On Wed Mar 4, 2026 at 5:44 PM CET, Joshua Watt via lists.openembedded.org wrote: > Changes the SPDX 3 output to include a "recipe" package that describe > static information available at parse time (without building). This is > primarily useful for gathering SPDX 3 VEX information about some or all > recipes, enabling SPDX 3 to be used in place of cve_check.bbclass and > vex.bbclass. > > Special thanks to Benjamin Robin <[email protected]> for > helping work through this. > > V2: Fixes a bug where do_populate_sysroot was running when it should not > be. Drops the patch to ignore ASSUME_PROVIDES recipes, since this is > incorrect (this is already handled by bitbake in the taskgraph, and > doesn't need to be manually removed). > > V3: Fixes a bug where meta-world-recipe-sbom was reporting a circular > dependency. meta-world-recipe-sbom also no longer runs in world builds, > as there's no reason to this. Finally, fixes a bug where > NO_GENERIC_LICENSE files would fail to be found in do_create_spdx > (because do_unpack was not run). > > V4: Fixes test cases. Adds SPDX_PACKAGE_INCLUDE_VEX to control if VEX > information is linked to binary packages, or just recipes. Defaults to > "0" to significantly reduce the size of the SPDX output. > > V5: Fixes dummy-sdk-packages to not generate SPDX output, since it > does funny things with its arch which prevents it from rebuilding SPDX > data properly, and no SPDX data is needed for it anyway > > Joshua Watt (13): > llvm-project-source: Use allarch.bbclass > gcc-source: Use allarch.bbclass > spdx3: Add recipe SPDX data > spdx3: Add recipe SBoM task > spdx3: Add is-native property > spdx30: Include patch file information in VEX > spdx: De-duplicate CreationInfo > spdx_common: Check for dependent task in task flags > spdx30: Skip install package CVE information > dummy-sdk-package: Disable SPDX > spdx: Remove fatal errors for missing providers > spdx3: Use common variable for vardeps > glibc-testsuite: Do not generate SPDX > > meta/classes-global/sstate.bbclass | 4 +- > .../create-spdx-image-3.0.bbclass | 4 +- > .../create-spdx-sdk-3.0.bbclass | 4 +- > meta/classes-recipe/kernel.bbclass | 2 +- > meta/classes-recipe/nospdx.bbclass | 1 + > meta/classes/create-spdx-2.2.bbclass | 15 +- > meta/classes/create-spdx-3.0.bbclass | 87 ++- > meta/classes/spdx-common.bbclass | 22 +- > meta/conf/distro/include/maintainers.inc | 1 + > meta/lib/oe/sbom30.py | 192 ++++--- > meta/lib/oe/spdx30.py | 2 +- > meta/lib/oe/spdx30_tasks.py | 496 +++++++++++++----- > meta/lib/oe/spdx_common.py | 11 + > meta/lib/oeqa/selftest/cases/spdx.py | 41 +- > .../glibc/glibc-testsuite_2.42.bb | 1 + > meta/recipes-core/meta/dummy-sdk-package.inc | 1 + > .../meta/meta-world-recipe-sbom.bb | 29 + > .../clang/llvm-project-source.inc | 8 +- > meta/recipes-devtools/gcc/gcc-source.inc | 16 +- > 19 files changed, 667 insertions(+), 270 deletions(-) > create mode 100644 meta/recipes-core/meta/meta-world-recipe-sbom.bb
Ok, we are almost there! We only have a selftest failure now: 2026-03-05 16:33:10,060 - oe-selftest - INFO - sysroot.SysrootTests.test_sysroot_cleanup (subunit.RemotedTestCase) 2026-03-05 16:33:10,061 - oe-selftest - INFO - ... FAIL ... ERROR: sysroot-test-1.0-r0 do_create_spdx: Could not find a builds SPDX document named build-sysroot-test-arch1 https://autobuilder.yoctoproject.org/valkyrie/#/builders/23/builds/3457 https://autobuilder.yoctoproject.org/valkyrie/#/builders/35/builds/3338 https://autobuilder.yoctoproject.org/valkyrie/#/builders/48/builds/3227 Thanks, Mathieu -- Mathieu Dubois-Briand, Bootlin Embedded Linux and Kernel engineering https://bootlin.com
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#232516): https://lists.openembedded.org/g/openembedded-core/message/232516 Mute This Topic: https://lists.openembedded.org/mt/118135789/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
