From: Stefano Tondo <[email protected]>

This patch adds lifecycle scope classification for SPDX 3.0 dependency relationships by reading runtime dependencies from package manifests.

Currently, SPDX 3.0 dependency relationships lack lifecycle scope classification - all dependencies appear the same regardless of whether they are build-time or runtime. This patch reads the package manager's manifest files to determine which dependencies are actually needed at runtime, enabling proper LifecycleScopeType annotation.

Key changes:
- Read runtime dependencies from package manifests (dpkg, rpm, ipk)
- Classify dependencies as runtime or build scope in SPDX relationships
- Add oe-selftest coverage for lifecycle scope classification
- Properly handle implicit shared library dependencies (e.g., glibc)

This enables downstream tools to distinguish build-time from runtime dependencies for vulnerability analysis and compliance assessment.

Stefano Tondo (1):
  spdx30: Read runtime dependencies from package manifests

 meta/classes/spdx-common.bbclass     |  53 +++++++++----
 meta/lib/oe/spdx30_tasks.py          | 112 ++++++++++++++++++++++++++-
 meta/lib/oeqa/selftest/cases/spdx.py |  78 +++++++++++++++++++
 3 files changed, 227 insertions(+), 16 deletions(-)

-- 
2.53.0
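The approach the cover letter describes, as an added illustration that is not part of the patch series or of the OpenEmbedded code base: a dpkg/ipk control file's `Depends:` field (the manifest the package manager installs from) supplies the runtime dependency set, the recipe's build-time dependency list supplies the build set, and each dependency becomes an SPDX 3.0 style relationship tagged with a single LifecycleScopeType. The control text, the build list and the package names are constructed sample data; the relationship dicts are a simplified rendering of SPDX 3.0 `LifecycleScopedRelationship` fields, not the output format of `spdx30_tasks.py`.

```python
"""Classify package dependencies into SPDX 3.0 lifecycle scopes.

Added example (not the OpenEmbedded patch's code). Runtime deps come from a
constructed dpkg/ipk control file; build deps from a constructed list that
stands in for a recipe's build-time dependencies. Names are package names on
both sides so the two sets can be compared directly.
"""
import re

# LifecycleScopeType values defined by SPDX 3.0.
LIFECYCLE_SCOPES = {"build", "design", "development", "runtime", "test", "other"}

# A dpkg dependency clause starts with the package name; everything after it
# (version constraint, architecture qualifier) is ignored here.
DPKG_DEP_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9+.-]*)")

# Constructed sample control file (same field syntax for dpkg and ipk).
CONTROL = """\
Package: example-app
Version: 1.0-r0
Depends: libc6 (>= 2.35), libssl3 (>= 3.0),
 zlib1g | libz1
Description: constructed sample package
"""

# Constructed build-time dependency list. libc6 and libssl3 are also runtime
# deps; cmake-native is only needed to build. Shared-library deps resolved at
# packaging time (here libc6) show up in the manifest even when a recipe never
# lists them explicitly, which is why the manifest, not the recipe, decides
# what is runtime.
BUILD_DEPENDS = ["libc6", "libssl3", "cmake-native"]


def parse_dpkg_depends(control_text):
    """Return package names from the 'Depends:' field of a control file.

    Handles continuation lines (leading whitespace), comma-separated clauses
    and '|' alternatives; every alternative is reported as a dependency.
    """
    field_lines = []
    in_field = False
    for line in control_text.splitlines():
        if line.startswith("Depends:"):
            in_field = True
            field_lines.append(line[len("Depends:"):])
        elif in_field and line[:1] in (" ", "\t"):
            field_lines.append(line)
        else:
            in_field = False
    deps = []
    for clause in " ".join(field_lines).split(","):
        for alt in clause.split("|"):
            m = DPKG_DEP_RE.match(alt)
            if m:
                deps.append(m.group(1))
    return deps


def relationship(src, dst, scope):
    """Simplified SPDX 3.0 LifecycleScopedRelationship as a dict."""
    if scope not in LIFECYCLE_SCOPES:
        raise ValueError("unknown lifecycle scope: %s" % scope)
    return {
        "type": "Relationship",
        "relationshipType": "dependsOn",
        "from": src,
        "to": dst,
        "scope": scope,
    }


def classify_dependencies(package, build_depends, runtime_depends):
    """Emit one relationship per (dependency, scope) pair.

    Everything in the installed-package manifest is 'runtime'; everything in
    the build list is 'build'. A dependency in both lists gets two
    relationships, since each SPDX 3.0 relationship carries a single scope.
    """
    rels = []
    for dep in sorted(set(runtime_depends)):
        rels.append(relationship(package, dep, "runtime"))
    for dep in sorted(set(build_depends)):
        rels.append(relationship(package, dep, "build"))
    return rels


def scopes_for(rels, dep):
    """Set of lifecycle scopes recorded for one dependency."""
    return {r["scope"] for r in rels if r["to"] == dep}


if __name__ == "__main__":
    runtime = parse_dpkg_depends(CONTROL)
    for r in classify_dependencies("example-app", BUILD_DEPENDS, runtime):
        print("%s -> %s [%s]" % (r["from"], r["to"], r["scope"]))
```

Running the block prints seven relationships: four runtime ones from the manifest (libc6, libssl3, zlib1g, libz1) and three build ones from the recipe list, so a consumer can tell that cmake-native never reaches the image while libc6 matters for both builds and deployed vulnerability analysis.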
View/Reply Online (#231571): https://lists.openembedded.org/g/openembedded-core/message/231571