* [PATCH v2 0/1] Add support for custom annotations in SPDX
From: Saul Wold @ 2023-02-14 17:21 UTC
To: openembedded-core, JPEWhacker
V2 fixes commit message and adds additional check for empty
custom_var.

Additional testing with SPDX_CUSTOM_ANNOTATION_VARS:pn-${PN} and
SPDX_CUSTOM_ANNOTATION_VARS:append:pn-${PN} confirmed to work
as expected.

We will leave the variable flag handling for a future extension
of this code as needed.

Saul Wold (1):
create-spdx-2.2: Add support for custom Annotations
meta/classes/create-spdx-2.2.bbclass | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--
2.25.1
* [PATCH v2 1/1] create-spdx-2.2: Add support for custom Annotations
From: Saul Wold @ 2023-02-14 17:21 UTC
To: openembedded-core, JPEWhacker
This change adds a new variable to track which recipe variables
are added as SPDX Annotations.
Usage: add SPDX_CUSTOM_ANNOTATION_VARS = <some recipe variable>
The recipe spdx json will contain an annotation stanza that looks
something like this:
    "annotations": [
        {
            "annotationDate": "2023-02-13T19:44:20Z",
            "annotationType": "OTHER",
            "annotator": "Tool: oe-spdx-creator - 1.0",
            "comment": "CUSTOM_VARIABLE=some value or string"
        },
Signed-off-by: Saul Wold <saul.wold@windriver.com>
---
meta/classes/create-spdx-2.2.bbclass | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass
index f0513af083b..bdc2e2c91e7 100644
--- a/meta/classes/create-spdx-2.2.bbclass
+++ b/meta/classes/create-spdx-2.2.bbclass
@@ -30,6 +30,8 @@ SPDX_PRETTY ??= "0"
SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json"
+SPDX_CUSTOM_ANNOTATION_VARS ??= ""
+
SPDX_ORG ??= "OpenEmbedded ()"
SPDX_SUPPLIER ??= "Organization: ${SPDX_ORG}"
SPDX_SUPPLIER[doc] = "The SPDX PackageSupplier field for SPDX packages created from \
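Review bot: SPDX_CUSTOM_ANNOTATION_VARS is introduced here with no [doc] varflag, while SPDX_SUPPLIER two lines below carries one. Please add SPDX_CUSTOM_ANNOTATION_VARS[doc] stating that it is a whitespace-separated list of variable names and that each listed variable's value is copied into the recipe's SPDX annotations, so users know not to list variables whose values should not be published with the SBOM.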
@@ -402,7 +404,6 @@ def collect_dep_sources(d, dep_recipes):
return sources
-
python do_create_spdx() {
from datetime import datetime, timezone
import oe.sbom
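Review bot: the blank-line removal above python do_create_spdx() is unrelated to custom annotations and should not ride along with the feature; drop it from this patch or send it as a separate whitespace cleanup.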
@@ -479,6 +480,11 @@ python do_create_spdx() {
if description:
recipe.description = description
+ if d.getVar("SPDX_CUSTOM_ANNOTATION_VARS"):
+ for var in d.getVar("SPDX_CUSTOM_ANNOTATION_VARS").split():
+ if d.getVar(var):
+ recipe.annotations.append(create_annotation(d, var + "=" + d.getVar(var)))
+
# Some CVEs may be patched during the build process without incrementing the version number,
# so querying for CVEs based on the CPE id can lead to false positives. To account for this,
# save the CVEs fixed by patches to source information field in the SPDX.
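Review bot: the if d.getVar(var): check in the added loop silently skips a listed variable that is unset or empty, so a misspelled name in SPDX_CUSTOM_ANNOTATION_VARS yields an SBOM that is missing the annotation with nothing in the build log to show it. Consider logging the skipped name (for example with bb.debug or bb.warn) in an else branch so the omission can be noticed.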
--
2.25.1
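
How a consumer of the generated SBOM could read these annotations back, as an added example that is not part of the patch or of OE-core. The function name and the sample document are constructed for illustration; the example assumes the annotations sit on the package entries of an SPDX 2.2 JSON document and use the annotator string and "VAR=value" comment form shown in the commit message.

```python
import json

# Annotator string shown in the commit message's sample stanza.
OE_ANNOTATOR = "Tool: oe-spdx-creator - 1.0"

# Constructed sample: a minimal recipe SPDX document, not real build output.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "name": "recipe-example",
    "packages": [{
        "name": "example",
        "SPDXID": "SPDXRef-Recipe-example",
        "annotations": [
            {"annotationDate": "2023-02-13T19:44:20Z", "annotationType": "OTHER",
             "annotator": OE_ANNOTATOR,
             "comment": "CUSTOM_VARIABLE=some value or string"},
            {"annotationDate": "2023-02-13T19:44:20Z", "annotationType": "OTHER",
             "annotator": OE_ANNOTATOR,
             "comment": "EXTRA_FLAGS=--with-foo=bar"},
            {"annotationDate": "2023-02-13T19:44:20Z", "annotationType": "REVIEW",
             "annotator": "Person: reviewer", "comment": "looks fine"},
        ],
    }],
})


def custom_annotations(spdx_text, annotator=OE_ANNOTATOR):
    """Return {package name: {VAR: value}} for VAR=value annotations."""
    doc = json.loads(spdx_text)
    found = {}
    for pkg in doc.get("packages", []):
        for ann in pkg.get("annotations", []):
            if ann.get("annotator") != annotator or ann.get("annotationType") != "OTHER":
                continue
            # Split on the first "=" only: the value itself may contain "=".
            name, sep, value = ann.get("comment", "").partition("=")
            if not sep or not name or any(c.isspace() for c in name):
                continue  # not in the VAR=value form the patch writes
            found.setdefault(pkg.get("name", "?"), {})[name] = value
    return found


if __name__ == "__main__":
    for pkg, pairs in custom_annotations(SAMPLE_SPDX).items():
        for name, value in pairs.items():
            print(f"{pkg}: {name} = {value!r}")
```
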
* Re: [OE-core] [PATCH v2 1/1] create-spdx-2.2: Add support for custom Annotations
From: Alexandre Belloni @ 2023-02-15 10:33 UTC
To: Saul Wold; +Cc: openembedded-core, JPEWhacker
V1 got merged, can you rebase? :)
On 14/02/2023 09:21:56-0800, Saul Wold wrote:
> This change adds a new variable to track which recipe variables
> are added as SPDX Annotations.
>
> Usage: add SPDX_CUSTOM_ANNOTATION_VARS = <some recipe variable>
>
> The recipe spdx json will contain an annotation stanza that looks
> something like this:
>
>     "annotations": [
>         {
>             "annotationDate": "2023-02-13T19:44:20Z",
>             "annotationType": "OTHER",
>             "annotator": "Tool: oe-spdx-creator - 1.0",
>             "comment": "CUSTOM_VARIABLE=some value or string"
>         },
>
> Signed-off-by: Saul Wold <saul.wold@windriver.com>
> ---
> meta/classes/create-spdx-2.2.bbclass | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass
> index f0513af083b..bdc2e2c91e7 100644
> --- a/meta/classes/create-spdx-2.2.bbclass
> +++ b/meta/classes/create-spdx-2.2.bbclass
> @@ -30,6 +30,8 @@ SPDX_PRETTY ??= "0"
>
> SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json"
>
> +SPDX_CUSTOM_ANNOTATION_VARS ??= ""
> +
> SPDX_ORG ??= "OpenEmbedded ()"
> SPDX_SUPPLIER ??= "Organization: ${SPDX_ORG}"
> SPDX_SUPPLIER[doc] = "The SPDX PackageSupplier field for SPDX packages created from \
> @@ -402,7 +404,6 @@ def collect_dep_sources(d, dep_recipes):
>
> return sources
>
> -
> python do_create_spdx() {
> from datetime import datetime, timezone
> import oe.sbom
> @@ -479,6 +480,11 @@ python do_create_spdx() {
> if description:
> recipe.description = description
>
> + if d.getVar("SPDX_CUSTOM_ANNOTATION_VARS"):
> + for var in d.getVar("SPDX_CUSTOM_ANNOTATION_VARS").split():
> + if d.getVar(var):
> + recipe.annotations.append(create_annotation(d, var + "=" + d.getVar(var)))
> +
> # Some CVEs may be patched during the build process without incrementing the version number,
> # so querying for CVEs based on the CPE id can lead to false positives. To account for this,
> # save the CVEs fixed by patches to source information field in the SPDX.
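Review bot: in the added block, d.getVar("SPDX_CUSTOM_ANNOTATION_VARS") and d.getVar(var) are each evaluated twice. Reading each once into a local would be tidier, and with the ??= "" default from the first hunk the outer if could become (d.getVar("SPDX_CUSTOM_ANNOTATION_VARS") or "").split(), since splitting an empty string yields no iterations.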
> --
> 2.25.1
--
Alexandre Belloni, co-owner and COO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com