2013-08-23 21:40:35 +00:00
|
|
|
# This class integrates real-time license scanning, generation of SPDX standard
|
|
|
|
# output and verifying license info during the building process.
|
|
|
|
# It is a combination of efforts from the OE-Core, SPDX and Fossology projects.
|
|
|
|
#
|
|
|
|
# For more information on FOSSology:
|
|
|
|
# http://www.fossology.org
|
|
|
|
#
|
|
|
|
# For more information on FOSSologySPDX commandline:
|
|
|
|
# https://github.com/spdx-tools/fossology-spdx/wiki/Fossology-SPDX-Web-API
|
|
|
|
#
|
|
|
|
# For more information on SPDX:
|
|
|
|
# http://www.spdx.org
|
|
|
|
#
|
|
|
|
|
|
|
|
# SPDX file will be output to the path which is defined as [SPDX_MANIFEST_DIR]
|
|
|
|
# in ./meta/conf/licenses.conf.
|
|
|
|
|
|
|
|
# Directory holding the cached SPDX result for this recipe; do_spdx reads and
# writes "<PN><PV>.spdx" inside it.
SPDXSSTATEDIR = "${WORKDIR}/spdx_sstate_dir"
|
|
|
|
|
2014-09-23 09:48:12 +00:00
|
|
|
# If ${S} isn't actually the top-level source directory, set SPDX_S to point at
|
|
|
|
# the real top-level directory.
|
|
|
|
# Default only ('?='): the directory do_spdx scans is ${S} unless SPDX_S has
# already been set elsewhere.
SPDX_S ?= "${S}"
|
|
|
|
|
2013-08-23 21:40:35 +00:00
|
|
|
python do_spdx () {
    # Task: produce an SPDX manifest for this recipe's source tree.
    #
    #  1. Read paths and metadata from the datastore and create the
    #     manifest, cache and temp directories.
    #  2. Compute the verification code of the sources (get_ver_code) and
    #     compare it with the cached SPDX document, if there is one.
    #  3. If the cache is missing, unreadable or stale: stage the files to
    #     scan (setup_foss_scan), post the tarball to the FOSSology server
    #     with wget (run_fossology), merge the answer into the local file
    #     list (create_spdx_doc) and refresh the cache (write_cached_spdx).
    #  4. Write the manifest (create_manifest) and remove the temp dir and
    #     tarball.
    #
    # Errors are reported through bb.error and end the task early.
    import os
    import shutil

    info = {}
    info['workdir'] = d.getVar('WORKDIR')
    info['sourcedir'] = d.getVar('SPDX_S')
    info['pn'] = d.getVar('PN')
    info['pv'] = d.getVar('PV')
    info['spdx_version'] = d.getVar('SPDX_VERSION')
    info['data_license'] = d.getVar('DATA_LICENSE')

    sstatedir = d.getVar('SPDXSSTATEDIR')
    sstatefile = os.path.join(sstatedir, info['pn'] + info['pv'] + ".spdx")

    manifest_dir = d.getVar('SPDX_MANIFEST_DIR')
    info['outfile'] = os.path.join(manifest_dir, info['pn'] + ".spdx")

    info['spdx_temp_dir'] = d.getVar('SPDX_TEMP_DIR')
    info['tar_file'] = os.path.join(info['workdir'], info['pn'] + ".tar.gz")

    # Make sure important dirs exist
    try:
        bb.utils.mkdirhier(manifest_dir)
        bb.utils.mkdirhier(sstatedir)
        bb.utils.mkdirhier(info['spdx_temp_dir'])
    except OSError as e:
        bb.error("SPDX: Could not set up required directories: " + str(e))
        return

    ## get everything from cache. use it to decide if
    ## something needs to be rerun
    cur_ver_code = get_ver_code(info['sourcedir'])

    # get_cached_spdx() returns None when the cache file does not contain
    # valid JSON. Treat that exactly like "no cache" instead of crashing on
    # a subscript of None.
    cached_spdx = None
    if os.path.exists(sstatefile):
        cached_spdx = get_cached_spdx(sstatefile)
        if cached_spdx is None:
            bb.warn("SPDX: Ignoring unreadable cache file: " + sstatefile)

    cache_cur = False
    if cached_spdx is None:
        local_file_info = setup_foss_scan(info, False, None)
    elif cached_spdx['PackageVerificationCode'] == cur_ver_code:
        bb.warn("SPDX: Verification code for " + info['pn']
                + " is same as cache's. do nothing")
        cache_cur = True
    else:
        local_file_info = setup_foss_scan(info, True, cached_spdx['Files'])

    if cache_cur:
        spdx_file_info = cached_spdx['Files']
        foss_package_info = cached_spdx['Package']
        foss_license_info = cached_spdx['Licenses']
    else:
        ## setup fossology command
        foss_server = d.getVar('FOSS_SERVER')
        foss_flags = d.getVar('FOSS_WGET_FLAGS')
        foss_full_spdx = d.getVar('FOSS_FULL_SPDX') == "true"
        foss_command = "wget %s --post-file=%s %s" \
            % (foss_flags, info['tar_file'], foss_server)

        foss_result = run_fossology(foss_command, foss_full_spdx)
        if foss_result is None:
            bb.error("SPDX: Could not communicate with FOSSology server. Command was: " + foss_command)
            return

        (foss_package_info, foss_file_info, foss_license_info) = foss_result
        spdx_file_info = create_spdx_doc(local_file_info, foss_file_info)
        ## write to cache
        write_cached_spdx(sstatefile, cur_ver_code, foss_package_info,
                          spdx_file_info, foss_license_info)

    ## Get document and package level information
    spdx_header_info = get_header_info(info, cur_ver_code, foss_package_info)

    ## CREATE MANIFEST
    create_manifest(info, spdx_header_info, spdx_file_info, foss_license_info)

    ## clean up the temp stuff
    shutil.rmtree(info['spdx_temp_dir'], ignore_errors=True)
    if os.path.exists(info['tar_file']):
        remove_file(info['tar_file'])
}
|
|
|
|
# Schedule do_spdx after do_patch and before do_configure.
addtask spdx after do_patch before do_configure
|
|
|
|
|
spdx.bbclass: improved stability, fixed SPDX compliance issues. Changes are reflected in licenses.conf.
The previous version could crash on dead links in the rootfs, or if the manifest directory did not
exist. The generated files were also not compliant with the SPDX specification, for example file
entries did not always start with the FileName tag, time stamps were incorrectly formatted etc.
Stability issues are addressed by added checks, originally written by Johan Thelin
<johan.thelin@pelagicore.com>, who never upstreamed them. I've also added an option for getting full
SPDX output from FOSSology, i.e. not only for all files, but for the package as well, including
license references. License refs are required in order to process the output by SPDXTools. For that
reason, this option defaults to true.
(From OE-Core rev: 5d3a4f4f57e4d8581fd88a14324f94e93104a690)
Signed-off-by: Tobias Olausson <tobias.olausson@pelagicore.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-10-20 14:09:15 +00:00
|
|
|
def create_manifest(info, header, files, licenses):
    """Write the SPDX manifest to ``info['outfile']`` as UTF-8 text.

    The output is the header, then one paragraph per file and one paragraph
    per license, each paragraph terminated by an empty line.

    info     -- dict; only ``info['outfile']`` (destination path) is read.
    header   -- text written first, followed by a newline.
    files    -- dict mapping a checksum to a dict of ``tag -> value``
                strings; every inner dict must contain ``'FileName'``.
    licenses -- dict mapping a license id to a dict of ``tag -> value``
                strings.
    """
    import codecs

    with codecs.open(info['outfile'], mode='w', encoding='utf-8') as f:
        # Write header
        f.write(header + '\n')

        # Write file data. items()/values() are used instead of iteritems(),
        # which no longer exists on Python 3.
        for block in files.values():
            # The FileName tag must open each file entry, so emit it first
            # and skip it in the generic loop below.
            f.write("FileName: " + block['FileName'] + '\n')
            for key, value in block.items():
                if key != 'FileName':
                    f.write(key + ": " + value + '\n')
            f.write('\n')

        # Write license data
        for license_id, block in licenses.items():
            f.write("LicenseID: " + license_id + '\n')
            for key, value in block.items():
                f.write(key + ": " + value + '\n')
            f.write('\n')
|
|
|
|
|
2014-11-13 14:49:52 +00:00
|
|
|
def get_cached_spdx(sstatefile):
    """Load the cached SPDX document stored as JSON in *sstatefile*.

    Returns the decoded JSON value, or None when the file content cannot be
    parsed (json raises ValueError). Errors from opening the file are not
    handled here.
    """
    import codecs
    import json

    with codecs.open(sstatefile, mode='r', encoding='utf-8') as cache:
        try:
            return json.load(cache)
        except ValueError:
            # Unparseable cache: signal "nothing usable" to the caller.
            return None
|
|
|
|
|
2014-11-13 14:49:52 +00:00
|
|
|
def write_cached_spdx(sstatefile, ver_code, package_info, files, license_info):
    """Store the scan result as a JSON document in *sstatefile* (UTF-8).

    The document has four keys: 'PackageVerificationCode' (ver_code),
    'Files' (files), 'Package' (package_info) and 'Licenses' (license_info).
    """
    import codecs
    import json

    document = {
        'PackageVerificationCode': ver_code,
        'Files': files,
        'Package': package_info,
        'Licenses': license_info,
    }
    with codecs.open(sstatefile, mode='w', encoding='utf-8') as cache:
        cache.write(json.dumps(document))
|
|
|
|
|
2014-11-13 14:49:52 +00:00
|
|
|
def setup_foss_scan(info, cache, cached_files):
    """Stage the files that need scanning and pack them into a tarball.

    Every file under ``info['sourcedir']`` is hashed. A file whose checksum
    is already in *cached_files* (when *cache* is true) keeps its cached
    entry; any other file is copied below ``info['spdx_temp_dir']`` so that
    it ends up in the tarball ``info['tar_file']``.

    info         -- dict; reads 'sourcedir', 'spdx_temp_dir' and 'tar_file'.
    cache        -- whether *cached_files* should be consulted.
    cached_files -- dict keyed by checksum (only used when *cache* is true).

    Returns a dict mapping checksum -> file entry. New entries contain only
    'FileName' (path relative to the source directory). Files that cannot be
    hashed are skipped with a warning.
    """
    import shutil
    import tarfile

    file_info = {}

    for f_dir, f in list_files(info['sourcedir']):
        full_path = os.path.join(f_dir, f)
        abs_path = os.path.join(info['sourcedir'], full_path)
        dest_dir = os.path.join(info['spdx_temp_dir'], f_dir)
        dest_path = os.path.join(info['spdx_temp_dir'], full_path)

        checksum = hash_file(abs_path)
        if checksum is None:
            bb.warn("SPDX: Could not get checksum for file: " + f)
            continue

        ## retain cache information if it exists
        if cache and checksum in cached_files:
            file_info[checksum] = cached_files[checksum]
            continue

        ## have the file included in what's sent to the FOSSology server
        file_info[checksum] = {'FileName': full_path}

        # The two steps are guarded separately so the warning names the
        # step that failed. On Python 3 shutil.Error and IOError are
        # OSError, so a single shared "except OSError" would report every
        # copy failure as a mkdirhier failure.
        try:
            bb.utils.mkdirhier(dest_dir)
        except OSError as e:
            bb.warn("SPDX: mkdirhier failed: " + str(e))
            continue

        try:
            shutil.copyfile(abs_path, dest_path)
        except (shutil.Error, IOError, OSError) as e:
            bb.warn("SPDX: copyfile failed: " + str(e))

    with tarfile.open(info['tar_file'], "w:gz") as tar:
        tar.add(info['spdx_temp_dir'], arcname=os.path.basename(info['spdx_temp_dir']))

    return file_info
|
|
|
|
|
2014-11-13 14:49:52 +00:00
|
|
|
def remove_file(file_name):
    """Delete *file_name*, ignoring any OSError (best-effort cleanup)."""
    try:
        os.unlink(file_name)
    except OSError:
        # Deliberately silent: a file that cannot be removed is not fatal.
        return
|
|
|
|
|
2014-11-13 14:49:52 +00:00
|
|
|
def list_files(dir):
    """Yield ``(relative_directory, file_name)`` for every file below *dir*.

    The tree is traversed with os.walk; the directory part is expressed
    relative to *dir* ('.' for files directly inside it).
    """
    for current, _subdirs, names in os.walk(dir):
        relative = os.path.relpath(current, dir)
        for name in names:
            yield relative, name
|
|
|
|
|
2014-11-13 14:49:52 +00:00
|
|
|
def hash_file(file_name):
    """Return the SHA-1 hex digest of the file's content, or None.

    None is returned when the file cannot be opened or read (for example a
    dead symlink or a directory). Only I/O errors are handled; anything
    else, such as KeyboardInterrupt, propagates instead of being swallowed.
    """
    import hashlib

    sha1 = hashlib.sha1()
    try:
        with open(file_name, 'rb') as f:
            # Hash in fixed-size chunks so large files are never loaded
            # into memory in one piece.
            for chunk in iter(lambda: f.read(65536), b''):
                sha1.update(chunk)
    except (IOError, OSError):
        return None
    return sha1.hexdigest()
|
|
|
|
|
|
|
|
def hash_string(data):
    """Return the SHA-1 hex digest of *data*.

    *data* may be bytes or text. Text is encoded as UTF-8 first, because
    hashlib on Python 3 only accepts bytes-like objects.
    """
    import hashlib

    # type(u'') is the text type on both Python 2 (unicode) and Python 3 (str).
    if isinstance(data, type(u'')):
        data = data.encode('utf-8')

    sha1 = hashlib.sha1()
    sha1.update(data)
    return sha1.hexdigest()
|
|
|
|
|
2014-11-13 14:49:52 +00:00
|
|
|
def run_fossology(foss_command, full_spdx):
    """Run the FOSSology request command and parse its SPDX tag/value output.

    foss_command -- command line as one string; it is split on whitespace
                    and executed without a shell.
    full_spdx    -- when true, package-level fields are parsed from the
                    output; otherwise they are filled with NOASSERTION
                    defaults.

    Returns ``(package_info, file_info, license_info)``:
      package_info -- dict with PackageCopyrightText, PackageLicenseDeclared,
                      PackageLicenseConcluded and PackageLicenseInfoFromFiles
                      (a list).
      file_info    -- dict keyed by SHA1 checksum; each value holds
                      FileCopyrightText, FileName, FileType, LicenseConcluded
                      and LicenseInfoInFile.
      license_info -- dict keyed by LicenseID; each value holds ExtractedText
                      and LicenseName.
    Returns None when the command exits with a non-zero status or cannot be
    started at all.

    Raises IndexError when an expected field is missing from the output.
    """
    import re
    import subprocess

    try:
        foss_output = subprocess.check_output(foss_command.split(),
                stderr=subprocess.STDOUT).decode('utf-8')
    except (subprocess.CalledProcessError, OSError):
        # OSError covers a command that could not be executed at all.
        return None

    # Normalise line endings. str.replace is used because the module-level
    # string.replace() function does not exist on Python 3.
    foss_output = foss_output.replace('\r', '')

    # Package info
    package_info = {}
    if full_spdx:
        # All mandatory, only one occurrence
        package_info['PackageCopyrightText'] = re.findall('PackageCopyrightText: (.*?</text>)', foss_output, re.S)[0]
        package_info['PackageLicenseDeclared'] = re.findall('PackageLicenseDeclared: (.*)', foss_output)[0]
        package_info['PackageLicenseConcluded'] = re.findall('PackageLicenseConcluded: (.*)', foss_output)[0]
        # These may be more than one
        package_info['PackageLicenseInfoFromFiles'] = re.findall('PackageLicenseInfoFromFiles: (.*)', foss_output)
    else:
        DEFAULT = "NOASSERTION"
        package_info['PackageCopyrightText'] = "<text>" + DEFAULT + "</text>"
        package_info['PackageLicenseDeclared'] = DEFAULT
        package_info['PackageLicenseConcluded'] = DEFAULT
        package_info['PackageLicenseInfoFromFiles'] = []

    # File info
    file_info = {}
    # FileName is also in PackageFileName, so we match on FileType as well.
    records = re.findall('FileName:.*?FileType:.*?</text>', foss_output, re.S)
    fields = ['FileName', 'FileType', 'LicenseConcluded', 'LicenseInfoInFile']
    for rec in records:
        chksum = re.findall('FileChecksum: SHA1: (.*)\n', rec)[0]
        entry = {}
        entry['FileCopyrightText'] = re.findall('FileCopyrightText: (.*?</text>)', rec, re.S)[0]
        for field in fields:
            entry[field] = re.findall(field + ': (.*)', rec)[0]
        file_info[chksum] = entry

    # Licenses
    license_info = {}
    licenses = re.findall('LicenseID:.*?LicenseName:.*?\n', foss_output, re.S)
    for lic in licenses:
        license_id = re.findall('LicenseID: (.*)\n', lic)[0]
        license_info[license_id] = {
            'ExtractedText': re.findall('ExtractedText: (.*?</text>)', lic, re.S)[0],
            'LicenseName': re.findall('LicenseName: (.*)', lic)[0],
        }

    return (package_info, file_info, license_info)
|
2013-08-23 21:40:35 +00:00
|
|
|
|
2014-11-13 14:49:52 +00:00
|
|
|
def create_spdx_doc(file_info, scanned_files):
    """
    Merge FOSSology scan results into the local per-file SPDX info.

    file_info:     dict keyed by file checksum; each value is a dict of
                   SPDX fields for that file. Updated in place.
    scanned_files: dict keyed by file checksum; each value is a dict that
                   provides 'FileType', 'LicenseInfoInFile',
                   'LicenseConcluded' and 'FileCopyrightText' (and
                   'FileName', which is only used for the warning).

    Scanned entries whose checksum is not present in file_info are not
    merged; a warning is emitted for each of them instead.

    Returns the (mutated) file_info dict.
    """
    import json

    ## push foss changes back into cache
    ## NOTE: items() rather than iteritems() - the latter does not exist on
    ## Python 3 dictionaries and raised AttributeError here.
    for chksum, lic_info in scanned_files.items():
        if chksum not in file_info:
            bb.warn("SPDX: " + lic_info['FileName'] + " : " + chksum
                + " : is not in the local file info: "
                + json.dumps(lic_info, indent=1))
            continue

        entry = file_info[chksum]
        entry['FileType'] = lic_info['FileType']
        entry['FileChecksum: SHA1'] = chksum
        entry['LicenseInfoInFile'] = lic_info['LicenseInfoInFile']
        entry['LicenseConcluded'] = lic_info['LicenseConcluded']
        entry['FileCopyrightText'] = lic_info['FileCopyrightText']

    return file_info
|
|
|
|
|
2014-11-13 14:49:52 +00:00
|
|
|
def get_ver_code(dirname):
    """
    Compute a verification code for the files found under dirname.

    Every (sub-directory, file name) pair yielded by list_files(dirname)
    is hashed with hash_file(); the resulting checksums are concatenated,
    lower-cased and hashed again with hash_string().

    Files for which hash_file() returns None are left out of the code and
    reported with a warning.

    Returns whatever hash_string() returns for the concatenated checksums.
    """
    import os

    ## NOTE(review): the SPDX package verification code algorithm sorts the
    ## per-file SHA1 values before concatenating them. Here the order is
    ## whatever list_files() yields - confirm that this is deterministic.
    chksums = []
    for f_dir, f in list_files(dirname):
        ## Build the path once so that it is also available for the warning;
        ## the warning used to reference an undefined name and raised
        ## NameError instead of reporting the unhashable file.
        path = os.path.join(dirname, f_dir, f)
        file_hash = hash_file(path)
        if file_hash is not None:
            chksums.append(file_hash)
        else:
            bb.warn("SPDX: Could not hash file: " + path)

    ver_code_string = ''.join(chksums).lower()
    return hash_string(ver_code_string)
|
|
|
|
|
2014-11-13 14:49:52 +00:00
|
|
|
def get_header_info(info, spdx_verification_code, package_info):
    """
    Put together the header SPDX information.
    Eventually this needs to become a lot less
    of a hardcoded thing.

    info:                   dict providing 'spdx_version', 'data_license',
                            'pn', 'pv' and 'tar_file' (path of the package
                            archive; only its base name is written out).
    spdx_verification_code: string emitted as PackageVerificationCode.
    package_info:           dict providing 'PackageCopyrightText',
                            'PackageLicenseDeclared',
                            'PackageLicenseConcluded' and an iterable of
                            license reference strings under
                            'PackageLicenseInfoFromFiles'.

    Returns the header as a single newline-joined string, ending with the
    "## File Information" section marker and an empty line.
    """
    import os
    import time

    DEFAULT = "NOASSERTION"

    ## Fall back to NOASSERTION when the archive could not be hashed.
    package_checksum = hash_file(info['tar_file'])
    if package_checksum is None:
        package_checksum = DEFAULT

    ## The trailing 'Z' designates UTC, so the time stamp has to be taken
    ## from gmtime() rather than from the local clock.
    now = time.strftime('%Y-%m-%dT%H:%M:%SZ', time.gmtime())

    head = []

    ## document level information
    head.append("## SPDX Document Information")
    head.append("SPDXVersion: " + info['spdx_version'])
    head.append("DataLicense: " + info['data_license'])
    head.append("DocumentComment: <text>SPDX for "
        + info['pn'] + " version " + info['pv'] + "</text>")
    head.append("")

    ## Creator information
    head.append("## Creation Information")
    ## Tools are supposed to have a version, but FOSSology+SPDX provides none.
    head.append("Creator: Tool: FOSSology+SPDX")
    head.append("Created: " + now)
    head.append("CreatorComment: <text>UNO</text>")
    head.append("")

    ## package level information
    head.append("## Package Information")
    head.append("PackageName: " + info['pn'])
    head.append("PackageVersion: " + info['pv'])
    head.append("PackageFileName: " + os.path.basename(info['tar_file']))
    head.append("PackageSupplier: Person:" + DEFAULT)
    head.append("PackageDownloadLocation: " + DEFAULT)
    head.append("PackageSummary: <text></text>")
    head.append("PackageOriginator: Person:" + DEFAULT)
    head.append("PackageChecksum: SHA1: " + package_checksum)
    head.append("PackageVerificationCode: " + spdx_verification_code)
    head.append("PackageDescription: <text>" + info['pn']
        + " version " + info['pv'] + "</text>")
    head.append("")
    head.append("PackageCopyrightText: "
        + package_info['PackageCopyrightText'])
    head.append("")
    head.append("PackageLicenseDeclared: "
        + package_info['PackageLicenseDeclared'])
    head.append("PackageLicenseConcluded: "
        + package_info['PackageLicenseConcluded'])

    ## one line per license reference found in the package's files
    for licref in package_info['PackageLicenseInfoFromFiles']:
        head.append("PackageLicenseInfoFromFiles: " + licref)
    head.append("")

    ## header for file level
    head.append("## File Information")
    head.append("")

    return '\n'.join(head)
|