fd31b9b4ac
This adds support to generate SPDX 2.2 tag-value documents via the
new west spdx command. The CMake file-based APIs are leveraged to
create relationships from source files to the corresponding
generated build files. SPDX-License-Identifier comments in source
files are scanned and filled into the SPDX documents.
Before `west build` is run, a specific file must be created in the
build directory so that the CMake API reply will run. This can be
done by running:
west spdx --init -d BUILD_DIR
After `west build` is run, SPDX generation is then activated by
calling `west spdx`; currently this requires passing the build
directory as a parameter again:
west spdx -d BUILD_DIR
This will generate three SPDX documents in `BUILD_DIR/spdx/`:
1) `app.spdx`: This contains the bill-of-materials for the
application source files used for the build.
2) `zephyr.spdx`: This contains the bill-of-materials for the
specific Zephyr source code files that are used for the build.
3) `build.spdx`: This contains the bill-of-materials for the built
output files.
Each file in the bill-of-materials is scanned, so that its hashes
(SHA256 and SHA1) can be recorded, along with any detected licenses
if an `SPDX-License-Identifier` appears in the file.
SPDX Relationships are created to indicate dependencies between
CMake build targets; build targets that are linked together; and
source files that are compiled to generate the built library files.
`west spdx` can be called with optional parameters for further
configuration:
* `-n PREFIX`: specifies a prefix for the Document Namespaces that
will be included in the generated SPDX documents. See SPDX spec 2.2
section 2.5 at
https://spdx.github.io/spdx-spec/2-document-creation-information/.
If -n is omitted, a default namespace will be generated according
to the default format described in section 2.5 using a random UUID.
* `-s SPDX_DIR`: specifies an alternate directory where the SPDX
documents should be written. If not specified, they will be saved
in `BUILD_DIR/spdx/`.
* `--analyze-includes`: in addition to recording the compiled
source code files (e.g. `.c`, `.S`) in the bills-of-materials, if
this flag is specified, `west spdx` will attempt to determine the
specific header files that are included for each `.c` file. This
will take longer, as it performs a dry run using the C compiler
for each `.c` file (using the same arguments that were passed to it
for the actual build).
* `--include-sdk`: if `--analyze-includes` is used, then adding
`--include-sdk` will create a fourth SPDX document, `sdk.spdx`,
which will list any header files included from the SDK.
Signed-off-by: Steve Winslow <steve@swinslow.net>
39 lines
1.2 KiB
Python
39 lines
1.2 KiB
Python
# Copyright (c) 2021 The Linux Foundation
|
|
#
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
|
|
from west import log
|
|
|
|
# Parse a CMakeCache file and return a dict of key:value (discarding
|
|
# type hints).
|
|
def parseCMakeCacheFile(filePath):
|
|
log.dbg(f"parsing CMake cache file at {filePath}")
|
|
kv = {}
|
|
try:
|
|
with open(filePath, "r") as f:
|
|
# should be a short file, so we'll use readlines
|
|
lines = f.readlines()
|
|
|
|
# walk through and look for non-comment, non-empty lines
|
|
for line in lines:
|
|
sline = line.strip()
|
|
if sline == "":
|
|
continue
|
|
if sline.startswith("#") or sline.startswith("//"):
|
|
continue
|
|
|
|
# parse out : and = characters
|
|
pline1 = sline.split(":", maxsplit=1)
|
|
if len(pline1) != 2:
|
|
continue
|
|
pline2 = pline1[1].split("=", maxsplit=1)
|
|
if len(pline2) != 2:
|
|
continue
|
|
kv[pline1[0]] = pline2[1]
|
|
|
|
return kv
|
|
|
|
except OSError as e:
|
|
log.err(f"Error loading {filePath}: {str(e)}")
|
|
return {}
|