path: root/meta/classes/spdx-common.bbclass
blob: 81ad4d3b7a9c57c39eabc44d8b9670c42e600c5f (plain)
#
# Copyright OpenEmbedded Contributors
#
# SPDX-License-Identifier: GPL-2.0-only
#

# Shared SPDX/SBOM settings. Assignments using "??=" are weak defaults that
# any other assignment (distro, local.conf, recipe) replaces; the ones using
# "=" are fixed locations derived from SPDXDIR.

# Empty by default; the value is interpolated into DEPLOY_DIR_SPDX and SPDXDIR
# below. Presumably set by the SPDX-version-specific class -- confirm.
SPDX_VERSION ??= ""
DEPLOY_DIR_SPDX ??= "${DEPLOY_DIR}/spdx/${SPDX_VERSION}"

# The product name that the CVE database uses. Defaults to BPN, but may need to
# be overridden per recipe (for example tiff.bb sets CVE_PRODUCT=libtiff).
# NOTE(review): if the name does not match the database entry, CVE lookups
# keyed on it will presumably miss the recipe -- verify per recipe.
CVE_PRODUCT ??= "${BPN}"
CVE_VERSION ??= "${PV}"

# Per-recipe SPDX working area under WORKDIR and the directories inside it.
SPDXDIR ??= "${WORKDIR}/spdx/${SPDX_VERSION}"
SPDXDEPLOY = "${SPDXDIR}/deploy"
SPDXWORK = "${SPDXDIR}/work"
SPDXIMAGEWORK = "${SPDXDIR}/image-work"
SPDXSDKWORK = "${SPDXDIR}/sdk-work"
SPDXSDKEXTWORK = "${SPDXDIR}/sdk-ext-work"
# JSON file written by do_collect_spdx_deps in this class.
SPDXDEPS = "${SPDXDIR}/deps.json"

# Presumably recorded as the creating tool in generated documents -- confirm
# against the code that consumes these.
SPDX_TOOL_NAME ??= "oe-spdx-creator"
SPDX_TOOL_VERSION ??= "1.0"

SPDXRUNTIMEDEPLOY = "${SPDXDIR}/runtime-deploy"

# "1" makes create_spdx_source_deps() add the task dependencies needed to read
# the recipe's sources; any other value leaves its result empty.
SPDX_INCLUDE_SOURCES ??= "0"
# Not read in this file; presumably toggles for archiving sources and packaged
# files next to the SPDX output -- confirm against the consumer.
SPDX_ARCHIVE_SOURCES ??= "0"
SPDX_ARCHIVE_PACKAGED ??= "0"

# Not read in this file; presumably used when deriving document identifiers
# and namespaces -- confirm against the consumer.
SPDX_UUID_NAMESPACE ??= "sbom.openembedded.org"
SPDX_NAMESPACE_PREFIX ??= "http://spdx.org/spdxdocs"
SPDX_PRETTY ??= "0"

# License list data shipped with the layer (path under COREBASE).
SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json"

# NOTE(review): presumably a list of variable names whose values are copied
# into SPDX annotations; if so, do not list variables that can hold
# credentials, since SBOMs are usually distributed -- confirm.
SPDX_CUSTOM_ANNOTATION_VARS ??= ""

SPDX_MULTILIB_SSTATE_ARCHS ??= "${SSTATE_ARCHS}"

def create_spdx_source_deps(d):
    """Build the task dependencies needed before recipe sources can be read.

    Returns a space-separated string of "<target>:<task>" entries, or an
    empty string when SPDX_INCLUDE_SOURCES is not "1".

    Args:
        d: BitBake datastore of the recipe.
    """
    import oe.spdx_common

    # Source inclusion is opt-in; with it disabled no dependency is needed.
    if d.getVar("SPDX_INCLUDE_SOURCES") != "1":
        return ""

    recipe = d.getVar('PN')
    task_deps = []

    # Depending on do_unpack is a hack for now: it is only there to inherit
    # the dependencies do_unpack already has, so that the source can be
    # extracted here.
    if oe.spdx_common.has_task(d, "do_unpack"):
        task_deps.append("%s:do_unpack" % recipe)

    # Calls stay fully qualified (oe.spdx_common.<name>) as in the original.
    shared_sources = (
        oe.spdx_common.is_work_shared_spdx(d)
        and oe.spdx_common.process_sources(d)
    )
    if shared_sources:
        # Kernel source code: the recipe's own do_shared_workdir if it has
        # one, else the kernel provider's when S is the staged kernel dir.
        if oe.spdx_common.has_task(d, "do_shared_workdir"):
            task_deps.append("%s:do_shared_workdir" % recipe)
        elif d.getVar('S') == d.getVar('STAGING_KERNEL_DIR'):
            task_deps.append("virtual/kernel:do_shared_workdir")

        # gcc-source-${PV} source code: first match wins, so at most one of
        # the three tasks below is added.
        if oe.spdx_common.has_task(d, "do_preconfigure"):
            task_deps.append("%s:do_preconfigure" % recipe)
        elif oe.spdx_common.has_task(d, "do_patch"):
            task_deps.append("%s:do_patch" % recipe)
        # gcc-cross-x86_64 source code
        elif oe.spdx_common.has_task(d, "do_configure"):
            task_deps.append("%s:do_configure" % recipe)

    return " ".join(task_deps)


python do_collect_spdx_deps() {
    # Records the recipe's build-time dependencies for do_create_spdx.
    #
    # A task can deptask on itself, but dependencies obtained that way do not
    # show up in BB_TASKDEPDATA. As a workaround this task carries the deptask
    # on do_create_spdx, collects the dependencies it finds and writes them to
    # the SPDXDEPS file; do_create_spdx reads them back in when it writes the
    # actual SPDX document.
    import json
    from pathlib import Path

    import oe.spdx_common

    direct_deps = oe.spdx_common.collect_direct_deps(d, "do_create_spdx")
    output_path = Path(d.getVar("SPDXDEPS"))

    # Serialised as JSON; the file is truncated and rewritten on every run.
    with output_path.open("w") as out:
        json.dump(direct_deps, out)
}
# NOTE: depending on do_unpack is a hack that is necessary to get its
# dependencies for archiving the source
addtask do_collect_spdx_deps after do_unpack
# Also wait for whatever PATCHDEPENDENCY expands to.
do_collect_spdx_deps[depends] += "${PATCHDEPENDENCY}"
# deptask: run after do_create_spdx of the recipes this one depends on, which
# is what makes them visible to the task in BB_TASKDEPDATA.
do_collect_spdx_deps[deptask] = "do_create_spdx"
# BitBake creates SPDXDIR if needed and runs the task from it.
do_collect_spdx_deps[dirs] = "${SPDXDIR}"

# Signature tuning for helpers in oe.spdx_common: vardepsexclude drops a
# variable from the function's tracked dependencies, vardeps adds one.
# NOTE(review): an excluded variable no longer invalidates cached output, so
# only exclude values that cannot change the generated SBOM.
oe.spdx_common.collect_direct_deps[vardepsexclude] += "BB_TASKDEPDATA"
oe.spdx_common.collect_direct_deps[vardeps] += "DEPENDS"
oe.spdx_common.collect_package_providers[vardepsexclude] += "BB_TASKDEPDATA"
oe.spdx_common.get_patched_src[vardepsexclude] += "STAGING_KERNEL_DIR"