From 10669f6f615058293671fb16454601580b7b34e9 Mon Sep 17 00:00:00 2001
From: Jose Quaresma <jose.quaresma@oss.qualcomm.com>
Date: Wed, 22 Oct 2025 10:06:49 +0100
Subject: [PATCH] create-spdx-3.0: add SPDX_LICENSES to SPDX3_DEP_FILES

If we have changes on SPDX_LICENSES content we ended up building invalid sstate-cache archives.
The default value for the SPDX_LICENSES is the file meta/files/spdx-licenses.json but this file
don't use the bitbake fetcher and because of this their checksum is not validated.
So we need to add this file to the build dependency chain of the SPDX.

For example, currently we have bump from 3.24.0 to 3.27.0 on master-next for the file
meta/files/spdx-licenses.json. Since the file content is not taken into account, we end
up creating invalid sstate-cache artifacts on the autobuilder on master-next builds.
This created sstate-cache artifacts will also be available to master branch users
that are using the upstream sstate-cache mirror.

If someone is using the public mirror but still following the master branch
they will encounter something like the following error which this change aims to resolve.

| ERROR: initramfs-rootfs-image-1.0-r0 do_create_image_sbom_spdx: http://spdxdocs.org/openembedded-alias/by-doc-hash/57301e8063a8bf25308226271627db2b78675cda9f648c5c6c14a2b9c18f48dc/zlib/UNIHASH/license/3_27_0/Zlib not found in /work/build/tmp/deploy/spdx/3.0.1/armv8a/by-spdxid-hash/57/57301e8063a8bf25308226271627db2b78675cda9f648c5c6c14a2b9c18f48dc.spdx.json

Signed-off-by: Jose Quaresma <jose.quaresma@oss.qualcomm.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/classes/create-spdx-3.0.bbclass | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass
index 3a8a97eca4..a6d2d44e34 100644
--- a/meta/classes/create-spdx-3.0.bbclass
+++ b/meta/classes/create-spdx-3.0.bbclass
@@ -136,6 +136,7 @@ oe.spdx30_tasks.collect_dep_objsets[vardepsexclude] = "SPDX_MULTILIB_SSTATE_ARCH
 SPDX3_DEP_FILES = "\
     ${COREBASE}/meta/lib/oe/sbom30.py:True \
     ${COREBASE}/meta/lib/oe/spdx30.py:True \
+    ${SPDX_LICENSES}:True \
     "
 
 python do_create_spdx() {
-- 
2.47.3