[PATCH v2 1/1] create-spdx-2.2: Add support for custom Annotations


Saul Wold
 

This change adds a new variable to track which recipe variables
are added as SPDX Annotations.

Usage: add SPDX_CUSTOM_ANNOTATION_VARS = <some recipe variable>

The recipe SPDX JSON will contain an annotation stanza that looks
something like this:

  "annotations": [
    {
      "annotationDate": "2023-02-13T19:44:20Z",
      "annotationType": "OTHER",
      "annotator": "Tool: oe-spdx-creator - 1.0",
      "comment": "CUSTOM_VARIABLE=some value or string"
    },

Signed-off-by: Saul Wold <saul.wold@...>
---
meta/classes/create-spdx-2.2.bbclass | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass
index f0513af083b..bdc2e2c91e7 100644
--- a/meta/classes/create-spdx-2.2.bbclass
+++ b/meta/classes/create-spdx-2.2.bbclass
@@ -30,6 +30,8 @@ SPDX_PRETTY ??= "0"

SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json"

+SPDX_CUSTOM_ANNOTATION_VARS ??= ""
+
SPDX_ORG ??= "OpenEmbedded ()"
SPDX_SUPPLIER ??= "Organization: ${SPDX_ORG}"
SPDX_SUPPLIER[doc] = "The SPDX PackageSupplier field for SPDX packages created from \
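Review bot: the new `SPDX_CUSTOM_ANNOTATION_VARS ??= ""` carries no `[doc]` varflag, while `SPDX_SUPPLIER[doc]` directly below documents its neighbour in this same block; add one, e.g. `SPDX_CUSTOM_ANNOTATION_VARS[doc] = "Space-separated list of recipe variables whose values are recorded verbatim as SPDX annotations on the recipe package."`, and say there that the values end up in the published SBOM, so variables that can carry credentials or host-specific paths should not be listed.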
@@ -402,7 +404,6 @@ def collect_dep_sources(d, dep_recipes):

return sources

-
python do_create_spdx() {
from datetime import datetime, timezone
import oe.sbom
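Review bot: the removal of the blank line before `python do_create_spdx() {` is an unrelated whitespace change (it is the single deletion in the diffstat) with no connection to the annotation feature; drop it from this patch or mention it in the commit message so reviewers are not left wondering what it is for.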
@@ -479,6 +480,11 @@ python do_create_spdx() {
if description:
recipe.description = description

+ if d.getVar("SPDX_CUSTOM_ANNOTATION_VARS"):
+ for var in d.getVar("SPDX_CUSTOM_ANNOTATION_VARS").split():
+ if d.getVar(var):
+ recipe.annotations.append(create_annotation(d, var + "=" + d.getVar(var)))
+
# Some CVEs may be patched during the build process without incrementing the version number,
# so querying for CVEs based on the CPE id can lead to false positives. To account for this,
# save the CVEs fixed by patches to source information field in the SPDX.
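Review bot: `d.getVar(var)` is evaluated twice per listed variable and `d.getVar("SPDX_CUSTOM_ANNOTATION_VARS")` twice, so any variable with an expensive or side-effecting expansion is expanded more than once; bind each to a local first, e.g. `value = d.getVar(var)` then `if value:`. The `if d.getVar(var):` test also silently drops variables that are unset or expand to empty, which someone who deliberately listed them may not expect; a `bb.warn` (or at least a comment stating that empty values are skipped) would make the omission visible. Finally the comment is built as `var + "=" + d.getVar(var)` with no escaping, so consumers must split on the first `=` only, since the value itself may contain `=`.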
--
2.25.1

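A consumer-side illustration of the annotation format, added here and not part of the patch or of the oe-core class: it builds `VAR=value` annotation comments the way the hunk does (one `OTHER` annotation per listed variable, unset or empty variables skipped) from a constructed mapping that stands in for the BitBake datastore, then parses them back out of a constructed SPDX 2.2 JSON document and checks them against expected values, splitting on the first `=` only. The placement of the annotations under the recipe package entry, the sample variable names and the annotator string are assumptions.

```python
import json
from typing import Callable, Dict, List, Mapping, Optional

# Annotator string as shown in the commit message; assumed to be what the class emits.
TOOL_ANNOTATOR = "Tool: oe-spdx-creator - 1.0"

# Constructed stand-in for the BitBake datastore (not real recipe values).
SAMPLE_VARS = {
    "SPDX_CUSTOM_ANNOTATION_VARS": "BUILD_ID FEATURE_FLAGS UNSET_VAR",
    "BUILD_ID": "nightly-42",
    "FEATURE_FLAGS": "a=1,b=2",   # value containing '=' to exercise first-'=' splitting
    "UNSET_VAR": "",              # empty: skipped, as the hunk's `if d.getVar(var):` does
}


def build_custom_annotations(getvar: Callable[[str], Optional[str]],
                             var_list: str, annotation_date: str) -> List[dict]:
    """Mirror the patch logic: one 'VAR=value' OTHER annotation per listed
    variable that expands to a non-empty string. `getvar` plays the role of
    d.getVar; each variable is expanded once and bound to a local."""
    annotations = []
    for var in var_list.split():
        value = getvar(var)
        if not value:
            continue  # unset or empty variables produce no annotation
        annotations.append({
            "annotationDate": annotation_date,
            "annotationType": "OTHER",
            "annotator": TOOL_ANNOTATOR,
            "comment": f"{var}={value}",
        })
    return annotations


def parse_custom_annotations(spdx_doc: dict, annotator: str = TOOL_ANNOTATOR) -> Dict[str, str]:
    """Collect VAR=value pairs from the annotations of every package in an
    SPDX 2.2 JSON document. Only OTHER annotations from the given tool are
    considered, and the comment is split on the first '=' only."""
    out: Dict[str, str] = {}
    for pkg in spdx_doc.get("packages", []):
        for ann in pkg.get("annotations", []):
            if ann.get("annotationType") != "OTHER" or ann.get("annotator") != annotator:
                continue
            comment = ann.get("comment", "")
            if "=" not in comment:
                continue
            name, value = comment.split("=", 1)
            out[name] = value
    return out


def verify_annotations(spdx_doc: dict, expected: Mapping[str, str]) -> List[str]:
    """Compare the recorded annotations with the values a consumer expects
    and return human-readable mismatches; an empty list means all matched."""
    found = parse_custom_annotations(spdx_doc)
    problems = []
    for name, want in expected.items():
        if name not in found:
            problems.append(f"{name}: absent")
        elif found[name] != want:
            problems.append(f"{name}: expected {want!r}, got {found[name]!r}")
    return problems


def sample_document() -> dict:
    """Constructed SPDX 2.2 JSON document shaped like a recipe SBOM, with the
    tool annotations under the recipe package (assumed layout) plus an
    unrelated human REVIEW annotation that the parser must ignore."""
    anns = build_custom_annotations(SAMPLE_VARS.get,
                                    SAMPLE_VARS["SPDX_CUSTOM_ANNOTATION_VARS"],
                                    "2023-02-13T19:44:20Z")
    doc = {
        "spdxVersion": "SPDX-2.2",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": "recipe-example",
        "packages": [{
            "SPDXID": "SPDXRef-Recipe-example",
            "name": "example",
            "annotations": anns + [{
                "annotationDate": "2023-02-13T20:00:00Z",
                "annotationType": "REVIEW",
                "annotator": "Person: Reviewer",
                "comment": "NOT_A_VAR=ignored",
            }],
        }],
    }
    # Round-trip through JSON to mimic reading the file the class writes out.
    return json.loads(json.dumps(doc))


if __name__ == "__main__":
    doc = sample_document()
    print(json.dumps(parse_custom_annotations(doc), indent=2))
    print(verify_annotations(doc, {"BUILD_ID": "nightly-42", "MISSING": "x"}))
```

The parser filters on both `annotationType` and `annotator` so that human review annotations on the same package are not mistaken for recorded variables, and `verify_annotations` is the kind of check a downstream consumer can run to confirm an SBOM really records the build configuration it claims.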

Alexandre Belloni
 

V1 got merged, can you rebase ? :)

On 14/02/2023 09:21:56-0800, Saul Wold wrote:


--
Alexandre Belloni, co-owner and COO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com