* Can create-spdx handle multiple components per recipe
From: Joseph Reynolds @ 2023-02-14 20:27 UTC (permalink / raw)
  To: OE-core

Team,

Thanks again for continuing to improve Yocto/OE.

I have a question about the capabilities of the create-spdx.bbclass.  I 
understand it will create an SBOM entry for each recipe.

Can create-spdx.bbclass handle multiple components per recipe?  For 
example, my bitbake recipe produces a web application which packages 
many HTML components.  I would like to have the recipe included in the 
SBOM together with the components which are packaged into the web 
application files.  Is there a way to do that?

Specifically, the OpenBMC web application uses various NPM components to 
provide its functionality in the end-user's browser.
Recipe: 
https://github.com/openbmc/openbmc/blob/master/meta-phosphor/recipes-phosphor/webui/webui-vue_git.bb 

Project source: https://github.com/openbmc/webui-vue/
NPM packages are specified here: 
https://github.com/openbmc/webui-vue/blob/master/package-lock.json
Package-lock docs: 
https://docs.npmjs.com/cli/v9/configuring-npm/package-lock-json

I want my SBOM to include the webui-vue application together with each 
of the NPM packages it uses.  How can I do that?

Sincerely,
Joseph Reynolds




* Re: [OE-core] Can create-spdx handle multiple components per recipe
From: Joshua Watt @ 2023-02-15 20:53 UTC (permalink / raw)
  To: Joseph Reynolds; +Cc: OE-core

Joseph,

Currently create-spdx will only report on the recipe itself and the
packages it produces. It's been a long standing TODO to make reporting
of sub-components like NPM packages and rust crates better, but we
haven't gotten there yet, partially because I'm not very familiar with
these technologies. If you have some experience, it would be great to
get some input on how to best handle these things.

One of the biggest problems is that often these technologies do
"sneaky" downloads of packages that we don't know about in the recipe,
and thus can't really report on. We largely fixed this in rust by
making users enumerate the crates they use in SRC_URI (with some
tooling to help automatically generate the list), but it looks, from
the recipe you've linked to, like this is what is happening in webui-vue.
Because of this it's going to be extra hard to report on any
components, since we simply aren't aware they exist (at the recipe
level).



On Tue, Feb 14, 2023 at 2:27 PM Joseph Reynolds <jrey@linux.ibm.com> wrote:
>
> Team,
>
> Thanks again for continuing to improve Yocto/OE.
>
> I have a question about the capabilities of the create-spdx.bbclass.  I
> understand it will create an SBOM entry for each recipe.
>
> Can create-spdx.bbclass handle multiple components per recipe?  For
> example, my bitbake recipe produces a web application which packages
> many HTML components.  I would like to have the recipe included in the
> SBOM together with the components which are packaged into the web
> application files.  Is there a way to do that?
>
> Specifically, the OpenBMC web application uses various NPM components to
> provide its functionality in the end-user's browser.
> Recipe:
> https://github.com/openbmc/openbmc/blob/master/meta-phosphor/recipes-phosphor/webui/webui-vue_git.bb
>
> Project source: https://github.com/openbmc/webui-vue/
> NPM packages are specified here:
> https://github.com/openbmc/webui-vue/blob/master/package-lock.json
> Package-lock docs:
> https://docs.npmjs.com/cli/v9/configuring-npm/package-lock-json
>
> I want my SBOM to include the webui-vue application together with each
> of the NPM packages it uses.  How can I do that?
>
> Sincerely,
> Joseph Reynolds
>
>



* Re: Can create-spdx handle multiple components per recipe
From: Joseph Reynolds @ 2023-02-15 22:14 UTC (permalink / raw)
  To: openembedded-core


Thanks for confirming.  I wouldn't expect OE to be able to have any knowledge of "sneaky" downloads of additional packages.

I have an idea to enhance create-spdx.bbclass so sneaky recipes can fess up and tell create-spdx about any additional packages they downloaded.  If you could implement something like the following, it would help me.  If not, I'll just have to combine the OE-produced SBOM with my own custom-produced SBOMs.  The idea is:

Idea: Enhance create-spdx.bbclass so a recipe can add multiple additional SBOM entries.  For example, if recipeX is sneaky and downloads componentY without bitbake or OE knowing about it, then the recipe will have some way to tell create-spdx that it downloaded componentY at versionZ and also give its license information.

If I had this, then I think we could enhance our webui-vue recipe to use this to report all the NPM packages.


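Joseph's first message asks how to get each NPM package from package-lock.json into the SBOM next to the webui-vue application, and his last message settles on combining the OE-produced SBOM with a custom-produced one if create-spdx cannot do it. The script below is an added example for both passages, not code from OE-core, create-spdx or webui-vue: it reads a lockfileVersion 2/3 package-lock.json, converts each pinned package into an SPDX 2.3 JSON package entry (purl, download URL, declared license, checksum decoded from npm's integrity field) and emits CONTAINS / BUILD_TOOL_OF relationships to the application package. The sample lockfile, its package names and digest are constructed here; the root SPDXID "SPDXRef-webui-vue" is an assumption, since the identifiers create-spdx assigns are not shown in this thread.

```python
"""Added example: turn a package-lock.json (lockfileVersion 2/3, "packages"
map) into SPDX 2.3 package entries and relationships for merging into an SBOM
produced elsewhere. Illustrative only; not OE-core, create-spdx or webui-vue code."""
import base64
import json
from typing import Dict, List, Optional, Tuple
from urllib.parse import quote

# npm subresource-integrity prefixes, weakest first, with their SPDX names.
SRI_RANK = ["sha1", "sha256", "sha512"]
SRI_TO_SPDX = {"sha1": "SHA1", "sha256": "SHA256", "sha512": "SHA512"}

# Constructed sample lockfile (not the real webui-vue one). The digest is a
# made-up value: base64 of the bytes 0x00..0x3f, so its hex form is predictable.
FAKE_DIGEST = base64.b64encode(bytes(range(64))).decode()
SAMPLE_LOCK: Dict = {
    "name": "webui-vue", "version": "0.1.0", "lockfileVersion": 3,
    "packages": {
        "": {"name": "webui-vue", "version": "0.1.0",
             "dependencies": {"left-pad": "^1.3.0", "@scope/widget": "^2.0.0"},
             "devDependencies": {"eslint": "^8.0.0"}},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-" + FAKE_DIGEST, "license": "WTFPL"},
        # Scoped package with no integrity or license recorded: the SBOM must
        # say NOASSERTION rather than guess.
        "node_modules/@scope/widget": {
            "version": "2.0.0",
            "resolved": "https://registry.npmjs.org/@scope/widget/-/widget-2.0.0.tgz"},
        "node_modules/eslint": {
            "version": "8.0.0",
            "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.0.0.tgz",
            "integrity": "sha512-" + FAKE_DIGEST,
            "dev": True,  # build-time only; never shipped in the web app
            "license": "MIT"},
    },
}


def package_name(path: str) -> str:
    """Last node_modules segment of a lockfile key: 'node_modules/a/node_modules/@s/b' -> '@s/b'."""
    return path.rsplit("node_modules/", 1)[-1]


def sri_to_spdx_checksum(integrity: Optional[str]) -> Optional[Dict[str, str]]:
    """Convert an npm SRI string ('sha512-<base64>', possibly several space-separated)
    into an SPDX checksum dict using the strongest known algorithm, or None."""
    best: Optional[Tuple[int, str, str]] = None
    for token in (integrity or "").split():
        algo, _, b64 = token.partition("-")
        if algo in SRI_TO_SPDX and (best is None or SRI_RANK.index(algo) > best[0]):
            best = (SRI_RANK.index(algo), algo, b64)
    if best is None:
        return None
    _, algo, b64 = best
    return {"algorithm": SRI_TO_SPDX[algo], "checksumValue": base64.b64decode(b64).hex()}


def purl(name: str, version: str) -> str:
    """package-url for an npm package; a scope's '@' is percent-encoded per the purl spec."""
    return f"pkg:npm/{quote(name, safe='/')}@{version}"


def spdx_id(name: str, version: str) -> str:
    """SPDX identifiers allow only letters, digits, '.' and '-'."""
    raw = f"SPDXRef-npm-{name}-{version}"
    return "".join(c if c.isalnum() or c in ".-" else "-" for c in raw)


def lock_to_spdx(lock: Dict, root_id: str, include_dev: bool = False) -> Tuple[List[Dict], List[Dict]]:
    """Return (packages, relationships) for an SPDX 2.3 document whose application
    package has SPDXID root_id. Runtime packages become CONTAINS children of the
    root; dev packages (only with include_dev) are recorded as BUILD_TOOL_OF it."""
    if "packages" not in lock:
        raise ValueError("lockfileVersion 1 uses a 'dependencies' tree; not handled here")
    packages: List[Dict] = []
    relationships: List[Dict] = []
    for path, entry in lock["packages"].items():
        if path == "":  # the root project itself, represented by root_id
            continue
        is_dev = bool(entry.get("dev"))
        if is_dev and not include_dev:
            continue
        name, version = package_name(path), entry["version"]
        pkg: Dict = {
            "SPDXID": spdx_id(name, version), "name": name, "versionInfo": version,
            "downloadLocation": entry.get("resolved", "NOASSERTION"),
            "licenseDeclared": entry.get("license", "NOASSERTION"),
            "licenseConcluded": "NOASSERTION", "filesAnalyzed": False,
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                              "referenceLocator": purl(name, version)}],
        }
        checksum = sri_to_spdx_checksum(entry.get("integrity"))
        if checksum:
            pkg["checksums"] = [checksum]
        packages.append(pkg)
        if is_dev:
            relationships.append({"spdxElementId": pkg["SPDXID"], "relationshipType": "BUILD_TOOL_OF",
                                  "relatedSpdxElement": root_id})
        else:
            relationships.append({"spdxElementId": root_id, "relationshipType": "CONTAINS",
                                  "relatedSpdxElement": pkg["SPDXID"]})
    return packages, relationships


if __name__ == "__main__":
    pkgs, rels = lock_to_spdx(SAMPLE_LOCK, "SPDXRef-webui-vue", include_dev=True)
    print(json.dumps({"packages": pkgs, "relationships": rels}, indent=2))
```

Dev-only packages are skipped by default because they never ship in the built web application; including them with `include_dev=True` records them as build tools instead, which keeps the runtime and build-time parts of the SBOM distinguishable. The integrity field is the only provenance evidence the lockfile carries, so a package without one is emitted without a checksum rather than with an invented one.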
