yocto SPDX sboms

[mischief]

hi,

is this project maintained?

is it possible to make this work with Yocto generated SBOMs? i have a demo using the action in https://github.com/mischief/spdx-sbom-test, with an SBOM generated by running upstream poky with https://github.com/yoctoproject/poky/blob/mickledore/meta/classes/create-spdx-2.2.bbclass enabled.

the dependency names are recognized but not versions and other metadata, and i think this is due to some differences in which fields of the SPDX format are populated by Yocto vs what this action expects.

[Gigaclank]

@mischief i appreciate you may have resolved some of your issues.

however i have created a script that may be of interest to you. This is a post script that is ran against a folder of spdx json files and updates them accordingly to reflect some of the "undefined" items.

I would note that it does not provide you the ability to get any links to external layers etc.

#! /usr/bin/env python

import json
import os
import sys
import glob

def update_file(path):
    try:
        with open(path, 'r+') as f:
            res = json.load(f)
            if "packages" in res:
                for package in res["packages"]:
                    if "versionInfo" in package :
                        package["packageVersion"] = package["versionInfo"]
                    if "licenseDeclared" in package:
                        package["licenseConcluded"] = package["licenseDeclared"]
    
            f.seek(0)
            json.dump(res, f, indent=2)
            f.truncate()
            print(f"Updated {path}")
    except FileNotFoundError:
        print(f"Error: File '{path}' not found.")
    except Exception as e:
        print(f"An error occurred: {e} in {path}")


def update_var(path):
    if os.path.isdir(path):
        for filename in glob.glob(path + '/*.spdx.json'):
            update_file(filename)
    else:
        update_file(path)



if __name__ == "__main__":
    if len(sys.argv) > 1:
        update_var(sys.argv[1])
    else:
        print("Must provide an input file", file=sys.stderr)
        exit(1)