| Andrew Geissler | 5199d83 | 2021-09-24 16:47:35 -0500 | [diff] [blame] | 1 | # | 
|  | 2 | # SPDX-License-Identifier: GPL-2.0-only | 
|  | 3 | # | 
|  | 4 |  | 
|  | 5 | DEPLOY_DIR_SPDX ??= "${DEPLOY_DIR}/spdx/${MACHINE}" | 
|  | 6 |  | 
|  | 7 | # The product name that the CVE database uses.  Defaults to BPN, but may need to | 
|  | 8 | # be overriden per recipe (for example tiff.bb sets CVE_PRODUCT=libtiff). | 
|  | 9 | CVE_PRODUCT ??= "${BPN}" | 
|  | 10 | CVE_VERSION ??= "${PV}" | 
|  | 11 |  | 
|  | 12 | SPDXDIR ??= "${WORKDIR}/spdx" | 
|  | 13 | SPDXDEPLOY = "${SPDXDIR}/deploy" | 
|  | 14 | SPDXWORK = "${SPDXDIR}/work" | 
|  | 15 |  | 
|  | 16 | SPDXRUNTIMEDEPLOY = "${SPDXDIR}/runtime-deploy" | 
|  | 17 |  | 
|  | 18 | SPDX_INCLUDE_SOURCES ??= "0" | 
|  | 19 | SPDX_INCLUDE_PACKAGED ??= "0" | 
|  | 20 | SPDX_ARCHIVE_SOURCES ??= "0" | 
|  | 21 | SPDX_ARCHIVE_PACKAGED ??= "0" | 
|  | 22 |  | 
|  | 23 | SPDX_UUID_NAMESPACE ??= "sbom.openembedded.org" | 
|  | 24 | SPDX_NAMESPACE_PREFIX ??= "http://spdx.org/spdxdoc" | 
|  | 25 |  | 
|  | 26 | SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json" | 
|  | 27 |  | 
|  | 28 | do_image_complete[depends] = "virtual/kernel:do_create_spdx" | 
|  | 29 |  | 
|  | 30 | def get_doc_namespace(d, doc): | 
|  | 31 | import uuid | 
|  | 32 | namespace_uuid = uuid.uuid5(uuid.NAMESPACE_DNS, d.getVar("SPDX_UUID_NAMESPACE")) | 
|  | 33 | return "%s/%s-%s" % (d.getVar("SPDX_NAMESPACE_PREFIX"), doc.name, str(uuid.uuid5(namespace_uuid, doc.name))) | 
|  | 34 |  | 
|  | 35 |  | 
|  | 36 | def is_work_shared(d): | 
|  | 37 | pn = d.getVar('PN') | 
|  | 38 | return bb.data.inherits_class('kernel', d) or pn.startswith('gcc-source') | 
|  | 39 |  | 
|  | 40 |  | 
|  | 41 | python() { | 
|  | 42 | import json | 
|  | 43 | if d.getVar("SPDX_LICENSE_DATA"): | 
|  | 44 | return | 
|  | 45 |  | 
|  | 46 | with open(d.getVar("SPDX_LICENSES"), "r") as f: | 
|  | 47 | data = json.load(f) | 
|  | 48 | # Transform the license array to a dictionary | 
|  | 49 | data["licenses"] = {l["licenseId"]: l for l in data["licenses"]} | 
|  | 50 | d.setVar("SPDX_LICENSE_DATA", data) | 
|  | 51 | } | 
|  | 52 |  | 
|  | 53 | def convert_license_to_spdx(lic, document, d, existing={}): | 
|  | 54 | from pathlib import Path | 
|  | 55 | import oe.spdx | 
|  | 56 |  | 
|  | 57 | available_licenses = d.getVar("AVAILABLE_LICENSES").split() | 
|  | 58 | license_data = d.getVar("SPDX_LICENSE_DATA") | 
|  | 59 | extracted = {} | 
|  | 60 |  | 
|  | 61 | def add_extracted_license(ident, name): | 
|  | 62 | nonlocal document | 
|  | 63 |  | 
|  | 64 | if name in extracted: | 
|  | 65 | return | 
|  | 66 |  | 
|  | 67 | extracted_info = oe.spdx.SPDXExtractedLicensingInfo() | 
|  | 68 | extracted_info.name = name | 
|  | 69 | extracted_info.licenseId = ident | 
|  | 70 | extracted_info.extractedText = None | 
|  | 71 |  | 
|  | 72 | if name == "PD": | 
|  | 73 | # Special-case this. | 
|  | 74 | extracted_info.extractedText = "Software released to the public domain" | 
|  | 75 | elif name in available_licenses: | 
|  | 76 | # This license can be found in COMMON_LICENSE_DIR or LICENSE_PATH | 
|  | 77 | for directory in [d.getVar('COMMON_LICENSE_DIR')] + d.getVar('LICENSE_PATH').split(): | 
|  | 78 | try: | 
|  | 79 | with (Path(directory) / name).open(errors="replace") as f: | 
|  | 80 | extracted_info.extractedText = f.read() | 
|  | 81 | break | 
|  | 82 | except FileNotFoundError: | 
|  | 83 | pass | 
|  | 84 | if extracted_info.extractedText is None: | 
|  | 85 | # Error out, as the license was in available_licenses so should | 
|  | 86 | # be on disk somewhere. | 
|  | 87 | bb.error("Cannot find text for license %s" % name) | 
|  | 88 | else: | 
|  | 89 | # If it's not SPDX, or PD, or in available licenses, then NO_GENERIC_LICENSE must be set | 
|  | 90 | filename = d.getVarFlag('NO_GENERIC_LICENSE', name) | 
|  | 91 | if filename: | 
|  | 92 | filename = d.expand("${S}/" + filename) | 
|  | 93 | with open(filename, errors="replace") as f: | 
|  | 94 | extracted_info.extractedText = f.read() | 
|  | 95 | else: | 
|  | 96 | bb.error("Cannot find any text for license %s" % name) | 
|  | 97 |  | 
|  | 98 | extracted[name] = extracted_info | 
|  | 99 | document.hasExtractedLicensingInfos.append(extracted_info) | 
|  | 100 |  | 
|  | 101 | def convert(l): | 
|  | 102 | if l == "(" or l == ")": | 
|  | 103 | return l | 
|  | 104 |  | 
|  | 105 | if l == "&": | 
|  | 106 | return "AND" | 
|  | 107 |  | 
|  | 108 | if l == "|": | 
|  | 109 | return "OR" | 
|  | 110 |  | 
|  | 111 | if l == "CLOSED": | 
|  | 112 | return "NONE" | 
|  | 113 |  | 
|  | 114 | spdx_license = d.getVarFlag("SPDXLICENSEMAP", l) or l | 
|  | 115 | if spdx_license in license_data["licenses"]: | 
|  | 116 | return spdx_license | 
|  | 117 |  | 
|  | 118 | try: | 
|  | 119 | spdx_license = existing[l] | 
|  | 120 | except KeyError: | 
|  | 121 | spdx_license = "LicenseRef-" + l | 
|  | 122 | add_extracted_license(spdx_license, l) | 
|  | 123 |  | 
|  | 124 | return spdx_license | 
|  | 125 |  | 
|  | 126 | lic_split = lic.replace("(", " ( ").replace(")", " ) ").split() | 
|  | 127 |  | 
|  | 128 | return ' '.join(convert(l) for l in lic_split) | 
|  | 129 |  | 
|  | 130 |  | 
|  | 131 | def process_sources(d): | 
|  | 132 | pn = d.getVar('PN') | 
|  | 133 | assume_provided = (d.getVar("ASSUME_PROVIDED") or "").split() | 
|  | 134 | if pn in assume_provided: | 
|  | 135 | for p in d.getVar("PROVIDES").split(): | 
|  | 136 | if p != pn: | 
|  | 137 | pn = p | 
|  | 138 | break | 
|  | 139 |  | 
|  | 140 | # glibc-locale: do_fetch, do_unpack and do_patch tasks have been deleted, | 
|  | 141 | # so avoid archiving source here. | 
|  | 142 | if pn.startswith('glibc-locale'): | 
|  | 143 | return False | 
|  | 144 | if d.getVar('PN') == "libtool-cross": | 
|  | 145 | return False | 
|  | 146 | if d.getVar('PN') == "libgcc-initial": | 
|  | 147 | return False | 
|  | 148 | if d.getVar('PN') == "shadow-sysroot": | 
|  | 149 | return False | 
|  | 150 |  | 
|  | 151 | # We just archive gcc-source for all the gcc related recipes | 
|  | 152 | if d.getVar('BPN') in ['gcc', 'libgcc']: | 
|  | 153 | bb.debug(1, 'spdx: There is bug in scan of %s is, do nothing' % pn) | 
|  | 154 | return False | 
|  | 155 |  | 
|  | 156 | return True | 
|  | 157 |  | 
|  | 158 |  | 
|  | 159 | def add_package_files(d, doc, spdx_pkg, topdir, get_spdxid, get_types, *, archive=None, ignore_dirs=[], ignore_top_level_dirs=[]): | 
|  | 160 | from pathlib import Path | 
|  | 161 | import oe.spdx | 
|  | 162 | import hashlib | 
|  | 163 |  | 
|  | 164 | source_date_epoch = d.getVar("SOURCE_DATE_EPOCH") | 
|  | 165 | if source_date_epoch: | 
|  | 166 | source_date_epoch = int(source_date_epoch) | 
|  | 167 |  | 
|  | 168 | sha1s = [] | 
|  | 169 | spdx_files = [] | 
|  | 170 |  | 
|  | 171 | file_counter = 1 | 
|  | 172 | for subdir, dirs, files in os.walk(topdir): | 
|  | 173 | dirs[:] = [d for d in dirs if d not in ignore_dirs] | 
|  | 174 | if subdir == str(topdir): | 
|  | 175 | dirs[:] = [d for d in dirs if d not in ignore_top_level_dirs] | 
|  | 176 |  | 
|  | 177 | for file in files: | 
|  | 178 | filepath = Path(subdir) / file | 
|  | 179 | filename = str(filepath.relative_to(topdir)) | 
|  | 180 |  | 
|  | 181 | if filepath.is_file() and not filepath.is_symlink(): | 
|  | 182 | spdx_file = oe.spdx.SPDXFile() | 
|  | 183 | spdx_file.SPDXID = get_spdxid(file_counter) | 
|  | 184 | for t in get_types(filepath): | 
|  | 185 | spdx_file.fileTypes.append(t) | 
|  | 186 | spdx_file.fileName = filename | 
|  | 187 |  | 
|  | 188 | if archive is not None: | 
|  | 189 | with filepath.open("rb") as f: | 
|  | 190 | info = archive.gettarinfo(fileobj=f) | 
|  | 191 | info.name = filename | 
|  | 192 | info.uid = 0 | 
|  | 193 | info.gid = 0 | 
|  | 194 | info.uname = "root" | 
|  | 195 | info.gname = "root" | 
|  | 196 |  | 
|  | 197 | if source_date_epoch is not None and info.mtime > source_date_epoch: | 
|  | 198 | info.mtime = source_date_epoch | 
|  | 199 |  | 
|  | 200 | archive.addfile(info, f) | 
|  | 201 |  | 
|  | 202 | sha1 = bb.utils.sha1_file(filepath) | 
|  | 203 | sha1s.append(sha1) | 
|  | 204 | spdx_file.checksums.append(oe.spdx.SPDXChecksum( | 
|  | 205 | algorithm="SHA1", | 
|  | 206 | checksumValue=sha1, | 
|  | 207 | )) | 
|  | 208 | spdx_file.checksums.append(oe.spdx.SPDXChecksum( | 
|  | 209 | algorithm="SHA256", | 
|  | 210 | checksumValue=bb.utils.sha256_file(filepath), | 
|  | 211 | )) | 
|  | 212 |  | 
|  | 213 | doc.files.append(spdx_file) | 
|  | 214 | doc.add_relationship(spdx_pkg, "CONTAINS", spdx_file) | 
|  | 215 | spdx_pkg.hasFiles.append(spdx_file.SPDXID) | 
|  | 216 |  | 
|  | 217 | spdx_files.append(spdx_file) | 
|  | 218 |  | 
|  | 219 | file_counter += 1 | 
|  | 220 |  | 
|  | 221 | sha1s.sort() | 
|  | 222 | verifier = hashlib.sha1() | 
|  | 223 | for v in sha1s: | 
|  | 224 | verifier.update(v.encode("utf-8")) | 
|  | 225 | spdx_pkg.packageVerificationCode.packageVerificationCodeValue = verifier.hexdigest() | 
|  | 226 |  | 
|  | 227 | return spdx_files | 
|  | 228 |  | 
|  | 229 |  | 
|  | 230 | def add_package_sources_from_debug(d, package_doc, spdx_package, package, package_files, sources): | 
|  | 231 | from pathlib import Path | 
|  | 232 | import hashlib | 
|  | 233 | import oe.packagedata | 
|  | 234 | import oe.spdx | 
|  | 235 |  | 
|  | 236 | debug_search_paths = [ | 
|  | 237 | Path(d.getVar('PKGD')), | 
|  | 238 | Path(d.getVar('STAGING_DIR_TARGET')), | 
|  | 239 | Path(d.getVar('STAGING_DIR_NATIVE')), | 
|  | 240 | ] | 
|  | 241 |  | 
|  | 242 | pkg_data = oe.packagedata.read_subpkgdata_extended(package, d) | 
|  | 243 |  | 
|  | 244 | if pkg_data is None: | 
|  | 245 | return | 
|  | 246 |  | 
|  | 247 | for file_path, file_data in pkg_data["files_info"].items(): | 
|  | 248 | if not "debugsrc" in file_data: | 
|  | 249 | continue | 
|  | 250 |  | 
|  | 251 | for pkg_file in package_files: | 
|  | 252 | if file_path.lstrip("/") == pkg_file.fileName.lstrip("/"): | 
|  | 253 | break | 
|  | 254 | else: | 
|  | 255 | bb.fatal("No package file found for %s" % str(file_path)) | 
|  | 256 | continue | 
|  | 257 |  | 
|  | 258 | for debugsrc in file_data["debugsrc"]: | 
|  | 259 | ref_id = "NOASSERTION" | 
|  | 260 | for search in debug_search_paths: | 
|  | 261 | debugsrc_path = search / debugsrc.lstrip("/") | 
|  | 262 | if not debugsrc_path.exists(): | 
|  | 263 | continue | 
|  | 264 |  | 
|  | 265 | file_sha256 = bb.utils.sha256_file(debugsrc_path) | 
|  | 266 |  | 
|  | 267 | if file_sha256 in sources: | 
|  | 268 | source_file = sources[file_sha256] | 
|  | 269 |  | 
|  | 270 | doc_ref = package_doc.find_external_document_ref(source_file.doc.documentNamespace) | 
|  | 271 | if doc_ref is None: | 
|  | 272 | doc_ref = oe.spdx.SPDXExternalDocumentRef() | 
|  | 273 | doc_ref.externalDocumentId = "DocumentRef-dependency-" + source_file.doc.name | 
|  | 274 | doc_ref.spdxDocument = source_file.doc.documentNamespace | 
|  | 275 | doc_ref.checksum.algorithm = "SHA1" | 
|  | 276 | doc_ref.checksum.checksumValue = source_file.doc_sha1 | 
|  | 277 | package_doc.externalDocumentRefs.append(doc_ref) | 
|  | 278 |  | 
|  | 279 | ref_id = "%s:%s" % (doc_ref.externalDocumentId, source_file.file.SPDXID) | 
|  | 280 | else: | 
|  | 281 | bb.debug(1, "Debug source %s with SHA256 %s not found in any dependency" % (str(debugsrc_path), file_sha256)) | 
|  | 282 | break | 
|  | 283 | else: | 
|  | 284 | bb.debug(1, "Debug source %s not found" % debugsrc) | 
|  | 285 |  | 
|  | 286 | package_doc.add_relationship(pkg_file, "GENERATED_FROM", ref_id, comment=debugsrc) | 
|  | 287 |  | 
|  | 288 | def collect_dep_recipes(d, doc, spdx_recipe): | 
|  | 289 | from pathlib import Path | 
|  | 290 | import oe.sbom | 
|  | 291 | import oe.spdx | 
|  | 292 |  | 
|  | 293 | deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX")) | 
|  | 294 |  | 
|  | 295 | dep_recipes = [] | 
|  | 296 | taskdepdata = d.getVar("BB_TASKDEPDATA", False) | 
|  | 297 | deps = sorted(set( | 
|  | 298 | dep[0] for dep in taskdepdata.values() if | 
|  | 299 | dep[1] == "do_create_spdx" and dep[0] != d.getVar("PN") | 
|  | 300 | )) | 
|  | 301 | for dep_pn in deps: | 
|  | 302 | dep_recipe_path = deploy_dir_spdx / "recipes" / ("recipe-%s.spdx.json" % dep_pn) | 
|  | 303 |  | 
|  | 304 | spdx_dep_doc, spdx_dep_sha1 = oe.sbom.read_doc(dep_recipe_path) | 
|  | 305 |  | 
|  | 306 | for pkg in spdx_dep_doc.packages: | 
|  | 307 | if pkg.name == dep_pn: | 
|  | 308 | spdx_dep_recipe = pkg | 
|  | 309 | break | 
|  | 310 | else: | 
|  | 311 | continue | 
|  | 312 |  | 
|  | 313 | dep_recipes.append(oe.sbom.DepRecipe(spdx_dep_doc, spdx_dep_sha1, spdx_dep_recipe)) | 
|  | 314 |  | 
|  | 315 | dep_recipe_ref = oe.spdx.SPDXExternalDocumentRef() | 
|  | 316 | dep_recipe_ref.externalDocumentId = "DocumentRef-dependency-" + spdx_dep_doc.name | 
|  | 317 | dep_recipe_ref.spdxDocument = spdx_dep_doc.documentNamespace | 
|  | 318 | dep_recipe_ref.checksum.algorithm = "SHA1" | 
|  | 319 | dep_recipe_ref.checksum.checksumValue = spdx_dep_sha1 | 
|  | 320 |  | 
|  | 321 | doc.externalDocumentRefs.append(dep_recipe_ref) | 
|  | 322 |  | 
|  | 323 | doc.add_relationship( | 
|  | 324 | "%s:%s" % (dep_recipe_ref.externalDocumentId, spdx_dep_recipe.SPDXID), | 
|  | 325 | "BUILD_DEPENDENCY_OF", | 
|  | 326 | spdx_recipe | 
|  | 327 | ) | 
|  | 328 |  | 
|  | 329 | return dep_recipes | 
|  | 330 |  | 
|  | 331 | collect_dep_recipes[vardepsexclude] += "BB_TASKDEPDATA" | 
|  | 332 |  | 
|  | 333 |  | 
|  | 334 | def collect_dep_sources(d, dep_recipes): | 
|  | 335 | import oe.sbom | 
|  | 336 |  | 
|  | 337 | sources = {} | 
|  | 338 | for dep in dep_recipes: | 
|  | 339 | recipe_files = set(dep.recipe.hasFiles) | 
|  | 340 |  | 
|  | 341 | for spdx_file in dep.doc.files: | 
|  | 342 | if spdx_file.SPDXID not in recipe_files: | 
|  | 343 | continue | 
|  | 344 |  | 
|  | 345 | if "SOURCE" in spdx_file.fileTypes: | 
|  | 346 | for checksum in spdx_file.checksums: | 
|  | 347 | if checksum.algorithm == "SHA256": | 
|  | 348 | sources[checksum.checksumValue] = oe.sbom.DepSource(dep.doc, dep.doc_sha1, dep.recipe, spdx_file) | 
|  | 349 | break | 
|  | 350 |  | 
|  | 351 | return sources | 
|  | 352 |  | 
|  | 353 |  | 
|  | 354 | python do_create_spdx() { | 
|  | 355 | from datetime import datetime, timezone | 
|  | 356 | import oe.sbom | 
|  | 357 | import oe.spdx | 
|  | 358 | import uuid | 
|  | 359 | from pathlib import Path | 
|  | 360 | from contextlib import contextmanager | 
|  | 361 | import oe.cve_check | 
|  | 362 |  | 
|  | 363 | @contextmanager | 
|  | 364 | def optional_tarfile(name, guard, mode="w"): | 
|  | 365 | import tarfile | 
|  | 366 | import bb.compress.zstd | 
|  | 367 |  | 
|  | 368 | num_threads = int(d.getVar("BB_NUMBER_THREADS")) | 
|  | 369 |  | 
|  | 370 | if guard: | 
|  | 371 | name.parent.mkdir(parents=True, exist_ok=True) | 
|  | 372 | with bb.compress.zstd.open(name, mode=mode + "b", num_threads=num_threads) as f: | 
|  | 373 | with tarfile.open(fileobj=f, mode=mode + "|") as tf: | 
|  | 374 | yield tf | 
|  | 375 | else: | 
|  | 376 | yield None | 
|  | 377 |  | 
|  | 378 |  | 
|  | 379 | deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX")) | 
|  | 380 | spdx_workdir = Path(d.getVar("SPDXWORK")) | 
|  | 381 | include_packaged = d.getVar("SPDX_INCLUDE_PACKAGED") == "1" | 
|  | 382 | include_sources = d.getVar("SPDX_INCLUDE_SOURCES") == "1" | 
|  | 383 | archive_sources = d.getVar("SPDX_ARCHIVE_SOURCES") == "1" | 
|  | 384 | archive_packaged = d.getVar("SPDX_ARCHIVE_PACKAGED") == "1" | 
|  | 385 | is_native = bb.data.inherits_class("native", d) | 
|  | 386 |  | 
|  | 387 | creation_time = datetime.now(tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ") | 
|  | 388 |  | 
|  | 389 | doc = oe.spdx.SPDXDocument() | 
|  | 390 |  | 
|  | 391 | doc.name = "recipe-" + d.getVar("PN") | 
|  | 392 | doc.documentNamespace = get_doc_namespace(d, doc) | 
|  | 393 | doc.creationInfo.created = creation_time | 
|  | 394 | doc.creationInfo.comment = "This document was created by analyzing recipe files during the build." | 
|  | 395 | doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"] | 
|  | 396 | doc.creationInfo.creators.append("Tool: OpenEmbedded Core create-spdx.bbclass") | 
|  | 397 | doc.creationInfo.creators.append("Organization: OpenEmbedded ()") | 
|  | 398 | doc.creationInfo.creators.append("Person: N/A ()") | 
|  | 399 |  | 
|  | 400 | recipe = oe.spdx.SPDXPackage() | 
|  | 401 | recipe.name = d.getVar("PN") | 
|  | 402 | recipe.versionInfo = d.getVar("PV") | 
|  | 403 | recipe.SPDXID = oe.sbom.get_recipe_spdxid(d) | 
|  | 404 |  | 
|  | 405 | for s in d.getVar('SRC_URI').split(): | 
|  | 406 | if not s.startswith("file://"): | 
|  | 407 | recipe.downloadLocation = s | 
|  | 408 | break | 
|  | 409 | else: | 
|  | 410 | recipe.downloadLocation = "NOASSERTION" | 
|  | 411 |  | 
|  | 412 | homepage = d.getVar("HOMEPAGE") | 
|  | 413 | if homepage: | 
|  | 414 | recipe.homepage = homepage | 
|  | 415 |  | 
|  | 416 | license = d.getVar("LICENSE") | 
|  | 417 | if license: | 
|  | 418 | recipe.licenseDeclared = convert_license_to_spdx(license, doc, d) | 
|  | 419 |  | 
|  | 420 | summary = d.getVar("SUMMARY") | 
|  | 421 | if summary: | 
|  | 422 | recipe.summary = summary | 
|  | 423 |  | 
|  | 424 | description = d.getVar("DESCRIPTION") | 
|  | 425 | if description: | 
|  | 426 | recipe.description = description | 
|  | 427 |  | 
|  | 428 | # Some CVEs may be patched during the build process without incrementing the version number, | 
|  | 429 | # so querying for CVEs based on the CPE id can lead to false positives. To account for this, | 
|  | 430 | # save the CVEs fixed by patches to source information field in the SPDX. | 
|  | 431 | patched_cves = oe.cve_check.get_patched_cves(d) | 
|  | 432 | patched_cves = list(patched_cves) | 
|  | 433 | patched_cves = ' '.join(patched_cves) | 
|  | 434 | if patched_cves: | 
|  | 435 | recipe.sourceInfo = "CVEs fixed: " + patched_cves | 
|  | 436 |  | 
|  | 437 | cpe_ids = oe.cve_check.get_cpe_ids(d.getVar("CVE_PRODUCT"), d.getVar("CVE_VERSION")) | 
|  | 438 | if cpe_ids: | 
|  | 439 | for cpe_id in cpe_ids: | 
|  | 440 | cpe = oe.spdx.SPDXExternalReference() | 
|  | 441 | cpe.referenceCategory = "SECURITY" | 
|  | 442 | cpe.referenceType = "http://spdx.org/rdf/references/cpe23Type" | 
|  | 443 | cpe.referenceLocator = cpe_id | 
|  | 444 | recipe.externalRefs.append(cpe) | 
|  | 445 |  | 
|  | 446 | doc.packages.append(recipe) | 
|  | 447 | doc.add_relationship(doc, "DESCRIBES", recipe) | 
|  | 448 |  | 
|  | 449 | if process_sources(d) and include_sources: | 
|  | 450 | recipe_archive = deploy_dir_spdx / "recipes" / (doc.name + ".tar.zst") | 
|  | 451 | with optional_tarfile(recipe_archive, archive_sources) as archive: | 
|  | 452 | spdx_get_src(d) | 
|  | 453 |  | 
|  | 454 | add_package_files( | 
|  | 455 | d, | 
|  | 456 | doc, | 
|  | 457 | recipe, | 
|  | 458 | spdx_workdir, | 
|  | 459 | lambda file_counter: "SPDXRef-SourceFile-%s-%d" % (d.getVar("PN"), file_counter), | 
|  | 460 | lambda filepath: ["SOURCE"], | 
|  | 461 | ignore_dirs=[".git"], | 
|  | 462 | ignore_top_level_dirs=["temp"], | 
|  | 463 | archive=archive, | 
|  | 464 | ) | 
|  | 465 |  | 
|  | 466 | if archive is not None: | 
|  | 467 | recipe.packageFileName = str(recipe_archive.name) | 
|  | 468 |  | 
|  | 469 | dep_recipes = collect_dep_recipes(d, doc, recipe) | 
|  | 470 |  | 
|  | 471 | doc_sha1 = oe.sbom.write_doc(d, doc, "recipes") | 
|  | 472 | dep_recipes.append(oe.sbom.DepRecipe(doc, doc_sha1, recipe)) | 
|  | 473 |  | 
|  | 474 | recipe_ref = oe.spdx.SPDXExternalDocumentRef() | 
|  | 475 | recipe_ref.externalDocumentId = "DocumentRef-recipe-" + recipe.name | 
|  | 476 | recipe_ref.spdxDocument = doc.documentNamespace | 
|  | 477 | recipe_ref.checksum.algorithm = "SHA1" | 
|  | 478 | recipe_ref.checksum.checksumValue = doc_sha1 | 
|  | 479 |  | 
|  | 480 | sources = collect_dep_sources(d, dep_recipes) | 
|  | 481 | found_licenses = {license.name:recipe_ref.externalDocumentId + ":" + license.licenseId for license in doc.hasExtractedLicensingInfos} | 
|  | 482 |  | 
|  | 483 | if not is_native: | 
|  | 484 | bb.build.exec_func("read_subpackage_metadata", d) | 
|  | 485 |  | 
|  | 486 | pkgdest = Path(d.getVar("PKGDEST")) | 
|  | 487 | for package in d.getVar("PACKAGES").split(): | 
|  | 488 | if not oe.packagedata.packaged(package, d): | 
|  | 489 | continue | 
|  | 490 |  | 
|  | 491 | package_doc = oe.spdx.SPDXDocument() | 
|  | 492 | pkg_name = d.getVar("PKG:%s" % package) or package | 
|  | 493 | package_doc.name = pkg_name | 
|  | 494 | package_doc.documentNamespace = get_doc_namespace(d, package_doc) | 
|  | 495 | package_doc.creationInfo.created = creation_time | 
|  | 496 | package_doc.creationInfo.comment = "This document was created by analyzing packages created during the build." | 
|  | 497 | package_doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"] | 
|  | 498 | package_doc.creationInfo.creators.append("Tool: OpenEmbedded Core create-spdx.bbclass") | 
|  | 499 | package_doc.creationInfo.creators.append("Organization: OpenEmbedded ()") | 
|  | 500 | package_doc.creationInfo.creators.append("Person: N/A ()") | 
|  | 501 | package_doc.externalDocumentRefs.append(recipe_ref) | 
|  | 502 |  | 
|  | 503 | package_license = d.getVar("LICENSE:%s" % package) or d.getVar("LICENSE") | 
|  | 504 |  | 
|  | 505 | spdx_package = oe.spdx.SPDXPackage() | 
|  | 506 |  | 
|  | 507 | spdx_package.SPDXID = oe.sbom.get_package_spdxid(pkg_name) | 
|  | 508 | spdx_package.name = pkg_name | 
|  | 509 | spdx_package.versionInfo = d.getVar("PV") | 
|  | 510 | spdx_package.licenseDeclared = convert_license_to_spdx(package_license, package_doc, d, found_licenses) | 
|  | 511 |  | 
|  | 512 | package_doc.packages.append(spdx_package) | 
|  | 513 |  | 
|  | 514 | package_doc.add_relationship(spdx_package, "GENERATED_FROM", "%s:%s" % (recipe_ref.externalDocumentId, recipe.SPDXID)) | 
|  | 515 | package_doc.add_relationship(package_doc, "DESCRIBES", spdx_package) | 
|  | 516 |  | 
|  | 517 | package_archive = deploy_dir_spdx / "packages" / (package_doc.name + ".tar.zst") | 
|  | 518 | with optional_tarfile(package_archive, archive_packaged) as archive: | 
|  | 519 | package_files = add_package_files( | 
|  | 520 | d, | 
|  | 521 | package_doc, | 
|  | 522 | spdx_package, | 
|  | 523 | pkgdest / package, | 
|  | 524 | lambda file_counter: oe.sbom.get_packaged_file_spdxid(pkg_name, file_counter), | 
|  | 525 | lambda filepath: ["BINARY"], | 
|  | 526 | archive=archive, | 
|  | 527 | ) | 
|  | 528 |  | 
|  | 529 | if archive is not None: | 
|  | 530 | spdx_package.packageFileName = str(package_archive.name) | 
|  | 531 |  | 
|  | 532 | add_package_sources_from_debug(d, package_doc, spdx_package, package, package_files, sources) | 
|  | 533 |  | 
|  | 534 | oe.sbom.write_doc(d, package_doc, "packages") | 
|  | 535 | } | 
|  | 536 | # NOTE: depending on do_unpack is a hack that is necessary to get it's dependencies for archive the source | 
|  | 537 | addtask do_create_spdx after do_package do_packagedata do_unpack before do_build do_rm_work | 
|  | 538 |  | 
|  | 539 | SSTATETASKS += "do_create_spdx" | 
|  | 540 | do_create_spdx[sstate-inputdirs] = "${SPDXDEPLOY}" | 
|  | 541 | do_create_spdx[sstate-outputdirs] = "${DEPLOY_DIR_SPDX}" | 
|  | 542 |  | 
|  | 543 | python do_create_spdx_setscene () { | 
|  | 544 | sstate_setscene(d) | 
|  | 545 | } | 
|  | 546 | addtask do_create_spdx_setscene | 
|  | 547 |  | 
|  | 548 | do_create_spdx[dirs] = "${SPDXDEPLOY} ${SPDXWORK}" | 
|  | 549 | do_create_spdx[cleandirs] = "${SPDXDEPLOY} ${SPDXWORK}" | 
|  | 550 | do_create_spdx[depends] += "${PATCHDEPENDENCY}" | 
|  | 551 | do_create_spdx[deptask] = "do_create_spdx" | 
|  | 552 |  | 
|  | 553 | def collect_package_providers(d): | 
|  | 554 | from pathlib import Path | 
|  | 555 | import oe.sbom | 
|  | 556 | import oe.spdx | 
|  | 557 | import json | 
|  | 558 |  | 
|  | 559 | deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX")) | 
|  | 560 |  | 
|  | 561 | providers = {} | 
|  | 562 |  | 
|  | 563 | taskdepdata = d.getVar("BB_TASKDEPDATA", False) | 
|  | 564 | deps = sorted(set( | 
|  | 565 | dep[0] for dep in taskdepdata.values() if dep[0] != d.getVar("PN") | 
|  | 566 | )) | 
|  | 567 | deps.append(d.getVar("PN")) | 
|  | 568 |  | 
|  | 569 | for dep_pn in deps: | 
|  | 570 | recipe_data = oe.packagedata.read_pkgdata(dep_pn, d) | 
|  | 571 |  | 
|  | 572 | for pkg in recipe_data.get("PACKAGES", "").split(): | 
|  | 573 |  | 
|  | 574 | pkg_data = oe.packagedata.read_subpkgdata_dict(pkg, d) | 
|  | 575 | rprovides = set(n for n, _ in bb.utils.explode_dep_versions2(pkg_data.get("RPROVIDES", "")).items()) | 
|  | 576 | rprovides.add(pkg) | 
|  | 577 |  | 
|  | 578 | for r in rprovides: | 
|  | 579 | providers[r] = pkg | 
|  | 580 |  | 
|  | 581 | return providers | 
|  | 582 |  | 
|  | 583 | collect_package_providers[vardepsexclude] += "BB_TASKDEPDATA" | 
|  | 584 |  | 
|  | 585 | python do_create_runtime_spdx() { | 
|  | 586 | from datetime import datetime, timezone | 
|  | 587 | import oe.sbom | 
|  | 588 | import oe.spdx | 
|  | 589 | import oe.packagedata | 
|  | 590 | from pathlib import Path | 
|  | 591 |  | 
|  | 592 | deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX")) | 
|  | 593 | spdx_deploy = Path(d.getVar("SPDXRUNTIMEDEPLOY")) | 
|  | 594 | is_native = bb.data.inherits_class("native", d) | 
|  | 595 |  | 
|  | 596 | creation_time = datetime.now(tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ") | 
|  | 597 |  | 
|  | 598 | providers = collect_package_providers(d) | 
|  | 599 |  | 
|  | 600 | if not is_native: | 
|  | 601 | bb.build.exec_func("read_subpackage_metadata", d) | 
|  | 602 |  | 
|  | 603 | dep_package_cache = {} | 
|  | 604 |  | 
|  | 605 | pkgdest = Path(d.getVar("PKGDEST")) | 
|  | 606 | for package in d.getVar("PACKAGES").split(): | 
|  | 607 | localdata = bb.data.createCopy(d) | 
|  | 608 | pkg_name = d.getVar("PKG:%s" % package) or package | 
|  | 609 | localdata.setVar("PKG", pkg_name) | 
|  | 610 | localdata.setVar('OVERRIDES', d.getVar("OVERRIDES", False) + ":" + package) | 
|  | 611 |  | 
|  | 612 | if not oe.packagedata.packaged(package, localdata): | 
|  | 613 | continue | 
|  | 614 |  | 
|  | 615 | pkg_spdx_path = deploy_dir_spdx / "packages" / (pkg_name + ".spdx.json") | 
|  | 616 |  | 
|  | 617 | package_doc, package_doc_sha1 = oe.sbom.read_doc(pkg_spdx_path) | 
|  | 618 |  | 
|  | 619 | for p in package_doc.packages: | 
|  | 620 | if p.name == pkg_name: | 
|  | 621 | spdx_package = p | 
|  | 622 | break | 
|  | 623 | else: | 
|  | 624 | bb.fatal("Package '%s' not found in %s" % (pkg_name, pkg_spdx_path)) | 
|  | 625 |  | 
|  | 626 | runtime_doc = oe.spdx.SPDXDocument() | 
|  | 627 | runtime_doc.name = "runtime-" + pkg_name | 
|  | 628 | runtime_doc.documentNamespace = get_doc_namespace(localdata, runtime_doc) | 
|  | 629 | runtime_doc.creationInfo.created = creation_time | 
|  | 630 | runtime_doc.creationInfo.comment = "This document was created by analyzing package runtime dependencies." | 
|  | 631 | runtime_doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"] | 
|  | 632 | runtime_doc.creationInfo.creators.append("Tool: OpenEmbedded Core create-spdx.bbclass") | 
|  | 633 | runtime_doc.creationInfo.creators.append("Organization: OpenEmbedded ()") | 
|  | 634 | runtime_doc.creationInfo.creators.append("Person: N/A ()") | 
|  | 635 |  | 
|  | 636 | package_ref = oe.spdx.SPDXExternalDocumentRef() | 
|  | 637 | package_ref.externalDocumentId = "DocumentRef-package-" + package | 
|  | 638 | package_ref.spdxDocument = package_doc.documentNamespace | 
|  | 639 | package_ref.checksum.algorithm = "SHA1" | 
|  | 640 | package_ref.checksum.checksumValue = package_doc_sha1 | 
|  | 641 |  | 
|  | 642 | runtime_doc.externalDocumentRefs.append(package_ref) | 
|  | 643 |  | 
|  | 644 | runtime_doc.add_relationship( | 
|  | 645 | runtime_doc.SPDXID, | 
|  | 646 | "AMENDS", | 
|  | 647 | "%s:%s" % (package_ref.externalDocumentId, package_doc.SPDXID) | 
|  | 648 | ) | 
|  | 649 |  | 
|  | 650 | deps = bb.utils.explode_dep_versions2(localdata.getVar("RDEPENDS") or "") | 
|  | 651 | seen_deps = set() | 
|  | 652 | for dep, _ in deps.items(): | 
|  | 653 | if dep in seen_deps: | 
|  | 654 | continue | 
|  | 655 |  | 
|  | 656 | dep = providers[dep] | 
|  | 657 |  | 
|  | 658 | if not oe.packagedata.packaged(dep, localdata): | 
|  | 659 | continue | 
|  | 660 |  | 
|  | 661 | dep_pkg_data = oe.packagedata.read_subpkgdata_dict(dep, d) | 
|  | 662 | dep_pkg = dep_pkg_data["PKG"] | 
|  | 663 |  | 
|  | 664 | if dep in dep_package_cache: | 
|  | 665 | (dep_spdx_package, dep_package_ref) = dep_package_cache[dep] | 
|  | 666 | else: | 
|  | 667 | dep_path = deploy_dir_spdx / "packages" / ("%s.spdx.json" % dep_pkg) | 
|  | 668 |  | 
|  | 669 | spdx_dep_doc, spdx_dep_sha1 = oe.sbom.read_doc(dep_path) | 
|  | 670 |  | 
|  | 671 | for pkg in spdx_dep_doc.packages: | 
|  | 672 | if pkg.name == dep_pkg: | 
|  | 673 | dep_spdx_package = pkg | 
|  | 674 | break | 
|  | 675 | else: | 
|  | 676 | bb.fatal("Package '%s' not found in %s" % (dep_pkg, dep_path)) | 
|  | 677 |  | 
|  | 678 | dep_package_ref = oe.spdx.SPDXExternalDocumentRef() | 
|  | 679 | dep_package_ref.externalDocumentId = "DocumentRef-runtime-dependency-" + spdx_dep_doc.name | 
|  | 680 | dep_package_ref.spdxDocument = spdx_dep_doc.documentNamespace | 
|  | 681 | dep_package_ref.checksum.algorithm = "SHA1" | 
|  | 682 | dep_package_ref.checksum.checksumValue = spdx_dep_sha1 | 
|  | 683 |  | 
|  | 684 | dep_package_cache[dep] = (dep_spdx_package, dep_package_ref) | 
|  | 685 |  | 
|  | 686 | runtime_doc.externalDocumentRefs.append(dep_package_ref) | 
|  | 687 |  | 
|  | 688 | runtime_doc.add_relationship( | 
|  | 689 | "%s:%s" % (dep_package_ref.externalDocumentId, dep_spdx_package.SPDXID), | 
|  | 690 | "RUNTIME_DEPENDENCY_OF", | 
|  | 691 | "%s:%s" % (package_ref.externalDocumentId, spdx_package.SPDXID) | 
|  | 692 | ) | 
|  | 693 | seen_deps.add(dep) | 
|  | 694 |  | 
|  | 695 | oe.sbom.write_doc(d, runtime_doc, "runtime", spdx_deploy) | 
|  | 696 | } | 
|  | 697 |  | 
|  | 698 | addtask do_create_runtime_spdx after do_create_spdx before do_build do_rm_work | 
|  | 699 | SSTATETASKS += "do_create_runtime_spdx" | 
|  | 700 | do_create_runtime_spdx[sstate-inputdirs] = "${SPDXRUNTIMEDEPLOY}" | 
|  | 701 | do_create_runtime_spdx[sstate-outputdirs] = "${DEPLOY_DIR_SPDX}" | 
|  | 702 |  | 
|  | 703 | python do_create_runtime_spdx_setscene () { | 
|  | 704 | sstate_setscene(d) | 
|  | 705 | } | 
|  | 706 | addtask do_create_runtime_spdx_setscene | 
|  | 707 |  | 
|  | 708 | do_create_runtime_spdx[dirs] = "${SPDXRUNTIMEDEPLOY}" | 
|  | 709 | do_create_runtime_spdx[cleandirs] = "${SPDXRUNTIMEDEPLOY}" | 
|  | 710 | do_create_runtime_spdx[rdeptask] = "do_create_spdx" | 
|  | 711 |  | 
|  | 712 | def spdx_get_src(d): | 
|  | 713 | """ | 
|  | 714 | save patched source of the recipe in SPDX_WORKDIR. | 
|  | 715 | """ | 
|  | 716 | import shutil | 
|  | 717 | spdx_workdir = d.getVar('SPDXWORK') | 
|  | 718 | spdx_sysroot_native = d.getVar('STAGING_DIR_NATIVE') | 
|  | 719 | pn = d.getVar('PN') | 
|  | 720 |  | 
|  | 721 | workdir = d.getVar("WORKDIR") | 
|  | 722 |  | 
|  | 723 | try: | 
|  | 724 | # The kernel class functions require it to be on work-shared, so we dont change WORKDIR | 
|  | 725 | if not is_work_shared(d): | 
|  | 726 | # Change the WORKDIR to make do_unpack do_patch run in another dir. | 
|  | 727 | d.setVar('WORKDIR', spdx_workdir) | 
|  | 728 | # Restore the original path to recipe's native sysroot (it's relative to WORKDIR). | 
|  | 729 | d.setVar('STAGING_DIR_NATIVE', spdx_sysroot_native) | 
|  | 730 |  | 
|  | 731 | # The changed 'WORKDIR' also caused 'B' changed, create dir 'B' for the | 
|  | 732 | # possibly requiring of the following tasks (such as some recipes's | 
|  | 733 | # do_patch required 'B' existed). | 
|  | 734 | bb.utils.mkdirhier(d.getVar('B')) | 
|  | 735 |  | 
|  | 736 | bb.build.exec_func('do_unpack', d) | 
|  | 737 | # Copy source of kernel to spdx_workdir | 
|  | 738 | if is_work_shared(d): | 
|  | 739 | d.setVar('WORKDIR', spdx_workdir) | 
|  | 740 | d.setVar('STAGING_DIR_NATIVE', spdx_sysroot_native) | 
|  | 741 | src_dir = spdx_workdir + "/" + d.getVar('PN')+ "-" + d.getVar('PV') + "-" + d.getVar('PR') | 
|  | 742 | bb.utils.mkdirhier(src_dir) | 
|  | 743 | if bb.data.inherits_class('kernel',d): | 
|  | 744 | share_src = d.getVar('STAGING_KERNEL_DIR') | 
|  | 745 | cmd_copy_share = "cp -rf " + share_src + "/* " + src_dir + "/" | 
|  | 746 | cmd_copy_kernel_result = os.popen(cmd_copy_share).read() | 
|  | 747 | bb.note("cmd_copy_kernel_result = " + cmd_copy_kernel_result) | 
|  | 748 |  | 
|  | 749 | git_path = src_dir + "/.git" | 
|  | 750 | if os.path.exists(git_path): | 
|  | 751 | shutils.rmtree(git_path) | 
|  | 752 |  | 
|  | 753 | # Make sure gcc and kernel sources are patched only once | 
|  | 754 | if not (d.getVar('SRC_URI') == "" or is_work_shared(d)): | 
|  | 755 | bb.build.exec_func('do_patch', d) | 
|  | 756 |  | 
|  | 757 | # Some userland has no source. | 
|  | 758 | if not os.path.exists( spdx_workdir ): | 
|  | 759 | bb.utils.mkdirhier(spdx_workdir) | 
|  | 760 | finally: | 
|  | 761 | d.setVar("WORKDIR", workdir) | 
|  | 762 |  | 
|  | 763 | do_rootfs[recrdeptask] += "do_create_spdx do_create_runtime_spdx" | 
|  | 764 |  | 
|  | 765 | ROOTFS_POSTUNINSTALL_COMMAND =+ "image_combine_spdx ; " | 
|  | 766 | python image_combine_spdx() { | 
|  | 767 | import os | 
|  | 768 | import oe.spdx | 
|  | 769 | import oe.sbom | 
|  | 770 | import io | 
|  | 771 | import json | 
|  | 772 | from oe.rootfs import image_list_installed_packages | 
|  | 773 | from datetime import timezone, datetime | 
|  | 774 | from pathlib import Path | 
|  | 775 | import tarfile | 
|  | 776 | import bb.compress.zstd | 
|  | 777 |  | 
|  | 778 | creation_time = datetime.now(tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ") | 
|  | 779 | image_name = d.getVar("IMAGE_NAME") | 
|  | 780 | image_link_name = d.getVar("IMAGE_LINK_NAME") | 
|  | 781 |  | 
|  | 782 | deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX")) | 
|  | 783 | imgdeploydir = Path(d.getVar("IMGDEPLOYDIR")) | 
|  | 784 | source_date_epoch = d.getVar("SOURCE_DATE_EPOCH") | 
|  | 785 |  | 
|  | 786 | doc = oe.spdx.SPDXDocument() | 
|  | 787 | doc.name = image_name | 
|  | 788 | doc.documentNamespace = get_doc_namespace(d, doc) | 
|  | 789 | doc.creationInfo.created = creation_time | 
|  | 790 | doc.creationInfo.comment = "This document was created by analyzing the source of the Yocto recipe during the build." | 
|  | 791 | doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"] | 
|  | 792 | doc.creationInfo.creators.append("Tool: OpenEmbedded Core create-spdx.bbclass") | 
|  | 793 | doc.creationInfo.creators.append("Organization: OpenEmbedded ()") | 
|  | 794 | doc.creationInfo.creators.append("Person: N/A ()") | 
|  | 795 |  | 
|  | 796 | image = oe.spdx.SPDXPackage() | 
|  | 797 | image.name = d.getVar("PN") | 
|  | 798 | image.versionInfo = d.getVar("PV") | 
|  | 799 | image.SPDXID = oe.sbom.get_image_spdxid(image_name) | 
|  | 800 |  | 
|  | 801 | doc.packages.append(image) | 
|  | 802 |  | 
|  | 803 | spdx_package = oe.spdx.SPDXPackage() | 
|  | 804 |  | 
|  | 805 | packages = image_list_installed_packages(d) | 
|  | 806 |  | 
|  | 807 | for name in sorted(packages.keys()): | 
|  | 808 | pkg_spdx_path = deploy_dir_spdx / "packages" / (name + ".spdx.json") | 
|  | 809 | pkg_doc, pkg_doc_sha1 = oe.sbom.read_doc(pkg_spdx_path) | 
|  | 810 |  | 
|  | 811 | for p in pkg_doc.packages: | 
|  | 812 | if p.name == name: | 
|  | 813 | pkg_ref = oe.spdx.SPDXExternalDocumentRef() | 
|  | 814 | pkg_ref.externalDocumentId = "DocumentRef-%s" % pkg_doc.name | 
|  | 815 | pkg_ref.spdxDocument = pkg_doc.documentNamespace | 
|  | 816 | pkg_ref.checksum.algorithm = "SHA1" | 
|  | 817 | pkg_ref.checksum.checksumValue = pkg_doc_sha1 | 
|  | 818 |  | 
|  | 819 | doc.externalDocumentRefs.append(pkg_ref) | 
|  | 820 | doc.add_relationship(image, "CONTAINS", "%s:%s" % (pkg_ref.externalDocumentId, p.SPDXID)) | 
|  | 821 | break | 
|  | 822 | else: | 
|  | 823 | bb.fatal("Unable to find package with name '%s' in SPDX file %s" % (name, pkg_spdx_path)) | 
|  | 824 |  | 
|  | 825 | runtime_spdx_path = deploy_dir_spdx / "runtime" / ("runtime-" + name + ".spdx.json") | 
|  | 826 | runtime_doc, runtime_doc_sha1 = oe.sbom.read_doc(runtime_spdx_path) | 
|  | 827 |  | 
|  | 828 | runtime_ref = oe.spdx.SPDXExternalDocumentRef() | 
|  | 829 | runtime_ref.externalDocumentId = "DocumentRef-%s" % runtime_doc.name | 
|  | 830 | runtime_ref.spdxDocument = runtime_doc.documentNamespace | 
|  | 831 | runtime_ref.checksum.algorithm = "SHA1" | 
|  | 832 | runtime_ref.checksum.checksumValue = runtime_doc_sha1 | 
|  | 833 |  | 
|  | 834 | # "OTHER" isn't ideal here, but I can't find a relationship that makes sense | 
|  | 835 | doc.externalDocumentRefs.append(runtime_ref) | 
|  | 836 | doc.add_relationship( | 
|  | 837 | image, | 
|  | 838 | "OTHER", | 
|  | 839 | "%s:%s" % (runtime_ref.externalDocumentId, runtime_doc.SPDXID), | 
|  | 840 | comment="Runtime dependencies for %s" % name | 
|  | 841 | ) | 
|  | 842 |  | 
|  | 843 | image_spdx_path = imgdeploydir / (image_name + ".spdx.json") | 
|  | 844 |  | 
|  | 845 | with image_spdx_path.open("wb") as f: | 
|  | 846 | doc.to_json(f, sort_keys=True) | 
|  | 847 |  | 
|  | 848 | image_spdx_link = imgdeploydir / (image_link_name + ".spdx.json") | 
|  | 849 | image_spdx_link.symlink_to(os.path.relpath(image_spdx_path, image_spdx_link.parent)) | 
|  | 850 |  | 
|  | 851 | num_threads = int(d.getVar("BB_NUMBER_THREADS")) | 
|  | 852 |  | 
|  | 853 | visited_docs = set() | 
|  | 854 |  | 
|  | 855 | index = {"documents": []} | 
|  | 856 |  | 
|  | 857 | spdx_tar_path = imgdeploydir / (image_name + ".spdx.tar.zst") | 
|  | 858 | with bb.compress.zstd.open(spdx_tar_path, "w", num_threads=num_threads) as f: | 
|  | 859 | with tarfile.open(fileobj=f, mode="w|") as tar: | 
|  | 860 | def collect_spdx_document(path): | 
|  | 861 | nonlocal tar | 
|  | 862 | nonlocal deploy_dir_spdx | 
|  | 863 | nonlocal source_date_epoch | 
|  | 864 | nonlocal index | 
|  | 865 |  | 
|  | 866 | if path in visited_docs: | 
|  | 867 | return | 
|  | 868 |  | 
|  | 869 | visited_docs.add(path) | 
|  | 870 |  | 
|  | 871 | with path.open("rb") as f: | 
|  | 872 | doc, sha1 = oe.sbom.read_doc(f) | 
|  | 873 | f.seek(0) | 
|  | 874 |  | 
|  | 875 | if doc.documentNamespace in visited_docs: | 
|  | 876 | return | 
|  | 877 |  | 
|  | 878 | bb.note("Adding SPDX document %s" % path) | 
|  | 879 | visited_docs.add(doc.documentNamespace) | 
|  | 880 | info = tar.gettarinfo(fileobj=f) | 
|  | 881 |  | 
|  | 882 | info.name = doc.name + ".spdx.json" | 
|  | 883 | info.uid = 0 | 
|  | 884 | info.gid = 0 | 
|  | 885 | info.uname = "root" | 
|  | 886 | info.gname = "root" | 
|  | 887 |  | 
|  | 888 | if source_date_epoch is not None and info.mtime > int(source_date_epoch): | 
|  | 889 | info.mtime = int(source_date_epoch) | 
|  | 890 |  | 
|  | 891 | tar.addfile(info, f) | 
|  | 892 |  | 
|  | 893 | index["documents"].append({ | 
|  | 894 | "filename": info.name, | 
|  | 895 | "documentNamespace": doc.documentNamespace, | 
|  | 896 | "sha1": sha1, | 
|  | 897 | }) | 
|  | 898 |  | 
|  | 899 | for ref in doc.externalDocumentRefs: | 
|  | 900 | ref_path = deploy_dir_spdx / "by-namespace" / ref.spdxDocument.replace("/", "_") | 
|  | 901 | collect_spdx_document(ref_path) | 
|  | 902 |  | 
|  | 903 | collect_spdx_document(image_spdx_path) | 
|  | 904 |  | 
|  | 905 | index["documents"].sort(key=lambda x: x["filename"]) | 
|  | 906 |  | 
|  | 907 | index_str = io.BytesIO(json.dumps(index, sort_keys=True).encode("utf-8")) | 
|  | 908 |  | 
|  | 909 | info = tarfile.TarInfo() | 
|  | 910 | info.name = "index.json" | 
|  | 911 | info.size = len(index_str.getvalue()) | 
|  | 912 | info.uid = 0 | 
|  | 913 | info.gid = 0 | 
|  | 914 | info.uname = "root" | 
|  | 915 | info.gname = "root" | 
|  | 916 |  | 
|  | 917 | tar.addfile(info, fileobj=index_str) | 
|  | 918 |  | 
|  | 919 | def make_image_link(target_path, suffix): | 
|  | 920 | link = imgdeploydir / (image_link_name + suffix) | 
|  | 921 | link.symlink_to(os.path.relpath(target_path, link.parent)) | 
|  | 922 |  | 
|  | 923 | make_image_link(spdx_tar_path, ".spdx.tar.zst") | 
|  | 924 |  | 
|  | 925 | spdx_index_path = imgdeploydir / (image_name + ".spdx.index.json") | 
|  | 926 | with spdx_index_path.open("w") as f: | 
|  | 927 | json.dump(index, f, sort_keys=True) | 
|  | 928 |  | 
|  | 929 | make_image_link(spdx_index_path, ".spdx.index.json") | 
|  | 930 | } | 
|  | 931 |  |