From: Stefano Tondo <[email protected]>
This series enhances SPDX 3.0 SBOM generation with enriched
metadata, ecosystem-specific Package URLs, and compliance
improvements.
Changes since v8 (addressing Joshua Watt's review):
1/7: File exclusion now uses re.compile() for proper regex
matching instead of substring matching. Excluded files
are tracked in a set() returned from add_package_files()
and passed to get_package_sources_from_debug() for
precise cross-checking.
2/7: Unchanged (Reviewed-by added).
3/7: Fixed npm_spdx_name() to use bpn[5:] instead of bpn[4:]
since "node-" is 5 characters.
4/7: Dropped PV fallback for non-Git source versions since
the recipe version does not necessarily match individual
downloaded file versions. Ecosystem PURLs (which include
version) from SPDX_PACKAGE_URLS are still used.
5/7: Renamed recipe-m4/recipe-tar to build-m4/build-tar in
tests to align with upstream rename.
6/7: Unchanged (Reviewed-by added).
7/7: Unchanged (Reviewed-by added).
Stefano Tondo (7):
spdx30: Add configurable file exclusion pattern support
spdx30: Add supplier support for image and SDK SBOMs
spdx30: Add ecosystem-specific PURL generation via bbclasses
spdx30: Enrich source downloads with version and PURL
oeqa/selftest: Add tests for source download enrichment
cve_check: Escape special characters in CPE 2.3 strings
spdx-common: Add documentation for undocumented SPDX variables
meta/classes-recipe/cargo_common.bbclass | 3 +
meta/classes-recipe/cpan.bbclass | 11 ++
meta/classes-recipe/go-mod.bbclass | 3 +
meta/classes-recipe/npm.bbclass | 7 +
meta/classes-recipe/pypi.bbclass | 3 +
meta/classes/create-spdx-3.0.bbclass | 17 +++
meta/classes/spdx-common.bbclass | 33 +++++
meta/lib/oe/cve_check.py | 38 ++++-
meta/lib/oe/spdx30_tasks.py | 175 +++++++++++++++++++++--
meta/lib/oeqa/selftest/cases/spdx.py | 71 ++++++++-
10 files changed, 351 insertions(+), 10 deletions(-)
--
2.53.0
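The 1/7 change above, as an added illustration that is not code from this series: the function names follow the changelog, but the bodies, the exclusion patterns and the file lists are constructed here to show why a compiled regex behaves differently from a substring test, and how the returned set of excluded files feeds the debug-source cross-check.

```python
import re

# Constructed sample data standing in for a package's installed file list and
# the debug-file -> source mapping; not taken from any real recipe.
PACKAGE_FILES = [
    "/usr/bin/tool",
    "/usr/lib/libfoo.so.1",
    "/usr/share/doc/foo/README",
    "/usr/lib/debug/usr/bin/tool.debug",
    "/usr/share/man/man1/tool.1",
]
DEBUG_SOURCES = {
    "/usr/lib/debug/usr/bin/tool.debug": ["/usr/src/debug/foo/tool.c"],
}
# Patterns a recipe might place in an exclusion variable (hypothetical values).
EXCLUDE_PATTERNS = [r"\.debug$", r"^/usr/share/man/"]


def compile_exclusions(patterns):
    """Compile every pattern once; an invalid regex raises re.error up front."""
    return [re.compile(p) for p in patterns]


def substring_exclusion(files, patterns):
    """Pre-v9 behaviour, kept only for contrast: a literal substring test.
    Regex anchors and escapes are taken literally, so these patterns match nothing."""
    return {f for f in files if any(p in f for p in patterns)}


def add_package_files(files, exclusions):
    """Return (included files, excluded set); exclusion is by regex search."""
    included, excluded = [], set()
    for path in files:
        if any(rx.search(path) for rx in exclusions):
            excluded.add(path)
        else:
            included.append(path)
    return included, excluded


def get_package_sources_from_debug(debug_map, excluded):
    """Collect debug sources, skipping debug files that were excluded above so the
    SBOM does not reference sources for files it no longer lists."""
    sources = set()
    for debug_file, srcs in debug_map.items():
        if debug_file not in excluded:
            sources.update(srcs)
    return sources
```

With `EXCLUDE_PATTERNS`, the substring variant excludes nothing while the regex variant drops the `.debug` file and the man page, and the debug-source pass then yields no sources for the excluded debug file.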
View/Reply Online (#232973):
https://lists.openembedded.org/g/openembedded-core/message/232973