
yocto SPDX sboms #26

Open
mischief opened this issue Nov 10, 2023 · 1 comment

Comments

@mischief

hi,

is this project maintained?

is it possible to make this work with Yocto generated SBOMs? I have a demo using the action in https://github.com/mischief/spdx-sbom-test, with an SBOM generated by running upstream poky with https://github.com/yoctoproject/poky/blob/mickledore/meta/classes/create-spdx-2.2.bbclass enabled.

the dependency names are recognized but not versions and other metadata, and I think this is due to some differences in which fields of the SPDX format are populated by Yocto vs what this action expects.

@Gigaclank

@mischief I appreciate you may have resolved some of your issues.

However, I have created a script that may be of interest to you. This is a post script that is run against a folder of spdx json files and updates them accordingly to reflect some of the "undefined" items.

I would note that it does not provide you the ability to get any links to external layers etc.

```python
#!/usr/bin/env python3

import glob
import json
import os
import sys


def update_file(path):
    """Rewrite one SPDX JSON file in place, filling the fields the action
    reads from the ones Yocto populates."""
    try:
        with open(path, 'r+') as f:
            res = json.load(f)
            if "packages" in res:
                for package in res["packages"]:
                    # Yocto sets versionInfo; copy it to packageVersion.
                    if "versionInfo" in package:
                        package["packageVersion"] = package["versionInfo"]
                    # Yocto sets licenseDeclared; copy it to licenseConcluded.
                    if "licenseDeclared" in package:
                        package["licenseConcluded"] = package["licenseDeclared"]

            # Rewind and overwrite the file with the updated document.
            f.seek(0)
            json.dump(res, f, indent=2)
            f.truncate()
            print(f"Updated {path}")
    except FileNotFoundError:
        print(f"Error: File '{path}' not found.")
    except Exception as e:
        print(f"An error occurred: {e} in {path}")


def update_var(path):
    """Accept either a single file or a directory of *.spdx.json files."""
    if os.path.isdir(path):
        for filename in glob.glob(os.path.join(path, '*.spdx.json')):
            update_file(filename)
    else:
        update_file(path)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        update_var(sys.argv[1])
    else:
        print("Must provide an input file", file=sys.stderr)
        sys.exit(1)
```
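As an added example (not part of the issue and not Gigaclank's script), the following is a non-destructive variant of the same idea: it first audits which consumer-facing fields are absent or `NOASSERTION` in each package, then fills them from the Yocto-populated fields only where the target is missing, writing to a new file rather than in place. The `versionInfo` to `packageVersion` and `licenseDeclared` to `licenseConcluded` mapping is taken from the script above; what else the action expects is not known from this thread. The sample SBOM is constructed here and is not real Yocto output.

```python
"""Audit an SPDX 2.2 JSON SBOM for consumer-expected fields and fill them
from the Yocto-populated ones without clobbering existing values.

Added example, not the script from the issue. The field mapping is the
one the script above applies; the sample document is constructed and is
not real Yocto output.
"""
import copy
import json

# Source field Yocto populates -> target field the consuming action is
# assumed to read (assumption taken from the script in the comment above).
FIELD_MAP = {"versionInfo": "packageVersion", "licenseDeclared": "licenseConcluded"}

# Values that carry no information for a consumer.
EMPTY = (None, "", "NOASSERTION")

# Constructed sample shaped like a create-spdx output; not a real Yocto file.
SAMPLE_SBOM = {
    "spdxVersion": "SPDX-2.2",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-image",
    "packages": [
        {"SPDXID": "SPDXRef-Package-openssl", "name": "openssl",
         "versionInfo": "3.0.8", "licenseDeclared": "Apache-2.0",
         "licenseConcluded": "NOASSERTION"},
        {"SPDXID": "SPDXRef-Package-zlib", "name": "zlib",
         "versionInfo": "1.2.13", "licenseDeclared": "Zlib"},
        # No versionInfo at all: post-processing cannot invent a version.
        {"SPDXID": "SPDXRef-Package-busybox", "name": "busybox",
         "licenseDeclared": "GPL-2.0-only"},
    ],
}


def audit(doc):
    """Map package name -> list of target fields that are absent or NOASSERTION."""
    report = {}
    for pkg in doc.get("packages", []):
        gaps = [dst for dst in FIELD_MAP.values() if pkg.get(dst) in EMPTY]
        if gaps:
            report[pkg.get("name", pkg.get("SPDXID", "?"))] = gaps
    return report


def normalise(doc, overwrite_noassertion=False):
    """Return (new_doc, changes).

    Copies each source field into its target only when the target is
    missing, or equals NOASSERTION when overwrite_noassertion is set, so
    values the SBOM producer already filled in are never overwritten.
    The input document is left untouched.
    """
    new = copy.deepcopy(doc)
    changes = []
    for pkg in new.get("packages", []):
        for src, dst in FIELD_MAP.items():
            if src not in pkg:
                continue
            current = pkg.get(dst)
            if current is None or (overwrite_noassertion and current == "NOASSERTION"):
                pkg[dst] = pkg[src]
                changes.append((pkg.get("name"), dst, current, pkg[src]))
    return new, changes


def normalise_file(in_path, out_path, overwrite_noassertion=False):
    """Read an SPDX JSON file, write the normalised copy to out_path, return changes."""
    with open(in_path) as f:
        doc = json.load(f)
    new, changes = normalise(doc, overwrite_noassertion)
    with open(out_path, "w") as f:
        json.dump(new, f, indent=2)
    return changes


if __name__ == "__main__":
    print("before:", audit(SAMPLE_SBOM))
    fixed, changes = normalise(SAMPLE_SBOM)
    for name, field, old, val in changes:
        print(f"{name}: {field} {old!r} -> {val!r}")
    print("after: ", audit(fixed))
```

Running it shows that `busybox` still lacks `packageVersion` after normalising: Yocto never emitted a version for it, so no key-renaming step (this one or the script in the comment) can supply one, and the audit makes that visible instead of silently leaving the consumer with an undefined value. The default of leaving an explicit `NOASSERTION` alone is deliberate: in SPDX, `licenseConcluded` is the license the SBOM author concluded after review, whereas `licenseDeclared` is what the package itself claims, so copying one into the other turns an unreviewed claim into a conclusion; `overwrite_noassertion=True` opts into that when the consumer needs it.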
