Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / openbmc / 5199d831602da71945df7cef62eb3c01183cf20e / . / poky / meta / classes / create-spdx.bbclass
blob: 3c73c21c0440b8a2ffc0058c83d8c438fccbd983 [file] [log] [blame]
Andrew Geissler5199d832021-09-24 16:47:35 -0500[diff] [blame^]1#
2# SPDX-License-Identifier: GPL-2.0-only
3#
4
5DEPLOY_DIR_SPDX ??= "${DEPLOY_DIR}/spdx/${MACHINE}"
6
7# The product name that the CVE database uses. Defaults to BPN, but may need to
8# be overriden per recipe (for example tiff.bb sets CVE_PRODUCT=libtiff).
9CVE_PRODUCT ??= "${BPN}"
10CVE_VERSION ??= "${PV}"
11
12SPDXDIR ??= "${WORKDIR}/spdx"
13SPDXDEPLOY = "${SPDXDIR}/deploy"
14SPDXWORK = "${SPDXDIR}/work"
15
16SPDXRUNTIMEDEPLOY = "${SPDXDIR}/runtime-deploy"
17
18SPDX_INCLUDE_SOURCES ??= "0"
19SPDX_INCLUDE_PACKAGED ??= "0"
20SPDX_ARCHIVE_SOURCES ??= "0"
21SPDX_ARCHIVE_PACKAGED ??= "0"
22
23SPDX_UUID_NAMESPACE ??= "sbom.openembedded.org"
24SPDX_NAMESPACE_PREFIX ??= "http://spdx.org/spdxdoc"
25
26SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json"
27
28do_image_complete[depends] = "virtual/kernel:do_create_spdx"
29
30def get_doc_namespace(d, doc):
31 import uuid
32 namespace_uuid = uuid.uuid5(uuid.NAMESPACE_DNS, d.getVar("SPDX_UUID_NAMESPACE"))
33 return "%s/%s-%s" % (d.getVar("SPDX_NAMESPACE_PREFIX"), doc.name, str(uuid.uuid5(namespace_uuid, doc.name)))
34
35
36def is_work_shared(d):
37 pn = d.getVar('PN')
38 return bb.data.inherits_class('kernel', d) or pn.startswith('gcc-source')
39
40
41python() {
42 import json
43 if d.getVar("SPDX_LICENSE_DATA"):
44 return
45
46 with open(d.getVar("SPDX_LICENSES"), "r") as f:
47 data = json.load(f)
48 # Transform the license array to a dictionary
49 data["licenses"] = {l["licenseId"]: l for l in data["licenses"]}
50 d.setVar("SPDX_LICENSE_DATA", data)
51}
52
53def convert_license_to_spdx(lic, document, d, existing={}):
54 from pathlib import Path
55 import oe.spdx
56
57 available_licenses = d.getVar("AVAILABLE_LICENSES").split()
58 license_data = d.getVar("SPDX_LICENSE_DATA")
59 extracted = {}
60
61 def add_extracted_license(ident, name):
62 nonlocal document
63
64 if name in extracted:
65 return
66
67 extracted_info = oe.spdx.SPDXExtractedLicensingInfo()
68 extracted_info.name = name
69 extracted_info.licenseId = ident
70 extracted_info.extractedText = None
71
72 if name == "PD":
73 # Special-case this.
74 extracted_info.extractedText = "Software released to the public domain"
75 elif name in available_licenses:
76 # This license can be found in COMMON_LICENSE_DIR or LICENSE_PATH
77 for directory in [d.getVar('COMMON_LICENSE_DIR')] + d.getVar('LICENSE_PATH').split():
78 try:
79 with (Path(directory) / name).open(errors="replace") as f:
80 extracted_info.extractedText = f.read()
81 break
82 except FileNotFoundError:
83 pass
84 if extracted_info.extractedText is None:
85 # Error out, as the license was in available_licenses so should
86 # be on disk somewhere.
87 bb.error("Cannot find text for license %s" % name)
88 else:
89 # If it's not SPDX, or PD, or in available licenses, then NO_GENERIC_LICENSE must be set
90 filename = d.getVarFlag('NO_GENERIC_LICENSE', name)
91 if filename:
92 filename = d.expand("${S}/" + filename)
93 with open(filename, errors="replace") as f:
94 extracted_info.extractedText = f.read()
95 else:
96 bb.error("Cannot find any text for license %s" % name)
97
98 extracted[name] = extracted_info
99 document.hasExtractedLicensingInfos.append(extracted_info)
100
101 def convert(l):
102 if l == "(" or l == ")":
103 return l
104
105 if l == "&":
106 return "AND"
107
108 if l == "|":
109 return "OR"
110
111 if l == "CLOSED":
112 return "NONE"
113
114 spdx_license = d.getVarFlag("SPDXLICENSEMAP", l) or l
115 if spdx_license in license_data["licenses"]:
116 return spdx_license
117
118 try:
119 spdx_license = existing[l]
120 except KeyError:
121 spdx_license = "LicenseRef-" + l
122 add_extracted_license(spdx_license, l)
123
124 return spdx_license
125
126 lic_split = lic.replace("(", " ( ").replace(")", " ) ").split()
127
128 return ' '.join(convert(l) for l in lic_split)
129
130
131def process_sources(d):
132 pn = d.getVar('PN')
133 assume_provided = (d.getVar("ASSUME_PROVIDED") or "").split()
134 if pn in assume_provided:
135 for p in d.getVar("PROVIDES").split():
136 if p != pn:
137 pn = p
138 break
139
140 # glibc-locale: do_fetch, do_unpack and do_patch tasks have been deleted,
141 # so avoid archiving source here.
142 if pn.startswith('glibc-locale'):
143 return False
144 if d.getVar('PN') == "libtool-cross":
145 return False
146 if d.getVar('PN') == "libgcc-initial":
147 return False
148 if d.getVar('PN') == "shadow-sysroot":
149 return False
150
151 # We just archive gcc-source for all the gcc related recipes
152 if d.getVar('BPN') in ['gcc', 'libgcc']:
153 bb.debug(1, 'spdx: There is bug in scan of %s is, do nothing' % pn)
154 return False
155
156 return True
157
158
159def add_package_files(d, doc, spdx_pkg, topdir, get_spdxid, get_types, *, archive=None, ignore_dirs=[], ignore_top_level_dirs=[]):
160 from pathlib import Path
161 import oe.spdx
162 import hashlib
163
164 source_date_epoch = d.getVar("SOURCE_DATE_EPOCH")
165 if source_date_epoch:
166 source_date_epoch = int(source_date_epoch)
167
168 sha1s = []
169 spdx_files = []
170
171 file_counter = 1
172 for subdir, dirs, files in os.walk(topdir):
173 dirs[:] = [d for d in dirs if d not in ignore_dirs]
174 if subdir == str(topdir):
175 dirs[:] = [d for d in dirs if d not in ignore_top_level_dirs]
176
177 for file in files:
178 filepath = Path(subdir) / file
179 filename = str(filepath.relative_to(topdir))
180
181 if filepath.is_file() and not filepath.is_symlink():
182 spdx_file = oe.spdx.SPDXFile()
183 spdx_file.SPDXID = get_spdxid(file_counter)
184 for t in get_types(filepath):
185 spdx_file.fileTypes.append(t)
186 spdx_file.fileName = filename
187
188 if archive is not None:
189 with filepath.open("rb") as f:
190 info = archive.gettarinfo(fileobj=f)
191 info.name = filename
192 info.uid = 0
193 info.gid = 0
194 info.uname = "root"
195 info.gname = "root"
196
197 if source_date_epoch is not None and info.mtime > source_date_epoch:
198 info.mtime = source_date_epoch
199
200 archive.addfile(info, f)
201
202 sha1 = bb.utils.sha1_file(filepath)
203 sha1s.append(sha1)
204 spdx_file.checksums.append(oe.spdx.SPDXChecksum(
205 algorithm="SHA1",
206 checksumValue=sha1,
207 ))
208 spdx_file.checksums.append(oe.spdx.SPDXChecksum(
209 algorithm="SHA256",
210 checksumValue=bb.utils.sha256_file(filepath),
211 ))
212
213 doc.files.append(spdx_file)
214 doc.add_relationship(spdx_pkg, "CONTAINS", spdx_file)
215 spdx_pkg.hasFiles.append(spdx_file.SPDXID)
216
217 spdx_files.append(spdx_file)
218
219 file_counter += 1
220
221 sha1s.sort()
222 verifier = hashlib.sha1()
223 for v in sha1s:
224 verifier.update(v.encode("utf-8"))
225 spdx_pkg.packageVerificationCode.packageVerificationCodeValue = verifier.hexdigest()
226
227 return spdx_files
228
229
230def add_package_sources_from_debug(d, package_doc, spdx_package, package, package_files, sources):
231 from pathlib import Path
232 import hashlib
233 import oe.packagedata
234 import oe.spdx
235
236 debug_search_paths = [
237 Path(d.getVar('PKGD')),
238 Path(d.getVar('STAGING_DIR_TARGET')),
239 Path(d.getVar('STAGING_DIR_NATIVE')),
240 ]
241
242 pkg_data = oe.packagedata.read_subpkgdata_extended(package, d)
243
244 if pkg_data is None:
245 return
246
247 for file_path, file_data in pkg_data["files_info"].items():
248 if not "debugsrc" in file_data:
249 continue
250
251 for pkg_file in package_files:
252 if file_path.lstrip("/") == pkg_file.fileName.lstrip("/"):
253 break
254 else:
255 bb.fatal("No package file found for %s" % str(file_path))
256 continue
257
258 for debugsrc in file_data["debugsrc"]:
259 ref_id = "NOASSERTION"
260 for search in debug_search_paths:
261 debugsrc_path = search / debugsrc.lstrip("/")
262 if not debugsrc_path.exists():
263 continue
264
265 file_sha256 = bb.utils.sha256_file(debugsrc_path)
266
267 if file_sha256 in sources:
268 source_file = sources[file_sha256]
269
270 doc_ref = package_doc.find_external_document_ref(source_file.doc.documentNamespace)
271 if doc_ref is None:
272 doc_ref = oe.spdx.SPDXExternalDocumentRef()
273 doc_ref.externalDocumentId = "DocumentRef-dependency-" + source_file.doc.name
274 doc_ref.spdxDocument = source_file.doc.documentNamespace
275 doc_ref.checksum.algorithm = "SHA1"
276 doc_ref.checksum.checksumValue = source_file.doc_sha1
277 package_doc.externalDocumentRefs.append(doc_ref)
278
279 ref_id = "%s:%s" % (doc_ref.externalDocumentId, source_file.file.SPDXID)
280 else:
281 bb.debug(1, "Debug source %s with SHA256 %s not found in any dependency" % (str(debugsrc_path), file_sha256))
282 break
283 else:
284 bb.debug(1, "Debug source %s not found" % debugsrc)
285
286 package_doc.add_relationship(pkg_file, "GENERATED_FROM", ref_id, comment=debugsrc)
287
288def collect_dep_recipes(d, doc, spdx_recipe):
289 from pathlib import Path
290 import oe.sbom
291 import oe.spdx
292
293 deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
294
295 dep_recipes = []
296 taskdepdata = d.getVar("BB_TASKDEPDATA", False)
297 deps = sorted(set(
298 dep[0] for dep in taskdepdata.values() if
299 dep[1] == "do_create_spdx" and dep[0] != d.getVar("PN")
300 ))
301 for dep_pn in deps:
302 dep_recipe_path = deploy_dir_spdx / "recipes" / ("recipe-%s.spdx.json" % dep_pn)
303
304 spdx_dep_doc, spdx_dep_sha1 = oe.sbom.read_doc(dep_recipe_path)
305
306 for pkg in spdx_dep_doc.packages:
307 if pkg.name == dep_pn:
308 spdx_dep_recipe = pkg
309 break
310 else:
311 continue
312
313 dep_recipes.append(oe.sbom.DepRecipe(spdx_dep_doc, spdx_dep_sha1, spdx_dep_recipe))
314
315 dep_recipe_ref = oe.spdx.SPDXExternalDocumentRef()
316 dep_recipe_ref.externalDocumentId = "DocumentRef-dependency-" + spdx_dep_doc.name
317 dep_recipe_ref.spdxDocument = spdx_dep_doc.documentNamespace
318 dep_recipe_ref.checksum.algorithm = "SHA1"
319 dep_recipe_ref.checksum.checksumValue = spdx_dep_sha1
320
321 doc.externalDocumentRefs.append(dep_recipe_ref)
322
323 doc.add_relationship(
324 "%s:%s" % (dep_recipe_ref.externalDocumentId, spdx_dep_recipe.SPDXID),
325 "BUILD_DEPENDENCY_OF",
326 spdx_recipe
327 )
328
329 return dep_recipes
330
331collect_dep_recipes[vardepsexclude] += "BB_TASKDEPDATA"
332
333
334def collect_dep_sources(d, dep_recipes):
335 import oe.sbom
336
337 sources = {}
338 for dep in dep_recipes:
339 recipe_files = set(dep.recipe.hasFiles)
340
341 for spdx_file in dep.doc.files:
342 if spdx_file.SPDXID not in recipe_files:
343 continue
344
345 if "SOURCE" in spdx_file.fileTypes:
346 for checksum in spdx_file.checksums:
347 if checksum.algorithm == "SHA256":
348 sources[checksum.checksumValue] = oe.sbom.DepSource(dep.doc, dep.doc_sha1, dep.recipe, spdx_file)
349 break
350
351 return sources
352
353
354python do_create_spdx() {
355 from datetime import datetime, timezone
356 import oe.sbom
357 import oe.spdx
358 import uuid
359 from pathlib import Path
360 from contextlib import contextmanager
361 import oe.cve_check
362
363 @contextmanager
364 def optional_tarfile(name, guard, mode="w"):
365 import tarfile
366 import bb.compress.zstd
367
368 num_threads = int(d.getVar("BB_NUMBER_THREADS"))
369
370 if guard:
371 name.parent.mkdir(parents=True, exist_ok=True)
372 with bb.compress.zstd.open(name, mode=mode + "b", num_threads=num_threads) as f:
373 with tarfile.open(fileobj=f, mode=mode + "|") as tf:
374 yield tf
375 else:
376 yield None
377
378
379 deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
380 spdx_workdir = Path(d.getVar("SPDXWORK"))
381 include_packaged = d.getVar("SPDX_INCLUDE_PACKAGED") == "1"
382 include_sources = d.getVar("SPDX_INCLUDE_SOURCES") == "1"
383 archive_sources = d.getVar("SPDX_ARCHIVE_SOURCES") == "1"
384 archive_packaged = d.getVar("SPDX_ARCHIVE_PACKAGED") == "1"
385 is_native = bb.data.inherits_class("native", d)
386
387 creation_time = datetime.now(tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
388
389 doc = oe.spdx.SPDXDocument()
390
391 doc.name = "recipe-" + d.getVar("PN")
392 doc.documentNamespace = get_doc_namespace(d, doc)
393 doc.creationInfo.created = creation_time
394 doc.creationInfo.comment = "This document was created by analyzing recipe files during the build."
395 doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]
396 doc.creationInfo.creators.append("Tool: OpenEmbedded Core create-spdx.bbclass")
397 doc.creationInfo.creators.append("Organization: OpenEmbedded ()")
398 doc.creationInfo.creators.append("Person: N/A ()")
399
400 recipe = oe.spdx.SPDXPackage()
401 recipe.name = d.getVar("PN")
402 recipe.versionInfo = d.getVar("PV")
403 recipe.SPDXID = oe.sbom.get_recipe_spdxid(d)
404
405 for s in d.getVar('SRC_URI').split():
406 if not s.startswith("file://"):
407 recipe.downloadLocation = s
408 break
409 else:
410 recipe.downloadLocation = "NOASSERTION"
411
412 homepage = d.getVar("HOMEPAGE")
413 if homepage:
414 recipe.homepage = homepage
415
416 license = d.getVar("LICENSE")
417 if license:
418 recipe.licenseDeclared = convert_license_to_spdx(license, doc, d)
419
420 summary = d.getVar("SUMMARY")
421 if summary:
422 recipe.summary = summary
423
424 description = d.getVar("DESCRIPTION")
425 if description:
426 recipe.description = description
427
428 # Some CVEs may be patched during the build process without incrementing the version number,
429 # so querying for CVEs based on the CPE id can lead to false positives. To account for this,
430 # save the CVEs fixed by patches to source information field in the SPDX.
431 patched_cves = oe.cve_check.get_patched_cves(d)
432 patched_cves = list(patched_cves)
433 patched_cves = ' '.join(patched_cves)
434 if patched_cves:
435 recipe.sourceInfo = "CVEs fixed: " + patched_cves
436
437 cpe_ids = oe.cve_check.get_cpe_ids(d.getVar("CVE_PRODUCT"), d.getVar("CVE_VERSION"))
438 if cpe_ids:
439 for cpe_id in cpe_ids:
440 cpe = oe.spdx.SPDXExternalReference()
441 cpe.referenceCategory = "SECURITY"
442 cpe.referenceType = "http://spdx.org/rdf/references/cpe23Type"
443 cpe.referenceLocator = cpe_id
444 recipe.externalRefs.append(cpe)
445
446 doc.packages.append(recipe)
447 doc.add_relationship(doc, "DESCRIBES", recipe)
448
449 if process_sources(d) and include_sources:
450 recipe_archive = deploy_dir_spdx / "recipes" / (doc.name + ".tar.zst")
451 with optional_tarfile(recipe_archive, archive_sources) as archive:
452 spdx_get_src(d)
453
454 add_package_files(
455 d,
456 doc,
457 recipe,
458 spdx_workdir,
459 lambda file_counter: "SPDXRef-SourceFile-%s-%d" % (d.getVar("PN"), file_counter),
460 lambda filepath: ["SOURCE"],
461 ignore_dirs=[".git"],
462 ignore_top_level_dirs=["temp"],
463 archive=archive,
464 )
465
466 if archive is not None:
467 recipe.packageFileName = str(recipe_archive.name)
468
469 dep_recipes = collect_dep_recipes(d, doc, recipe)
470
471 doc_sha1 = oe.sbom.write_doc(d, doc, "recipes")
472 dep_recipes.append(oe.sbom.DepRecipe(doc, doc_sha1, recipe))
473
474 recipe_ref = oe.spdx.SPDXExternalDocumentRef()
475 recipe_ref.externalDocumentId = "DocumentRef-recipe-" + recipe.name
476 recipe_ref.spdxDocument = doc.documentNamespace
477 recipe_ref.checksum.algorithm = "SHA1"
478 recipe_ref.checksum.checksumValue = doc_sha1
479
480 sources = collect_dep_sources(d, dep_recipes)
481 found_licenses = {license.name:recipe_ref.externalDocumentId + ":" + license.licenseId for license in doc.hasExtractedLicensingInfos}
482
483 if not is_native:
484 bb.build.exec_func("read_subpackage_metadata", d)
485
486 pkgdest = Path(d.getVar("PKGDEST"))
487 for package in d.getVar("PACKAGES").split():
488 if not oe.packagedata.packaged(package, d):
489 continue
490
491 package_doc = oe.spdx.SPDXDocument()
492 pkg_name = d.getVar("PKG:%s" % package) or package
493 package_doc.name = pkg_name
494 package_doc.documentNamespace = get_doc_namespace(d, package_doc)
495 package_doc.creationInfo.created = creation_time
496 package_doc.creationInfo.comment = "This document was created by analyzing packages created during the build."
497 package_doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]
498 package_doc.creationInfo.creators.append("Tool: OpenEmbedded Core create-spdx.bbclass")
499 package_doc.creationInfo.creators.append("Organization: OpenEmbedded ()")
500 package_doc.creationInfo.creators.append("Person: N/A ()")
501 package_doc.externalDocumentRefs.append(recipe_ref)
502
503 package_license = d.getVar("LICENSE:%s" % package) or d.getVar("LICENSE")
504
505 spdx_package = oe.spdx.SPDXPackage()
506
507 spdx_package.SPDXID = oe.sbom.get_package_spdxid(pkg_name)
508 spdx_package.name = pkg_name
509 spdx_package.versionInfo = d.getVar("PV")
510 spdx_package.licenseDeclared = convert_license_to_spdx(package_license, package_doc, d, found_licenses)
511
512 package_doc.packages.append(spdx_package)
513
514 package_doc.add_relationship(spdx_package, "GENERATED_FROM", "%s:%s" % (recipe_ref.externalDocumentId, recipe.SPDXID))
515 package_doc.add_relationship(package_doc, "DESCRIBES", spdx_package)
516
517 package_archive = deploy_dir_spdx / "packages" / (package_doc.name + ".tar.zst")
518 with optional_tarfile(package_archive, archive_packaged) as archive:
519 package_files = add_package_files(
520 d,
521 package_doc,
522 spdx_package,
523 pkgdest / package,
524 lambda file_counter: oe.sbom.get_packaged_file_spdxid(pkg_name, file_counter),
525 lambda filepath: ["BINARY"],
526 archive=archive,
527 )
528
529 if archive is not None:
530 spdx_package.packageFileName = str(package_archive.name)
531
532 add_package_sources_from_debug(d, package_doc, spdx_package, package, package_files, sources)
533
534 oe.sbom.write_doc(d, package_doc, "packages")
535}
536# NOTE: depending on do_unpack is a hack that is necessary to get it's dependencies for archive the source
537addtask do_create_spdx after do_package do_packagedata do_unpack before do_build do_rm_work
538
539SSTATETASKS += "do_create_spdx"
540do_create_spdx[sstate-inputdirs] = "${SPDXDEPLOY}"
541do_create_spdx[sstate-outputdirs] = "${DEPLOY_DIR_SPDX}"
542
543python do_create_spdx_setscene () {
544 sstate_setscene(d)
545}
546addtask do_create_spdx_setscene
547
548do_create_spdx[dirs] = "${SPDXDEPLOY} ${SPDXWORK}"
549do_create_spdx[cleandirs] = "${SPDXDEPLOY} ${SPDXWORK}"
550do_create_spdx[depends] += "${PATCHDEPENDENCY}"
551do_create_spdx[deptask] = "do_create_spdx"
552
553def collect_package_providers(d):
554 from pathlib import Path
555 import oe.sbom
556 import oe.spdx
557 import json
558
559 deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
560
561 providers = {}
562
563 taskdepdata = d.getVar("BB_TASKDEPDATA", False)
564 deps = sorted(set(
565 dep[0] for dep in taskdepdata.values() if dep[0] != d.getVar("PN")
566 ))
567 deps.append(d.getVar("PN"))
568
569 for dep_pn in deps:
570 recipe_data = oe.packagedata.read_pkgdata(dep_pn, d)
571
572 for pkg in recipe_data.get("PACKAGES", "").split():
573
574 pkg_data = oe.packagedata.read_subpkgdata_dict(pkg, d)
575 rprovides = set(n for n, _ in bb.utils.explode_dep_versions2(pkg_data.get("RPROVIDES", "")).items())
576 rprovides.add(pkg)
577
578 for r in rprovides:
579 providers[r] = pkg
580
581 return providers
582
583collect_package_providers[vardepsexclude] += "BB_TASKDEPDATA"
584
585python do_create_runtime_spdx() {
586 from datetime import datetime, timezone
587 import oe.sbom
588 import oe.spdx
589 import oe.packagedata
590 from pathlib import Path
591
592 deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
593 spdx_deploy = Path(d.getVar("SPDXRUNTIMEDEPLOY"))
594 is_native = bb.data.inherits_class("native", d)
595
596 creation_time = datetime.now(tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
597
598 providers = collect_package_providers(d)
599
600 if not is_native:
601 bb.build.exec_func("read_subpackage_metadata", d)
602
603 dep_package_cache = {}
604
605 pkgdest = Path(d.getVar("PKGDEST"))
606 for package in d.getVar("PACKAGES").split():
607 localdata = bb.data.createCopy(d)
608 pkg_name = d.getVar("PKG:%s" % package) or package
609 localdata.setVar("PKG", pkg_name)
610 localdata.setVar('OVERRIDES', d.getVar("OVERRIDES", False) + ":" + package)
611
612 if not oe.packagedata.packaged(package, localdata):
613 continue
614
615 pkg_spdx_path = deploy_dir_spdx / "packages" / (pkg_name + ".spdx.json")
616
617 package_doc, package_doc_sha1 = oe.sbom.read_doc(pkg_spdx_path)
618
619 for p in package_doc.packages:
620 if p.name == pkg_name:
621 spdx_package = p
622 break
623 else:
624 bb.fatal("Package '%s' not found in %s" % (pkg_name, pkg_spdx_path))
625
626 runtime_doc = oe.spdx.SPDXDocument()
627 runtime_doc.name = "runtime-" + pkg_name
628 runtime_doc.documentNamespace = get_doc_namespace(localdata, runtime_doc)
629 runtime_doc.creationInfo.created = creation_time
630 runtime_doc.creationInfo.comment = "This document was created by analyzing package runtime dependencies."
631 runtime_doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]
632 runtime_doc.creationInfo.creators.append("Tool: OpenEmbedded Core create-spdx.bbclass")
633 runtime_doc.creationInfo.creators.append("Organization: OpenEmbedded ()")
634 runtime_doc.creationInfo.creators.append("Person: N/A ()")
635
636 package_ref = oe.spdx.SPDXExternalDocumentRef()
637 package_ref.externalDocumentId = "DocumentRef-package-" + package
638 package_ref.spdxDocument = package_doc.documentNamespace
639 package_ref.checksum.algorithm = "SHA1"
640 package_ref.checksum.checksumValue = package_doc_sha1
641
642 runtime_doc.externalDocumentRefs.append(package_ref)
643
644 runtime_doc.add_relationship(
645 runtime_doc.SPDXID,
646 "AMENDS",
647 "%s:%s" % (package_ref.externalDocumentId, package_doc.SPDXID)
648 )
649
650 deps = bb.utils.explode_dep_versions2(localdata.getVar("RDEPENDS") or "")
651 seen_deps = set()
652 for dep, _ in deps.items():
653 if dep in seen_deps:
654 continue
655
656 dep = providers[dep]
657
658 if not oe.packagedata.packaged(dep, localdata):
659 continue
660
661 dep_pkg_data = oe.packagedata.read_subpkgdata_dict(dep, d)
662 dep_pkg = dep_pkg_data["PKG"]
663
664 if dep in dep_package_cache:
665 (dep_spdx_package, dep_package_ref) = dep_package_cache[dep]
666 else:
667 dep_path = deploy_dir_spdx / "packages" / ("%s.spdx.json" % dep_pkg)
668
669 spdx_dep_doc, spdx_dep_sha1 = oe.sbom.read_doc(dep_path)
670
671 for pkg in spdx_dep_doc.packages:
672 if pkg.name == dep_pkg:
673 dep_spdx_package = pkg
674 break
675 else:
676 bb.fatal("Package '%s' not found in %s" % (dep_pkg, dep_path))
677
678 dep_package_ref = oe.spdx.SPDXExternalDocumentRef()
679 dep_package_ref.externalDocumentId = "DocumentRef-runtime-dependency-" + spdx_dep_doc.name
680 dep_package_ref.spdxDocument = spdx_dep_doc.documentNamespace
681 dep_package_ref.checksum.algorithm = "SHA1"
682 dep_package_ref.checksum.checksumValue = spdx_dep_sha1
683
684 dep_package_cache[dep] = (dep_spdx_package, dep_package_ref)
685
686 runtime_doc.externalDocumentRefs.append(dep_package_ref)
687
688 runtime_doc.add_relationship(
689 "%s:%s" % (dep_package_ref.externalDocumentId, dep_spdx_package.SPDXID),
690 "RUNTIME_DEPENDENCY_OF",
691 "%s:%s" % (package_ref.externalDocumentId, spdx_package.SPDXID)
692 )
693 seen_deps.add(dep)
694
695 oe.sbom.write_doc(d, runtime_doc, "runtime", spdx_deploy)
696}
697
698addtask do_create_runtime_spdx after do_create_spdx before do_build do_rm_work
699SSTATETASKS += "do_create_runtime_spdx"
700do_create_runtime_spdx[sstate-inputdirs] = "${SPDXRUNTIMEDEPLOY}"
701do_create_runtime_spdx[sstate-outputdirs] = "${DEPLOY_DIR_SPDX}"
702
703python do_create_runtime_spdx_setscene () {
704 sstate_setscene(d)
705}
706addtask do_create_runtime_spdx_setscene
707
708do_create_runtime_spdx[dirs] = "${SPDXRUNTIMEDEPLOY}"
709do_create_runtime_spdx[cleandirs] = "${SPDXRUNTIMEDEPLOY}"
710do_create_runtime_spdx[rdeptask] = "do_create_spdx"
711
712def spdx_get_src(d):
713 """
714 save patched source of the recipe in SPDX_WORKDIR.
715 """
716 import shutil
717 spdx_workdir = d.getVar('SPDXWORK')
718 spdx_sysroot_native = d.getVar('STAGING_DIR_NATIVE')
719 pn = d.getVar('PN')
720
721 workdir = d.getVar("WORKDIR")
722
723 try:
724 # The kernel class functions require it to be on work-shared, so we dont change WORKDIR
725 if not is_work_shared(d):
726 # Change the WORKDIR to make do_unpack do_patch run in another dir.
727 d.setVar('WORKDIR', spdx_workdir)
728 # Restore the original path to recipe's native sysroot (it's relative to WORKDIR).
729 d.setVar('STAGING_DIR_NATIVE', spdx_sysroot_native)
730
731 # The changed 'WORKDIR' also caused 'B' changed, create dir 'B' for the
732 # possibly requiring of the following tasks (such as some recipes's
733 # do_patch required 'B' existed).
734 bb.utils.mkdirhier(d.getVar('B'))
735
736 bb.build.exec_func('do_unpack', d)
737 # Copy source of kernel to spdx_workdir
738 if is_work_shared(d):
739 d.setVar('WORKDIR', spdx_workdir)
740 d.setVar('STAGING_DIR_NATIVE', spdx_sysroot_native)
741 src_dir = spdx_workdir + "/" + d.getVar('PN')+ "-" + d.getVar('PV') + "-" + d.getVar('PR')
742 bb.utils.mkdirhier(src_dir)
743 if bb.data.inherits_class('kernel',d):
744 share_src = d.getVar('STAGING_KERNEL_DIR')
745 cmd_copy_share = "cp -rf " + share_src + "/* " + src_dir + "/"
746 cmd_copy_kernel_result = os.popen(cmd_copy_share).read()
747 bb.note("cmd_copy_kernel_result = " + cmd_copy_kernel_result)
748
749 git_path = src_dir + "/.git"
750 if os.path.exists(git_path):
751 shutils.rmtree(git_path)
752
753 # Make sure gcc and kernel sources are patched only once
754 if not (d.getVar('SRC_URI') == "" or is_work_shared(d)):
755 bb.build.exec_func('do_patch', d)
756
757 # Some userland has no source.
758 if not os.path.exists( spdx_workdir ):
759 bb.utils.mkdirhier(spdx_workdir)
760 finally:
761 d.setVar("WORKDIR", workdir)
762
763do_rootfs[recrdeptask] += "do_create_spdx do_create_runtime_spdx"
764
765ROOTFS_POSTUNINSTALL_COMMAND =+ "image_combine_spdx ; "
766python image_combine_spdx() {
767 import os
768 import oe.spdx
769 import oe.sbom
770 import io
771 import json
772 from oe.rootfs import image_list_installed_packages
773 from datetime import timezone, datetime
774 from pathlib import Path
775 import tarfile
776 import bb.compress.zstd
777
778 creation_time = datetime.now(tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
779 image_name = d.getVar("IMAGE_NAME")
780 image_link_name = d.getVar("IMAGE_LINK_NAME")
781
782 deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
783 imgdeploydir = Path(d.getVar("IMGDEPLOYDIR"))
784 source_date_epoch = d.getVar("SOURCE_DATE_EPOCH")
785
786 doc = oe.spdx.SPDXDocument()
787 doc.name = image_name
788 doc.documentNamespace = get_doc_namespace(d, doc)
789 doc.creationInfo.created = creation_time
790 doc.creationInfo.comment = "This document was created by analyzing the source of the Yocto recipe during the build."
791 doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]
792 doc.creationInfo.creators.append("Tool: OpenEmbedded Core create-spdx.bbclass")
793 doc.creationInfo.creators.append("Organization: OpenEmbedded ()")
794 doc.creationInfo.creators.append("Person: N/A ()")
795
796 image = oe.spdx.SPDXPackage()
797 image.name = d.getVar("PN")
798 image.versionInfo = d.getVar("PV")
799 image.SPDXID = oe.sbom.get_image_spdxid(image_name)
800
801 doc.packages.append(image)
802
803 spdx_package = oe.spdx.SPDXPackage()
804
805 packages = image_list_installed_packages(d)
806
807 for name in sorted(packages.keys()):
808 pkg_spdx_path = deploy_dir_spdx / "packages" / (name + ".spdx.json")
809 pkg_doc, pkg_doc_sha1 = oe.sbom.read_doc(pkg_spdx_path)
810
811 for p in pkg_doc.packages:
812 if p.name == name:
813 pkg_ref = oe.spdx.SPDXExternalDocumentRef()
814 pkg_ref.externalDocumentId = "DocumentRef-%s" % pkg_doc.name
815 pkg_ref.spdxDocument = pkg_doc.documentNamespace
816 pkg_ref.checksum.algorithm = "SHA1"
817 pkg_ref.checksum.checksumValue = pkg_doc_sha1
818
819 doc.externalDocumentRefs.append(pkg_ref)
820 doc.add_relationship(image, "CONTAINS", "%s:%s" % (pkg_ref.externalDocumentId, p.SPDXID))
821 break
822 else:
823 bb.fatal("Unable to find package with name '%s' in SPDX file %s" % (name, pkg_spdx_path))
824
825 runtime_spdx_path = deploy_dir_spdx / "runtime" / ("runtime-" + name + ".spdx.json")
826 runtime_doc, runtime_doc_sha1 = oe.sbom.read_doc(runtime_spdx_path)
827
828 runtime_ref = oe.spdx.SPDXExternalDocumentRef()
829 runtime_ref.externalDocumentId = "DocumentRef-%s" % runtime_doc.name
830 runtime_ref.spdxDocument = runtime_doc.documentNamespace
831 runtime_ref.checksum.algorithm = "SHA1"
832 runtime_ref.checksum.checksumValue = runtime_doc_sha1
833
834 # "OTHER" isn't ideal here, but I can't find a relationship that makes sense
835 doc.externalDocumentRefs.append(runtime_ref)
836 doc.add_relationship(
837 image,
838 "OTHER",
839 "%s:%s" % (runtime_ref.externalDocumentId, runtime_doc.SPDXID),
840 comment="Runtime dependencies for %s" % name
841 )
842
843 image_spdx_path = imgdeploydir / (image_name + ".spdx.json")
844
845 with image_spdx_path.open("wb") as f:
846 doc.to_json(f, sort_keys=True)
847
848 image_spdx_link = imgdeploydir / (image_link_name + ".spdx.json")
849 image_spdx_link.symlink_to(os.path.relpath(image_spdx_path, image_spdx_link.parent))
850
851 num_threads = int(d.getVar("BB_NUMBER_THREADS"))
852
853 visited_docs = set()
854
855 index = {"documents": []}
856
857 spdx_tar_path = imgdeploydir / (image_name + ".spdx.tar.zst")
858 with bb.compress.zstd.open(spdx_tar_path, "w", num_threads=num_threads) as f:
859 with tarfile.open(fileobj=f, mode="w|") as tar:
860 def collect_spdx_document(path):
861 nonlocal tar
862 nonlocal deploy_dir_spdx
863 nonlocal source_date_epoch
864 nonlocal index
865
866 if path in visited_docs:
867 return
868
869 visited_docs.add(path)
870
871 with path.open("rb") as f:
872 doc, sha1 = oe.sbom.read_doc(f)
873 f.seek(0)
874
875 if doc.documentNamespace in visited_docs:
876 return
877
878 bb.note("Adding SPDX document %s" % path)
879 visited_docs.add(doc.documentNamespace)
880 info = tar.gettarinfo(fileobj=f)
881
882 info.name = doc.name + ".spdx.json"
883 info.uid = 0
884 info.gid = 0
885 info.uname = "root"
886 info.gname = "root"
887
888 if source_date_epoch is not None and info.mtime > int(source_date_epoch):
889 info.mtime = int(source_date_epoch)
890
891 tar.addfile(info, f)
892
893 index["documents"].append({
894 "filename": info.name,
895 "documentNamespace": doc.documentNamespace,
896 "sha1": sha1,
897 })
898
899 for ref in doc.externalDocumentRefs:
900 ref_path = deploy_dir_spdx / "by-namespace" / ref.spdxDocument.replace("/", "_")
901 collect_spdx_document(ref_path)
902
903 collect_spdx_document(image_spdx_path)
904
905 index["documents"].sort(key=lambda x: x["filename"])
906
907 index_str = io.BytesIO(json.dumps(index, sort_keys=True).encode("utf-8"))
908
909 info = tarfile.TarInfo()
910 info.name = "index.json"
911 info.size = len(index_str.getvalue())
912 info.uid = 0
913 info.gid = 0
914 info.uname = "root"
915 info.gname = "root"
916
917 tar.addfile(info, fileobj=index_str)
918
919 def make_image_link(target_path, suffix):
920 link = imgdeploydir / (image_link_name + suffix)
921 link.symlink_to(os.path.relpath(target_path, link.parent))
922
923 make_image_link(spdx_tar_path, ".spdx.tar.zst")
924
925 spdx_index_path = imgdeploydir / (image_name + ".spdx.index.json")
926 with spdx_index_path.open("w") as f:
927 json.dump(index, f, sort_keys=True)
928
929 make_image_link(spdx_index_path, ".spdx.index.json")
930}
931