From: Stefano Tondo <[email protected]>

Add automatic Package URL (PURL) generation according to the Yocto PURL
specification to enable package identification in vulnerability databases
and improve NTIA SBOM compliance.

Field added:
- software_packageUrl: Auto-generates Package URLs per Yocto PURL spec
  Format: pkg:yocto/<LAYERNAME>/<BPN>@<PV>
  See: https://github.com/package-url/purl-spec/pull/372

PURL Implementation:
- Type: yocto (official PURL type for Yocto recipes, per PR #372)
- Namespace: Layer name from FILE_LAYERNAME variable
- Name: BPN (base package name with prefixes/suffixes removed)
- Version: PV (package version from recipe)
- Normalization: Lowercase per PURL spec

New BitBake variable:
- SPDX_PACKAGE_URL: Override auto-generated PURL

The Yocto PURL type specification (purl-spec PR #372) has been approved by
the PURL maintainers and is ready for implementation. This follows the
agreed format from JPEWdev (Joshua Watt) and petermarko.

Signed-off-by: Stefano Tondo <[email protected]>
---
 meta/lib/oe/spdx30_tasks.py | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index f731a709e3..86430c7008 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -474,6 +474,36 @@ def create_spdx(d): if val: setattr(obj, name, val) + def generate_purl(d, package=None): + """ + Generate Package URL (purl) for a package according to Yocto PURL spec. + Format: pkg:yocto/<LAYERNAME>/<BPN>@<PV> + + See: https://github.com/package-url/purl-spec/pull/372 + """ + bpn = d.getVar("BPN") + pv = d.getVar("PV") + + # Get layer name using FILE_LAYERNAME + # This is the correct variable that contains the layer name from BBFILE_COLLECTIONS + # (BBFILE_COLLECTIONS itself is not available outside of layer.conf) + layer = d.getVar("FILE_LAYERNAME") + + if not layer: + layer = "core" # Default to core if layer detection fails + + # For sub-packages, use BPN (base package name) + # Per spec: BPN has prefixes/suffixes removed + name = bpn + + # Normalize name per PURL spec (lowercase only) + # Note: Underscores are not allowed in recipe names + name = name.lower() + + purl = f"pkg:yocto/{layer}/{name}@{pv}" + + return purl + license_data = oe.spdx_common.load_spdx_license_data(d) deploydir = Path(d.getVar("SPDXDEPLOY")) @@ -646,6 +676,10 @@ def create_spdx(d): "software_packageUrl", package=package ) + else: + # Auto-generate PURL if not manually specified + auto_purl = generate_purl(d, package) + spdx_package.software_packageUrl = auto_purl pkg_objset.new_scoped_relationship( [oe.sbom30.get_element_link_id(build)], -- 2.52.0
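Review bot: in the generate_purl hunk the `package` parameter is accepted but never read, so every split package of a recipe (the -dev, -dbg, -doc variants and so on) receives the identical recipe-level PURL, even though the manual override it falls back from is looked up with `package=package`; either drop the parameter or state in the docstring that sub-packages deliberately share the recipe's PURL. Two smaller points in the same hunk: the commit message promises "Normalization: Lowercase per PURL spec" but only `name = name.lower()` is applied, `layer` is used as-is, and neither `layer` nor `pv` is percent-encoded, so a version such as `1.2+gitAUTOINC+abcd` is interpolated verbatim into `purl = f"pkg:yocto/{layer}/{name}@{pv}"`; running the version through the spec's percent-encoding (for example `urllib.parse.quote`) would keep characters outside the unreserved set from reaching downstream purl parsers unencoded. Finally, `layer = "core"  # Default to core if layer detection fails` silently produces a confidently wrong namespace when FILE_LAYERNAME is unset, which is worse for vulnerability matching than no PURL at all; a `bb.warn()` there, or leaving software_packageUrl unset, would be the safer failure mode.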
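Review bot: the `else:` added in the second hunk attaches to a conditional that lies outside the three context lines shown; the preceding call that sets `"software_packageUrl", package=package` must be the body of an `if` for this to parse, otherwise the patch is a SyntaxError, so please either include enough context to make the control flow reviewable or replace the bare `else:` with an explicit `if not spdx_package.software_packageUrl:` check after that call. Related, the commit message lists SPDX_PACKAGE_URL under "New BitBake variable", yet nothing in this diff introduces it; the hunk only adds the fallback taken when the existing setting is absent, so the message should describe the variable as pre-existing and the auto-generated default as the change, and the variable's documentation should be updated to mention that default.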
