On Tue, Mar 24, 2026 at 11:15 AM Stefano Tondo <[email protected]> wrote: > > Add SPDX_PACKAGE_URLS to recipe classes to generate ecosystem-specific > Package URLs for SPDX 3.0 SBOMs. This enables proper package > identification across different packaging ecosystems. > > Classes updated: > - cargo_common.bbclass: pkg:cargo PURLs for Rust crates > - cpan.bbclass: pkg:cpan PURLs for Perl modules (with name normalization) > - go-mod.bbclass: pkg:golang PURLs for Go modules > - npm.bbclass: pkg:npm PURLs for Node.js packages (with name normalization) > - pypi.bbclass: pkg:pypi PURLs for Python packages (with name normalization) > > The SPDX_PACKAGE_URLS variable is a space-separated list which > create-spdx-3.0 already reads via set_purls() to populate > software_packageUrl and externalIdentifier on recipe packages. >
LGTM, thanks Reviewed-by: Joshua Watt <[email protected]> > Signed-off-by: Stefano Tondo <[email protected]> > --- > meta/classes-recipe/cargo_common.bbclass | 3 +++ > meta/classes-recipe/cpan.bbclass | 11 +++++++++++ > meta/classes-recipe/go-mod.bbclass | 3 +++ > meta/classes-recipe/npm.bbclass | 7 +++++++ > meta/classes-recipe/pypi.bbclass | 3 +++ > 5 files changed, 27 insertions(+) > > diff --git a/meta/classes-recipe/cargo_common.bbclass > b/meta/classes-recipe/cargo_common.bbclass > index bc44ad7918..0d3edfe4a7 100644 > --- a/meta/classes-recipe/cargo_common.bbclass > +++ b/meta/classes-recipe/cargo_common.bbclass > @@ -240,3 +240,6 @@ EXPORT_FUNCTIONS do_configure > # https://github.com/rust-lang/libc/issues/3223 > # https://github.com/rust-lang/libc/pull/3175 > INSANE_SKIP:append = " 32bit-time" > + > +# Generate ecosystem-specific Package URL for SPDX > +SPDX_PACKAGE_URLS =+ "pkg:cargo/${BPN}@${PV} " > diff --git a/meta/classes-recipe/cpan.bbclass > b/meta/classes-recipe/cpan.bbclass > index bb76a5b326..dbf44da9d2 100644 > --- a/meta/classes-recipe/cpan.bbclass > +++ b/meta/classes-recipe/cpan.bbclass > @@ -68,4 +68,15 @@ cpan_do_install () { > done > } > > +# Generate ecosystem-specific Package URL for SPDX > +def cpan_spdx_name(d): > + bpn = d.getVar('BPN') > + if bpn.startswith('perl-'): > + return bpn[5:] > + elif bpn.startswith('libperl-'): > + return bpn[8:] > + return bpn > + > +SPDX_PACKAGE_URLS =+ "pkg:cpan/${@cpan_spdx_name(d)}@${PV} " > + > EXPORT_FUNCTIONS do_configure do_compile do_install > diff --git a/meta/classes-recipe/go-mod.bbclass > b/meta/classes-recipe/go-mod.bbclass > index a15dda8f0e..0f5835f26e 100644 > --- a/meta/classes-recipe/go-mod.bbclass > +++ b/meta/classes-recipe/go-mod.bbclass > @@ -32,3 +32,6 @@ do_compile[dirs] += "${B}/src/${GO_WORKDIR}" > # Make go install unpack the module zip files in the module cache directory > # before the license directory is polulated with license files. > addtask do_compile before do_populate_lic > + > +# Generate ecosystem-specific Package URL for SPDX > +SPDX_PACKAGE_URLS =+ "pkg:golang/${GO_IMPORT}@${PV} " > diff --git a/meta/classes-recipe/npm.bbclass b/meta/classes-recipe/npm.bbclass > index 344e8b4bec..7bb791d543 100644 > --- a/meta/classes-recipe/npm.bbclass > +++ b/meta/classes-recipe/npm.bbclass > @@ -354,4 +354,11 @@ FILES:${PN} += " \ > ${nonarch_libdir} \ > " > > +# Generate ecosystem-specific Package URL for SPDX > +def npm_spdx_name(d): > + bpn = d.getVar('BPN') > + return bpn[5:] if bpn.startswith('node-') else bpn > + > +SPDX_PACKAGE_URLS =+ "pkg:npm/${@npm_spdx_name(d)}@${PV} " > + > EXPORT_FUNCTIONS do_configure do_compile do_install > diff --git a/meta/classes-recipe/pypi.bbclass > b/meta/classes-recipe/pypi.bbclass > index 9d46c035f6..bd21557c60 100644 > --- a/meta/classes-recipe/pypi.bbclass > +++ b/meta/classes-recipe/pypi.bbclass > @@ -54,3 +54,6 @@ UPSTREAM_CHECK_URI ?= > "https://pypi.org/simple/${@pypi_normalize(d)}/" > UPSTREAM_CHECK_REGEX ?= > "${UPSTREAM_CHECK_PYPI_PACKAGE}-(?P<pver>(\d+[\.\-_]*)+).(tar\.gz|tgz|zip|tar\.bz2)" > > CVE_PRODUCT ?= "python:${PYPI_PACKAGE}" > + > +# Generate ecosystem-specific Package URL for SPDX > +SPDX_PACKAGE_URLS =+ "pkg:pypi/${@pypi_normalize(d)}@${PV} " > -- > 2.53.0 >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#234049): https://lists.openembedded.org/g/openembedded-core/message/234049 Mute This Topic: https://lists.openembedded.org/mt/118487361/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
