To: <20260221051006.335141-5-stondo@gmail.com>
On Sat Feb 21, 2026 at 6:09 AM CET, Stefano Tondo via lists.openembedded.org wrote:
> From: Stefano Tondo <stefano.tondo.ext@siemens.com>
>
> Extract version information for Git-based source components in SPDX 3.0
> SBOMs to improve SBOM completeness and enable better supply chain tracking.
>
> Problem:
> Git repositories fetched as SRC_URI entries currently appear in SBOMs
> without version information (software_packageVersion is null). This makes
> it difficult to track which specific revision of a dependency was used,
> reducing SBOM usefulness for security and compliance tracking.
>
> Solution:
> - Extract SRCREV for Git sources and use it as packageVersion
> - Use fd.revision attribute (the resolved Git commit)
> - Fallback to SRCREV variable if fd.revision not available
> - Use first 12 characters as version (standard Git short hash)
> - Generate pkg:github PURLs for GitHub repositories (official PURL type)
> - Add comprehensive debug logging for troubleshooting
>
> Impact:
> - Git source components now have version information
> - GitHub repositories get proper PURLs (pkg:github/owner/repo@commit)
> - Enables tracking specific commit dependencies in SBOMs
>
> Signed-off-by: Stefano Tondo <stefano.tondo.ext@siemens.com>
> ---
Hi Stefano,
Thanks for your patch.
It looks like several selftests are failing on the autobuilder with this
series, possibly because of this commit.
We have the following errors:
2026-02-21 15:08:11,906 - oe-selftest - INFO - devtool.DevtoolUpgradeTests.test_devtool_finish_upgrade_origlayer (subunit.RemotedTestCase)
2026-02-21 15:08:11,907 - oe-selftest - INFO - ... FAIL
...
2026-02-21 15:08:11,907 - oe-selftest - INFO - 1: 21/52 212/672 (96.59s) (0 failed) (devtool.DevtoolUpgradeTests.test_devtool_finish_upgrade_origlayer)
2026-02-21 15:08:11,907 - oe-selftest - INFO - testtools.testresult.real._StringException: Traceback (most recent call last):
File "/srv/pokybuild/yocto-worker/oe-selftest-armhost/build/layers/openembedded-core/meta/lib/oeqa/selftest/cases/devtool.py", line 2236, in test_devtool_finish_upgrade_origlayer
recipe, oldrecipefile, recipedir, olddir, newversion, patchfn, backportedpatchfn = self._setup_test_devtool_finish_upgrade()
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/srv/pokybuild/yocto-worker/oe-selftest-armhost/build/layers/openembedded-core/meta/lib/oeqa/selftest/cases/devtool.py", line 2216, in _setup_test_devtool_finish_upgrade
result = runCmd('devtool upgrade %s %s -V %s' % (recipe, tempdir, newversion))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/srv/pokybuild/yocto-worker/oe-selftest-armhost/build/layers/openembedded-core/meta/lib/oeqa/utils/commands.py", line 214, in runCmd
raise AssertionError("Command '%s' returned non-zero exit status %d:\n%s" % (command, result.status, exc_output))
/usr/lib/python3.12/unittest/case.py:580: RuntimeWarning: TestResult has no addDuration method
warnings.warn("TestResult has no addDuration method",
AssertionError: Command 'devtool upgrade devtool-upgrade-test1 /tmp/devtoolqaskjpeqye -V 1.6.0' returned non-zero exit status 1:
...
2026-02-21 15:09:47,787 - oe-selftest - INFO - devtool.DevtoolUpgradeTests.test_devtool_finish_upgrade_otherlayer (subunit.RemotedTestCase)
2026-02-21 15:09:47,788 - oe-selftest - INFO - ... FAIL
...
2026-02-21 15:10:37,499 - oe-selftest - INFO - devtool.DevtoolUpgradeTests.test_devtool_rename (subunit.RemotedTestCase)
2026-02-21 15:10:37,500 - oe-selftest - INFO - ... FAIL
...
2026-02-21 15:12:11,843 - oe-selftest - INFO - devtool.DevtoolUpgradeTests.test_devtool_upgrade (subunit.RemotedTestCase)
2026-02-21 15:12:11,843 - oe-selftest - INFO - ... FAIL
...
We have 29 test failures in total; I will let you look at the logs for the
whole list.
https://autobuilder.yoctoproject.org/valkyrie/#/builders/23/builds/3368
https://autobuilder.yoctoproject.org/valkyrie/#/builders/35/builds/3250
https://autobuilder.yoctoproject.org/valkyrie/#/builders/48/builds/3128
Can you have a look at these issues?
Thanks,
Mathieu
--
Mathieu Dubois-Briand, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
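
The version and PURL derivation listed under "Solution" in the quoted commit message, as an added example that is not code from the patch or from this thread. The function name `git_component_identity` is hypothetical; putting the full commit after `@` in the PURL and refusing revisions that are not full commit ids are assumptions of this sketch, not behaviour stated in the commit message.

```python
import re
from urllib.parse import urlsplit

# A pinned revision is a full commit id: 40 hex chars (SHA-1) or 64 (SHA-256).
FULL_COMMIT = re.compile(r"(?:[0-9a-f]{40}|[0-9a-f]{64})")
SAFE_SEGMENT = re.compile(r"[A-Za-z0-9._-]+")


def git_component_identity(src_uri, resolved_rev=None, srcrev=None):
    """Return (version, purl) for one SRC_URI entry; (None, None) if unpinned.

    resolved_rev stands in for the fetcher's resolved commit (fd.revision in
    the commit message); srcrev is the SRCREV fallback.
    """
    url = src_uri.split(";", 1)[0]  # drop ;protocol=...;branch=... parameters
    parts = urlsplit(url)
    if parts.scheme not in ("git", "gitsm"):
        return None, None

    rev = (resolved_rev or srcrev or "").strip().lower()
    if not FULL_COMMIT.fullmatch(rev):
        # Branch names, tags and AUTOINC placeholders do not identify a commit,
        # so no version is recorded rather than a misleading one.
        return None, None
    version = rev[:12]  # short hash used as packageVersion

    purl = None
    segments = [s for s in parts.path.split("/") if s]
    if (parts.hostname or "").lower() == "github.com" and len(segments) == 2:
        owner, repo = segments
        repo = repo[:-4] if repo.endswith(".git") else repo
        if SAFE_SEGMENT.fullmatch(owner) and SAFE_SEGMENT.fullmatch(repo):
            # purl "github" type: namespace and name are lowercased.
            purl = f"pkg:github/{owner.lower()}/{repo.lower()}@{rev}"
    return version, purl


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the failing builds.
    commit = "0123456789abcdef0123456789abcdef01234567"
    for uri, fd_rev, var_rev in [
        ("git://github.com/Example-Org/Example-Repo.git;protocol=https;branch=main", commit, None),
        ("git://git.example.org/proj/repo.git;protocol=https", None, commit.upper()),
        ("git://github.com/example-org/example-repo.git;protocol=https", None, "AUTOINC"),
    ]:
        print(uri.split(";")[0], "->", git_component_identity(uri, fd_rev, var_rev))
```
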
Thread overview: 22+ messages
2026-02-21 5:09 [PATCH v2 00/18] spdx30: SBOM enrichment, lifecycle scope, and documentation Stefano Tondo
2026-02-21 5:09 ` [PATCH v2 01/18] spdx30: Add configurable file filtering support Stefano Tondo
2026-02-21 5:09 ` [PATCH v2 02/18] spdx30: Add supplier support for image and SDK SBOMs Stefano Tondo
2026-02-21 5:09 ` [PATCH v2 03/18] spdx30: Add ecosystem-specific PURL generation Stefano Tondo
2026-02-21 5:09 ` [PATCH v2 04/18] spdx30: Add version extraction from SRCREV for Git source components Stefano Tondo
2026-02-22 13:34 ` Mathieu Dubois-Briand [this message]
2026-02-21 5:09 ` [PATCH v2 05/18] spdx30: Add SPDX_GIT_PURL_MAPPINGS for Git hosting Stefano Tondo
2026-02-21 5:09 ` [PATCH v2 06/18] sbom30: Fix object deduplication to preserve complete data Stefano Tondo
2026-02-21 16:45 ` Joshua Watt
2026-02-21 5:09 ` [PATCH v2 07/18] spdx30: Enrich source downloads with external refs and PURLs Stefano Tondo
2026-02-21 5:09 ` [PATCH v2 08/18] spdx30: Include recipe base PURL in package external identifiers Stefano Tondo
2026-02-21 5:09 ` [PATCH v2 09/18] spdx30: Add image root metadata package with describes relationship Stefano Tondo
2026-02-21 16:47 ` Joshua Watt
2026-02-21 5:09 ` [PATCH v2 10/18] spdx30_tasks: Fix non-deterministic BUILDNAME in image package version Stefano Tondo
2026-02-21 5:09 ` [PATCH v2 11/18] spdx30: Add rootfs version and dependency scope classification Stefano Tondo
2026-02-21 5:10 ` [PATCH v2 12/18] oeqa/selftest: Add test for download_location defensive handling Stefano Tondo
2026-02-21 5:10 ` [PATCH v2 13/18] spdx.py: Add test for version extraction patterns Stefano Tondo
2026-02-21 5:10 ` [PATCH v2 14/18] cve_check: Escape special characters in CPE 2.3 formatted strings Stefano Tondo
2026-02-21 5:10 ` [PATCH v2 15/18] spdx-common: Declare SPDX_FORCE_*_SCOPE override variables Stefano Tondo
2026-02-21 5:10 ` [PATCH v2 16/18] oeqa/selftest: Add test for lifecycle scope classification Stefano Tondo
2026-02-21 5:10 ` [PATCH v2 17/18] spdx-common: Add documentation for undocumented SPDX variables Stefano Tondo
2026-02-21 5:10 ` [PATCH v2 18/18] spdx-common: Clarify documentation and make SPDX_LICENSES extensible Stefano Tondo