* [OE-core][PATCH] classes/create-spdx: Add packageSupplier field
@ 2022-01-27 22:48 Joshua Watt
From: Joshua Watt @ 2022-01-27 22:48 UTC (permalink / raw)
  To: openembedded-core; +Cc: Joshua Watt

Per NIST SBoM recommendations, include the Package Supplier field for
all SPDX packages that are created. This field should generally be set
to the person or organization that is performing the build, since they
would be considered the "supplier" of the SPDX packages.

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
---
 meta/classes/create-spdx.bbclass | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/meta/classes/create-spdx.bbclass b/meta/classes/create-spdx.bbclass
index eb9535069a..eaf92c1773 100644
--- a/meta/classes/create-spdx.bbclass
+++ b/meta/classes/create-spdx.bbclass
@@ -29,6 +29,11 @@ SPDX_NAMESPACE_PREFIX ??= "http://spdx.org/spdxdoc"
 SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json"
 
 SPDX_ORG ??= "OpenEmbedded ()"
+SPDX_SUPPLIER ??= "Organization: ${SPDX_ORG}"
+SPDX_SUPPLIER[doc] = "The SPDX PackageSupplier field for SPDX packages created from \
+    this recipe. For SPDX documents create using this class during the build, this \
+    is the contact information for the person or organization who is doing the \
+    build."
 
 do_image_complete[depends] = "virtual/kernel:do_create_spdx"
 
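Review bot: the default `SPDX_SUPPLIER ??= "Organization: ${SPDX_ORG}"` inherits the existing `SPDX_ORG ??= "OpenEmbedded ()"`, so an unconfigured build emits `Organization: OpenEmbedded ()` as the supplier of every package, although the commit message and the new `[doc]` text say the field should identify whoever is actually performing the build; consider stating in the doc string that `SPDX_SUPPLIER` (or `SPDX_ORG`) is expected to be overridden in local or distro configuration, since a downstream consumer of the SBoM would otherwise attribute the packages to the wrong supplier. Also, in the doc string "For SPDX documents create using this class" should read "created using".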
@@ -425,6 +430,7 @@ python do_create_spdx() {
     recipe.name = d.getVar("PN")
     recipe.versionInfo = d.getVar("PV")
     recipe.SPDXID = oe.sbom.get_recipe_spdxid(d)
+    recipe.packageSupplier = d.getVar("SPDX_SUPPLIER")
     if bb.data.inherits_class("native", d) or bb.data.inherits_class("cross", d):
         recipe.annotations.append(create_annotation(d, "isNative"))
 
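Review bot: `recipe.packageSupplier = d.getVar("SPDX_SUPPLIER")` stores the variable verbatim, but the SPDX 2.2 PackageSupplier field only permits `Person: name (email)`, `Organization: name (email)` or `NOASSERTION`; a value configured without one of those prefixes would be written into every generated document and only surface later as a validation failure in the consumer's tooling. A one-time check at this first assignment (for example `bb.fatal` when the value neither starts with `Person:` or `Organization:` nor equals `NOASSERTION`), or a small helper shared by the three places the value is written, would catch that at build time.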
@@ -534,6 +540,7 @@ python do_create_spdx() {
             spdx_package.name = pkg_name
             spdx_package.versionInfo = d.getVar("PV")
             spdx_package.licenseDeclared = convert_license_to_spdx(package_license, package_doc, d, found_licenses)
+            spdx_package.packageSupplier = d.getVar("SPDX_SUPPLIER")
 
             package_doc.packages.append(spdx_package)
 
@@ -826,6 +833,7 @@ python image_combine_spdx() {
     image.name = d.getVar("PN")
     image.versionInfo = d.getVar("PV")
     image.SPDXID = oe.sbom.get_image_spdxid(image_name)
+    image.packageSupplier = d.getVar("SPDX_SUPPLIER")
 
     doc.packages.append(image)
 
-- 
2.33.0