[{"id":3675177,"web_url":"http://patchwork.ozlabs.org/comment/3675177/","msgid":"<20260409084310.27382-1-thomas.perale@mind.be>","list_archive_url":null,"date":"2026-04-09T08:43:10","subject":"Re: [Buildroot] [PATCH v4 3/6] utils/generate-cyclonedx: generate\n externalReferences with source-distribution","submitter":{"id":87308,"url":"http://patchwork.ozlabs.org/api/people/87308/","name":"Thomas Perale","email":"thomas.perale@mind.be"},"content":"Thanks !\n\nAcked-by: Thomas Perale <thomas.perale@mind.be>\n\nIn reply of:\n> BSI TR-03183-2 5.4.2 [1] lists source code URIs under \"Additional data fields\n> for each component\", and as such \"MUST additionally be provided, if it exists\".\n> \n> If a http or https source download URI is available from show-info, extract\n> it and include it as an externalReference of type \"source-distribution\" in the\n> CycloneDX output.\n> \n> [1] https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03183/BSI-TR-03183-2_v2_1_0.pdf?__blob=publicationFile&v=5\n> \n> Signed-off-by: Martin Willi <martin@strongswan.org>\n\n> ---\n>  .../tests/utils/test_generate_cyclonedx.py    | 26 ++++++++++\n>  utils/generate-cyclonedx                      | 47 +++++++++++++++++++\n>  2 files changed, 73 insertions(+)\n> \n> diff --git a/support/testing/tests/utils/test_generate_cyclonedx.py b/support/testing/tests/utils/test_generate_cyclonedx.py\n> index bf1b8e099bf9..a071ff867923 100644\n> --- a/support/testing/tests/utils/test_generate_cyclonedx.py\n> +++ b/support/testing/tests/utils/test_generate_cyclonedx.py\n> 
@@ -140,3 +140,29 @@ class TestGenerateCycloneDX(unittest.TestCase):\n>  \n>          foo_deps = next(d for d in result[\"dependencies\"] if d[\"ref\"] == \"package-foo\")\n>          self.assertEqual(foo_deps[\"dependsOn\"], [\"package-bar\", \"skeleton-baz\"])\n> +\n> +    def test_external_references(self):\n> +        info = self._make_show_info()\n> +        info[\"package-foo\"][\"downloads\"] = [\n> +            {\n> +                \"source\": \"foo-1.2.tar.gz\",\n> +                \"uris\": [\n> +                    \"https+https://sources.buildroot.net/foo\",\n> +                    \"http|https+https://mirror.example.org/foo\",\n> +                ],\n> +            },\n> +        ]\n> +\n> +        result = self._run_script(show_info=info)\n> +        foo = self._find_component(result, \"package-foo\")\n> +\n> +        self.assertIn(\"externalReferences\", foo)\n> +        self.assertEqual(\n> +            foo[\"externalReferences\"],\n> +            [\n> +                {\n> +                    \"type\": \"source-distribution\",\n> +                    \"url\": \"https://mirror.example.org/foo/foo-1.2.tar.gz\",\n> +                },\n> +            ],\n> +        )\n> diff --git a/utils/generate-cyclonedx b/utils/generate-cyclonedx\n> index f4d5afd847e5..a3b7293f9a5e 100755\n> --- a/utils/generate-cyclonedx\n> +++ b/utils/generate-cyclonedx\n> @@ -14,6 +14,8 @@ import gzip\n>  import json\n>  import os\n>  from pathlib import Path\n> +from typing import Iterator\n> +import urllib.parse\n>  import urllib.request\n>  import subprocess\n>  import sys\n> 
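Review bot: `test_external_references` covers only the accepted case and the `sources.buildroot.net` exclusion. Nothing asserts that a URI whose Buildroot scheme prefix is neither `http` nor `https` is left out, or that a download entry without `source` produces no `externalReferences` key. Because the output is a published SBOM, a negative case is worth adding, for example `self.assertNotIn("externalReferences", foo)` after setting `downloads` to an entry that has only a non-http scheme prefix.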
@@ -261,6 +263,50 @@ def cyclonedx_patches(patch_list: list[str]):\n>      }\n>  \n>  \n> +def parse_uris(uris: list[str]) -> Iterator[tuple[list[str], str]]:\n> +    \"\"\"Parse download URIs into (schemes, url) tuples.\n> +\n> +    Splits the Buildroot URI format \"scheme[|scheme]+url\" and yields all\n> +    Buildroot schemes with the stripped URL, excluding\n> +    sources.buildroot.net mirrors.\n> +\n> +    Args:\n> +        uris (list): Array of URI strings from the show-info output.\n> +    Yields:\n> +        tuple[list[str], str]: (schemes, url) for each usable URI.\n> +    \"\"\"\n> +    for uri in uris:\n> +        scheme, _, stripped_uri = uri.partition(\"+\")\n> +        if stripped_uri:\n> +            parsed = urllib.parse.urlparse(stripped_uri)\n> +            if parsed.hostname != \"sources.buildroot.net\":\n> +                yield scheme.split(\"|\"), stripped_uri\n> +\n> +\n> +def cyclonedx_external_refs(comp):\n> +    \"\"\"Create CycloneDX external references for a component.\n> +\n> +    Args:\n> +        comp (dict): The component information from the show-info output.\n> +    Returns:\n> +        dict: External reference information in CycloneDX format, or empty dict\n> +    \"\"\"\n> +    SOURCE_DIST_SCHEMES = {\"http\", \"https\"}\n> +\n> +    refs = []\n> +    for download in comp.get(\"downloads\", []):\n> +        source = download.get(\"source\")\n> +        for schemes, uri in parse_uris(download.get(\"uris\", [])):\n> +            if set(schemes) & SOURCE_DIST_SCHEMES and source:\n> +                refs.append({\n> +                    \"type\": \"source-distribution\",\n> +                    \"url\": f\"{uri}/{source}\",\n> +                })\n> +    if refs:\n> +        return {\"externalReferences\": refs}\n> +    return {}\n> +\n> +\n>  def cyclonedx_component(name, comp):\n>      \"\"\"Translate a component from the show-info output, to a component entry in CycloneDX format.\n>  \n> 
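Review bot: `parse_uris` drops only `sources.buildroot.net` by hostname, so every other http/https entry in `uris` is copied into the published SBOM unfiltered. If show-info also lists a site-configured mirror in that array (an assumption, not visible in this hunk), the SBOM would disclose internal hostnames, and any `user:password@` userinfo in the URL would be emitted verbatim. Consider skipping URLs where `parsed.username or parsed.password` is set, and percent-encoding the file name when joining, e.g. `"url": f"{uri.rstrip('/')}/{urllib.parse.quote(source)}"`. Separately, the check in `cyclonedx_external_refs` tests the Buildroot scheme prefix rather than `parsed.scheme`, which deserves a one-line comment such as `# schemes are Buildroot download methods, not the URL scheme`.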
@@ -284,6 +330,7 @@ def cyclonedx_component(name, comp):\n>          **({\n>              \"cpe\": comp[\"cpe-id\"],\n>          } if \"cpe-id\" in comp else {}),\n> +        **cyclonedx_external_refs(comp),\n>          **(cyclonedx_patches(comp[\"patches\"]) if comp.get(\"patches\") else {}),\n>          \"properties\": [{\n>              \"name\": \"BR_TYPE\",\n> -- \n> 2.43.0\n> \n> _______________________________________________\n> buildroot mailing list\n> buildroot@buildroot.org\n> https://lists.buildroot.org/mailman/listinfo/buildroot","headers":{"Return-Path":"<buildroot-bounces@buildroot.org>","X-Original-To":["incoming-buildroot@patchwork.ozlabs.org","buildroot@buildroot.org"],"Delivered-To":["patchwork-incoming-buildroot@legolas.ozlabs.org","buildroot@buildroot.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=nRHbjN18;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=2605:bc80:3010::137; helo=smtp4.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)"],"Received":["from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4frtkH3Zxwz1yCv\n\tfor <incoming-buildroot@patchwork.ozlabs.org>;\n Thu, 09 Apr 2026 18:43:19 +1000 (AEST)","from localhost (localhost [127.0.0.1])\n\tby smtp4.osuosl.org (Postfix) with ESMTP id 0393840FBC;\n\tThu,  9 Apr 2026 08:43:17 +0000 (UTC)","from smtp4.osuosl.org ([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id tFjcnBGkA-8X; Thu,  9 Apr 2026 08:43:16 +0000 (UTC)","from lists1.osuosl.org 
(lists1.osuosl.org [140.211.166.142])\n\tby smtp4.osuosl.org (Postfix) with ESMTP id 0AA1F40FD1;\n\tThu,  9 Apr 2026 08:43:16 +0000 (UTC)","from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133])\n by lists1.osuosl.org (Postfix) with ESMTP id 4170C237\n for <buildroot@buildroot.org>; Thu,  9 Apr 2026 08:43:15 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp2.osuosl.org (Postfix) with ESMTP id 3EEE74039B\n for <buildroot@buildroot.org>; Thu,  9 Apr 2026 08:43:15 +0000 (UTC)","from smtp2.osuosl.org ([127.0.0.1])\n by localhost (smtp2.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id Ay79JahlqJL3 for <buildroot@buildroot.org>;\n Thu,  9 Apr 2026 08:43:14 +0000 (UTC)","from mail-wm1-x330.google.com (mail-wm1-x330.google.com\n [IPv6:2a00:1450:4864:20::330])\n by smtp2.osuosl.org (Postfix) with ESMTPS id 7DA094039D\n for <buildroot@buildroot.org>; Thu,  9 Apr 2026 08:43:12 +0000 (UTC)","by mail-wm1-x330.google.com with SMTP id\n 5b1f17b1804b1-48374014a77so7879485e9.3\n for <buildroot@buildroot.org>; Thu, 09 Apr 2026 01:43:12 -0700 (PDT)","from arch ([79.132.232.220]) by smtp.gmail.com with ESMTPSA id\n 5b1f17b1804b1-488cd19a69esm20272185e9.32.2026.04.09.01.43.10\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Thu, 09 Apr 2026 01:43:10 -0700 (PDT)"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver=<UNKNOWN> ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp4.osuosl.org 0AA1F40FD1","OpenDKIM Filter v2.11.0 smtp2.osuosl.org 7DA094039D"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; t=1775724196;\n\tbh=YMlxl6NAzS7JHNOZraKlxYqbI1ju5uPyYB3PtkiDjNQ=;\n\th=To:Cc:Date:In-Reply-To:References:Subject:List-Id:\n\t List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:\n\t 
From:Reply-To:From;\n\tb=nRHbjN18CWij5ZDAOhIo/F+dhh6G8cniBDl2Xy7pxY86Zn/a+PHNLVfq4VLOfVDJr\n\t gsQaNNkXOS9doVCav9uoT/dqJ2UYQIBsJ3wzWCs+jAtJL+io1zc8y9MoSlx1Ze6pH9\n\t xaZWc8yES3I0kVJuESjVqhPoFJabW3H8kAk7/XPtaxn3JUhyHjkXJCoI33XnXwSG5U\n\t IcbVQnNFNAvAk/jezvRIJBAKGk90pywBZRNmuQNEpc6AX3LWXnZlZq4PxvA87A9o21\n\t sLeYDsXpXl3Hc2J5incPCG8dL86lQ7KxvvQNyOg/TT0aZqfwlKZ3UK1Fzf/5Zt2UeA\n\t tCTrfSHs6cIgw==","Received-SPF":"Pass (mailfrom) identity=mailfrom;\n client-ip=2a00:1450:4864:20::330; helo=mail-wm1-x330.google.com;\n envelope-from=thomas.perale@essensium.com; receiver=<UNKNOWN>","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp2.osuosl.org 7DA094039D","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1775724191; x=1776328991;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from\n :to:cc:subject:date:message-id:reply-to;\n bh=gVY7xot0SlWePQMbNUFrSkcfVE2UR/yCndnWje17vyw=;\n b=d7Ki5Aw3Ykm65m+nm4Tr+gfJynLayx6LlUx0tdlq9H4JVm8tOii8k4yO4Iq7oKGL8j\n DyngF9DHI9lRdAiTDCsik+6GSl7QQHZP8XNCcpg37mL0uxGqsvpsj/mOw8fsheuWIjRY\n d8TYoJVn0iDIWfdEBzfIVIGpNZsl3r1Ilu6VVMwVR6JQBZr717lipp1fObx4SNX42aSN\n PqDhE8M2m4hgaUJYdnKqu96x01qn064KgAnCoOmHql13sysdHOeqDh5f2SWEKH7qDSAa\n y1okXGUTXcI/e5zsb1dclbgXKTUHv6B/aEdi8+GLGoHm6kLedpb9yyny/zEhg5lIi6uE\n gbjQ==","X-Forwarded-Encrypted":"i=1;\n AJvYcCU/n46AqJOYT3OabhzjsAIaTUD1pWm7rccj5/wZccna9uESnTXZOvHP5v8vgaWmgwFa6iJyosmJIxM=@buildroot.org","X-Gm-Message-State":"AOJu0YyhwRrRfeIka9G7z4Upuf/InZ0xP8kTfVSSeJUKSoehT+Qs9X9d\n quUFgLYyQwWft+B7EMO4Oi6xG90FfODq347yCDki0VKw4FZORA0RDBm7a+TRass0UrI=","X-Gm-Gg":"AeBDiesIWf9Ey8g3xPRGVaZe2JWgdkfZi+/SI6ARzGAC94LFKQzLwnYlv1cBhNaFqdr\n /e8xLs9i/sYj3oSY5P58dunq2WG0koN7fAfOfN+q0JezERu5x0AfcvFx88NcmbwCO31LMzSFI6f\n tne/k9f/QJHYshGeZ3it7dNXg6/0Y97Jaq4A0wMKSS8z2AJhKTMNlnaN/Gl4rKMKTb7C853N+wU\n ZZkgxdyClmxdSzDbaX/Hqj0VDc2QBJfPMYphvlexMCpX4WdX8lOinvA8QEZPSgAu384Hnm/Ycbq\n 
r+eUcNCoi6o8ModDh/BNa3T/USu6Kc4DMGZb+exW7x2SRJOe94JlWuZl6F+F0KEmFkM4Zyzk/4M\n m62PeBbbVLBnKPT3sL5BNbSkUVrlgCCLgz+joXDmkove8KdjsFOlKlz+z93ChbQGJBSQHe6gbV6\n lgGS2/S5HiraizlnGP","X-Received":"by 2002:a05:600c:6305:b0:486:d76c:fa57 with SMTP id\n 5b1f17b1804b1-4889978da75mr330990145e9.17.1775724190900;\n Thu, 09 Apr 2026 01:43:10 -0700 (PDT)","To":"Martin Willi <martin@strongswan.org>","Cc":"Thomas Perale <thomas.perale@mind.be>,\n\tbuildroot@buildroot.org","Date":"Thu,  9 Apr 2026 10:43:10 +0200","Message-ID":"<20260409084310.27382-1-thomas.perale@mind.be>","X-Mailer":"git-send-email 2.53.0","In-Reply-To":"<20260409081401.2060709-4-martin@strongswan.org>","References":"<20260409081401.2060709-4-martin@strongswan.org>","MIME-Version":"1.0","X-Mailman-Original-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=mind.be; s=google; t=1775724191; x=1776328991; darn=buildroot.org;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:from:to:cc:subject:date\n :message-id:reply-to;\n bh=gVY7xot0SlWePQMbNUFrSkcfVE2UR/yCndnWje17vyw=;\n b=Sn8/ekr+hrvBcTBX1MBXrreIblhkmWerfbe0+YYbZbfkOg2WNHgbpy9gLC7EGqMd8L\n iklb0qkqeCBBBT/uPi4ZJlID2bp670uIMYlXhpm4zQEcifYPNJ8QjIXGsLrYuHxF5rrs\n p5eo2nESUPkwKii8m6HSOemhyZMKz+Zi9D0dNzK5E3LdK4L975xYDHS+wFuUtkJnz7Hy\n b2nxtLJB7oL6Y9yVl7TSN7THaTdugbwJR3U4lbRo8M5NQa6BlWYxTy9iE9YqaN4I2gy9\n 2XQbA49fWGjwlU0rb2Z2+h38cWn170+Tw2DmkGhiCQX5UxAw9p9lhuE9+QJnAFB84QdP\n 277g==","X-Mailman-Original-Authentication-Results":["smtp2.osuosl.org;\n dmarc=pass (p=quarantine dis=none)\n header.from=mind.be","smtp2.osuosl.org;\n dkim=pass (2048-bit key,\n unprotected) header.d=mind.be header.i=@mind.be header.a=rsa-sha256\n header.s=google header.b=Sn8/ekr+"],"Subject":"Re: [Buildroot] [PATCH v4 3/6] utils/generate-cyclonedx: generate\n externalReferences with source-distribution","X-BeenThere":"buildroot@buildroot.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Discussion and development of 
buildroot <buildroot.buildroot.org>","List-Unsubscribe":"<https://lists.buildroot.org/mailman/options/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=unsubscribe>","List-Archive":"<http://lists.buildroot.org/pipermail/buildroot/>","List-Post":"<mailto:buildroot@buildroot.org>","List-Help":"<mailto:buildroot-request@buildroot.org?subject=help>","List-Subscribe":"<https://lists.buildroot.org/mailman/listinfo/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=subscribe>","From":"Thomas Perale via buildroot <buildroot@buildroot.org>","Reply-To":"Thomas Perale <thomas.perale@mind.be>","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Errors-To":"buildroot-bounces@buildroot.org","Sender":"\"buildroot\" <buildroot-bounces@buildroot.org>"}}]