From: Stefano Tondo <[email protected]>

This series enhances the SPDX 3.0 SBOM generation with improvements focused on Package URL (PURL) coverage, source metadata enrichment, and compliance tooling integration.

Key changes:
- Configurable file filtering to reduce SBOM size
- Supplier metadata support for image and SDK SBOMs
- Ecosystem-specific PURL generation (Cargo, Go, PyPI, NPM, etc.)
- Git source version extraction and GitHub PURL generation
- External references (VCS, distribution, homepage) for source packages
- Image root metadata package with describes/contains relationships
- Rootfs version and dependency scope classification (runtime/build/test)
- Object deduplication fix preserving complete metadata
- CPE 2.3 special character escaping for SBOM validators
- Two selftest cases for download_location and version extraction

Total: 6 files changed, 687 insertions(+), 12 deletions(-)

Stefano Tondo (14):
  spdx30: Add configurable file filtering support
  spdx30: Add supplier support for image and SDK SBOMs
  spdx30: Add ecosystem-specific PURL generation
  spdx30: Add version extraction from SRCREV for Git source components
  spdx30: Add SPDX_GIT_PURL_MAPPINGS for Git hosting
  sbom30: Fix object deduplication to preserve complete data
  spdx30: Enrich source downloads with external refs and PURLs
  spdx30: Include recipe base PURL in package external identifiers
  spdx30: Add image root metadata package with describes relationship
  spdx30_tasks: Fix non-deterministic BUILDNAME in image package version
  spdx30: Add rootfs version and dependency scope classification
  oeqa/selftest: Add test for download_location defensive handling
  spdx.py: Add test for version extraction patterns
  cve_check: Escape special characters in CPE 2.3 formatted strings

 meta/classes/create-spdx-3.0.bbclass |  20 ++
 meta/classes/spdx-common.bbclass     |  37 ++
 meta/lib/oe/cve_check.py             |  37 +-
 meta/lib/oe/sbom30.py                |  47 ++-
 meta/lib/oe/spdx30_tasks.py          | 483 ++++++++++++++++++++++++++-
 meta/lib/oeqa/selftest/cases/spdx.py |  75 +++++
 6 files changed, 687 insertions(+), 12 deletions(-)

-- 
2.53.0
View/Reply Online (#231556): https://lists.openembedded.org/g/openembedded-core/message/231556
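The escaping rule behind the last item in the series, "CPE 2.3 special character escaping", as an added example that is not the cve_check.py code from the patch and is not part of the original message. It follows the CPE 2.3 formatted-string binding (NISTIR 7695): inside a component, only alphanumerics, `_`, `.` and `-` may appear unescaped, the logical values `*` (ANY) and `-` (NA) stand alone, and every other character, including `:`, `+`, `\`, and a literal `*` or `?`, must be preceded by a backslash. The function names, the validator and the sample vendor/product/version values (a Yocto-style `+git` PV) are constructed here for illustration and are assumptions, not OE-core API.

```python
import re

# Characters allowed unescaped inside one formatted-string component
# (NISTIR 7695, formatted string binding): alphanumerics, '_', '.', '-'.
_SAFE = re.compile(r"[A-Za-z0-9_.\-]")

# One component after binding: the logical values '*' / '-', or a run of safe
# chars and backslash-escaped punctuation, with unescaped '*' / '?' wildcards
# permitted only at the start or end of the component.
_FIELD = re.compile(r"^(?:\*|-|[?*]*(?:[A-Za-z0-9_.\-]|\\[^A-Za-z0-9_])+[?*]*)$")


def escape_cpe23_component(value):
    """Bind one literal value for a CPE 2.3 formatted-string field.

    None / empty -> '*' (ANY).  A bare '-' is the NA logical value and is
    left as is.  Everything else is a literal: each character outside the
    safe set gets a backslash, so ':' cannot shift the field positions and
    a literal '*' or '?' cannot silently turn into a wildcard.
    """
    if value is None or value == "":
        return "*"
    if value == "-":
        return "-"
    return "".join(ch if _SAFE.fullmatch(ch) else "\\" + ch for ch in value)


def build_cpe23(part, vendor, product, version, update=None, edition=None,
                language=None, sw_edition=None, target_sw=None,
                target_hw=None, other=None):
    """Assemble the 13-token 'cpe:2.3:' formatted string from literal values."""
    fields = [part, vendor, product, version, update, edition, language,
              sw_edition, target_sw, target_hw, other]
    return "cpe:2.3:" + ":".join(escape_cpe23_component(f) for f in fields)


def split_cpe23(cpe):
    """Split a formatted string on unescaped ':' only; return its 13 tokens.

    Raises ValueError when the token count is off, which is exactly what an
    unescaped ':' inside a vendor or product name causes.
    """
    tokens, cur, i = [], [], 0
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):      # keep escape + escaped char
            cur.append(ch)
            cur.append(cpe[i + 1])
            i += 2
            continue
        if ch == ":":
            tokens.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    tokens.append("".join(cur))
    if len(tokens) != 13 or tokens[0] != "cpe" or tokens[1] != "2.3":
        raise ValueError(f"malformed CPE 2.3 string ({len(tokens)} tokens): {cpe}")
    return tokens


def is_valid_cpe23(cpe):
    """Structural check a strict SBOM validator would apply to a CPE 2.3 string."""
    try:
        tokens = split_cpe23(cpe)
    except ValueError:
        return False
    if tokens[2] not in ("a", "o", "h"):
        return False
    return all(_FIELD.fullmatch(t) for t in tokens[3:])


# Constructed sample: a recipe whose name carries '+' and whose PV is a
# Yocto-style git-derived version.  Naive ':'.join() produces a string a
# validator rejects; the escaped form survives the round trip.
NAIVE = "cpe:2.3:a:gnome:gtk+:2.24.33+git:*:*:*:*:*:*:*"
ESCAPED = build_cpe23("a", "gnome", "gtk+", "2.24.33+git")

if __name__ == "__main__":
    print("naive  :", NAIVE, "valid" if is_valid_cpe23(NAIVE) else "INVALID")
    print("escaped:", ESCAPED, "valid" if is_valid_cpe23(ESCAPED) else "INVALID")
```

Two of the constructed cases are worth keeping in mind when reviewing the patch: an unescaped `:` in a value does not fail loudly at generation time, it just shifts every later field by one, and `1.2*` is a perfectly valid formatted string that means "any version starting with 1.2", so a literal asterisk in a version has to be written `1.2\*` or the match silently widens.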
