[PATCH v2 0/1] Add support for custom annotations in SPDX

[PATCH v2 0/1] Add support for custom annotations in SPDX

[Saul Wold]

V2 fixes commit message and adds additional check for empty
custom_var.

Additional testing with SPDX_CUSTOM_ANNOTATION_VARS:pn-${PN} and
SPDX_CUSTOM_ANNOTATION_VARS:append:pn-${PN} confirmed to work
as expected.

We will leave the variable flag handling for a future extension
of this code as needed.

Saul Wold (1):
  create-spdx-2.2: Add support for custom Annotations

 meta/classes/create-spdx-2.2.bbclass | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

-- 
2.25.1

[PATCH v2 1/1] create-spdx-2.2: Add support for custom Annotations

[Saul Wold]

This change adds a new variable to track which recipe variables
are added as SPDX Annotations.

Usage: add SPDX_CUSTOM_ANNOTATION_VARS = <some recipe variable>

The recipe spdx json will contain an annotation stanza that looks
something like this:

     "annotations": [
        {
          "annotationDate": "2023-02-13T19:44:20Z",
          "annotationType": "OTHER",
          "annotator": "Tool: oe-spdx-creator - 1.0",
          "comment": "CUSTOM_VARIABLE=some value or string"
        },

Signed-off-by: Saul Wold <saul.wold@windriver.com>
---
 meta/classes/create-spdx-2.2.bbclass | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass
index f0513af083b..bdc2e2c91e7 100644
--- a/meta/classes/create-spdx-2.2.bbclass
+++ b/meta/classes/create-spdx-2.2.bbclass
@@ -30,6 +30,8 @@ SPDX_PRETTY ??= "0"
 
 SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json"
 
+SPDX_CUSTOM_ANNOTATION_VARS ??= ""
+
 SPDX_ORG ??= "OpenEmbedded ()"
 SPDX_SUPPLIER ??= "Organization: ${SPDX_ORG}"
 SPDX_SUPPLIER[doc] = "The SPDX PackageSupplier field for SPDX packages created from \
@@ -402,7 +404,6 @@ def collect_dep_sources(d, dep_recipes):
 
     return sources
 
-
 python do_create_spdx() {
     from datetime import datetime, timezone
     import oe.sbom
@@ -479,6 +480,11 @@ python do_create_spdx() {
     if description:
         recipe.description = description
 
+    if d.getVar("SPDX_CUSTOM_ANNOTATION_VARS"):
+        for var in d.getVar("SPDX_CUSTOM_ANNOTATION_VARS").split():
+            if d.getVar(var):
+                recipe.annotations.append(create_annotation(d, var + "=" + d.getVar(var)))
+
     # Some CVEs may be patched during the build process without incrementing the version number,
     # so querying for CVEs based on the CPE id can lead to false positives. To account for this,
     # save the CVEs fixed by patches to source information field in the SPDX.
-- 
2.25.1

Re: [OE-core] [PATCH v2 1/1] create-spdx-2.2: Add support for custom Annotations

[Alexandre Belloni]

V1 got merged, can you rebase ? :)

On 14/02/2023 09:21:56-0800, Saul Wold wrote:
> This change adds a new variable to track which recipe variables
> are added as SPDX Annotations.
> 
> Usage: add SPDX_CUSTOM_ANNOTATION_VARS = <some recipe variable>
> 
> The recipe spdx json will contain an annotation stanza that looks
> something like this:
> 
>      "annotations": [
>         {
>           "annotationDate": "2023-02-13T19:44:20Z",
>           "annotationType": "OTHER",
>           "annotator": "Tool: oe-spdx-creator - 1.0",
>           "comment": "CUSTOM_VARIABLE=some value or string"
>         },
> 
> Signed-off-by: Saul Wold <saul.wold@windriver.com>
> ---
>  meta/classes/create-spdx-2.2.bbclass | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
> 
> diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass
> index f0513af083b..bdc2e2c91e7 100644
> --- a/meta/classes/create-spdx-2.2.bbclass
> +++ b/meta/classes/create-spdx-2.2.bbclass
> @@ -30,6 +30,8 @@ SPDX_PRETTY ??= "0"
>  
>  SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json"
>  
> +SPDX_CUSTOM_ANNOTATION_VARS ??= ""
> +
>  SPDX_ORG ??= "OpenEmbedded ()"
>  SPDX_SUPPLIER ??= "Organization: ${SPDX_ORG}"
>  SPDX_SUPPLIER[doc] = "The SPDX PackageSupplier field for SPDX packages created from \
> @@ -402,7 +404,6 @@ def collect_dep_sources(d, dep_recipes):
>  
>      return sources
>  
> -
>  python do_create_spdx() {
>      from datetime import datetime, timezone
>      import oe.sbom
> @@ -479,6 +480,11 @@ python do_create_spdx() {
>      if description:
>          recipe.description = description
>  
> +    if d.getVar("SPDX_CUSTOM_ANNOTATION_VARS"):
> +        for var in d.getVar("SPDX_CUSTOM_ANNOTATION_VARS").split():
> +            if d.getVar(var):
> +                recipe.annotations.append(create_annotation(d, var + "=" + d.getVar(var)))
> +
>      # Some CVEs may be patched during the build process without incrementing the version number,
>      # so querying for CVEs based on the CPE id can lead to false positives. To account for this,
>      # save the CVEs fixed by patches to source information field in the SPDX.
> -- 
> 2.25.1
> 

> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#177167): https://lists.openembedded.org/g/openembedded-core/message/177167
> Mute This Topic: https://lists.openembedded.org/mt/96964900/3617179
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [alexandre.belloni@bootlin.com]
> -=-=-=-=-=-=-=-=-=-=-=-
> 


-- 
Alexandre Belloni, co-owner and COO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com