From: Hongxu Jia Date: Mon, 28 Apr 2025 05:57:17 +0000 (+0800) Subject: spdx30: Provide software_packageUrl field in SPDX 3.0 SBOM X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c8e6953a0b6f59ffca994c440069db39e60b12d2;p=thirdparty%2Fopenembedded%2Fopenembedded-core-contrib.git spdx30: Provide software_packageUrl field in SPDX 3.0 SBOM Define var-SPDX_PACKAGE_URL to provide software_packageUrl field [1][2] in SPDX 3.0 SBOM, support to override with package name SPDX_PACKAGE_URL: Currently, the format of purl is not defined in Yocto, set empty for now until we have a comprehensive plan for what Yocto purls look like. But users could customize their own purl by setting var-SPDX_PACKAGE_URL [1] https://spdx.github.io/spdx-spec/v3.0.1/model/Software/Properties/packageUrl/ [2] https://spdx.github.io/spdx-spec/v3.0.1/annexes/pkg-url-specification/ Signed-off-by: Hongxu Jia Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie --- diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass index 044517d9f72..c0a5436ad68 100644 --- a/meta/classes/create-spdx-3.0.bbclass +++ b/meta/classes/create-spdx-3.0.bbclass @@ -117,6 +117,11 @@ SPDX_PACKAGE_VERSION ??= "${PV}" SPDX_PACKAGE_VERSION[doc] = "The version of a package, software_packageVersion \ in software_Package" +SPDX_PACKAGE_URL ??= "" +SPDX_PACKAGE_URL[doc] = "Provides a place for the SPDX data creator to record \ +the package URL string (in accordance with the Package URL specification) for \ +a software Package." + IMAGE_CLASSES:append = " create-spdx-image-3.0" SDK_CLASSES += "create-spdx-sdk-3.0" diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py index ba965821f86..61d7ba45e3e 100644 --- a/meta/lib/oe/spdx30_tasks.py +++ b/meta/lib/oe/spdx30_tasks.py @@ -631,6 +631,14 @@ def create_spdx(d): set_var_field("SUMMARY", spdx_package, "summary", package=package) set_var_field("DESCRIPTION", spdx_package, "description", package=package) + if d.getVar("SPDX_PACKAGE_URL:%s" % package) or d.getVar("SPDX_PACKAGE_URL"): + set_var_field( + "SPDX_PACKAGE_URL", + spdx_package, + "software_packageUrl", + package=package + ) + pkg_objset.new_scoped_relationship( [oe.sbom30.get_element_link_id(build)], oe.spdx30.RelationshipType.hasOutput,