From: Joshua Watt Date: Mon, 7 Oct 2024 16:24:15 +0000 (-0600) Subject: spdx30: Link license and build by alias X-Git-Tag: yocto-5.2~1590 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c0fcdc72a7c8fca86a874d1b04298fe9e500c796;p=thirdparty%2Fopenembedded%2Fopenembedded-core-contrib.git spdx30: Link license and build by alias The license information and Build created by do_create_spdx are changed to be referenced by their link alias instead of the actual SPDX ID. This fixes a case where do_create_package_spdx would pull these from mismatching sstate, and then the SPDX IDs would be unresolved when assembling the final document Signed-off-by: Joshua Watt Signed-off-by: Richard Purdie
---
diff --git a/meta/lib/oe/sbom30.py b/meta/lib/oe/sbom30.py
index 7b4f78cc718..27ab5e45ac1 100644
--- a/meta/lib/oe/sbom30.py
+++ b/meta/lib/oe/sbom30.py
@@ -305,24 +305,7 @@ class ObjectSet(oe.spdx30.SHACLObjectSet):
 def add_aliases(self):
 for o in self.foreach_type(oe.spdx30.Element):
- if not o._id or o._id.startswith("_:"):
- continue
-
- alias_ext = get_alias(o)
- if alias_ext is None:
- unihash = self.d.getVar("BB_UNIHASH")
- namespace = self.get_namespace()
- if unihash not in o._id:
- bb.warn(f"Unihash {unihash} not found in {o._id}")
- elif namespace not in o._id:
- bb.warn(f"Namespace {namespace} not found in {o._id}")
- else:
- alias_ext = set_alias(
- o,
- o._id.replace(unihash, "UNIHASH").replace(
- namespace, self.d.getVar("PN")
- ),
- )
+ self.set_element_alias(o)
 def remove_internal_extensions(self):
 def remove(o):
@@ -345,6 +328,26 @@ class ObjectSet(oe.spdx30.SHACLObjectSet): str(uuid.uuid5(namespace_uuid, pn)), ) + def set_element_alias(self, e): + if not e._id or e._id.startswith("_:"): + return + + alias_ext = get_alias(e) + if alias_ext is None: + unihash = self.d.getVar("BB_UNIHASH") + namespace = self.get_namespace() + if unihash not in e._id: + bb.warn(f"Unihash {unihash} not found in {e._id}") + elif namespace not in e._id: + bb.warn(f"Namespace {namespace} not found in {e._id}") + else: + alias_ext = set_alias( + e, + e._id.replace(unihash, "UNIHASH").replace( + namespace, self.d.getVar("PN") + ), + ) + def new_spdxid(self, *suffix, include_unihash=True): items = [self.get_namespace()] if include_unihash: @@ -557,7 +560,9 @@ class ObjectSet(oe.spdx30.SHACLObjectSet): scope=scope, ) - def new_license_expression(self, license_expression, license_data, license_text_map={}): + def new_license_expression( + self, license_expression, license_data, license_text_map={} + ): license_list_version = license_data["licenseListVersion"] # SPDX 3 requires that the license list version be a semver # MAJOR.MINOR.MICRO, but the actual license version might be diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py index d0dd40877e2..e0b656d81f1 100644 --- a/meta/lib/oe/spdx30_tasks.py +++ b/meta/lib/oe/spdx30_tasks.py @@ -119,9 +119,11 @@ def add_license_expression(d, objset, license_expression, license_data): ) spdx_license_expression = " ".join(convert(l) for l in lic_split) - return objset.new_license_expression( + o = objset.new_license_expression( spdx_license_expression, license_data, license_text_map ) + objset.set_element_alias(o) + return o def add_package_files( @@ -462,6 +464,8 @@ def create_spdx(d): build_objset = oe.sbom30.ObjectSet.new_objset(d, d.getVar("PN")) build = build_objset.new_task_build("recipe", "recipe") + build_objset.set_element_alias(build) + build_objset.doc.rootElement.append(build) build_objset.set_is_native(is_native) 
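Review bot: In the new `set_element_alias`, both `bb.warn` branches fall through with no alias set and nothing returned, so the callers this commit adds in `add_license_expression` and `create_spdx` cannot tell that linking by alias failed for that element. What `get_element_link_id` returns for an element without an alias is not visible in this diff; if it falls back to the SPDX ID, the unresolved-ID case from the commit message could recur with only a warning in the log. The local `alias_ext` in the `else` branch is assigned and never read, so either drop the assignment or end the method with `return alias_ext` so callers can check the result. A short docstring stating that blank-node IDs (`_:` prefix) and already-aliased elements are skipped would also help, since the method is now called from outside the class.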
@@ -603,7 +607,7 @@ def create_spdx(d):
 set_var_field("DESCRIPTION", spdx_package, "description", package=package)
 pkg_objset.new_scoped_relationship(
- [build._id],
+ [oe.sbom30.get_element_link_id(build)],
 oe.spdx30.RelationshipType.hasOutput,
 oe.spdx30.LifecycleScopeType.build,
 [spdx_package],
@@ -650,7 +654,7 @@ def create_spdx(d):
 pkg_objset.new_relationship(
 [spdx_package],
 oe.spdx30.RelationshipType.hasConcludedLicense,
- [package_spdx_license._id],
+ [oe.sbom30.get_element_link_id(package_spdx_license)],
 )
 # NOTE: CVE Elements live in the recipe collection
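Review bot: Nothing at the `new_scoped_relationship` call says why `oe.sbom30.get_element_link_id(build)` is passed instead of `build._id`, and the same applies to `get_element_link_id(package_spdx_license)` in the `hasConcludedLicense` hunk below. The reason exists only in the commit message, so a later cleanup could revert to `._id` and reintroduce unresolved references in the assembled SBOM. A comment above each call would preserve it, for example `# Link by alias, not SPDX ID: package SPDX may be restored from sstate that does not match this recipe's unihash`. Both calls presumably rely on `set_element_alias` having run on the element first; for `package_spdx_license` that is not visible in this hunk, and the body of `create_spdx` continues outside it.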