spdx30: Link license and build by alias

The license information and Build created by do_create_spdx are changed
to be referenced by their link alias instead of the actual SPDX ID. This
fixes a case where do_create_package_spdx would pull these from
mismatching sstate, and then the SPDX IDs would be unresolved when
assembling the final document

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

diff --git a/meta/lib/oe/sbom30.py b/meta/lib/oe/sbom30.py
index 7b4f78cc71802e1551c30cb22564b32cb850e1b4..27ab5e45ac136faa218288b523a1050240ba0e15 100644 (file)
--- a/meta/lib/oe/sbom30.py
+++ b/meta/lib/oe/sbom30.py
@@ -305,24 +305,7 @@ class ObjectSet(oe.spdx30.SHACLObjectSet):
 
     def add_aliases(self):
         for o in self.foreach_type(oe.spdx30.Element):
-            if not o._id or o._id.startswith("_:"):
-                continue
-
-            alias_ext = get_alias(o)
-            if alias_ext is None:
-                unihash = self.d.getVar("BB_UNIHASH")
-                namespace = self.get_namespace()
-                if unihash not in o._id:
-                    bb.warn(f"Unihash {unihash} not found in {o._id}")
-                elif namespace not in o._id:
-                    bb.warn(f"Namespace {namespace} not found in {o._id}")
-                else:
-                    alias_ext = set_alias(
-                        o,
-                        o._id.replace(unihash, "UNIHASH").replace(
-                            namespace, self.d.getVar("PN")
-                        ),
-                    )
+            self.set_element_alias(o)
 
     def remove_internal_extensions(self):
         def remove(o):
@@ -345,6 +328,26 @@ class ObjectSet(oe.spdx30.SHACLObjectSet):
             str(uuid.uuid5(namespace_uuid, pn)),
         )
 
+    def set_element_alias(self, e):
+        if not e._id or e._id.startswith("_:"):
+            return
+
+        alias_ext = get_alias(e)
+        if alias_ext is None:
+            unihash = self.d.getVar("BB_UNIHASH")
+            namespace = self.get_namespace()
+            if unihash not in e._id:
+                bb.warn(f"Unihash {unihash} not found in {e._id}")
+            elif namespace not in e._id:
+                bb.warn(f"Namespace {namespace} not found in {e._id}")
+            else:
+                alias_ext = set_alias(
+                    e,
+                    e._id.replace(unihash, "UNIHASH").replace(
+                        namespace, self.d.getVar("PN")
+                    ),
+                )
+
     def new_spdxid(self, *suffix, include_unihash=True):
         items = [self.get_namespace()]
         if include_unihash:
@@ -557,7 +560,9 @@ class ObjectSet(oe.spdx30.SHACLObjectSet):
             scope=scope,
         )
 
-    def new_license_expression(self, license_expression, license_data, license_text_map={}):
+    def new_license_expression(
+        self, license_expression, license_data, license_text_map={}
+    ):
         license_list_version = license_data["licenseListVersion"]
         # SPDX 3 requires that the license list version be a semver
         # MAJOR.MINOR.MICRO, but the actual license version might be

diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index d0dd40877e296777286a78c84c2ba0d343900c68..e0b656d81f13effa147cae4ae86decd18c469daa 100644 (file)
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -119,9 +119,11 @@ def add_license_expression(d, objset, license_expression, license_data):
     )
     spdx_license_expression = " ".join(convert(l) for l in lic_split)
 
-    return objset.new_license_expression(
+    o = objset.new_license_expression(
         spdx_license_expression, license_data, license_text_map
     )
+    objset.set_element_alias(o)
+    return o
 
 
 def add_package_files(
@@ -462,6 +464,8 @@ def create_spdx(d):
     build_objset = oe.sbom30.ObjectSet.new_objset(d, d.getVar("PN"))
 
     build = build_objset.new_task_build("recipe", "recipe")
+    build_objset.set_element_alias(build)
+
     build_objset.doc.rootElement.append(build)
 
     build_objset.set_is_native(is_native)
@@ -603,7 +607,7 @@ def create_spdx(d):
             set_var_field("DESCRIPTION", spdx_package, "description", package=package)
 
             pkg_objset.new_scoped_relationship(
-                [build._id],
+                [oe.sbom30.get_element_link_id(build)],
                 oe.spdx30.RelationshipType.hasOutput,
                 oe.spdx30.LifecycleScopeType.build,
                 [spdx_package],
@@ -650,7 +654,7 @@ def create_spdx(d):
             pkg_objset.new_relationship(
                 [spdx_package],
                 oe.spdx30.RelationshipType.hasConcludedLicense,
-                [package_spdx_license._id],
+                [oe.sbom30.get_element_link_id(package_spdx_license)],
             )
 
             # NOTE: CVE Elements live in the recipe collection