8 Commits (main)
Author | SHA1 | Message | Date |
---|---|---|---|
|
be504b000d |
west: spdx: allow to generate for different SPDX versions
When support for SPDX 2.3 was added, it effectively dropped support for SPDX 2.2, which in retrospect was a bad idea since SPDX 2.2 is the version that is the current ISO/IEC standard.

This commit adds a `--spdx-version` option to the `west spdx` command so that users can generate SPDX 2.2 documents if they want. Default is 2.3 given that's effectively what shipped for a few releases now, including latest LTS.

Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org> |
4 weeks ago |
|
88d7715a29 |
scripts: west_commands: zspdx: writer: Fix linter issues
Fix issues reported by ruff.

Signed-off-by: Pieter De Gendt <pieter.degendt@basalte.be> |
1 month ago |
|
f5df063cbd |
scripts: zephyr_module: Move SPDX name normalization to writer.py
Since `writer.py` is the one writing the SPDX file, it should normalize the name field and not `walker.py`, which generates the SBOM components.

Signed-off-by: Thomas Gagneret <thomas.gagneret@hexploy.com> |
1 year ago |
|
0d05318c96 |
scripts: zephyr_module: Add URL, version to SPDX
Improve the SPDX with the current values:
- URL: extracted from `git remote`. If more than one remote, URL is not set.
- Version: extracted from `git rev-parse` (commit id).
- PURL and CPE for Zephyr: generated from URL and version.

For zephyr, the tag is extracted, if present, and replaces the commit id for the version field. Since official modules do not have tags, tags are not yet extracted for modules.

To track vulnerabilities from modules dependencies, a new SBOM, `modules-deps.spdx`, was created. It contains the `external-references` provided by the modules. It allows to easily track vulnerabilities from these external dependencies.

Signed-off-by: Thomas Gagneret <thomas.gagneret@hexploy.com> |
1 year ago |
|
9ebf341977 |
west: spdx: introduce support for SPDX 2.3
Minor update to existing zspdx implementation to add support for PrimaryPackagePurpose introduced in SPDX 2.3.

Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org> |
1 year ago |
|
06aae61019 |
scripts: zspdx: fix writing custom license IDs
The builtin list function `.sort()` sorts the list in-place and returns None. As this is an invalid type for iteration, use the builtin `sorted` function, which returns a sorted copy of the list, which we can iterate over.

Signed-off-by: Jordan Yates <jordan.yates@data61.csiro.au> |
3 years ago |
|
e12d9385c6 |
west: spdx: Fix missing field in build results
When using the west spdx functionality to create an SPDX SBOM during a build, several SPDX Documents are created. In some instances, the SPDX metadata field PackageLicenseInfoFromFiles is required to be present according to the SPDX 2.2 spec, but is being omitted from the build.spdx Document if no licenses were detected.

This commit fixes this bug so that a NOASSERTION value is written for this field for Packages that do not contain any detected licenses. Additionally, this ensures that Packages with a FilesAnalyzed value of false do not have this field written, also in accordance with the spec.

Fixes #42070

Signed-off-by: Steve Winslow <steve@swinslow.net> |
3 years ago |
|
fd31b9b4ac |
west: spdx: Generate SPDX 2.2 tag-value documents
This adds support to generate SPDX 2.2 tag-value documents via the new west spdx command.

The CMake file-based APIs are leveraged to create relationships from source files to the corresponding generated build files. SPDX-License-Identifier comments in source files are scanned and filled into the SPDX documents.

Before `west build` is run, a specific file must be created in the build directory so that the CMake API reply will run. This can be done by running:

    west spdx --init -d BUILD_DIR

After `west build` is run, SPDX generation is then activated by calling `west spdx`; currently this requires passing the build directory as a parameter again:

    west spdx -d BUILD_DIR

This will generate three SPDX documents in `BUILD_DIR/spdx/`:

1) `app.spdx`: This contains the bill-of-materials for the application source files used for the build.
2) `zephyr.spdx`: This contains the bill-of-materials for the specific Zephyr source code files that are used for the build.
3) `build.spdx`: This contains the bill-of-materials for the built output files.

Each file in the bill-of-materials is scanned, so that its hashes (SHA256 and SHA1) can be recorded, along with any detected licenses if an `SPDX-License-Identifier` appears in the file.

SPDX Relationships are created to indicate dependencies between CMake build targets; build targets that are linked together; and source files that are compiled to generate the built library files.

`west spdx` can be called with optional parameters for further configuration:

* `-n PREFIX`: specifies a prefix for the Document Namespaces that will be included in the generated SPDX documents. See SPDX spec 2.2 section 2.5 at https://spdx.github.io/spdx-spec/2-document-creation-information/. If -n is omitted, a default namespace will be generated according to the default format described in section 2.5 using a random UUID.
* `-s SPDX_DIR`: specifies an alternate directory where the SPDX documents should be written. If not specified, they will be saved in `BUILD_DIR/spdx/`.
* `--analyze-includes`: in addition to recording the compiled source code files (e.g. `.c`, `.S`) in the bills-of-materials, if this flag is specified, `west spdx` will attempt to determine the specific header files that are included for each `.c` file. This will take longer, as it performs a dry run using the C compiler for each `.c` file (using the same arguments that were passed to it for the actual build).
* `--include-sdk`: if `--analyze-includes` is used, then adding `--include-sdk` will create a fourth SPDX document, `sdk.spdx`, which will list any header files included from the SDK.

Signed-off-by: Steve Winslow <steve@swinslow.net> |
4 years ago |