From: Stefano Tondo <[email protected]> Extract version information for Git-based source components in SPDX 3.0 SBOMs to improve SBOM completeness and enable better supply chain tracking.
Problem: Git repositories fetched as SRC_URI entries currently appear in SBOMs without version information (software_packageVersion is null). This makes it difficult to track which specific revision of a dependency was used, reducing SBOM usefulness for security and compliance tracking. Solution: - Extract SRCREV for Git sources and use it as packageVersion - Use fd.revision attribute (the resolved Git commit) - Fallback to SRCREV variable if fd.revision not available - Use first 12 characters as version (standard Git short hash) - Generate pkg:github PURLs for GitHub repositories (official PURL type) - Add comprehensive debug logging for troubleshooting Impact: - Git source components now have version information - GitHub repositories get proper PURLs (pkg:github/owner/repo@commit) - Enables tracking specific commit dependencies in SBOMs Signed-off-by: Stefano Tondo <[email protected]> --- meta/lib/oe/spdx30_tasks.py | 79 +++++++++++++++++++++++++++++++++++++ 1 file changed, 79 insertions(+) diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py index 0ee39ffcd5..970921e986 100644 --- a/meta/lib/oe/spdx30_tasks.py +++ b/meta/lib/oe/spdx30_tasks.py @@ -569,6 +569,85 @@ def add_download_files(d, objset): ) ) + # Extract version and PURL for source packages + dep_version = None + dep_purl = None + + # For Git repositories, extract version from SRCREV + if fd.type == "git": + srcrev = None + + # Try to get SRCREV for this specific source URL + # Note: fd.revision (not fd.revisions) contains the resolved revision + if hasattr(fd, 'revision') and fd.revision: + srcrev = fd.revision + bb.debug(1, f"SPDX: Found fd.revision for {file_name}: {srcrev}") + + # Fallback to general SRCREV variable + if not srcrev: + srcrev = d.getVar('SRCREV') + if srcrev: + bb.debug(1, f"SPDX: Using SRCREV variable for {file_name}: {srcrev}") + + if srcrev and srcrev not in ['${AUTOREV}', 'AUTOINC', 'INVALID']: + # Use first 12 characters of Git commit as version (standard Git short hash) + dep_version = srcrev[:12] if len(srcrev) >= 12 else srcrev + bb.debug(1, f"SPDX: Extracted Git version for {file_name}: {dep_version}") + + # Generate PURL for Git hosting services + # Reference: https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst + download_location = oe.spdx_common.fetch_data_to_uri(fd, fd.name) + if download_location and download_location.startswith('git+'): + git_url = download_location[4:] # Remove 'git+' prefix + + # Build Git PURL handlers from default + custom mappings + # Format: 'domain': ('purl_type', lambda to extract path) + # Can be extended in meta-siemens or other layers via SPDX_GIT_PURL_MAPPINGS + git_purl_handlers = { + 'github.com': ('pkg:github', lambda parts: f"{parts[0]}/{parts[1].replace('.git', '')}" if len(parts) >= 2 else None), + # Note: pkg:gitlab is NOT in official PURL spec, so we omit it by default + # Other Git hosts can be added via SPDX_GIT_PURL_MAPPINGS + } + + # Allow layers to extend PURL mappings via SPDX_GIT_PURL_MAPPINGS variable + # Format: "domain1:purl_type1 domain2:purl_type2" + # Example: SPDX_GIT_PURL_MAPPINGS = "gitlab.com:pkg:gitlab git.example.com:pkg:generic" + custom_mappings = d.getVar('SPDX_GIT_PURL_MAPPINGS') + if custom_mappings: + for mapping in custom_mappings.split(): + try: + domain, purl_type = mapping.split(':') + # Use simple path handler for custom domains + git_purl_handlers[domain] = (purl_type, lambda parts: f"{parts[0]}/{parts[1].replace('.git', '')}" if len(parts) >= 2 else None) + bb.debug(2, f"SPDX: Added custom Git PURL mapping: {domain} -> {purl_type}") + except ValueError: + bb.warn(f"SPDX: Invalid SPDX_GIT_PURL_MAPPINGS entry: {mapping} (expected format: domain:purl_type)") + + for domain, (purl_type, path_handler) in git_purl_handlers.items(): + if f'://{domain}/' in git_url or f'//{domain}/' in git_url: + # Extract path after domain + path_start = git_url.find(f'{domain}/') + len(f'{domain}/') + path = git_url[path_start:].split('/') + purl_path = path_handler(path) + if purl_path: + dep_purl = f"{purl_type}/{purl_path}@{srcrev}" + bb.debug(1, f"SPDX: Generated {purl_type} PURL: {dep_purl}") + break + + # Fallback: use parent package version if no other version found + if not dep_version: + pv = d.getVar('PV') + if pv and pv not in ['git', 'AUTOINC', 'INVALID', '${PV}']: + dep_version = pv + bb.debug(1, f"SPDX: Using parent PV for {file_name}: {dep_version}") + + # Set version and PURL if extracted + if dep_version: + dl.software_packageVersion = dep_version + + if dep_purl: + dl.software_packageUrl = dep_purl + if fd.method.supports_checksum(fd): # TODO Need something better than hard coding this for checksum_id in ["sha256", "sha1"]: -- 2.53.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#231584): https://lists.openembedded.org/g/openembedded-core/message/231584 Mute This Topic: https://lists.openembedded.org/mt/117922736/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
