Le jeu. 8 janv. 2026 à 16:30, Joshua Watt via lists.openembedded.org <[email protected]> a écrit :
> Adds code to add PURLs to packages based on the PURL specification for > Yocto packages [1]. > > The SPDX_PACKAGE_URL variable is renamed SPDX_PACKAGE_URLS to make it > clear that it can now be a list of PURLs. SPDX_PACKAGE_URL is retained, > but marked as deprecated. > Hello Joshua, Does it make sense to backport this to the stable branches that have create-spdx-3.0.bbclass ? or at least scarthgap? My reasoning is that the same rationale that led to create-spdx-3.0.bbclass backported in scarthgap would also apply to PURLs. (I've checked, the patch does apply with a simple merge) What do you think? [1]: > https://github.com/package-url/purl-spec/blob/main/types-doc/yocto-definition.md > > Signed-off-by: Joshua Watt <[email protected]> > --- > meta/classes/create-spdx-3.0.bbclass | 11 ++++++++- > meta/lib/oe/__init__.py | 2 +- > meta/lib/oe/purl.py | 34 ++++++++++++++++++++++++++++ > meta/lib/oe/spdx30_tasks.py | 21 ++++++++++++----- > 4 files changed, 60 insertions(+), 8 deletions(-) > create mode 100644 meta/lib/oe/purl.py > > diff --git a/meta/classes/create-spdx-3.0.bbclass > b/meta/classes/create-spdx-3.0.bbclass > index 96c0b9722b..d4575d61c4 100644 > --- a/meta/classes/create-spdx-3.0.bbclass > +++ b/meta/classes/create-spdx-3.0.bbclass 
> @@ -131,7 +131,16 @@ SPDX_PACKAGE_VERSION[doc] = "The version of a > package, software_packageVersion \ > SPDX_PACKAGE_URL ??= "" > SPDX_PACKAGE_URL[doc] = "Provides a place for the SPDX data creator to > record \ > the package URL string (in accordance with the Package URL specification) > for \ > -a software Package." > +a software Package. DEPRECATED - use SPDX_PACKAGE_URLS instead" > + > +SPDX_PACKAGE_URLS ?= "${SPDX_PACKAGE_URL} ${@oe.purl.get_base_purl(d)}" > +SPDX_PACKAGE_URLS[doc] = "A space separated list of Package URLs (purls) > for \ > + the software Package. The first item in this list will be listed as > the \ > + packageUrl property of the packages, and all purls (including the > first \ > + one) will be listed as external references. The default value is an > auto \ > + generated pkg:yocto purl based on the recipe name, version, and layer > name. \ > + Override this variable to replace the default, otherwise append or > prepend \ > + to add additional purls." > > IMAGE_CLASSES:append = " create-spdx-image-3.0" > SDK_CLASSES += "create-spdx-sdk-3.0" > diff --git a/meta/lib/oe/__init__.py b/meta/lib/oe/__init__.py > index 9e4134c483..13d887a4aa 100644 > --- a/meta/lib/oe/__init__.py > +++ b/meta/lib/oe/__init__.py > @@ -12,4 +12,4 @@ __path__ = extend_path(__path__, __name__) > BBIMPORTS = ["qa", "data", "path", "utils", "types", "package", > "packagedata", \ > "packagegroup", "sstatesig", "lsb", "cachedpath", "license", > "qemu", \ > "reproducible", "rust", "buildcfg", "go", "spdx30_tasks", > "spdx_common", \ > - "cve_check", "tune", "classextend"] > + "cve_check", "tune", "classextend", "purl"] > diff --git a/meta/lib/oe/purl.py b/meta/lib/oe/purl.py > new file mode 100644 > index 0000000000..2f92a23596 > --- /dev/null > +++ b/meta/lib/oe/purl.py 
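Review bot: The new SPDX_PACKAGE_URLS[doc] text does not say how a package-specific override interacts with the default: the consuming code in spdx30_tasks.py reads `SPDX_PACKAGE_URLS:<pkg>` before `SPDX_PACKAGE_URLS`, so a per-package value replaces the whole list, including the auto-generated pkg:yocto purl, which the "append or prepend to add additional purls" wording hides. As far as I can see it also leaves unstated that the deprecated per-package form `SPDX_PACKAGE_URL:<pkg>`, which the old code consulted explicitly, is no longer honored, because the default only expands the unsuffixed `${SPDX_PACKAGE_URL}`. I would add to the doc: `A package-specific SPDX_PACKAGE_URLS:<pkg> replaces this whole list (including the auto-generated purl); the deprecated SPDX_PACKAGE_URL:<pkg> form is not consulted.` The leading space that `${SPDX_PACKAGE_URL}` produces when the deprecated variable is empty is harmless since the consumer uses split(), but a one-line note would save the next reader the check.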
> @@ -0,0 +1,34 @@ > +# > +# Copyright OpenEmbedded Contributors > +# > +# SPDX-License-Identifier: GPL-2.0-only > +# > + > +import urllib.parse > + > +PREFIX = "pkg:yocto" > + > + > +def quote(s): > + """ > + Returns the percent encoded version of the string, suitable for > including > + in a PURL field > + """ > + return urllib.parse.quote(s, safe="") > + > + > +def get_base_purl(d): > + """ > + Returns the base PURL for the current recipe (that is, the PURL > without any > + additional qualifiers) > + """ > + layername = d.getVar("FILE_LAYERNAME") > + bpn = d.getVar("BPN") > + pv = d.getVar("PV") > + > + name = f"{quote(bpn.lower())}@{quote(pv)}" > + > + if layername: > + return f"{PREFIX}/{quote(layername.lower())}/{name}" > + > + return f"{PREFIX}/{name}" > diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py > index f731a709e3..01e7dcbbc6 100644 > --- a/meta/lib/oe/spdx30_tasks.py > +++ b/meta/lib/oe/spdx30_tasks.py > @@ -639,12 +639,21 @@ def create_spdx(d): > set_var_field("SUMMARY", spdx_package, "summary", > package=package) > set_var_field("DESCRIPTION", spdx_package, "description", > package=package) > > - if d.getVar("SPDX_PACKAGE_URL:%s" % package) or > d.getVar("SPDX_PACKAGE_URL"): > - set_var_field( > - "SPDX_PACKAGE_URL", > - spdx_package, > - "software_packageUrl", > - package=package > + purls = ( > + d.getVar("SPDX_PACKAGE_URLS:%s" % package) > + or d.getVar("SPDX_PACKAGE_URLS") > + or "" > + ).split() > + > + if purls: > + spdx_package.software_packageUrl = purls[0] > + > + for p in sorted(set(purls)): > + spdx_package.externalIdentifier.append( > + oe.spdx30.ExternalIdentifier( > + > externalIdentifierType=oe.spdx30.ExternalIdentifierType.packageUrl, > + identifier=p, > + ) > ) > > pkg_objset.new_scoped_relationship( > -- > 2.52.0 > > > > > -- Yoann Congal Smile ECS
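Review bot: The docstring of `quote` should say why `safe=""` is passed, since urllib's default is `safe="/"` and a later "cleanup" to the default would let a BPN, PV or layer name containing `/`, `@`, `?` or `#` be parsed as extra purl separators by consumers; over-encoding those characters is the spec-sanctioned way to avoid that. I would add: `# safe="" also encodes '/', '@', '?' and '#', which would otherwise be read as purl separators (over-encoding is allowed by the purl spec)`. In `get_base_purl`, the `.lower()` on the name and layer is not explained; if the yocto type definition in [1] mandates case folding, a one-line comment citing it would keep someone from "fixing" it later, and if it does not, the folding changes the identifier for mixed-case recipe names and deserves a sentence. A doctest such as `>>> get_base_purl(d)` returning `pkg:yocto/meta-example/example@1.0` would also pin the expected shape.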
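Review bot: After `.split()` nothing checks that each token is actually a purl, so a value of the deprecated SPDX_PACKAGE_URL that contains an unencoded space (previously recorded verbatim through set_var_field) is now silently turned into several bogus externalIdentifier entries, and any stray word in SPDX_PACKAGE_URLS ends up in the SBOM the same way. I would validate the tokens before use, e.g. `for p in purls:` / `if not p.startswith("pkg:"):` / `bb.warn("Ignoring malformed purl %r in SPDX_PACKAGE_URLS for %s" % (p, package))` and drop those entries, assuming `bb` is available in oe.spdx30_tasks as it is elsewhere in meta/lib/oe. Emitting a one-time warning when SPDX_PACKAGE_URL is set would also make the deprecation visible rather than only documented. create_spdx starts and ends outside this hunk.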
