[{"id":3675182,"web_url":"http://patchwork.ozlabs.org/comment/3675182/","msgid":"<20260409084938.28685-1-thomas.perale@mind.be>","list_archive_url":null,"date":"2026-04-09T08:49:38","subject":"Re: [Buildroot] [PATCH v4 6/6] utils/generate-cyclonedx: generate\n vcs externalReferences for source repos","submitter":{"id":87308,"url":"http://patchwork.ozlabs.org/api/people/87308/","name":"Thomas Perale","email":"thomas.perale@mind.be"},"content":"Acked-By: Thomas Perale <thomas.perale@mind.be>\n\nIn reply to:\n> Some packages do not have a http/https download URL for a source tarball,\n> but are acquired over a version control system like git. If so, add\n> externalReferences of type \"vcs\" for such URLs.\n> \n> As most git repositories use a https:// transport that may not indicate the\n> repository type, add a \"comment\" due to the lack of a better mechanism in\n> CycloneDX.\n> \n> While the hashes are calculated over a tarball created locally, it still may\n> be useful, so add them for \"vcs\" externalReferences as well.\n> \n> Signed-off-by: Martin Willi <martin@strongswan.org>\n\n> ---\n>  .../tests/utils/test_generate_cyclonedx.py    | 30 ++++++++++++++++++-\n>  utils/generate-cyclonedx                      |  8 +++++\n>  2 files changed, 37 insertions(+), 1 deletion(-)\n> \n> diff --git a/support/testing/tests/utils/test_generate_cyclonedx.py b/support/testing/tests/utils/test_generate_cyclonedx.py\n> index 84f94f050760..77690b1b98bc 100644\n> --- a/support/testing/tests/utils/test_generate_cyclonedx.py\n> +++ b/support/testing/tests/utils/test_generate_cyclonedx.py\n> 
@@ -147,6 +147,8 @@ class TestGenerateCycloneDX(unittest.TestCase):\n>              {\n>                  \"source\": \"foo-1.2.tar.gz\",\n>                  \"uris\": [\n> +                    \"git+git://git.example.org/foo\",\n> +                    \"svn+https://svn.example.org/foo\",\n>                      \"https+https://sources.buildroot.net/foo\",\n>                      \"http|https+https://mirror.example.org/foo\",\n>                  ],\n> @@ -160,10 +162,20 @@ class TestGenerateCycloneDX(unittest.TestCase):\n>          self.assertEqual(\n>              foo[\"externalReferences\"],\n>              [\n> +                {\n> +                    \"type\": \"vcs\",\n> +                    \"url\": \"git://git.example.org/foo\",\n> +                    \"comment\": \"git repository\",\n> +                },\n> +                {\n> +                    \"type\": \"vcs\",\n> +                    \"url\": \"https://svn.example.org/foo\",\n> +                    \"comment\": \"svn repository\",\n> +                },\n>                  {\n>                      \"type\": \"source-distribution\",\n>                      \"url\": \"https://mirror.example.org/foo/foo-1.2.tar.gz\",\n> -                },\n> +                }\n>              ],\n>          )\n>  \n> @@ -183,6 +195,7 @@ class TestGenerateCycloneDX(unittest.TestCase):\n>                  {\n>                      \"source\": \"foo-1.2.tar.gz\",\n>                      \"uris\": [\n> +                        \"git+git://git.example.org/foo\",\n>                          \"http|https+https://mirror.example.org/foo\",\n>                      ],\n>                  },\n> 
@@ -194,6 +207,21 @@ class TestGenerateCycloneDX(unittest.TestCase):\n>          self.assertEqual(\n>              foo[\"externalReferences\"],\n>              [\n> +                {\n> +                    \"type\": \"vcs\",\n> +                    \"url\": \"git://git.example.org/foo\",\n> +                    \"comment\": \"git repository\",\n> +                    \"hashes\": [\n> +                        {\n> +                            \"alg\": \"SHA-256\",\n> +                            \"content\": \"1111111111111111111111111111111111111111111111111111111111111111\",\n> +                        },\n> +                        {\n> +                            \"alg\": \"SHA-1\",\n> +                            \"content\": \"2222222222222222222222222222222222222222\",\n> +                        },\n> +                    ]\n> +                },\n>                  {\n>                      \"type\": \"source-distribution\",\n>                      \"url\": \"https://mirror.example.org/foo/foo-1.2.tar.gz\",\n> diff --git a/utils/generate-cyclonedx b/utils/generate-cyclonedx\n> index 382d91ce55af..4166abd9ff04 100755\n> --- a/utils/generate-cyclonedx\n> +++ b/utils/generate-cyclonedx\n> @@ -325,6 +325,7 @@ def cyclonedx_external_refs(comp):\n>          dict: External reference information in CycloneDX format, or empty dict\n>      \"\"\"\n>      SOURCE_DIST_SCHEMES = {\"http\", \"https\"}\n> +    VCS_SCHEMES = {\"git\", \"svn\", \"cvs\", \"hg\", \"bzr\"}\n>  \n>      refs = []\n>      for download in comp.get(\"downloads\", []):\n> 
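Review bot: The `vcs` branch that uses `VCS_SCHEMES` in the next hunk of `cyclonedx_external_refs` matches when any entry of `schemes` is a VCS scheme (`set(schemes) & VCS_SCHEMES`) but builds the label from `schemes[0]`, so an entry whose first scheme is not the VCS one would get a misleading `comment`; whether such entries occur is not visible here. Selecting the matched scheme keeps the condition and the label in step: `vcs = next(s for s in schemes if s in VCS_SCHEMES)` and `"comment": f"{vcs} repository"`. The repository `url` is also written to the SBOM verbatim, so if a package's site URI can carry credentials in its userinfo part they would be published with the document; dropping userinfo before emitting the reference would avoid that. The function body begins before this hunk, so how `schemes` and `uri` are parsed is not shown.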
@@ -336,6 +337,13 @@ def cyclonedx_external_refs(comp):\n>                      \"url\": f\"{uri}/{source}\",\n>                      **cyclonedx_source_hashes(comp, source),\n>                  })\n> +            elif set(schemes) & VCS_SCHEMES:\n> +                refs.append({\n> +                    \"type\": \"vcs\",\n> +                    \"url\": uri,\n> +                    \"comment\": f\"{schemes[0]} repository\",\n> +                    **cyclonedx_source_hashes(comp, source),\n> +                })\n>      if refs:\n>          return {\"externalReferences\": refs}\n>      return {}\n> -- \n> 2.43.0\n> \n> _______________________________________________\n> buildroot mailing list\n> buildroot@buildroot.org\n> https://lists.buildroot.org/mailman/listinfo/buildroot","headers":{"Return-Path":"<buildroot-bounces@buildroot.org>","X-Original-To":["incoming-buildroot@patchwork.ozlabs.org","buildroot@buildroot.org"],"Delivered-To":["patchwork-incoming-buildroot@legolas.ozlabs.org","buildroot@buildroot.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=aHAWxgGc;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=2605:bc80:3010::137; helo=smtp4.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)"],"Received":["from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4frtsl1PS1z1xtJ\n\tfor <incoming-buildroot@patchwork.ozlabs.org>;\n Thu, 09 Apr 2026 18:49:47 +1000 (AEST)","from localhost (localhost [127.0.0.1])\n\tby smtp4.osuosl.org (Postfix) with ESMTP id 6A5A240FDF;\n\tThu,  
9 Apr 2026 08:49:45 +0000 (UTC)","from smtp4.osuosl.org ([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id eW6mo0XcZoFG; Thu,  9 Apr 2026 08:49:44 +0000 (UTC)","from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp4.osuosl.org (Postfix) with ESMTP id 9393540988;\n\tThu,  9 Apr 2026 08:49:44 +0000 (UTC)","from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138])\n by lists1.osuosl.org (Postfix) with ESMTP id 5308F237\n for <buildroot@buildroot.org>; Thu,  9 Apr 2026 08:49:43 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp1.osuosl.org (Postfix) with ESMTP id 4138382925\n for <buildroot@buildroot.org>; Thu,  9 Apr 2026 08:49:43 +0000 (UTC)","from smtp1.osuosl.org ([127.0.0.1])\n by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id fVSr3YjPpdKT for <buildroot@buildroot.org>;\n Thu,  9 Apr 2026 08:49:42 +0000 (UTC)","from mail-wm1-x32c.google.com (mail-wm1-x32c.google.com\n [IPv6:2a00:1450:4864:20::32c])\n by smtp1.osuosl.org (Postfix) with ESMTPS id D13C58264C\n for <buildroot@buildroot.org>; Thu,  9 Apr 2026 08:49:41 +0000 (UTC)","by mail-wm1-x32c.google.com with SMTP id\n 5b1f17b1804b1-488971db0fdso6244755e9.0\n for <buildroot@buildroot.org>; Thu, 09 Apr 2026 01:49:41 -0700 (PDT)","from arch ([79.132.232.220]) by smtp.gmail.com with ESMTPSA id\n ffacd0b85a97d-43d1e4d289asm64739862f8f.19.2026.04.09.01.49.38\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Thu, 09 Apr 2026 01:49:39 -0700 (PDT)"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver=<UNKNOWN> ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp4.osuosl.org 9393540988","OpenDKIM Filter v2.11.0 smtp1.osuosl.org D13C58264C"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; 
t=1775724584;\n\tbh=HAhDxHpAWigc2Y9Z/VZwozAvSTAC7/mBtYTs5sPutA8=;\n\th=To:Cc:Date:In-Reply-To:References:Subject:List-Id:\n\t List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:\n\t From:Reply-To:From;\n\tb=aHAWxgGcW1KO48PBD9EEBr54376R5gXOFNHgxDvvsCvnb1w+A759eB0roFbgxtM3f\n\t /0N39LAav7ieXI7f73q5IlN8J8dhDbOE9yP/9kcrseCGj7dNDURjgEKY3OfPrPEB6R\n\t xcrS5OwMy0PJaZBZ3D5YUa0gycGxY6OpBuQ1VtYZMa6FhPyl2T4fzoKvXisf7vvt8z\n\t uK4rw2yGN/ZHoAYOvlMjg7oH5utqKYWNPZJxN/bHK1sEr5pI5axL8aoaNXF2uHVdRJ\n\t AvAjWS1iEnCtv5KjN0DC/7fK3mQXOC3FFyaUwwYJYs3p3/QSkI+ezZh1Lp8SGml+kj\n\t gJrJKQJC3mkVg==","Received-SPF":"Pass (mailfrom) identity=mailfrom;\n client-ip=2a00:1450:4864:20::32c; helo=mail-wm1-x32c.google.com;\n envelope-from=thomas.perale@essensium.com; receiver=<UNKNOWN>","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp1.osuosl.org D13C58264C","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1775724579; x=1776329379;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from\n :to:cc:subject:date:message-id:reply-to;\n bh=FjDxBUDOxPK5v5YzCOKdzPNbKrUncgT3tWx/mVMcV+A=;\n b=VO+hPah3HosDIkZyatbQ2uUHFZCA528duUnC0Gvtkcmn3ed9y2GIm5WFvCWeh75ssK\n gAZtHWx4K5vJIEvRUzfxd+D7aXaneEjj+wSfIAvozSvoZem73GC1CQvUr6Vz+93W/nR4\n Otwjm15OMc1uu3kq7m7CdNkmjqKnBXUClQ1qRBnwj24PbyCv5t5+wtnWitolW+fdKwUE\n +xwTELKr9daB+6b6MH4RjfcUXqM7uNtxWl9wzQyixqlWq6OAvgNx8Cd11V7PLPpC37Wz\n yzrQheWZFviygIs3kPkjQIol7DbiOxvB5sdtYLqOjPGn09EwQStiA0eIzO5dUYX+30Zj\n vuEQ==","X-Forwarded-Encrypted":"i=1;\n AJvYcCVCVBw68NfaJiKST8LixV9CBdkT7/zAJH2eX0Zg8/IWujJ6QSCvlViqD4iAspaHa7lKTURaDig/9Oo=@buildroot.org","X-Gm-Message-State":"AOJu0Yw1pyY+YBz3ZmUvbg/pcRvnFI7XPp0358xxpzM2E4GXn2kFoKYT\n JkoleHVnQqInBfLa012P+GGNtVuJ68oipYrVQ9s5ikKyqwkWWTfDHjXKyjINjBV+7eBQTribduY\n HqUtQ8b8=","X-Gm-Gg":"AeBDievTKb2hrViwXTRXtuYzN/H9kDbjCUHXtcavnK8eV3XNgCmK4h/fHelragPA2g3\n 
lHcGBI6tH523C6j29ZzJSv1tXXq6qTtkCMlEstMKW064AOw6Q/dA/pkNszs5CL+w926kpY0nv+5\n quZQ+oP6U7yTyDZQPwTeXxBKpxK4nPMDeepb6OJ1qTsstuX3Ss5J47DmFefj8VibQNlb6XjXxRe\n NkPqWnj6KssdTMkxLsRQBwgq6bCyYtcNxS7DUz4HswX4Rqme9j+/mSdY2W2o632wTdVFuUuScGL\n h9MYTbqUHRhAjJdidzk5jpKGuzDxce8hXuzJaImgcVacfxMx90O1mvaVW9xRA0ovSusU8KBdU6P\n xovAKT2qb5OlQfjNRM8DKYxP8vXfa29qGyoDF23MhVQa8mySTJqQnh/+lX7DsoIYiha0H/1ulzY\n /dMtuuE++2AcOWrBtQulHKhrY9XVY=","X-Received":"by 2002:a05:600c:8b28:b0:47e:e48b:506d with SMTP id\n 5b1f17b1804b1-488cd0201d5mr44207495e9.16.1775724579380;\n Thu, 09 Apr 2026 01:49:39 -0700 (PDT)","To":"Martin Willi <martin@strongswan.org>","Cc":"Thomas Perale <thomas.perale@mind.be>,\n\tbuildroot@buildroot.org","Date":"Thu,  9 Apr 2026 10:49:38 +0200","Message-ID":"<20260409084938.28685-1-thomas.perale@mind.be>","X-Mailer":"git-send-email 2.53.0","In-Reply-To":"<20260409081401.2060709-7-martin@strongswan.org>","References":"<20260409081401.2060709-7-martin@strongswan.org>","MIME-Version":"1.0","X-Mailman-Original-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=mind.be; s=google; t=1775724579; x=1776329379; darn=buildroot.org;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:from:to:cc:subject:date\n :message-id:reply-to;\n bh=FjDxBUDOxPK5v5YzCOKdzPNbKrUncgT3tWx/mVMcV+A=;\n b=SD2C1KWlJGUVJ6bxiPq18nWaxlle3z10bfnRp8MxaYNsYzSRfMoKXdD+4gaT4metRh\n 7SBgb7P8JxQ8M67PWL27oXT9jpVEZ21T2Y2N1guWZrLrMwU4vE/KrG6lApSZOT48mZG8\n uUp8oH28W1JxLtW+VaPtEkcH6pPXTYcEDcWcI2v9UC0kRI1ejbvCBCsw/bpgbLA7+tMs\n GdvByh5cxWVKx9sNhovapJ3/WBUXTk1uhBedPgwvwhXwtMI85ol5maV/vYJUmFjkpoay\n xJP4Hf2+bYOOUbqhS7U7KWgzUTUTHxVy5X7anxMF76PtRhNk19ZTh2qWkoA3iZ/ojsbb\n E4dA==","X-Mailman-Original-Authentication-Results":["smtp1.osuosl.org;\n dmarc=pass (p=quarantine dis=none)\n header.from=mind.be","smtp1.osuosl.org;\n dkim=pass (2048-bit key,\n unprotected) header.d=mind.be header.i=@mind.be header.a=rsa-sha256\n header.s=google header.b=SD2C1KWl"],"Subject":"Re: 
[Buildroot] [PATCH v4 6/6] utils/generate-cyclonedx: generate\n vcs externalReferences for source repos","X-BeenThere":"buildroot@buildroot.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Discussion and development of buildroot <buildroot.buildroot.org>","List-Unsubscribe":"<https://lists.buildroot.org/mailman/options/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=unsubscribe>","List-Archive":"<http://lists.buildroot.org/pipermail/buildroot/>","List-Post":"<mailto:buildroot@buildroot.org>","List-Help":"<mailto:buildroot-request@buildroot.org?subject=help>","List-Subscribe":"<https://lists.buildroot.org/mailman/listinfo/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=subscribe>","From":"Thomas Perale via buildroot <buildroot@buildroot.org>","Reply-To":"Thomas Perale <thomas.perale@mind.be>","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Errors-To":"buildroot-bounces@buildroot.org","Sender":"\"buildroot\" <buildroot-bounces@buildroot.org>"}}]