git.ipfire.org Git - thirdparty/openembedded/openembedded-core-contrib.git/commit
spdx_common: Fix invalid SPDX downloadLocation for Rust crates
author Jayasurya Maganuru <Maganuru.Jayasurya@Windriver.com>
Mon, 20 Oct 2025 07:22:28 +0000 (00:22 -0700)
committer Richard Purdie <richard.purdie@linuxfoundation.org>
Mon, 27 Oct 2025 11:37:38 +0000 (11:37 +0000)
commit 7cadbd1a22e18847d03b5baa902f5581d3e0aafa
tree 2f4d03ae3cde849806e338c1f50647bca8f906eb
parent 0294c265a1f662e2b68b3a462da113cfa835485b

Fixes [YOCTO #15909]

SPDX validation was failing due to the use of `crate://crates.io/...` as the
`downloadLocation`, which is not a valid SPDX URL as per the 2.2 specification.

This patch updates `fetch_data_to_uri()` in `spdx_common.py` to detect when the
fetcher type is "crate" and instead use the `url` attribute, which contains a
valid HTTP(S) URL in the expected format, e.g.:

  https://crates.io/api/v1/crates/<name>/<version>/download

This aligns the SPDX metadata for Rust crates with the specification and avoids
validation errors in tools consuming SPDX documents.

Tested with the `python3-bcrypt` recipe and verified that the
generated `spdx.json` contains a valid `software_downloadLocation`.

Reference: https://bugzilla.yoctoproject.org/show_bug.cgi?id=15909

Signed-off-by: Jayasurya Maganuru <Maganuru.Jayasurya@Windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
meta/lib/oe/spdx_common.py
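
A check for the condition this commit fixes, as an added example that is not part of the commit or of OpenEmbedded's code: it walks a generated SPDX JSON document and reports every `downloadLocation` / `software_downloadLocation` value that is not in an accepted URL form. The scheme allowlist, the function names and the sample document are assumptions constructed for illustration; align the allowlist with the validator you actually run.

```python
import json
from urllib.parse import urlsplit

# Field names as they appear in the commit message.
FIELDS = {"downloadLocation", "software_downloadLocation"}
# Assumption: allowlist modelled on the SPDX 2.2 package download location
# field (plain URL, "<vcs_tool>+<transport>://..." form, or NONE/NOASSERTION).
PLAIN_SCHEMES = {"http", "https", "ftp"}
VCS_TOOLS = {"git", "hg", "svn", "bzr"}
SPECIAL = {"NONE", "NOASSERTION"}

def location_is_valid(value):
    """Return True if value is an accepted download location."""
    if not isinstance(value, str):
        return False
    if value in SPECIAL:
        return True
    try:
        parts = urlsplit(value)
    except ValueError:          # e.g. malformed bracketed host
        return False
    if not parts.netloc:
        return False
    scheme = parts.scheme.lower()
    if scheme in PLAIN_SCHEMES:
        return True
    tool, plus, transport = scheme.partition("+")
    return bool(plus) and tool in VCS_TOOLS and transport != ""

def find_invalid(node, path="$"):
    """Recursively collect (json_path, value) for invalid locations."""
    bad = []
    if isinstance(node, dict):
        for key, val in node.items():
            here = f"{path}.{key}"
            if key in FIELDS and not location_is_valid(val):
                bad.append((here, val))
            else:
                bad.extend(find_invalid(val, here))
    elif isinstance(node, list):
        for i, val in enumerate(node):
            bad.extend(find_invalid(val, f"{path}[{i}]"))
    return bad

# Constructed sample, not output from a real build.
SAMPLE = json.loads("""{"@graph": [
 {"name": "example-crate", "software_downloadLocation": "crate://crates.io/example-crate/1.0.0"},
 {"name": "example-crate-fixed", "software_downloadLocation": "https://crates.io/api/v1/crates/example-crate/1.0.0/download"},
 {"name": "example-git", "software_downloadLocation": "git+https://git.example.org/example.git@v1.0"}]}""")

if __name__ == "__main__":
    for where, value in find_invalid(SAMPLE):
        print(f"invalid download location at {where}: {value}")
```

Run against the `spdx.json` files a build produces, a non-empty result is a reason to fail the SBOM publishing step before downstream tools reject the document.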