authorJoshua Watt <JPEWhacker@gmail.com>2022-01-27 16:48:52 -0600
committerRichard Purdie <richard.purdie@linuxfoundation.org>2022-02-07 10:07:38 +0000
commitca48349501e0ec93dc2448d064e1567fca390bf5 (patch)
tree767acace21ecc01039abae0a258d104919a05307 /meta/classes/create-spdx.bbclass
parent668445252fa96bd00ecdef1f610707a132eb35fc (diff)
downloadopenembedded-core-contrib-ca48349501e0ec93dc2448d064e1567fca390bf5.tar.gz
classes/create-spdx: Add packageSupplier field
Per NIST SBoM recommendations, include the Package Supplier field for all SPDX packages that are created. This field should generally be set to the person or organization that is performing the build, since they would be considered the "supplier" of the SPDX packages. Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/classes/create-spdx.bbclass')
-rw-r--r--meta/classes/create-spdx.bbclass8
1 files changed, 8 insertions, 0 deletions
diff --git a/meta/classes/create-spdx.bbclass b/meta/classes/create-spdx.bbclass
index eb9535069a..eaf92c1773 100644
--- a/meta/classes/create-spdx.bbclass
+++ b/meta/classes/create-spdx.bbclass
@@ -29,6 +29,11 @@ SPDX_NAMESPACE_PREFIX ??= "http://spdx.org/spdxdoc"
SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json"
SPDX_ORG ??= "OpenEmbedded ()"
+SPDX_SUPPLIER ??= "Organization: ${SPDX_ORG}"
+SPDX_SUPPLIER[doc] = "The SPDX PackageSupplier field for SPDX packages created from \
+ this recipe. For SPDX documents create using this class during the build, this \
+ is the contact information for the person or organization who is doing the \
+ build."
do_image_complete[depends] = "virtual/kernel:do_create_spdx"
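Review bot: The new default `SPDX_SUPPLIER ??= "Organization: ${SPDX_ORG}"` inherits the placeholder `"OpenEmbedded ()"` from the `SPDX_ORG` default two lines above, so every SBoM built without an explicit override records a supplier with no real name or contact, which works against the NIST/NTIA "supplier name" minimum element that the commit message cites. The `[doc]` string should say so explicitly, e.g. append `Distros and integrators are expected to set this to the actual building person or organization; the default is a placeholder derived from SPDX_ORG.` The same `[doc]` string also has a typo, `SPDX documents create using this class` should read `SPDX documents created using this class`. SPDX 2.2 also constrains the value to the `Person: name (email)`, `Organization: name (email)` or `NOASSERTION` forms, which is worth stating in the doc so that overrides stay valid.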
@@ -425,6 +430,7 @@ python do_create_spdx() {
recipe.name = d.getVar("PN")
recipe.versionInfo = d.getVar("PV")
recipe.SPDXID = oe.sbom.get_recipe_spdxid(d)
+ recipe.packageSupplier = d.getVar("SPDX_SUPPLIER")
if bb.data.inherits_class("native", d) or bb.data.inherits_class("cross", d):
recipe.annotations.append(create_annotation(d, "isNative"))
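Review bot: `recipe.packageSupplier = d.getVar("SPDX_SUPPLIER")` copies the variable into the document with no check on its form, and the same unchecked copy is repeated for `spdx_package` in the second hunk and for `image` in the third. SPDX 2.2 only permits `Person:`/`Organization:`-prefixed values or `NOASSERTION` for PackageSupplier, so a recipe or distro that sets `SPDX_SUPPLIER = ""` or a bare name emits a syntactically invalid SBoM that downstream consumers may reject without a clear reason. A single validation before the first use, such as `supplier = d.getVar("SPDX_SUPPLIER")` followed by `if not supplier or not supplier.startswith(("Person:", "Organization:", "NOASSERTION")): bb.fatal("SPDX_SUPPLIER must be 'Person: ...', 'Organization: ...' or 'NOASSERTION'")`, would fail the build at the point of misconfiguration and let all three assignments use the checked value. The enclosing `do_create_spdx` body starts before and continues past this hunk.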
@@ -534,6 +540,7 @@ python do_create_spdx() {
spdx_package.name = pkg_name
spdx_package.versionInfo = d.getVar("PV")
spdx_package.licenseDeclared = convert_license_to_spdx(package_license, package_doc, d, found_licenses)
+ spdx_package.packageSupplier = d.getVar("SPDX_SUPPLIER")
package_doc.packages.append(spdx_package)
@@ -826,6 +833,7 @@ python image_combine_spdx() {
image.name = d.getVar("PN")
image.versionInfo = d.getVar("PV")
image.SPDXID = oe.sbom.get_image_spdxid(image_name)
+ image.packageSupplier = d.getVar("SPDX_SUPPLIER")
doc.packages.append(image)