blob: 739b46e9b3fff77c49451534e222abf57c8ca691 [file] [log] [blame]
Andrew Geissler5199d832021-09-24 16:47:35 -05001#
2# SPDX-License-Identifier: GPL-2.0-only
3#
4
5DEPLOY_DIR_SPDX ??= "${DEPLOY_DIR}/spdx/${MACHINE}"
6
7# The product name that the CVE database uses. Defaults to BPN, but may need to
8# be overridden per recipe (for example tiff.bb sets CVE_PRODUCT=libtiff).
9CVE_PRODUCT ??= "${BPN}"
10CVE_VERSION ??= "${PV}"
11
12SPDXDIR ??= "${WORKDIR}/spdx"
13SPDXDEPLOY = "${SPDXDIR}/deploy"
14SPDXWORK = "${SPDXDIR}/work"
15
Patrick Williams93c203f2021-10-06 16:15:23 -050016SPDX_TOOL_NAME ??= "oe-spdx-creator"
17SPDX_TOOL_VERSION ??= "1.0"
18
Andrew Geissler5199d832021-09-24 16:47:35 -050019SPDXRUNTIMEDEPLOY = "${SPDXDIR}/runtime-deploy"
20
21SPDX_INCLUDE_SOURCES ??= "0"
22SPDX_INCLUDE_PACKAGED ??= "0"
23SPDX_ARCHIVE_SOURCES ??= "0"
24SPDX_ARCHIVE_PACKAGED ??= "0"
25
26SPDX_UUID_NAMESPACE ??= "sbom.openembedded.org"
27SPDX_NAMESPACE_PREFIX ??= "http://spdx.org/spdxdoc"
28
29SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json"
30
31do_image_complete[depends] = "virtual/kernel:do_create_spdx"
32
def get_doc_namespace(d, doc):
    """Build the SPDX document namespace URI for ``doc``.

    The result has the form ``<SPDX_NAMESPACE_PREFIX>/<doc.name>-<uuid>``.
    The UUID is a version-5 UUID of ``doc.name`` computed inside a namespace
    that is itself the version-5 DNS UUID of SPDX_UUID_NAMESPACE, so the same
    document name always yields the same namespace.
    """
    import uuid

    base_uuid = uuid.uuid5(uuid.NAMESPACE_DNS, d.getVar("SPDX_UUID_NAMESPACE"))
    prefix = d.getVar("SPDX_NAMESPACE_PREFIX")
    doc_uuid = uuid.uuid5(base_uuid, doc.name)
    return "%s/%s-%s" % (prefix, doc.name, str(doc_uuid))
37
def recipe_spdx_is_native(d, recipe):
    """Tell whether an SPDX recipe package was marked as native.

    A recipe counts as native when one of its annotations has type "OTHER",
    was written by this tool (SPDX_TOOL_NAME / SPDX_TOOL_VERSION) and carries
    the comment "isNative".
    """
    tool_annotator = "Tool: %s - %s" % (d.getVar("SPDX_TOOL_NAME"), d.getVar("SPDX_TOOL_VERSION"))
    for note in recipe.annotations:
        if note.annotationType != "OTHER":
            continue
        if note.annotator == tool_annotator and note.comment == "isNative":
            return True
    return False
Andrew Geissler5199d832021-09-24 16:47:35 -050042
def is_work_shared(d):
    """Return a truthy value for recipes treated as using shared work sources.

    That is the case when the recipe inherits the ``kernel`` class or when
    its PN starts with "gcc-source".
    """
    pn = d.getVar('PN')
    inherits_kernel = bb.data.inherits_class('kernel', d)
    if inherits_kernel:
        return inherits_kernel
    return pn.startswith('gcc-source')
46
47
python() {
    # Anonymous function: load the SPDX license list from SPDX_LICENSES into
    # SPDX_LICENSE_DATA, unless that variable has already been populated.
    import json

    if not d.getVar("SPDX_LICENSE_DATA"):
        with open(d.getVar("SPDX_LICENSES"), "r") as license_file:
            license_data = json.load(license_file)

        # Re-key the license array by licenseId so lookups are direct.
        license_data["licenses"] = dict(
            (entry["licenseId"], entry) for entry in license_data["licenses"]
        )
        d.setVar("SPDX_LICENSE_DATA", license_data)
}
59
def convert_license_to_spdx(lic, document, d, existing=None):
    """Convert an OpenEmbedded LICENSE expression to an SPDX license expression.

    Parameters:
        lic: the license expression, using "&", "|" and parentheses.
        document: SPDX document; an extracted-licensing-info entry is appended
            to ``document.hasExtractedLicensingInfos`` for every license that
            has to be emitted as a new "LicenseRef-" identifier.
        d: the datastore.
        existing: optional mapping of license name to an already known
            license reference; names found here are reused instead of
            creating a new "LicenseRef-" entry.

    Returns:
        The converted expression as a single space-separated string.

    Problems locating license text are reported with bb.error(); the entry is
    still added, with its extractedText left as None.
    """
    from pathlib import Path
    import oe.spdx

    # A fresh dict per call instead of a shared mutable default argument.
    if existing is None:
        existing = {}

    available_licenses = set(d.getVar("AVAILABLE_LICENSES").split())
    license_data = d.getVar("SPDX_LICENSE_DATA")
    extracted = {}

    def add_extracted_license(ident, name):
        # Record each non-SPDX license only once per call.
        if name in extracted:
            return

        extracted_info = oe.spdx.SPDXExtractedLicensingInfo()
        extracted_info.name = name
        extracted_info.licenseId = ident
        extracted_info.extractedText = None

        if name == "PD":
            # Special-case this.
            extracted_info.extractedText = "Software released to the public domain"
        elif name in available_licenses:
            # This license can be found in COMMON_LICENSE_DIR or LICENSE_PATH
            for directory in [d.getVar('COMMON_LICENSE_DIR')] + d.getVar('LICENSE_PATH').split():
                try:
                    with (Path(directory) / name).open(errors="replace") as f:
                        extracted_info.extractedText = f.read()
                    break
                except FileNotFoundError:
                    pass
            if extracted_info.extractedText is None:
                # Error out, as the license was in available_licenses so should
                # be on disk somewhere.
                bb.error("Cannot find text for license %s" % name)
        else:
            # If it's not SPDX, or PD, or in available licenses, then NO_GENERIC_LICENSE must be set
            filename = d.getVarFlag('NO_GENERIC_LICENSE', name)
            if filename:
                filename = d.expand("${S}/" + filename)
                with open(filename, errors="replace") as f:
                    extracted_info.extractedText = f.read()
            else:
                bb.error("Cannot find any text for license %s" % name)

        extracted[name] = extracted_info
        document.hasExtractedLicensingInfos.append(extracted_info)

    # Tokens that translate directly, without any license lookup.
    fixed_tokens = {
        "(": "(",
        ")": ")",
        "&": "AND",
        "|": "OR",
        "CLOSED": "NONE",
    }

    def convert(l):
        if l in fixed_tokens:
            return fixed_tokens[l]

        # Prefer the SPDXLICENSEMAP translation when it names a known SPDX license.
        spdx_license = d.getVarFlag("SPDXLICENSEMAP", l) or l
        if spdx_license in license_data["licenses"]:
            return spdx_license

        try:
            spdx_license = existing[l]
        except KeyError:
            spdx_license = "LicenseRef-" + l
            add_extracted_license(spdx_license, l)

        return spdx_license

    # Pad parentheses with spaces so they split into their own tokens.
    lic_split = lic.replace("(", " ( ").replace(")", " ) ").split()

    return ' '.join(convert(l) for l in lic_split)
136
137
def process_sources(d):
    """Decide whether the sources of the current recipe should be processed.

    Returns False for recipes whose sources must be skipped (glibc-locale,
    libtool-cross, libgcc-initial, shadow-sysroot and the gcc/libgcc BPNs),
    True otherwise.
    """
    recipe_pn = d.getVar('PN')

    # When the recipe itself is listed in ASSUME_PROVIDED, use the first other
    # name from PROVIDES for the glibc-locale check and the debug message.
    pn = recipe_pn
    assume_provided = (d.getVar("ASSUME_PROVIDED") or "").split()
    if pn in assume_provided:
        for p in (d.getVar("PROVIDES") or "").split():
            if p != pn:
                pn = p
                break

    # glibc-locale: do_fetch, do_unpack and do_patch tasks have been deleted,
    # so avoid archiving source here.
    if pn.startswith('glibc-locale'):
        return False

    # These checks use the real PN, not the substituted name above.
    if recipe_pn in ("libtool-cross", "libgcc-initial", "shadow-sysroot"):
        return False

    # We just archive gcc-source for all the gcc related recipes
    if d.getVar('BPN') in ('gcc', 'libgcc'):
        bb.debug(1, 'spdx: There is a bug in the scan of %s, do nothing' % pn)
        return False

    return True
164
165
def add_package_files(d, doc, spdx_pkg, topdir, get_spdxid, get_types, *, archive=None, ignore_dirs=None, ignore_top_level_dirs=None):
    """Add every regular file below ``topdir`` to an SPDX package.

    Parameters:
        d: the datastore (SOURCE_DATE_EPOCH is read from it).
        doc: SPDX document that receives the file entries and the
            package-CONTAINS-file relationships.
        spdx_pkg: SPDX package that owns the files; its hasFiles list and
            package verification code are updated.
        topdir: directory to walk.
        get_spdxid: callable mapping a 1-based file counter to an SPDXID.
        get_types: callable mapping a file path to an iterable of file types.
        archive: optional open tar archive; when given, each file is also
            added to it with root ownership and an mtime clamped to
            SOURCE_DATE_EPOCH.
        ignore_dirs: directory names skipped at any depth.
        ignore_top_level_dirs: directory names skipped directly below topdir.

    Returns:
        The list of SPDX file objects that were created.

    Symlinks and non-regular files are skipped. Directories and files are
    visited in sorted order so that the SPDXIDs handed out by ``get_spdxid``
    do not depend on filesystem enumeration order.
    """
    from pathlib import Path
    import oe.spdx
    import hashlib
    import os

    # None defaults avoid sharing one mutable list between calls.
    ignore_dirs = ignore_dirs or ()
    ignore_top_level_dirs = ignore_top_level_dirs or ()

    # Treat an unset or empty SOURCE_DATE_EPOCH as "no clamping".
    epoch = d.getVar("SOURCE_DATE_EPOCH")
    source_date_epoch = int(epoch) if epoch else None

    sha1s = []
    spdx_files = []

    file_counter = 1
    for subdir, dirs, files in os.walk(topdir):
        at_top_level = subdir == str(topdir)
        # Assigning to dirs[:] prunes the walk in place.
        dirs[:] = sorted(
            name for name in dirs
            if name not in ignore_dirs
            and not (at_top_level and name in ignore_top_level_dirs)
        )

        for file in sorted(files):
            filepath = Path(subdir) / file
            filename = str(filepath.relative_to(topdir))

            if not filepath.is_file() or filepath.is_symlink():
                continue

            spdx_file = oe.spdx.SPDXFile()
            spdx_file.SPDXID = get_spdxid(file_counter)
            for t in get_types(filepath):
                spdx_file.fileTypes.append(t)
            spdx_file.fileName = filename

            if archive is not None:
                with filepath.open("rb") as f:
                    info = archive.gettarinfo(fileobj=f)
                    info.name = filename
                    info.uid = 0
                    info.gid = 0
                    info.uname = "root"
                    info.gname = "root"

                    if source_date_epoch is not None and info.mtime > source_date_epoch:
                        info.mtime = source_date_epoch

                    archive.addfile(info, f)

            sha1 = bb.utils.sha1_file(filepath)
            sha1s.append(sha1)
            spdx_file.checksums.append(oe.spdx.SPDXChecksum(
                algorithm="SHA1",
                checksumValue=sha1,
            ))
            spdx_file.checksums.append(oe.spdx.SPDXChecksum(
                algorithm="SHA256",
                checksumValue=bb.utils.sha256_file(filepath),
            ))

            doc.files.append(spdx_file)
            doc.add_relationship(spdx_pkg, "CONTAINS", spdx_file)
            spdx_pkg.hasFiles.append(spdx_file.SPDXID)

            spdx_files.append(spdx_file)

            file_counter += 1

    # The verification code is the SHA1 over the sorted per-file SHA1 digests.
    sha1s.sort()
    verifier = hashlib.sha1()
    for v in sha1s:
        verifier.update(v.encode("utf-8"))
    spdx_pkg.packageVerificationCode.packageVerificationCodeValue = verifier.hexdigest()

    return spdx_files
235
236
def add_package_sources_from_debug(d, package_doc, spdx_package, package, package_files, sources):
    """Link packaged files to the source files they were generated from.

    For every packaged file that has "debugsrc" entries in the extended
    package data, each debug source is looked up in PKGD and the target and
    native staging directories. The first existing candidate is hashed
    (SHA256) and matched against ``sources``; a GENERATED_FROM relationship
    is then added from the packaged file to the matching source file, or to
    "NOASSERTION" when no match is found.

    Parameters:
        d: the datastore.
        package_doc: SPDX document of the package; receives relationships and
            any external document references that are needed.
        spdx_package: SPDX package object (not used by this function).
        package: package name used to read the extended package data.
        package_files: SPDX file objects of the package.
        sources: mapping of SHA256 digest to dependency source information.

    Calls bb.fatal() when the package data lists a file with debug sources
    that is not among ``package_files``.
    """
    from pathlib import Path
    import oe.packagedata
    import oe.spdx

    pkg_data = oe.packagedata.read_subpkgdata_extended(package, d)

    if pkg_data is None:
        return

    debug_search_paths = [
        Path(d.getVar('PKGD')),
        Path(d.getVar('STAGING_DIR_TARGET')),
        Path(d.getVar('STAGING_DIR_NATIVE')),
    ]

    # Index packaged files by name once instead of scanning the list for each
    # entry; setdefault keeps the first file when names collide.
    files_by_name = {}
    for candidate in package_files:
        files_by_name.setdefault(candidate.fileName.lstrip("/"), candidate)

    for file_path, file_data in pkg_data["files_info"].items():
        if "debugsrc" not in file_data:
            continue

        pkg_file = files_by_name.get(file_path.lstrip("/"))
        if pkg_file is None:
            bb.fatal("No package file found for %s" % str(file_path))

        for debugsrc in file_data["debugsrc"]:
            ref_id = "NOASSERTION"
            for search in debug_search_paths:
                debugsrc_path = search / debugsrc.lstrip("/")
                if not debugsrc_path.exists():
                    continue

                file_sha256 = bb.utils.sha256_file(debugsrc_path)

                if file_sha256 in sources:
                    source_file = sources[file_sha256]

                    # Reuse the external reference to the source's document
                    # when the package document already has one.
                    doc_ref = package_doc.find_external_document_ref(source_file.doc.documentNamespace)
                    if doc_ref is None:
                        doc_ref = oe.spdx.SPDXExternalDocumentRef()
                        doc_ref.externalDocumentId = "DocumentRef-dependency-" + source_file.doc.name
                        doc_ref.spdxDocument = source_file.doc.documentNamespace
                        doc_ref.checksum.algorithm = "SHA1"
                        doc_ref.checksum.checksumValue = source_file.doc_sha1
                        package_doc.externalDocumentRefs.append(doc_ref)

                    ref_id = "%s:%s" % (doc_ref.externalDocumentId, source_file.file.SPDXID)
                else:
                    bb.debug(1, "Debug source %s with SHA256 %s not found in any dependency" % (str(debugsrc_path), file_sha256))
                # Only the first search path that contains the file is used.
                break
            else:
                bb.debug(1, "Debug source %s not found" % debugsrc)

            package_doc.add_relationship(pkg_file, "GENERATED_FROM", ref_id, comment=debugsrc)
294
def collect_dep_recipes(d, doc, spdx_recipe):
    """Reference the recipe SPDX documents of all build dependencies.

    Dependencies are the entries of BB_TASKDEPDATA whose task is
    "do_create_spdx" and whose name differs from PN. For each one the
    deployed "recipe-<name>.spdx.json" is read; when it contains a package
    named like the dependency, an external document reference and a
    BUILD_DEPENDENCY_OF relationship towards ``spdx_recipe`` are added to
    ``doc``.

    Returns the list of oe.sbom.DepRecipe entries for those dependencies.
    """
    from pathlib import Path
    import oe.sbom
    import oe.spdx

    deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
    taskdepdata = d.getVar("BB_TASKDEPDATA", False)

    dep_names = set()
    for entry in taskdepdata.values():
        if entry[1] == "do_create_spdx" and entry[0] != d.getVar("PN"):
            dep_names.add(entry[0])

    dep_recipes = []
    for dep_pn in sorted(dep_names):
        recipe_json = deploy_dir_spdx / "recipes" / ("recipe-%s.spdx.json" % dep_pn)
        spdx_dep_doc, spdx_dep_sha1 = oe.sbom.read_doc(recipe_json)

        # Skip documents that do not contain a package named after the recipe.
        matches = [pkg for pkg in spdx_dep_doc.packages if pkg.name == dep_pn]
        if not matches:
            continue
        spdx_dep_recipe = matches[0]

        dep_recipes.append(oe.sbom.DepRecipe(spdx_dep_doc, spdx_dep_sha1, spdx_dep_recipe))

        ext_ref = oe.spdx.SPDXExternalDocumentRef()
        ext_ref.externalDocumentId = "DocumentRef-dependency-" + spdx_dep_doc.name
        ext_ref.spdxDocument = spdx_dep_doc.documentNamespace
        ext_ref.checksum.algorithm = "SHA1"
        ext_ref.checksum.checksumValue = spdx_dep_sha1
        doc.externalDocumentRefs.append(ext_ref)

        dep_spdxid = "%s:%s" % (ext_ref.externalDocumentId, spdx_dep_recipe.SPDXID)
        doc.add_relationship(dep_spdxid, "BUILD_DEPENDENCY_OF", spdx_recipe)

    return dep_recipes
337
338collect_dep_recipes[vardepsexclude] += "BB_TASKDEPDATA"
339
340
def collect_dep_sources(d, dep_recipes):
    """Map SHA256 digests to the source files provided by dependency recipes.

    Only files that belong to the dependency's recipe package (listed in its
    hasFiles) and are typed "SOURCE" are considered. Returns a dict from the
    SHA256 checksum value to an oe.sbom.DepSource.
    """
    import oe.sbom

    sources = {}
    for dep in dep_recipes:
        # Don't collect sources from native recipes as they
        # match non-native sources also.
        if recipe_spdx_is_native(d, dep.recipe):
            continue

        owned_ids = set(dep.recipe.hasFiles)
        for spdx_file in dep.doc.files:
            if spdx_file.SPDXID not in owned_ids or "SOURCE" not in spdx_file.fileTypes:
                continue

            # Register the file under its first SHA256 checksum, if it has one.
            for checksum in spdx_file.checksums:
                if checksum.algorithm != "SHA256":
                    continue
                sources[checksum.checksumValue] = oe.sbom.DepSource(dep.doc, dep.doc_sha1, dep.recipe, spdx_file)
                break

    return sources
363
364
python do_create_spdx() {
    # Task: write the SPDX document for this recipe and, for non-native
    # recipes, one SPDX document per generated package.
    #
    # The recipe document records version, download location, homepage,
    # license, summary/description, patched CVEs and CPE identifiers. When
    # SPDX_INCLUDE_SOURCES is "1" the unpacked sources are listed too, and
    # archived alongside when SPDX_ARCHIVE_SOURCES is "1". Package documents
    # list the packaged files (archived when SPDX_ARCHIVE_PACKAGED is "1")
    # and link them back to dependency sources through debug source data.
    from datetime import datetime, timezone
    import oe.sbom
    import oe.spdx
    import oe.packagedata
    import oe.cve_check
    from pathlib import Path
    from contextlib import contextmanager

    @contextmanager
    def optional_tarfile(name, guard, mode="w"):
        # Yield a zstd-compressed streaming tar archive at `name` when `guard`
        # is true, otherwise yield None so callers can use one code path.
        import tarfile
        import bb.compress.zstd

        if not guard:
            yield None
            return

        # Only needed (and only parsed) when an archive is really written.
        num_threads = int(d.getVar("BB_NUMBER_THREADS"))

        name.parent.mkdir(parents=True, exist_ok=True)
        with bb.compress.zstd.open(name, mode=mode + "b", num_threads=num_threads) as f:
            with tarfile.open(fileobj=f, mode=mode + "|") as tf:
                yield tf

    deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
    spdx_workdir = Path(d.getVar("SPDXWORK"))
    # NOTE(review): include_packaged is read but not used in this task.
    include_packaged = d.getVar("SPDX_INCLUDE_PACKAGED") == "1"
    include_sources = d.getVar("SPDX_INCLUDE_SOURCES") == "1"
    archive_sources = d.getVar("SPDX_ARCHIVE_SOURCES") == "1"
    archive_packaged = d.getVar("SPDX_ARCHIVE_PACKAGED") == "1"

    creation_time = datetime.now(tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

    doc = oe.spdx.SPDXDocument()

    doc.name = "recipe-" + d.getVar("PN")
    doc.documentNamespace = get_doc_namespace(d, doc)
    doc.creationInfo.created = creation_time
    doc.creationInfo.comment = "This document was created by analyzing recipe files during the build."
    doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]
    doc.creationInfo.creators.append("Tool: OpenEmbedded Core create-spdx.bbclass")
    doc.creationInfo.creators.append("Organization: OpenEmbedded ()")
    doc.creationInfo.creators.append("Person: N/A ()")

    recipe = oe.spdx.SPDXPackage()
    recipe.name = d.getVar("PN")
    recipe.versionInfo = d.getVar("PV")
    recipe.SPDXID = oe.sbom.get_recipe_spdxid(d)
    if bb.data.inherits_class("native", d):
        # Mark native recipes; recipe_spdx_is_native() looks for this annotation.
        annotation = oe.spdx.SPDXAnnotation()
        annotation.annotationDate = creation_time
        annotation.annotationType = "OTHER"
        annotation.annotator = "Tool: %s - %s" % (d.getVar("SPDX_TOOL_NAME"), d.getVar("SPDX_TOOL_VERSION"))
        annotation.comment = "isNative"
        recipe.annotations.append(annotation)

    # The download location is the first SRC_URI entry that is not a local file.
    for s in d.getVar('SRC_URI').split():
        if not s.startswith("file://"):
            recipe.downloadLocation = s
            break
    else:
        recipe.downloadLocation = "NOASSERTION"

    homepage = d.getVar("HOMEPAGE")
    if homepage:
        recipe.homepage = homepage

    recipe_license = d.getVar("LICENSE")
    if recipe_license:
        recipe.licenseDeclared = convert_license_to_spdx(recipe_license, doc, d)

    summary = d.getVar("SUMMARY")
    if summary:
        recipe.summary = summary

    description = d.getVar("DESCRIPTION")
    if description:
        recipe.description = description

    # Some CVEs may be patched during the build process without incrementing the version number,
    # so querying for CVEs based on the CPE id can lead to false positives. To account for this,
    # save the CVEs fixed by patches to source information field in the SPDX.
    # Sorted so the generated document does not depend on iteration order.
    patched_cves = ' '.join(sorted(oe.cve_check.get_patched_cves(d)))
    if patched_cves:
        recipe.sourceInfo = "CVEs fixed: " + patched_cves

    cpe_ids = oe.cve_check.get_cpe_ids(d.getVar("CVE_PRODUCT"), d.getVar("CVE_VERSION"))
    if cpe_ids:
        for cpe_id in cpe_ids:
            cpe = oe.spdx.SPDXExternalReference()
            cpe.referenceCategory = "SECURITY"
            cpe.referenceType = "http://spdx.org/rdf/references/cpe23Type"
            cpe.referenceLocator = cpe_id
            recipe.externalRefs.append(cpe)

    doc.packages.append(recipe)
    doc.add_relationship(doc, "DESCRIBES", recipe)

    if process_sources(d) and include_sources:
        recipe_archive = deploy_dir_spdx / "recipes" / (doc.name + ".tar.zst")
        with optional_tarfile(recipe_archive, archive_sources) as archive:
            # Unpack and patch the sources into SPDXWORK before scanning them.
            spdx_get_src(d)

            add_package_files(
                d,
                doc,
                recipe,
                spdx_workdir,
                lambda file_counter: "SPDXRef-SourceFile-%s-%d" % (d.getVar("PN"), file_counter),
                lambda filepath: ["SOURCE"],
                ignore_dirs=[".git"],
                ignore_top_level_dirs=["temp"],
                archive=archive,
            )

            if archive is not None:
                recipe.packageFileName = str(recipe_archive.name)

    dep_recipes = collect_dep_recipes(d, doc, recipe)

    doc_sha1 = oe.sbom.write_doc(d, doc, "recipes")
    # This recipe's own sources are candidates for debug source matching too.
    dep_recipes.append(oe.sbom.DepRecipe(doc, doc_sha1, recipe))

    recipe_ref = oe.spdx.SPDXExternalDocumentRef()
    recipe_ref.externalDocumentId = "DocumentRef-recipe-" + recipe.name
    recipe_ref.spdxDocument = doc.documentNamespace
    recipe_ref.checksum.algorithm = "SHA1"
    recipe_ref.checksum.checksumValue = doc_sha1

    sources = collect_dep_sources(d, dep_recipes)
    # Licenses extracted for the recipe document are referenced from package
    # documents through the recipe's external document reference.
    found_licenses = {
        info.name: recipe_ref.externalDocumentId + ":" + info.licenseId
        for info in doc.hasExtractedLicensingInfos
    }

    if not recipe_spdx_is_native(d, recipe):
        bb.build.exec_func("read_subpackage_metadata", d)

        pkgdest = Path(d.getVar("PKGDEST"))
        for package in d.getVar("PACKAGES").split():
            if not oe.packagedata.packaged(package, d):
                continue

            package_doc = oe.spdx.SPDXDocument()
            pkg_name = d.getVar("PKG:%s" % package) or package
            package_doc.name = pkg_name
            package_doc.documentNamespace = get_doc_namespace(d, package_doc)
            package_doc.creationInfo.created = creation_time
            package_doc.creationInfo.comment = "This document was created by analyzing packages created during the build."
            package_doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]
            package_doc.creationInfo.creators.append("Tool: OpenEmbedded Core create-spdx.bbclass")
            package_doc.creationInfo.creators.append("Organization: OpenEmbedded ()")
            package_doc.creationInfo.creators.append("Person: N/A ()")
            package_doc.externalDocumentRefs.append(recipe_ref)

            package_license = d.getVar("LICENSE:%s" % package) or d.getVar("LICENSE")

            spdx_package = oe.spdx.SPDXPackage()

            spdx_package.SPDXID = oe.sbom.get_package_spdxid(pkg_name)
            spdx_package.name = pkg_name
            spdx_package.versionInfo = d.getVar("PV")
            spdx_package.licenseDeclared = convert_license_to_spdx(package_license, package_doc, d, found_licenses)

            package_doc.packages.append(spdx_package)

            package_doc.add_relationship(spdx_package, "GENERATED_FROM", "%s:%s" % (recipe_ref.externalDocumentId, recipe.SPDXID))
            package_doc.add_relationship(package_doc, "DESCRIBES", spdx_package)

            package_archive = deploy_dir_spdx / "packages" / (package_doc.name + ".tar.zst")
            with optional_tarfile(package_archive, archive_packaged) as archive:
                package_files = add_package_files(
                    d,
                    package_doc,
                    spdx_package,
                    pkgdest / package,
                    lambda file_counter: oe.sbom.get_packaged_file_spdxid(pkg_name, file_counter),
                    lambda filepath: ["BINARY"],
                    archive=archive,
                )

                if archive is not None:
                    spdx_package.packageFileName = str(package_archive.name)

                add_package_sources_from_debug(d, package_doc, spdx_package, package, package_files, sources)

            oe.sbom.write_doc(d, package_doc, "packages")
}
553# NOTE: depending on do_unpack is a hack that is necessary to get its dependencies for archiving the source
554addtask do_create_spdx after do_package do_packagedata do_unpack before do_build do_rm_work
555
556SSTATETASKS += "do_create_spdx"
557do_create_spdx[sstate-inputdirs] = "${SPDXDEPLOY}"
558do_create_spdx[sstate-outputdirs] = "${DEPLOY_DIR_SPDX}"
559
560python do_create_spdx_setscene () {
561 sstate_setscene(d)
562}
563addtask do_create_spdx_setscene
564
565do_create_spdx[dirs] = "${SPDXDEPLOY} ${SPDXWORK}"
566do_create_spdx[cleandirs] = "${SPDXDEPLOY} ${SPDXWORK}"
567do_create_spdx[depends] += "${PATCHDEPENDENCY}"
568do_create_spdx[deptask] = "do_create_spdx"
569
def collect_package_providers(d):
    """Map every runtime-provided name to the package that provides it.

    The package data of each recipe named in BB_TASKDEPDATA, followed by the
    current recipe (PN), is read. Every package is registered under its own
    name and under each name in its RPROVIDES.

    Returns:
        dict mapping provided name -> package name. Later entries overwrite
        earlier ones, and the current recipe is processed last.
    """
    import oe.packagedata

    pn = d.getVar("PN")
    taskdepdata = d.getVar("BB_TASKDEPDATA", False)

    deps = sorted(set(dep[0] for dep in taskdepdata.values() if dep[0] != pn))
    deps.append(pn)

    providers = {}
    for dep_pn in deps:
        recipe_data = oe.packagedata.read_pkgdata(dep_pn, d)

        for pkg in recipe_data.get("PACKAGES", "").split():
            pkg_data = oe.packagedata.read_subpkgdata_dict(pkg, d)

            # Only the provided names matter here, not their version constraints.
            rprovides = set(bb.utils.explode_dep_versions2(pkg_data.get("RPROVIDES", "")))
            rprovides.add(pkg)

            for r in rprovides:
                providers[r] = pkg

    return providers
599
600collect_package_providers[vardepsexclude] += "BB_TASKDEPDATA"
601
python do_create_runtime_spdx() {
    # Task: for each packaged package of a non-native recipe, write a
    # "runtime-<pkg>" SPDX document that AMENDS the package document and
    # records one RUNTIME_DEPENDENCY_OF relationship per resolved RDEPENDS
    # entry.
    from datetime import datetime, timezone
    import oe.sbom
    import oe.spdx
    import oe.packagedata
    from pathlib import Path

    deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
    spdx_deploy = Path(d.getVar("SPDXRUNTIMEDEPLOY"))
    is_native = bb.data.inherits_class("native", d)

    creation_time = datetime.now(tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

    providers = collect_package_providers(d)

    if not is_native:
        bb.build.exec_func("read_subpackage_metadata", d)

        # Dependency documents are read once and shared by all packages of
        # this recipe: provider package -> (SPDX package, external doc ref).
        dep_package_cache = {}

        for package in d.getVar("PACKAGES").split():
            # Evaluate variables with the package name as an override.
            localdata = bb.data.createCopy(d)
            pkg_name = d.getVar("PKG:%s" % package) or package
            localdata.setVar("PKG", pkg_name)
            localdata.setVar('OVERRIDES', d.getVar("OVERRIDES", False) + ":" + package)

            if not oe.packagedata.packaged(package, localdata):
                continue

            pkg_spdx_path = deploy_dir_spdx / "packages" / (pkg_name + ".spdx.json")

            package_doc, package_doc_sha1 = oe.sbom.read_doc(pkg_spdx_path)

            for p in package_doc.packages:
                if p.name == pkg_name:
                    spdx_package = p
                    break
            else:
                bb.fatal("Package '%s' not found in %s" % (pkg_name, pkg_spdx_path))

            runtime_doc = oe.spdx.SPDXDocument()
            runtime_doc.name = "runtime-" + pkg_name
            runtime_doc.documentNamespace = get_doc_namespace(localdata, runtime_doc)
            runtime_doc.creationInfo.created = creation_time
            runtime_doc.creationInfo.comment = "This document was created by analyzing package runtime dependencies."
            runtime_doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]
            runtime_doc.creationInfo.creators.append("Tool: OpenEmbedded Core create-spdx.bbclass")
            runtime_doc.creationInfo.creators.append("Organization: OpenEmbedded ()")
            runtime_doc.creationInfo.creators.append("Person: N/A ()")

            package_ref = oe.spdx.SPDXExternalDocumentRef()
            package_ref.externalDocumentId = "DocumentRef-package-" + package
            package_ref.spdxDocument = package_doc.documentNamespace
            package_ref.checksum.algorithm = "SHA1"
            package_ref.checksum.checksumValue = package_doc_sha1

            runtime_doc.externalDocumentRefs.append(package_ref)

            runtime_doc.add_relationship(
                runtime_doc.SPDXID,
                "AMENDS",
                "%s:%s" % (package_ref.externalDocumentId, package_doc.SPDXID)
            )

            deps = bb.utils.explode_dep_versions2(localdata.getVar("RDEPENDS") or "")
            seen_deps = set()
            for dep_name in deps:
                # A runtime dependency without a known provider cannot be
                # resolved to an SPDX document; skip it instead of failing.
                if dep_name not in providers:
                    bb.debug(1, "No provider found for runtime dependency %s of %s" % (dep_name, package))
                    continue

                dep = providers[dep_name]

                # Several RDEPENDS names may resolve to the same provider, so
                # deduplicate on the provider rather than on the raw name.
                if dep in seen_deps:
                    continue

                if not oe.packagedata.packaged(dep, localdata):
                    continue

                dep_pkg_data = oe.packagedata.read_subpkgdata_dict(dep, d)
                dep_pkg = dep_pkg_data["PKG"]

                if dep in dep_package_cache:
                    (dep_spdx_package, dep_package_ref) = dep_package_cache[dep]
                else:
                    dep_path = deploy_dir_spdx / "packages" / ("%s.spdx.json" % dep_pkg)

                    spdx_dep_doc, spdx_dep_sha1 = oe.sbom.read_doc(dep_path)

                    for pkg in spdx_dep_doc.packages:
                        if pkg.name == dep_pkg:
                            dep_spdx_package = pkg
                            break
                    else:
                        bb.fatal("Package '%s' not found in %s" % (dep_pkg, dep_path))

                    dep_package_ref = oe.spdx.SPDXExternalDocumentRef()
                    dep_package_ref.externalDocumentId = "DocumentRef-runtime-dependency-" + spdx_dep_doc.name
                    dep_package_ref.spdxDocument = spdx_dep_doc.documentNamespace
                    dep_package_ref.checksum.algorithm = "SHA1"
                    dep_package_ref.checksum.checksumValue = spdx_dep_sha1

                    dep_package_cache[dep] = (dep_spdx_package, dep_package_ref)

                runtime_doc.externalDocumentRefs.append(dep_package_ref)

                runtime_doc.add_relationship(
                    "%s:%s" % (dep_package_ref.externalDocumentId, dep_spdx_package.SPDXID),
                    "RUNTIME_DEPENDENCY_OF",
                    "%s:%s" % (package_ref.externalDocumentId, spdx_package.SPDXID)
                )
                seen_deps.add(dep)

            oe.sbom.write_doc(d, runtime_doc, "runtime", spdx_deploy)
}
714
715addtask do_create_runtime_spdx after do_create_spdx before do_build do_rm_work
716SSTATETASKS += "do_create_runtime_spdx"
717do_create_runtime_spdx[sstate-inputdirs] = "${SPDXRUNTIMEDEPLOY}"
718do_create_runtime_spdx[sstate-outputdirs] = "${DEPLOY_DIR_SPDX}"
719
720python do_create_runtime_spdx_setscene () {
721 sstate_setscene(d)
722}
723addtask do_create_runtime_spdx_setscene
724
725do_create_runtime_spdx[dirs] = "${SPDXRUNTIMEDEPLOY}"
726do_create_runtime_spdx[cleandirs] = "${SPDXRUNTIMEDEPLOY}"
727do_create_runtime_spdx[rdeptask] = "do_create_spdx"
728
def spdx_get_src(d):
    """
    Save the patched source of the recipe in SPDXWORK.

    For ordinary recipes WORKDIR is temporarily pointed at SPDXWORK and
    do_unpack / do_patch are re-run there. For work-shared recipes (see
    is_work_shared) the already prepared source tree is copied into
    SPDXWORK/<PN>-<PV>-<PR> instead and nothing is patched again.

    WORKDIR is always restored to its original value on exit.
    """
    import os
    import shutil

    spdx_workdir = d.getVar('SPDXWORK')
    spdx_sysroot_native = d.getVar('STAGING_DIR_NATIVE')

    workdir = d.getVar("WORKDIR")

    try:
        # The kernel class functions require it to be on work-shared, so we dont change WORKDIR
        if not is_work_shared(d):
            # Change the WORKDIR to make do_unpack do_patch run in another dir.
            d.setVar('WORKDIR', spdx_workdir)
            # Restore the original path to recipe's native sysroot (it's relative to WORKDIR).
            d.setVar('STAGING_DIR_NATIVE', spdx_sysroot_native)

            # The changed 'WORKDIR' also caused 'B' changed, create dir 'B' for the
            # possibly requiring of the following tasks (such as some recipes's
            # do_patch required 'B' existed).
            bb.utils.mkdirhier(d.getVar('B'))

            bb.build.exec_func('do_unpack', d)

        # Copy source of kernel to spdx_workdir
        if is_work_shared(d):
            # Default to the original WORKDIR so that non-kernel work-shared
            # recipes also have a defined copy source; kernel recipes use
            # STAGING_KERNEL_DIR.
            share_src = workdir
            d.setVar('WORKDIR', spdx_workdir)
            d.setVar('STAGING_DIR_NATIVE', spdx_sysroot_native)
            src_dir = spdx_workdir + "/" + d.getVar('PN')+ "-" + d.getVar('PV') + "-" + d.getVar('PR')
            bb.utils.mkdirhier(src_dir)
            if bb.data.inherits_class('kernel',d):
                share_src = d.getVar('STAGING_KERNEL_DIR')
            cmd_copy_share = "cp -rf " + share_src + "/* " + src_dir + "/"
            cmd_copy_kernel_result = os.popen(cmd_copy_share).read()
            bb.note("cmd_copy_kernel_result = " + cmd_copy_kernel_result)

            # Drop any git metadata that ended up in the copy.
            git_path = src_dir + "/.git"
            if os.path.exists(git_path):
                shutil.rmtree(git_path)

        # Make sure gcc and kernel sources are patched only once
        if not (d.getVar('SRC_URI') == "" or is_work_shared(d)):
            bb.build.exec_func('do_patch', d)

        # Some userland has no source.
        if not os.path.exists( spdx_workdir ):
            bb.utils.mkdirhier(spdx_workdir)
    finally:
        d.setVar("WORKDIR", workdir)
779
780do_rootfs[recrdeptask] += "do_create_spdx do_create_runtime_spdx"
781
782ROOTFS_POSTUNINSTALL_COMMAND =+ "image_combine_spdx ; "
python image_combine_spdx() {
    # Rootfs post-uninstall hook: write the image-level SPDX document and
    # bundle it with every document it references.
    #
    # Outputs in IMGDEPLOYDIR, each with an IMAGE_LINK_NAME symlink:
    #   <IMAGE_NAME>.spdx.json        image document referencing the package
    #                                 and runtime documents of each installed
    #                                 package
    #   <IMAGE_NAME>.spdx.tar.zst     archive of the image document plus all
    #                                 documents reachable through external
    #                                 document references, and an index.json
    #   <IMAGE_NAME>.spdx.index.json  the same index as a standalone file
    import os
    import oe.spdx
    import oe.sbom
    import io
    import json
    from oe.rootfs import image_list_installed_packages
    from datetime import timezone, datetime
    from pathlib import Path
    import tarfile
    import bb.compress.zstd

    creation_time = datetime.now(tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    image_name = d.getVar("IMAGE_NAME")
    image_link_name = d.getVar("IMAGE_LINK_NAME")

    deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
    imgdeploydir = Path(d.getVar("IMGDEPLOYDIR"))

    # Treat an unset or empty SOURCE_DATE_EPOCH as "no clamping".
    epoch = d.getVar("SOURCE_DATE_EPOCH")
    source_date_epoch = int(epoch) if epoch else None

    def make_image_link(target_path, suffix):
        # Create the IMAGE_LINK_NAME symlink for an output file. Nothing is
        # done when no link name is configured or when the link would be the
        # target itself.
        if not image_link_name:
            return
        link = imgdeploydir / (image_link_name + suffix)
        if link != target_path:
            link.symlink_to(os.path.relpath(target_path, link.parent))

    doc = oe.spdx.SPDXDocument()
    doc.name = image_name
    doc.documentNamespace = get_doc_namespace(d, doc)
    doc.creationInfo.created = creation_time
    doc.creationInfo.comment = "This document was created by analyzing the source of the Yocto recipe during the build."
    doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]
    doc.creationInfo.creators.append("Tool: OpenEmbedded Core create-spdx.bbclass")
    doc.creationInfo.creators.append("Organization: OpenEmbedded ()")
    doc.creationInfo.creators.append("Person: N/A ()")

    image = oe.spdx.SPDXPackage()
    image.name = d.getVar("PN")
    image.versionInfo = d.getVar("PV")
    image.SPDXID = oe.sbom.get_image_spdxid(image_name)

    doc.packages.append(image)

    packages = image_list_installed_packages(d)

    for name in sorted(packages.keys()):
        pkg_spdx_path = deploy_dir_spdx / "packages" / (name + ".spdx.json")
        pkg_doc, pkg_doc_sha1 = oe.sbom.read_doc(pkg_spdx_path)

        for p in pkg_doc.packages:
            if p.name == name:
                pkg_ref = oe.spdx.SPDXExternalDocumentRef()
                pkg_ref.externalDocumentId = "DocumentRef-%s" % pkg_doc.name
                pkg_ref.spdxDocument = pkg_doc.documentNamespace
                pkg_ref.checksum.algorithm = "SHA1"
                pkg_ref.checksum.checksumValue = pkg_doc_sha1

                doc.externalDocumentRefs.append(pkg_ref)
                doc.add_relationship(image, "CONTAINS", "%s:%s" % (pkg_ref.externalDocumentId, p.SPDXID))
                break
        else:
            bb.fatal("Unable to find package with name '%s' in SPDX file %s" % (name, pkg_spdx_path))

        runtime_spdx_path = deploy_dir_spdx / "runtime" / ("runtime-" + name + ".spdx.json")
        runtime_doc, runtime_doc_sha1 = oe.sbom.read_doc(runtime_spdx_path)

        runtime_ref = oe.spdx.SPDXExternalDocumentRef()
        runtime_ref.externalDocumentId = "DocumentRef-%s" % runtime_doc.name
        runtime_ref.spdxDocument = runtime_doc.documentNamespace
        runtime_ref.checksum.algorithm = "SHA1"
        runtime_ref.checksum.checksumValue = runtime_doc_sha1

        # "OTHER" isn't ideal here, but I can't find a relationship that makes sense
        doc.externalDocumentRefs.append(runtime_ref)
        doc.add_relationship(
            image,
            "OTHER",
            "%s:%s" % (runtime_ref.externalDocumentId, runtime_doc.SPDXID),
            comment="Runtime dependencies for %s" % name
        )

    image_spdx_path = imgdeploydir / (image_name + ".spdx.json")

    with image_spdx_path.open("wb") as f:
        doc.to_json(f, sort_keys=True)

    make_image_link(image_spdx_path, ".spdx.json")

    num_threads = int(d.getVar("BB_NUMBER_THREADS"))

    # Holds both visited paths and visited document namespaces.
    visited_docs = set()

    index = {"documents": []}

    spdx_tar_path = imgdeploydir / (image_name + ".spdx.tar.zst")
    with bb.compress.zstd.open(spdx_tar_path, "w", num_threads=num_threads) as f:
        with tarfile.open(fileobj=f, mode="w|") as tar:
            def collect_spdx_document(path):
                # Add the document at `path` to the archive and the index,
                # then recurse into every document it references. Each path
                # and each namespace is handled at most once.
                if path in visited_docs:
                    return

                visited_docs.add(path)

                with path.open("rb") as doc_file:
                    ref_doc, sha1 = oe.sbom.read_doc(doc_file)
                    # Rewind so the same handle can be streamed into the archive.
                    doc_file.seek(0)

                    if ref_doc.documentNamespace in visited_docs:
                        return

                    bb.note("Adding SPDX document %s" % path)
                    visited_docs.add(ref_doc.documentNamespace)
                    info = tar.gettarinfo(fileobj=doc_file)

                    info.name = ref_doc.name + ".spdx.json"
                    info.uid = 0
                    info.gid = 0
                    info.uname = "root"
                    info.gname = "root"

                    if source_date_epoch is not None and info.mtime > source_date_epoch:
                        info.mtime = source_date_epoch

                    tar.addfile(info, doc_file)

                    index["documents"].append({
                        "filename": info.name,
                        "documentNamespace": ref_doc.documentNamespace,
                        "sha1": sha1,
                    })

                for ref in ref_doc.externalDocumentRefs:
                    ref_path = deploy_dir_spdx / "by-namespace" / ref.spdxDocument.replace("/", "_")
                    collect_spdx_document(ref_path)

            collect_spdx_document(image_spdx_path)

            index["documents"].sort(key=lambda x: x["filename"])

            index_str = io.BytesIO(json.dumps(index, sort_keys=True).encode("utf-8"))

            info = tarfile.TarInfo()
            info.name = "index.json"
            info.size = len(index_str.getvalue())
            info.uid = 0
            info.gid = 0
            info.uname = "root"
            info.gname = "root"

            tar.addfile(info, fileobj=index_str)

    make_image_link(spdx_tar_path, ".spdx.tar.zst")

    spdx_index_path = imgdeploydir / (image_name + ".spdx.index.json")
    with spdx_index_path.open("w") as f:
        json.dump(index, f, sort_keys=True)

    make_image_link(spdx_index_path, ".spdx.index.json")
}
948