fd31b9b4ac
This adds support to generate SPDX 2.2 tag-value documents via the
new west spdx command. The CMake file-based APIs are leveraged to
create relationships from source files to the corresponding
generated build files. SPDX-License-Identifier comments in source
files are scanned and filled into the SPDX documents.
Before `west build` is run, a specific file must be created in the
build directory so that the CMake API reply will run. This can be
done by running:
west spdx --init -d BUILD_DIR
After `west build` is run, SPDX generation is then activated by
calling `west spdx`; currently this requires passing the build
directory as a parameter again:
west spdx -d BUILD_DIR
This will generate three SPDX documents in `BUILD_DIR/spdx/`:
1) `app.spdx`: This contains the bill-of-materials for the
application source files used for the build.
2) `zephyr.spdx`: This contains the bill-of-materials for the
specific Zephyr source code files that are used for the build.
3) `build.spdx`: This contains the bill-of-materials for the built
output files.
Each file in the bill-of-materials is scanned, so that its hashes
(SHA256 and SHA1) can be recorded, along with any detected licenses
if an `SPDX-License-Identifier` appears in the file.
SPDX Relationships are created to indicate dependencies between
CMake build targets; build targets that are linked together; and
source files that are compiled to generate the built library files.
`west spdx` can be called with optional parameters for further
configuration:
* `-n PREFIX`: specifies a prefix for the Document Namespaces that
will be included in the generated SPDX documents. See SPDX spec 2.2
section 2.5 at
https://spdx.github.io/spdx-spec/2-document-creation-information/.
If -n is omitted, a default namespace will be generated according
to the default format described in section 2.5 using a random UUID.
* `-s SPDX_DIR`: specifies an alternate directory where the SPDX
documents should be written. If not specified, they will be saved
in `BUILD_DIR/spdx/`.
* `--analyze-includes`: in addition to recording the compiled
source code files (e.g. `.c`, `.S`) in the bills-of-materials, if
this flag is specified, `west spdx` will attempt to determine the
specific header files that are included for each `.c` file. This
will take longer, as it performs a dry run using the C compiler
for each `.c` file (using the same arguments that were passed to it
for the actual build).
* `--include-sdk`: if `--analyze-includes` is used, then adding
`--include-sdk` will create a fourth SPDX document, `sdk.spdx`,
which will list any header files included from the SDK.
Signed-off-by: Steve Winslow <steve@swinslow.net>
|
||
|---|---|---|
| .. | ||
| completion | ||
| runners | ||
| tests | ||
| zspdx | ||
| boards.py | ||
| build_helpers.py | ||
| build.py | ||
| completion.py | ||
| debug.py | ||
| export.py | ||
| flash.py | ||
| mypy.ini | ||
| README.txt | ||
| run_common.py | ||
| run_tests.py | ||
| sign.py | ||
| spdx.py | ||
| zcmake.py | ||
| zephyr_ext_common.py | ||
This directory contains implementations for west commands which are tightly coupled to the zephyr tree. This includes the build, flash, and debug commands. Before adding more here, consider whether you might want to put new extensions in upstream west. For example, any commands which operate on the multi-repo need to be in upstream west, not here. Try to limit what goes in here to Zephyr-specific features. When extending this code, please keep the unit tests (in tests/) up to date. The mypy static type checker is also run on the runners package. To run these tests locally on Windows, run: py -3 run_tests.py On macOS and Linux: ./run_tests.py Note that these tests are run as part of Zephyr's CI when submitting an upstream pull request, and pull requests which break the tests cannot be merged. Thanks!