create-spdx-2.2: Add support for custom Annotations
authorSaul Wold <Saul.Wold@windriver.com>
Mon, 13 Feb 2023 19:54:13 +0000 (11:54 -0800)
committerRichard Purdie <richard.purdie@linuxfoundation.org>
Wed, 15 Feb 2023 10:20:44 +0000 (10:20 +0000)
This change adds a new variable to track which recipe variables
are added as SPDX Annotations.

Usage: add SPDX_CUSTOM_ANNOTATION_VARS = <some recipe variable>

The recipe's SPDX JSON will then contain an annotation stanza that looks
something like this:

     "annotations": [
        {
          "annotationDate": "2023-02-13T19:44:20Z",
          "annotationType": "OTHER",
          "annotator": "Tool: oe-spdx-creator - 1.0",
          "comment": "CUSTOM_VARIABLE=some value or string"
        },

Signed-off-by: Saul Wold <saul.wold@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
meta/classes/create-spdx-2.2.bbclass

index 9aede86870ccd73fa6bec810da6eeed8e34ed853..28a42e009f63134b4f1899f91315c0ad393dbc84 100644 (file)
@@ -32,6 +32,8 @@ SPDX_PRETTY ??= "0"
 
 SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json"
 
+SPDX_CUSTOM_ANNOTATION_VARS ??= ""
+
 SPDX_ORG ??= "OpenEmbedded ()"
 SPDX_SUPPLIER ??= "Organization: ${SPDX_ORG}"
 SPDX_SUPPLIER[doc] = "The SPDX PackageSupplier field for SPDX packages created from \
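Review bot: The new `SPDX_CUSTOM_ANNOTATION_VARS ??= ""` default carries no `[doc]` entry, while the neighbouring `SPDX_SUPPLIER` documents itself on the next line of this hunk with `SPDX_SUPPLIER[doc] = ...`. Since the variable's value is a list whose format (whitespace-separated variable names) is only stated in the commit message, I would add `SPDX_CUSTOM_ANNOTATION_VARS[doc] = "Space-separated list of recipe variable names; each is emitted verbatim as NAME=value in an SPDX annotation on the recipe package."`. That also makes it discoverable through bitbake -e, where the trailing `[doc]` flags are the only documentation a user sees for these settings.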
@@ -404,7 +406,6 @@ def collect_dep_sources(d, dep_recipes):
 
     return sources
 
-
 python do_create_spdx() {
     from datetime import datetime, timezone
     import oe.sbom
@@ -481,6 +482,10 @@ python do_create_spdx() {
     if description:
         recipe.description = description
 
+    if d.getVar("SPDX_CUSTOM_ANNOTATION_VARS"):
+        for var in d.getVar('SPDX_CUSTOM_ANNOTATION_VARS').split():
+            recipe.annotations.append(create_annotation(d, var + "=" + d.getVar(var)))
+
     # Some CVEs may be patched during the build process without incrementing the version number,
     # so querying for CVEs based on the CPE id can lead to false positives. To account for this,
     # save the CVEs fixed by patches to source information field in the SPDX.
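Review bot: `d.getVar(var)` returns None when a listed variable is unset in a recipe, so `var + "=" + d.getVar(var)` raises TypeError and fails do_create_spdx for that recipe instead of producing an empty or missing annotation; the loop also evaluates `SPDX_CUSTOM_ANNOTATION_VARS` twice with inconsistent quoting. I would collapse the guard into one lookup and make the unset case explicit: `custom_vars = d.getVar("SPDX_CUSTOM_ANNOTATION_VARS") or ""`, `for var in custom_vars.split():`, `recipe.annotations.append(create_annotation(d, var + "=" + (d.getVar(var) or "")))` (or `continue` on an unset variable if an empty annotation is not wanted). A short comment above the loop, such as `# Values are copied verbatim into the published SPDX document`, would remind recipe authors that whatever the listed variables contain ends up in the distributed SBOM. `create_annotation` is not visible in this hunk, so I am assuming it accepts a plain string comment; do_create_spdx starts and ends outside the hunk.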