* [PATCH] create-spdx-2.2: Add support for custom Annotations
@ 2023-02-13 19:54 Saul Wold
From: Saul Wold @ 2023-02-13 19:54 UTC
To: openembedded-core, JPEWhacker
This change adds a new variable to track which recipe variables
are added as SPDX Annotations.
Usage: add SPDX_CUSTOME_ANNOTATION_VARS = <some recipe variable>
The recipe SPDX JSON will contain an annotation stanza that looks
something like this:
"annotations": [
{
"annotationDate": "2023-02-13T19:44:20Z",
"annotationType": "OTHER",
"annotator": "Tool: oe-spdx-creator - 1.0",
"comment": "CUSTOM_VARIABLE=some value or string"
},
Signed-off-by: Saul Wold <saul.wold@windriver.com>
---
meta/classes/create-spdx-2.2.bbclass | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass
index f0513af083b..e1bbf646ff9 100644
--- a/meta/classes/create-spdx-2.2.bbclass
+++ b/meta/classes/create-spdx-2.2.bbclass
@@ -30,6 +30,8 @@ SPDX_PRETTY ??= "0"
SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json"
+SPDX_CUSTOM_ANNOTATION_VARS ??= ""
+
SPDX_ORG ??= "OpenEmbedded ()"
SPDX_SUPPLIER ??= "Organization: ${SPDX_ORG}"
SPDX_SUPPLIER[doc] = "The SPDX PackageSupplier field for SPDX packages created from \
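Review bot: the new variable is added without a [doc] flag, although the neighbouring SPDX_SUPPLIER[doc] shows the convention this file uses; add one stating that the value is a space-separated list of variable names whose NAME=value is recorded as an annotation on the recipe, and say there that the expanded value goes verbatim into the shipped SPDX document, so nothing that expands to a credential (a token embedded in a fetch URL, a key path) belongs in the list. The commit message spells the variable SPDX_CUSTOME_ANNOTATION_VARS; it should match the name defined here.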
@@ -402,7 +404,6 @@ def collect_dep_sources(d, dep_recipes):
return sources
-
python do_create_spdx() {
from datetime import datetime, timezone
import oe.sbom
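Review bot: this hunk only deletes the blank line before `python do_create_spdx() {`, a whitespace change unrelated to annotations and not mentioned in the commit message; drop it from this patch (or send it separately) so the diff contains only the feature.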
@@ -479,6 +480,10 @@ python do_create_spdx() {
if description:
recipe.description = description
+ if d.getVar("SPDX_CUSTOM_ANNOTATION_VARS"):
+ for var in d.getVar('SPDX_CUSTOM_ANNOTATION_VARS').split():
+ recipe.annotations.append(create_annotation(d, var + "=" + d.getVar(var)))
+
# Some CVEs may be patched during the build process without incrementing the version number,
# so querying for CVEs based on the CPE id can lead to false positives. To account for this,
# save the CVEs fixed by patches to source information field in the SPDX.
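Review bot: `var + "=" + d.getVar(var)` raises TypeError when a listed variable is unset, because d.getVar() returns None, so a single typo in the list fails the whole do_create_spdx task; use `d.getVar(var) or ""` or skip the name with a bb.warn(). The list is also looked up twice, once as `d.getVar("SPDX_CUSTOM_ANNOTATION_VARS")` and once with single quotes; one `vars = d.getVar("SPDX_CUSTOM_ANNOTATION_VARS") or ""` followed by `for var in vars.split():` covers both. Finally, the variables named in the list are resolved at run time rather than referenced literally in the function, so a change to one of their values does not enter the task signature and an sstate hit can hand back an SBOM with stale annotations; `do_create_spdx[vardeps] += "${SPDX_CUSTOM_ANNOTATION_VARS}"` next to the task definition would cover that.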
--
2.25.1
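As an added example (not code from the patch, from oe-core or from the authors), the producer and consumer sides of this feature in plain Python: a function that builds the annotation list the way the hunk does but skips an unset variable instead of failing, and a parser that reads the VAR=value annotations back out of a recipe SPDX 2.2 JSON document so a CI job can check that an SBOM carries the expected build provenance. The datastore, the variable names and their values are constructed for the example; the annotator string and date format follow the stanza shown in the commit message.

```python
"""Added example, not code from the patch or from oe-core: the producer
side of SPDX_CUSTOM_ANNOTATION_VARS written as a plain function, and a
consumer-side check that reads the "VAR=value" annotations back out of a
recipe SPDX 2.2 JSON document.  FAKE_DATASTORE is a constructed stand-in
for BitBake's `d`; the annotator string and date format follow the stanza
in the commit message."""
import json
import re
from datetime import datetime, timezone

# Constructed stand-in for a BitBake datastore (name -> expanded value).
# MISSING_VAR is listed but deliberately not defined, to exercise the
# unset case that the hunk's `var + "=" + d.getVar(var)` does not handle.
FAKE_DATASTORE = {
    "SPDX_CUSTOM_ANNOTATION_VARS": "BUILD_ID TOOLCHAIN_REV MISSING_VAR",
    "BUILD_ID": "ci-2023-02-13.7",
    "TOOLCHAIN_REV": "gcc=12.2.0 binutils=2.40",   # value itself contains '='
}

ANNOTATOR = "Tool: oe-spdx-creator - 1.0"
# Fixed timestamp so the output is reproducible (same instant as the commit message).
FIXED_TIME = datetime(2023, 2, 13, 19, 44, 20, tzinfo=timezone.utc)
VAR_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def create_annotation(comment, now=None):
    """One SPDX 2.2 annotation object, shaped like the patch's output."""
    now = now or datetime.now(timezone.utc)
    return {
        "annotationDate": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "annotationType": "OTHER",
        "annotator": ANNOTATOR,
        "comment": comment,
    }


def build_custom_annotations(getvar, now=None):
    """Producer side, mirroring the loop in the hunk with one change: a
    listed variable that is unset is skipped and reported rather than
    concatenated as None (which would raise TypeError in do_create_spdx)."""
    annotations, skipped = [], []
    for var in (getvar("SPDX_CUSTOM_ANNOTATION_VARS") or "").split():
        value = getvar(var)
        if value is None:
            skipped.append(var)
            continue
        annotations.append(create_annotation(f"{var}={value}", now))
    return annotations, skipped


def parse_custom_annotations(doc):
    """Consumer side: {VAR: value} for every annotation whose comment has
    the form VAR=value.  Split on the first '=' only so values containing
    '=' survive; comments not of that form (e.g. the CVE note the class
    also emits) are ignored."""
    found = {}
    for ann in doc.get("annotations", []):
        if ann.get("annotationType") != "OTHER":
            continue
        var, sep, value = ann.get("comment", "").partition("=")
        if sep and VAR_NAME.fullmatch(var):
            found[var] = value
    return found


def missing_provenance(doc, required):
    """CI-style check: which of the required variables the SBOM lacks."""
    present = parse_custom_annotations(doc)
    return [var for var in required if var not in present]


def demo():
    anns, skipped = build_custom_annotations(FAKE_DATASTORE.get, FIXED_TIME)
    # Constructed recipe document: the custom annotations plus one unrelated
    # annotation, as the real file would contain.
    doc = {
        "SPDXID": "SPDXRef-Recipe-example",
        "annotations": anns + [create_annotation("CVEs fixed: none", FIXED_TIME)],
    }
    return doc, skipped, parse_custom_annotations(doc)


if __name__ == "__main__":
    doc, skipped, parsed = demo()
    print(json.dumps(doc, indent=2))
    print("skipped (unset):", skipped)
    print("parsed:", parsed)
```

Nothing in the emitted annotation marks it as custom beyond the comment format, so a downstream check has to rely on that format; splitting on the first '=' only is what keeps a value such as `gcc=12.2.0 binutils=2.40` intact.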
* Re: [PATCH] create-spdx-2.2: Add support for custom Annotations
From: Joshua Watt @ 2023-02-13 20:03 UTC
To: Saul Wold; +Cc: openembedded-core
On Mon, Feb 13, 2023 at 1:54 PM Saul Wold <saul.wold@windriver.com> wrote:
>
> This change adds a new variable to track which recipe variables
> are added as SPDX Annotations.
>
> Usage: add SPDX_CUSTOME_ANNOTATION_VARS = <some recipe variable>
nit: CUSTOM
>
> The recipe SPDX JSON will contain an annotation stanza that looks
> something like this:
>
> "annotations": [
> {
> "annotationDate": "2023-02-13T19:44:20Z",
> "annotationType": "OTHER",
> "annotator": "Tool: oe-spdx-creator - 1.0",
> "comment": "CUSTOM_VARIABLE=some value or string"
> },
>
> Signed-off-by: Saul Wold <saul.wold@windriver.com>
> ---
> meta/classes/create-spdx-2.2.bbclass | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass
> index f0513af083b..e1bbf646ff9 100644
> --- a/meta/classes/create-spdx-2.2.bbclass
> +++ b/meta/classes/create-spdx-2.2.bbclass
> @@ -30,6 +30,8 @@ SPDX_PRETTY ??= "0"
>
> SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json"
>
> +SPDX_CUSTOM_ANNOTATION_VARS ??= ""
> +
> SPDX_ORG ??= "OpenEmbedded ()"
> SPDX_SUPPLIER ??= "Organization: ${SPDX_ORG}"
> SPDX_SUPPLIER[doc] = "The SPDX PackageSupplier field for SPDX packages created from \
> @@ -402,7 +404,6 @@ def collect_dep_sources(d, dep_recipes):
>
> return sources
>
> -
> python do_create_spdx() {
> from datetime import datetime, timezone
> import oe.sbom
> @@ -479,6 +480,10 @@ python do_create_spdx() {
> if description:
> recipe.description = description
>
> + if d.getVar("SPDX_CUSTOM_ANNOTATION_VARS"):
> + for var in d.getVar('SPDX_CUSTOM_ANNOTATION_VARS').split():
> + recipe.annotations.append(create_annotation(d, var + "=" + d.getVar(var)))
> +
Seems reasonable. If we need more configuration options, I think we
can add it later with flags, e.g.
MY_VAR = "foo"
MY_VAR[spdx-annotator] = "Me!"
SPDX_CUSTOM_ANNOTATION_VARS = "MY_VAR"
Also, in the future if users want package annotations, we can probably do:
SPDX_CUSTOM_ANNOTATION_VARS:${PN}
> # Some CVEs may be patched during the build process without incrementing the version number,
> # so querying for CVEs based on the CPE id can lead to false positives. To account for this,
> # save the CVEs fixed by patches to source information field in the SPDX.
> --
> 2.25.1
>
* Re: [PATCH] create-spdx-2.2: Add support for custom Annotations
From: Saul Wold (local) @ 2023-02-14 16:52 UTC
To: Joshua Watt; +Cc: openembedded-core
On 2/13/23 12:03, Joshua Watt wrote:
> On Mon, Feb 13, 2023 at 1:54 PM Saul Wold <saul.wold@windriver.com> wrote:
>>
>> This change adds a new variable to track which recipe variables
>> are added as SPDX Annotations.
>>
>> Usage: add SPDX_CUSTOME_ANNOTATION_VARS = <some recipe variable>
>
> nit: CUSTOM
>
v2 will come shortly (I will try to address the flags)
>>
>> The recipe SPDX JSON will contain an annotation stanza that looks
>> something like this:
>>
>> "annotations": [
>> {
>> "annotationDate": "2023-02-13T19:44:20Z",
>> "annotationType": "OTHER",
>> "annotator": "Tool: oe-spdx-creator - 1.0",
>> "comment": "CUSTOM_VARIABLE=some value or string"
>> },
>>
>> Signed-off-by: Saul Wold <saul.wold@windriver.com>
>> ---
>> meta/classes/create-spdx-2.2.bbclass | 7 ++++++-
>> 1 file changed, 6 insertions(+), 1 deletion(-)
>>
>> diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass
>> index f0513af083b..e1bbf646ff9 100644
>> --- a/meta/classes/create-spdx-2.2.bbclass
>> +++ b/meta/classes/create-spdx-2.2.bbclass
>> @@ -30,6 +30,8 @@ SPDX_PRETTY ??= "0"
>>
>> SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json"
>>
>> +SPDX_CUSTOM_ANNOTATION_VARS ??= ""
>> +
>> SPDX_ORG ??= "OpenEmbedded ()"
>> SPDX_SUPPLIER ??= "Organization: ${SPDX_ORG}"
>> SPDX_SUPPLIER[doc] = "The SPDX PackageSupplier field for SPDX packages created from \
>> @@ -402,7 +404,6 @@ def collect_dep_sources(d, dep_recipes):
>>
>> return sources
>>
>> -
>> python do_create_spdx() {
>> from datetime import datetime, timezone
>> import oe.sbom
>> @@ -479,6 +480,10 @@ python do_create_spdx() {
>> if description:
>> recipe.description = description
>>
>> + if d.getVar("SPDX_CUSTOM_ANNOTATION_VARS"):
>> + for var in d.getVar('SPDX_CUSTOM_ANNOTATION_VARS').split():
>> + recipe.annotations.append(create_annotation(d, var + "=" + d.getVar(var)))
>> +
>
> Seems reasonable. If we need more configuration options, I think we
> can add it later with flags, e.g.
>
> MY_VAR = "foo"
> MY_VAR[spdx-annotator] = "Me!"
> SPDX_CUSTOM_ANNOTATION_VARS = "MY_VAR"
>
What did you think the output should be here? I.e., what does the comment
line contain?
Today the annotation would contain:
"comment": "MY_VAR=foo"
What should the comment line contain if a flag or multiple flags exist?
Or does the CUSTOM_ANNOTATION code only look for one flag, [spdx-annotator]?
"comment": "Me!=foo"
Thoughts?
> Also, in the future if users want package annotations, we can probably do:
>
> SPDX_CUSTOM_ANNOTATION_VARS:${PN}
>
Do you really mean SPDX_CUSTOM_ANNOTATIONS_VARS:pn-${PN}
I tested this and it appears to work, along with the :append:pn-${PN} style.
Sau!
>
>> # Some CVEs may be patched during the build process without incrementing the version number,
>> # so querying for CVEs based on the CPE id can lead to false positives. To account for this,
>> # save the CVEs fixed by patches to source information field in the SPDX.
>> --
>> 2.25.1
>>
* Re: [PATCH] create-spdx-2.2: Add support for custom Annotations
From: Joshua Watt @ 2023-02-14 16:58 UTC
To: Saul Wold (local); +Cc: openembedded-core
On 2/14/23 10:52, Saul Wold (local) wrote:
>
>
> On 2/13/23 12:03, Joshua Watt wrote:
>> On Mon, Feb 13, 2023 at 1:54 PM Saul Wold <saul.wold@windriver.com>
>> wrote:
>>>
>>> This change adds a new variable to track which recipe variables
>>> are added as SPDX Annotations.
>>>
>>> Usage: add SPDX_CUSTOME_ANNOTATION_VARS = <some recipe variable>
>>
>> nit: CUSTOM
>>
> v2 will come shortly (I will try to address the flags)
Sorry, I wasn't trying to say we needed to do that today; that was for
posterity. I'm fine with omitting the flags and adding them in later if
necessary; I don't have a crystal ball to tell what's needed today, so it
might be best to wait until we know.
>>>
>>> The recipe SPDX JSON will contain an annotation stanza that looks
>>> something like this:
>>>
>>> "annotations": [
>>> {
>>> "annotationDate": "2023-02-13T19:44:20Z",
>>> "annotationType": "OTHER",
>>> "annotator": "Tool: oe-spdx-creator - 1.0",
>>> "comment": "CUSTOM_VARIABLE=some value or string"
>>> },
>>>
>>> Signed-off-by: Saul Wold <saul.wold@windriver.com>
>>> ---
>>> meta/classes/create-spdx-2.2.bbclass | 7 ++++++-
>>> 1 file changed, 6 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/meta/classes/create-spdx-2.2.bbclass
>>> b/meta/classes/create-spdx-2.2.bbclass
>>> index f0513af083b..e1bbf646ff9 100644
>>> --- a/meta/classes/create-spdx-2.2.bbclass
>>> +++ b/meta/classes/create-spdx-2.2.bbclass
>>> @@ -30,6 +30,8 @@ SPDX_PRETTY ??= "0"
>>>
>>> SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json"
>>>
>>> +SPDX_CUSTOM_ANNOTATION_VARS ??= ""
>>> +
>>> SPDX_ORG ??= "OpenEmbedded ()"
>>> SPDX_SUPPLIER ??= "Organization: ${SPDX_ORG}"
>>> SPDX_SUPPLIER[doc] = "The SPDX PackageSupplier field for SPDX
>>> packages created from \
>>> @@ -402,7 +404,6 @@ def collect_dep_sources(d, dep_recipes):
>>>
>>> return sources
>>>
>>> -
>>> python do_create_spdx() {
>>> from datetime import datetime, timezone
>>> import oe.sbom
>>> @@ -479,6 +480,10 @@ python do_create_spdx() {
>>> if description:
>>> recipe.description = description
>>>
>>> + if d.getVar("SPDX_CUSTOM_ANNOTATION_VARS"):
>>> + for var in d.getVar('SPDX_CUSTOM_ANNOTATION_VARS').split():
>>> + recipe.annotations.append(create_annotation(d, var +
>>> "=" + d.getVar(var)))
>>> +
>>
>> Seems reasonable. If we need more configuration options, I think we
>> can add it later with flags, e.g.
>>
>> MY_VAR = "foo"
>> MY_VAR[spdx-annotator] = "Me!"
>> SPDX_CUSTOM_ANNOTATION_VARS = "MY_VAR"
>>
> What did you think the output should be here? I.e., what does the comment
> line contain?
> Today the annotation would contain:
>
> "comment": "MY_VAR=foo"
>
> What should the comment line contain if a flag or multiple flags
> exist? Or does the CUSTOM_ANNOTATION code only look for one flag,
> [spdx-annotator]?
>
> "comment": "Me!=foo"
>
> Thoughts?
>
>> Also, in the future if users want package annotations, we can
>> probably do:
>>
>> SPDX_CUSTOM_ANNOTATION_VARS:${PN}
>>
> Do you really mean SPDX_CUSTOM_ANNOTATIONS_VARS:pn-${PN}
>
> I tested this and it appears to work, along with the :append:pn-${PN}
> style.
>
> Sau!
>>
>>> # Some CVEs may be patched during the build process without
>>> incrementing the version number,
>>> # so querying for CVEs based on the CPE id can lead to false
>>> positives. To account for this,
>>> # save the CVEs fixed by patches to source information field
>>> in the SPDX.
>>> --
>>> 2.25.1
>>>