On Tue, May 12, 2026 at 11:02 AM Jérémie Dautheribes via
lists.openembedded.org
<[email protected]> wrote:
>
> In preparation for upcoming work, introduce a new SPDX_SBOM_EXT variable
> that explicitly defines the file extension used for generated SBOM files.
>
> Keep the default value ".spdx.json" to maintain compatibility with the
> current behavior.
>
> Co-authored-by: Benjamin Robin (Schneider Electric)
> <[email protected]>
> Signed-off-by: Jérémie Dautheribes (Schneider Electric)
> <[email protected]>
> ---
> meta/classes-recipe/sbom-cve-check.bbclass | 2 +-
> meta/classes/create-spdx-3.0.bbclass | 3 +++
> meta/classes/sbom-cve-check-recipe.bbclass | 2 +-
> meta/lib/oe/spdx30_tasks.py | 12 +++++++-----
> 4 files changed, 12 insertions(+), 7 deletions(-)
>
> diff --git a/meta/classes-recipe/sbom-cve-check.bbclass
> b/meta/classes-recipe/sbom-cve-check.bbclass
> index fe145a2212..ddecb82e52 100644
> --- a/meta/classes-recipe/sbom-cve-check.bbclass
> +++ b/meta/classes-recipe/sbom-cve-check.bbclass
> @@ -14,7 +14,7 @@ python do_sbom_cve_check() {
> """
> Task: Run sbom-cve-check analysis on SBOM.
> """
> - sbom_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.spdx.json")
> + sbom_path =
> d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}${SPDX_SBOM_EXT}")
> image_name = d.getVar("IMAGE_NAME")
> link_name = d.getVar("IMAGE_LINK_NAME")
> run_sbom_cve_check(d, sbom_path, image_name, link_name)
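Review bot: The expanded path on the `+` line degrades silently when SPDX_SBOM_EXT is unset, because `d.expand` leaves an undefined `${SPDX_SBOM_EXT}` reference in the string as literal text, so `sbom_path` would end in `${SPDX_SBOM_EXT}` rather than a real extension and the check would look for a file that never exists. The `??=` default lives in create-spdx-3.0.bbclass, not in this class, so this only holds if that class is always inherited alongside sbom-cve-check, which I cannot confirm from the hunk. If that is not guaranteed, either fail early with `bb.fatal("SPDX_SBOM_EXT is not set")` when `d.getVar("SPDX_SBOM_EXT")` is falsy, or give this class its own `SPDX_SBOM_EXT ??= ".spdx.json"` so producer and consumer agree; the same concern applies to the recipe variant in sbom-cve-check-recipe.bbclass. The closing brace of do_sbom_cve_check is outside the hunk.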
> diff --git a/meta/classes/create-spdx-3.0.bbclass
> b/meta/classes/create-spdx-3.0.bbclass
> index 56fd01fd53..785edb9865 100644
> --- a/meta/classes/create-spdx-3.0.bbclass
> +++ b/meta/classes/create-spdx-3.0.bbclass
> @@ -74,6 +74,9 @@ SPDX_IMPORTS[doc] = "SPDX_IMPORTS is the base variable that
> describes how to \
> algorithms, as described by the HashAlgorithm vocabulary in the\
> SPDX 3 spec. Optional but recommended"
>
> +SPDX_SBOM_EXT ??= ".spdx.json"
We should perhaps consider making this SPDX_SBOM_EXT_SUFFIX instead;
.spdx.json is the ISO standard extension for SPDX documents and is
non-optional.
> +SPDX_SBOM_EXT[doc] = "SBOM file extension name."
> +
> # Agents
> # Bitbake variables can be used to describe an SPDX Agent that may be used
> # during the build. An Agent is specified using a set of variables which
> all
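Review bot: The `[doc]` string on the new variable does not tell a distro maintainer what a valid value looks like or who consumes it, which matters because the sbom-cve-check classes build file paths from it and a value without the leading dot (or with a path separator) would make the deployed SBOM and the checker disagree on the filename. I would spell that out, e.g. `SPDX_SBOM_EXT[doc] = "File extension, including the leading dot, appended to the deployed image, SDK and recipe SBOM names (default .spdx.json). Also used by the sbom-cve-check classes to locate the deployed SBOM, so it must match the producer."` Since it is a `??=` weak default, a plain `?=` elsewhere overrides it; the doc could mention that if overriding is the intended use of the variable.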
> diff --git a/meta/classes/sbom-cve-check-recipe.bbclass
> b/meta/classes/sbom-cve-check-recipe.bbclass
> index c80b8ac83f..eaad73ddaf 100644
> --- a/meta/classes/sbom-cve-check-recipe.bbclass
> +++ b/meta/classes/sbom-cve-check-recipe.bbclass
> @@ -16,7 +16,7 @@ python do_sbom_cve_check_recipe() {
> """
> Task: Run sbom-cve-check analysis on a recipe SBOM.
> """
> - sbom_path =
> d.expand("${DEPLOY_DIR_IMAGE}/${SPDX_RECIPE_SBOM_NAME}.spdx.json")
> + sbom_path =
> d.expand("${DEPLOY_DIR_IMAGE}/${SPDX_RECIPE_SBOM_NAME}${SPDX_SBOM_EXT}")
> recipe = d.getVar("SPDX_RECIPE_SBOM_NAME")
> run_sbom_cve_check(d, sbom_path, recipe)
> }
> diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
> index 1821dd7de4..63d93c7901 100644
> --- a/meta/lib/oe/spdx30_tasks.py
> +++ b/meta/lib/oe/spdx30_tasks.py
> @@ -1526,8 +1526,9 @@ def create_image_sbom_spdx(d):
> image_link_name = d.getVar("IMAGE_LINK_NAME")
> imgdeploydir = Path(d.getVar("SPDXIMAGEDEPLOYDIR"))
> machine = d.getVar("MACHINE")
> + sbom_ext = d.getVar("SPDX_SBOM_EXT")
>
> - spdx_path = imgdeploydir / (image_name + ".spdx.json")
> + spdx_path = imgdeploydir / f"{image_name}{sbom_ext}"
>
> root_elements = []
>
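Review bot: `d.getVar("SPDX_SBOM_EXT")` returns None when the variable is unset, and the f-string on the following `+` line then quietly writes `<image_name>None` into the deploy directory instead of failing; the same `sbom_ext` is reused as the suffix for `make_image_link` later in this function, so the image link would carry the bogus suffix too. Guard it right after the lookup, `if not sbom_ext:` followed by `bb.fatal("SPDX_SBOM_EXT must be set, e.g. '.spdx.json'")` (or whichever error path this module already uses; its imports are not in view). The same lookup is repeated in create_sdk_sbom and create_recipe_sbom, so a tiny `_sbom_ext(d)` helper doing the validation once would keep the three call sites consistent. create_image_sbom_spdx begins before and continues past this hunk.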
> @@ -1567,7 +1568,7 @@ def create_image_sbom_spdx(d):
> if link != target_path:
> link.symlink_to(os.path.relpath(target_path, link.parent))
>
> - make_image_link(spdx_path, ".spdx.json")
> + make_image_link(spdx_path, sbom_ext)
>
>
> def sdk_create_spdx(d, sdk_type, spdx_work_dir, toolchain_outputname):
> @@ -1603,6 +1604,7 @@ def sdk_create_spdx(d, sdk_type, spdx_work_dir,
> toolchain_outputname):
>
>
> def create_sdk_sbom(d, sdk_deploydir, spdx_work_dir, toolchain_outputname):
> + sbom_ext = d.getVar("SPDX_SBOM_EXT")
> # Load the document written earlier
> rootfs_objset = oe.sbom30.load_jsonld(
> d, spdx_work_dir / "sdk-rootfs.spdx.json", required=True
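Review bot: With `sbom_ext` introduced on the `+` line, the hard-coded `"sdk-rootfs.spdx.json"` two lines below now diverges from the configurable extension, and a reader cannot tell from this hunk whether that is deliberate. It looks like an intermediate document in `spdx_work_dir` rather than a deployed artifact, presumably written by sdk_create_spdx with the same literal name, in which case it should stay as is; if so, a comment would save the next reader the question, e.g. `# Intermediate work file; its name is internal to the SDK tasks and deliberately not governed by SPDX_SBOM_EXT`. If it is meant to follow SPDX_SBOM_EXT, the writer side needs the same change or the load will fail. create_sdk_sbom continues past this hunk.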
> @@ -1681,15 +1683,15 @@ def create_sdk_sbom(d, sdk_deploydir, spdx_work_dir,
> toolchain_outputname):
> elem.suppliedBy = supplier_id
>
> oe.sbom30.write_jsonld_doc(
> - d, objset, sdk_deploydir / (toolchain_outputname + ".spdx.json")
> + d, objset, sdk_deploydir / f"{toolchain_outputname}{sbom_ext}"
> )
>
>
> def create_recipe_sbom(d, deploydir):
> sbom_name = d.getVar("SPDX_RECIPE_SBOM_NAME")
> -
> + sbom_ext = d.getVar("SPDX_SBOM_EXT")
> recipe, recipe_objset = load_recipe_spdx(d)
>
> objset, sbom = oe.sbom30.create_sbom(d, sbom_name, [recipe],
> [recipe_objset])
>
> - oe.sbom30.write_jsonld_doc(d, objset, deploydir / (sbom_name +
> ".spdx.json"))
> + oe.sbom30.write_jsonld_doc(d, objset, deploydir /
> f"{sbom_name}{sbom_ext}")
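Review bot: create_recipe_sbom is shown in full here and has no docstring, and after this change the filename it produces depends on two BitBake variables that a caller has to know about. A one-line docstring would cover it: `"""Write the SBOM for SPDX_RECIPE_SBOM_NAME into deploydir as <SPDX_RECIPE_SBOM_NAME><SPDX_SBOM_EXT>."""`. As in create_image_sbom_spdx, an unset SPDX_SBOM_EXT yields a `None` suffix in the f-string rather than an error, so whatever guard is adopted there should be applied to this `sbom_ext` as well.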
>
> --
> 2.54.0
>
>
>
>