Hi Daniel,

I'm working on something similar and have shared what I have so far,
https://lists.openembedded.org/g/openembedded-core/topic/rfc_patch_0_1_spdx_add/116223136.

Could you please take a look?

Best regards,
Fabio

On 11/5/25 14:54, Daniel Wagenknecht via lists.openembedded.org wrote:
> Hello,
>
> I've looked through the generated SPDX files for a project recently.
> I'm specifically interested in the downloadLocation property that is
> set for entries in SRC_URI in recipe scope SPDX files, as our list of
> upstream sources we need to monitor for security information is based
> off those values.
>
> We'd like to extend the generated SPDX to also cover files from
> meta-layers that are provided via file:// entries in SRC_URI. The files
> provided via this mechanism are mostly configuration files, systemd
> services, initscripts and the like, so one could argue that they
> are not relevant dependencies and thus do not need to be traced in
> SPDX, but we'd prefer to properly trace them in the SPDX documents.
>
> Are there any thoughts on this, prior discussion that I've not found in
> the mailing list archive, or external resources on how such files should
> be treated in SPDX in general?
>
> I'm considering implementing this as outlined:
> - for file:// entries in SRC_URI, determine which layer provides the
>   file (via bb.fetch2.local.localpath())
> - check if the layer is modified via oe.buildcfg.is_layer_modified()
>   -> modified -> abort
> - retrieve the layer's URL. This is more involved, since what
>   oe.buildcfg.get_metadata_git_remotes() returns might not be the URL
>   that should be specified in the downloadLocation.
>   My approach would be to introduce a per-layer variable that specifies
>   its public URL.
>   -> no public URL for the layer found -> abort
> - create an SPDXRef-Download-recipename-X entry for the file with the
>   downloadLocation set to the layer's URL with the commit and subpath of
>   the file in the repository specified
>
> If the layer is modified or a public URL for that layer is not
> specified, the downloadLocation would yield a NOASSERTION value.
>
> I'd be glad to get some feedback on those ideas!
>
> Sincerely
> Daniel Wagenknecht
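The flow Daniel outlines above, as an added example that is not part of this thread and not OE-core code. It resolves each file:// entry in SRC_URI to the layer that provides it, refuses to assert a location when that layer has local modifications, has no public URL, or is not checked out at a full commit, and otherwise emits the SPDX VCS locator form `git+<url>@<commit>#<subpath>`. Everything named here is an assumption for illustration: the `Layer` record stands in for a hypothetical per-layer public-URL variable and for `oe.buildcfg.is_layer_modified()`, the `RESOLVED` table stands in for the fetcher's FILESPATH lookup (`bb.fetch2.local.localpath()`), and the layer paths, URLs and commits are constructed sample data.

```python
"""Derive SPDX downloadLocation values for file:// SRC_URI entries.

Illustration only (not OpenEmbedded code). The Layer record stands in for a
hypothetical per-layer public URL variable and for the is_layer_modified()
check; RESOLVED stands in for the fetcher's FILESPATH search.
"""
import os
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

NOASSERTION = "NOASSERTION"
FULL_COMMIT = re.compile(r"^[0-9a-f]{40}$")   # only an immutable revision is traceable


@dataclass
class Layer:
    path: str                   # absolute layer root (constructed)
    public_url: Optional[str]   # assumed per-layer public URL, None if unset
    rev: str                    # commit the layer is checked out at
    modified: bool              # stand-in for oe.buildcfg.is_layer_modified()


def find_layer(local_path: str, layers: List[Layer]) -> Optional[Layer]:
    """Return the layer whose root contains local_path; the longest matching
    root wins so a layer nested inside another is attributed correctly."""
    real = os.path.normpath(local_path)
    best = None
    for layer in layers:
        root = os.path.normpath(layer.path)
        if real.startswith(root + os.sep):
            if best is None or len(root) > len(os.path.normpath(best.path)):
                best = layer
    return best


def download_location(local_path: str, layers: List[Layer]) -> str:
    """downloadLocation for one resolved file:// source, or NOASSERTION when
    the location cannot be stated honestly."""
    layer = find_layer(local_path, layers)
    if layer is None:
        return NOASSERTION          # file is outside every known layer
    if layer.modified:
        return NOASSERTION          # working tree differs from the recorded commit
    if not layer.public_url or not FULL_COMMIT.match(layer.rev):
        return NOASSERTION          # no public URL, or rev is a branch/tag, not a commit
    subpath = os.path.relpath(os.path.normpath(local_path), os.path.normpath(layer.path))
    return f"git+{layer.public_url}@{layer.rev}#{subpath}"


def file_entries(src_uri: str) -> List[str]:
    """Names of the file:// entries in SRC_URI, with ;key=value parameters dropped."""
    names = []
    for entry in src_uri.split():
        if entry.startswith("file://"):
            names.append(entry[len("file://"):].split(";", 1)[0])
    return names


def spdx_download_entries(recipe: str, src_uri: str,
                          localpath: Callable[[str], str],
                          layers: List[Layer]) -> List[Dict[str, str]]:
    """One SPDXRef-Download-<recipe>-<n> entry per file:// source."""
    entries = []
    for n, name in enumerate(file_entries(src_uri)):
        entries.append({
            "SPDXID": f"SPDXRef-Download-{recipe}-{n}",
            "fileName": name,
            "downloadLocation": download_location(localpath(name), layers),
        })
    return entries


# Constructed sample build: a clean public layer, a locally modified layer,
# and a clean layer with no public URL configured.
LAYERS = [
    Layer("/build/layers/meta-public", "https://git.example.org/meta-public.git", "a" * 40, False),
    Layer("/build/layers/meta-local", "https://git.example.org/meta-local.git", "b" * 40, True),
    Layer("/build/layers/meta-nourl", None, "c" * 40, False),
]

# Constructed stand-in for the FILESPATH search: where each file:// name resolves.
RESOLVED = {
    "foo.service": "/build/layers/meta-public/recipes-core/foo/files/foo.service",
    "foo.conf": "/build/layers/meta-local/recipes-core/foo/files/foo.conf",
    "foo.init": "/build/layers/meta-nourl/recipes-core/foo/files/foo.init",
}

SRC_URI = ("git://git.example.org/foo.git;branch=main;protocol=https "
           "file://foo.service file://foo.conf;subdir=cfg file://foo.init")


def demo() -> List[Dict[str, str]]:
    return spdx_download_entries("foo", SRC_URI, RESOLVED.__getitem__, LAYERS)


if __name__ == "__main__":
    for e in demo():
        print(e["SPDXID"], e["fileName"], e["downloadLocation"])
```

The full-commit check is the one extra guard beyond the steps in the mail: a layer checked out at a branch name resolves to different content over time, so recording it in downloadLocation would give the monitoring process a location that cannot be re-fetched byte-for-byte.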
View/Reply Online (#226132): https://lists.openembedded.org/g/openembedded-core/message/226132
