Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 1 | # This class integrates real-time license scanning, generation of SPDX standard |
| 2 | # output and verifiying license info during the building process. |
| 3 | # It is a combination of efforts from the OE-Core, SPDX and Fossology projects. |
| 4 | # |
| 5 | # For more information on FOSSology: |
| 6 | # http://www.fossology.org |
| 7 | # |
| 8 | # For more information on FOSSologySPDX commandline: |
| 9 | # https://github.com/spdx-tools/fossology-spdx/wiki/Fossology-SPDX-Web-API |
| 10 | # |
| 11 | # For more information on SPDX: |
| 12 | # http://www.spdx.org |
| 13 | # |
| 14 | |
| 15 | # SPDX file will be output to the path which is defined as[SPDX_MANIFEST_DIR] |
| 16 | # in ./meta/conf/licenses.conf. |
| 17 | |
| 18 | SPDXSSTATEDIR = "${WORKDIR}/spdx_sstate_dir" |
| 19 | |
| 20 | # If ${S} isn't actually the top-level source directory, set SPDX_S to point at |
| 21 | # the real top-level directory. |
| 22 | SPDX_S ?= "${S}" |
| 23 | |
| 24 | python do_spdx () { |
| 25 | import os, sys |
| 26 | import json, shutil |
| 27 | |
| 28 | info = {} |
Brad Bishop | 6e60e8b | 2018-02-01 10:27:11 -0500 | [diff] [blame^] | 29 | info['workdir'] = d.getVar('WORKDIR') |
| 30 | info['sourcedir'] = d.getVar('SPDX_S') |
| 31 | info['pn'] = d.getVar('PN') |
| 32 | info['pv'] = d.getVar('PV') |
| 33 | info['spdx_version'] = d.getVar('SPDX_VERSION') |
| 34 | info['data_license'] = d.getVar('DATA_LICENSE') |
Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 35 | |
Brad Bishop | 6e60e8b | 2018-02-01 10:27:11 -0500 | [diff] [blame^] | 36 | sstatedir = d.getVar('SPDXSSTATEDIR') |
Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 37 | sstatefile = os.path.join(sstatedir, info['pn'] + info['pv'] + ".spdx") |
| 38 | |
Brad Bishop | 6e60e8b | 2018-02-01 10:27:11 -0500 | [diff] [blame^] | 39 | manifest_dir = d.getVar('SPDX_MANIFEST_DIR') |
Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 40 | info['outfile'] = os.path.join(manifest_dir, info['pn'] + ".spdx" ) |
| 41 | |
Brad Bishop | 6e60e8b | 2018-02-01 10:27:11 -0500 | [diff] [blame^] | 42 | info['spdx_temp_dir'] = d.getVar('SPDX_TEMP_DIR') |
Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 43 | info['tar_file'] = os.path.join(info['workdir'], info['pn'] + ".tar.gz" ) |
| 44 | |
| 45 | # Make sure important dirs exist |
| 46 | try: |
| 47 | bb.utils.mkdirhier(manifest_dir) |
| 48 | bb.utils.mkdirhier(sstatedir) |
| 49 | bb.utils.mkdirhier(info['spdx_temp_dir']) |
| 50 | except OSError as e: |
| 51 | bb.error("SPDX: Could not set up required directories: " + str(e)) |
| 52 | return |
| 53 | |
| 54 | ## get everything from cache. use it to decide if |
| 55 | ## something needs to be rerun |
| 56 | cur_ver_code = get_ver_code(info['sourcedir']) |
| 57 | cache_cur = False |
| 58 | if os.path.exists(sstatefile): |
| 59 | ## cache for this package exists. read it in |
| 60 | cached_spdx = get_cached_spdx(sstatefile) |
| 61 | |
| 62 | if cached_spdx['PackageVerificationCode'] == cur_ver_code: |
| 63 | bb.warn("SPDX: Verification code for " + info['pn'] |
| 64 | + "is same as cache's. do nothing") |
| 65 | cache_cur = True |
| 66 | else: |
| 67 | local_file_info = setup_foss_scan(info, True, cached_spdx['Files']) |
| 68 | else: |
| 69 | local_file_info = setup_foss_scan(info, False, None) |
| 70 | |
| 71 | if cache_cur: |
| 72 | spdx_file_info = cached_spdx['Files'] |
| 73 | foss_package_info = cached_spdx['Package'] |
| 74 | foss_license_info = cached_spdx['Licenses'] |
| 75 | else: |
| 76 | ## setup fossology command |
Brad Bishop | 6e60e8b | 2018-02-01 10:27:11 -0500 | [diff] [blame^] | 77 | foss_server = d.getVar('FOSS_SERVER') |
| 78 | foss_flags = d.getVar('FOSS_WGET_FLAGS') |
| 79 | foss_full_spdx = d.getVar('FOSS_FULL_SPDX') == "true" or False |
Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 80 | foss_command = "wget %s --post-file=%s %s"\ |
| 81 | % (foss_flags, info['tar_file'], foss_server) |
| 82 | |
| 83 | foss_result = run_fossology(foss_command, foss_full_spdx) |
| 84 | if foss_result is not None: |
| 85 | (foss_package_info, foss_file_info, foss_license_info) = foss_result |
| 86 | spdx_file_info = create_spdx_doc(local_file_info, foss_file_info) |
| 87 | ## write to cache |
| 88 | write_cached_spdx(sstatefile, cur_ver_code, foss_package_info, |
| 89 | spdx_file_info, foss_license_info) |
| 90 | else: |
| 91 | bb.error("SPDX: Could not communicate with FOSSology server. Command was: " + foss_command) |
| 92 | return |
| 93 | |
| 94 | ## Get document and package level information |
| 95 | spdx_header_info = get_header_info(info, cur_ver_code, foss_package_info) |
| 96 | |
| 97 | ## CREATE MANIFEST |
| 98 | create_manifest(info, spdx_header_info, spdx_file_info, foss_license_info) |
| 99 | |
| 100 | ## clean up the temp stuff |
| 101 | shutil.rmtree(info['spdx_temp_dir'], ignore_errors=True) |
| 102 | if os.path.exists(info['tar_file']): |
| 103 | remove_file(info['tar_file']) |
| 104 | } |
| 105 | addtask spdx after do_patch before do_configure |
| 106 | |
| 107 | def create_manifest(info, header, files, licenses): |
| 108 | import codecs |
| 109 | with codecs.open(info['outfile'], mode='w', encoding='utf-8') as f: |
| 110 | # Write header |
| 111 | f.write(header + '\n') |
| 112 | |
| 113 | # Write file data |
| 114 | for chksum, block in files.iteritems(): |
| 115 | f.write("FileName: " + block['FileName'] + '\n') |
| 116 | for key, value in block.iteritems(): |
| 117 | if not key == 'FileName': |
| 118 | f.write(key + ": " + value + '\n') |
| 119 | f.write('\n') |
| 120 | |
| 121 | # Write license data |
| 122 | for id, block in licenses.iteritems(): |
| 123 | f.write("LicenseID: " + id + '\n') |
| 124 | for key, value in block.iteritems(): |
| 125 | f.write(key + ": " + value + '\n') |
| 126 | f.write('\n') |
| 127 | |
| 128 | def get_cached_spdx(sstatefile): |
| 129 | import json |
| 130 | import codecs |
| 131 | cached_spdx_info = {} |
| 132 | with codecs.open(sstatefile, mode='r', encoding='utf-8') as f: |
| 133 | try: |
| 134 | cached_spdx_info = json.load(f) |
| 135 | except ValueError as e: |
| 136 | cached_spdx_info = None |
| 137 | return cached_spdx_info |
| 138 | |
| 139 | def write_cached_spdx(sstatefile, ver_code, package_info, files, license_info): |
| 140 | import json |
| 141 | import codecs |
| 142 | spdx_doc = {} |
| 143 | spdx_doc['PackageVerificationCode'] = ver_code |
| 144 | spdx_doc['Files'] = {} |
| 145 | spdx_doc['Files'] = files |
| 146 | spdx_doc['Package'] = {} |
| 147 | spdx_doc['Package'] = package_info |
| 148 | spdx_doc['Licenses'] = {} |
| 149 | spdx_doc['Licenses'] = license_info |
| 150 | with codecs.open(sstatefile, mode='w', encoding='utf-8') as f: |
| 151 | f.write(json.dumps(spdx_doc)) |
| 152 | |
| 153 | def setup_foss_scan(info, cache, cached_files): |
| 154 | import errno, shutil |
| 155 | import tarfile |
| 156 | file_info = {} |
| 157 | cache_dict = {} |
| 158 | |
| 159 | for f_dir, f in list_files(info['sourcedir']): |
| 160 | full_path = os.path.join(f_dir, f) |
| 161 | abs_path = os.path.join(info['sourcedir'], full_path) |
| 162 | dest_dir = os.path.join(info['spdx_temp_dir'], f_dir) |
| 163 | dest_path = os.path.join(info['spdx_temp_dir'], full_path) |
| 164 | |
| 165 | checksum = hash_file(abs_path) |
| 166 | if not checksum is None: |
| 167 | file_info[checksum] = {} |
| 168 | ## retain cache information if it exists |
| 169 | if cache and checksum in cached_files: |
| 170 | file_info[checksum] = cached_files[checksum] |
| 171 | ## have the file included in what's sent to the FOSSology server |
| 172 | else: |
| 173 | file_info[checksum]['FileName'] = full_path |
| 174 | try: |
| 175 | bb.utils.mkdirhier(dest_dir) |
| 176 | shutil.copyfile(abs_path, dest_path) |
| 177 | except OSError as e: |
| 178 | bb.warn("SPDX: mkdirhier failed: " + str(e)) |
| 179 | except shutil.Error as e: |
| 180 | bb.warn("SPDX: copyfile failed: " + str(e)) |
| 181 | except IOError as e: |
| 182 | bb.warn("SPDX: copyfile failed: " + str(e)) |
| 183 | else: |
| 184 | bb.warn("SPDX: Could not get checksum for file: " + f) |
| 185 | |
| 186 | with tarfile.open(info['tar_file'], "w:gz") as tar: |
| 187 | tar.add(info['spdx_temp_dir'], arcname=os.path.basename(info['spdx_temp_dir'])) |
| 188 | |
| 189 | return file_info |
| 190 | |
| 191 | def remove_file(file_name): |
| 192 | try: |
| 193 | os.remove(file_name) |
| 194 | except OSError as e: |
| 195 | pass |
| 196 | |
| 197 | def list_files(dir): |
| 198 | for root, subFolders, files in os.walk(dir): |
| 199 | for f in files: |
| 200 | rel_root = os.path.relpath(root, dir) |
| 201 | yield rel_root, f |
| 202 | return |
| 203 | |
| 204 | def hash_file(file_name): |
| 205 | try: |
| 206 | with open(file_name, 'rb') as f: |
| 207 | data_string = f.read() |
| 208 | sha1 = hash_string(data_string) |
| 209 | return sha1 |
| 210 | except: |
| 211 | return None |
| 212 | |
| 213 | def hash_string(data): |
| 214 | import hashlib |
| 215 | sha1 = hashlib.sha1() |
| 216 | sha1.update(data) |
| 217 | return sha1.hexdigest() |
| 218 | |
| 219 | def run_fossology(foss_command, full_spdx): |
| 220 | import string, re |
| 221 | import subprocess |
Patrick Williams | c0f7c04 | 2017-02-23 20:41:17 -0600 | [diff] [blame] | 222 | |
| 223 | try: |
| 224 | foss_output = subprocess.check_output(foss_command.split(), |
| 225 | stderr=subprocess.STDOUT).decode('utf-8') |
| 226 | except subprocess.CalledProcessError as e: |
Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 227 | return None |
| 228 | |
Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 229 | foss_output = string.replace(foss_output, '\r', '') |
| 230 | |
| 231 | # Package info |
| 232 | package_info = {} |
| 233 | if full_spdx: |
Patrick Williams | d8c66bc | 2016-06-20 12:57:21 -0500 | [diff] [blame] | 234 | # All mandatory, only one occurrence |
Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 235 | package_info['PackageCopyrightText'] = re.findall('PackageCopyrightText: (.*?</text>)', foss_output, re.S)[0] |
| 236 | package_info['PackageLicenseDeclared'] = re.findall('PackageLicenseDeclared: (.*)', foss_output)[0] |
| 237 | package_info['PackageLicenseConcluded'] = re.findall('PackageLicenseConcluded: (.*)', foss_output)[0] |
| 238 | # These may be more than one |
| 239 | package_info['PackageLicenseInfoFromFiles'] = re.findall('PackageLicenseInfoFromFiles: (.*)', foss_output) |
| 240 | else: |
| 241 | DEFAULT = "NOASSERTION" |
| 242 | package_info['PackageCopyrightText'] = "<text>" + DEFAULT + "</text>" |
| 243 | package_info['PackageLicenseDeclared'] = DEFAULT |
| 244 | package_info['PackageLicenseConcluded'] = DEFAULT |
| 245 | package_info['PackageLicenseInfoFromFiles'] = [] |
| 246 | |
| 247 | # File info |
| 248 | file_info = {} |
| 249 | records = [] |
| 250 | # FileName is also in PackageFileName, so we match on FileType as well. |
| 251 | records = re.findall('FileName:.*?FileType:.*?</text>', foss_output, re.S) |
| 252 | for rec in records: |
| 253 | chksum = re.findall('FileChecksum: SHA1: (.*)\n', rec)[0] |
| 254 | file_info[chksum] = {} |
| 255 | file_info[chksum]['FileCopyrightText'] = re.findall('FileCopyrightText: ' |
| 256 | + '(.*?</text>)', rec, re.S )[0] |
| 257 | fields = ['FileName', 'FileType', 'LicenseConcluded', 'LicenseInfoInFile'] |
| 258 | for field in fields: |
| 259 | file_info[chksum][field] = re.findall(field + ': (.*)', rec)[0] |
| 260 | |
| 261 | # Licenses |
| 262 | license_info = {} |
| 263 | licenses = [] |
| 264 | licenses = re.findall('LicenseID:.*?LicenseName:.*?\n', foss_output, re.S) |
| 265 | for lic in licenses: |
| 266 | license_id = re.findall('LicenseID: (.*)\n', lic)[0] |
| 267 | license_info[license_id] = {} |
| 268 | license_info[license_id]['ExtractedText'] = re.findall('ExtractedText: (.*?</text>)', lic, re.S)[0] |
| 269 | license_info[license_id]['LicenseName'] = re.findall('LicenseName: (.*)', lic)[0] |
| 270 | |
| 271 | return (package_info, file_info, license_info) |
| 272 | |
| 273 | def create_spdx_doc(file_info, scanned_files): |
| 274 | import json |
| 275 | ## push foss changes back into cache |
| 276 | for chksum, lic_info in scanned_files.iteritems(): |
| 277 | if chksum in file_info: |
| 278 | file_info[chksum]['FileType'] = lic_info['FileType'] |
| 279 | file_info[chksum]['FileChecksum: SHA1'] = chksum |
| 280 | file_info[chksum]['LicenseInfoInFile'] = lic_info['LicenseInfoInFile'] |
| 281 | file_info[chksum]['LicenseConcluded'] = lic_info['LicenseConcluded'] |
| 282 | file_info[chksum]['FileCopyrightText'] = lic_info['FileCopyrightText'] |
| 283 | else: |
| 284 | bb.warn("SPDX: " + lic_info['FileName'] + " : " + chksum |
| 285 | + " : is not in the local file info: " |
| 286 | + json.dumps(lic_info, indent=1)) |
| 287 | return file_info |
| 288 | |
| 289 | def get_ver_code(dirname): |
| 290 | chksums = [] |
| 291 | for f_dir, f in list_files(dirname): |
| 292 | hash = hash_file(os.path.join(dirname, f_dir, f)) |
| 293 | if not hash is None: |
| 294 | chksums.append(hash) |
| 295 | else: |
| 296 | bb.warn("SPDX: Could not hash file: " + path) |
| 297 | ver_code_string = ''.join(chksums).lower() |
| 298 | ver_code = hash_string(ver_code_string) |
| 299 | return ver_code |
| 300 | |
| 301 | def get_header_info(info, spdx_verification_code, package_info): |
| 302 | """ |
| 303 | Put together the header SPDX information. |
| 304 | Eventually this needs to become a lot less |
| 305 | of a hardcoded thing. |
| 306 | """ |
| 307 | from datetime import datetime |
| 308 | import os |
| 309 | head = [] |
| 310 | DEFAULT = "NOASSERTION" |
| 311 | |
| 312 | package_checksum = hash_file(info['tar_file']) |
| 313 | if package_checksum is None: |
| 314 | package_checksum = DEFAULT |
| 315 | |
| 316 | ## document level information |
| 317 | head.append("## SPDX Document Information") |
| 318 | head.append("SPDXVersion: " + info['spdx_version']) |
| 319 | head.append("DataLicense: " + info['data_license']) |
| 320 | head.append("DocumentComment: <text>SPDX for " |
| 321 | + info['pn'] + " version " + info['pv'] + "</text>") |
| 322 | head.append("") |
| 323 | |
| 324 | ## Creator information |
| 325 | ## Note that this does not give time in UTC. |
| 326 | now = datetime.now().strftime('%Y-%m-%dT%H:%M:%SZ') |
| 327 | head.append("## Creation Information") |
| 328 | ## Tools are supposed to have a version, but FOSSology+SPDX provides none. |
| 329 | head.append("Creator: Tool: FOSSology+SPDX") |
| 330 | head.append("Created: " + now) |
| 331 | head.append("CreatorComment: <text>UNO</text>") |
| 332 | head.append("") |
| 333 | |
| 334 | ## package level information |
| 335 | head.append("## Package Information") |
| 336 | head.append("PackageName: " + info['pn']) |
| 337 | head.append("PackageVersion: " + info['pv']) |
| 338 | head.append("PackageFileName: " + os.path.basename(info['tar_file'])) |
| 339 | head.append("PackageSupplier: Person:" + DEFAULT) |
| 340 | head.append("PackageDownloadLocation: " + DEFAULT) |
| 341 | head.append("PackageSummary: <text></text>") |
| 342 | head.append("PackageOriginator: Person:" + DEFAULT) |
| 343 | head.append("PackageChecksum: SHA1: " + package_checksum) |
| 344 | head.append("PackageVerificationCode: " + spdx_verification_code) |
| 345 | head.append("PackageDescription: <text>" + info['pn'] |
| 346 | + " version " + info['pv'] + "</text>") |
| 347 | head.append("") |
| 348 | head.append("PackageCopyrightText: " |
| 349 | + package_info['PackageCopyrightText']) |
| 350 | head.append("") |
| 351 | head.append("PackageLicenseDeclared: " |
| 352 | + package_info['PackageLicenseDeclared']) |
| 353 | head.append("PackageLicenseConcluded: " |
| 354 | + package_info['PackageLicenseConcluded']) |
| 355 | |
| 356 | for licref in package_info['PackageLicenseInfoFromFiles']: |
| 357 | head.append("PackageLicenseInfoFromFiles: " + licref) |
| 358 | head.append("") |
| 359 | |
| 360 | ## header for file level |
| 361 | head.append("## File Information") |
| 362 | head.append("") |
| 363 | |
| 364 | return '\n'.join(head) |