{"id":2221311,"url":"http://patchwork.ozlabs.org/api/1.0/patches/2221311/?format=json","project":{"id":27,"url":"http://patchwork.ozlabs.org/api/1.0/projects/27/?format=json","name":"Buildroot development","link_name":"buildroot","list_id":"buildroot.buildroot.org","list_email":"buildroot@buildroot.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20260409081401.2060709-3-martin@strongswan.org>","date":"2026-04-09T08:13:57","name":"[v4,2/6] utils/generate-cyclonedx: remove indirect dependencies from root component","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"f744234facf186847f354dab3b4ed04d35a9cae2","submitter":{"id":736,"url":"http://patchwork.ozlabs.org/api/1.0/people/736/?format=json","name":"Martin Willi","email":"martin@strongswan.org"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/buildroot/patch/20260409081401.2060709-3-martin@strongswan.org/mbox/","series":[{"id":499252,"url":"http://patchwork.ozlabs.org/api/1.0/series/499252/?format=json","date":"2026-04-09T08:13:57","name":"Extend CycloneDX metadata","version":4,"mbox":"http://patchwork.ozlabs.org/series/499252/mbox/"}],"check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2221311/checks/","tags":{},"headers":{"Return-Path":"","X-Original-To":["incoming-buildroot@patchwork.ozlabs.org","buildroot@buildroot.org"],"Delivered-To":["patchwork-incoming-buildroot@legolas.ozlabs.org","buildroot@buildroot.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=CZJHPwvZ;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=140.211.166.137; helo=smtp4.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)"],"Received":["from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4frt5707kmz1yD3\n\tfor ;\n Thu, 09 Apr 2026 18:14:35 +1000 (AEST)","from localhost (localhost [127.0.0.1])\n\tby smtp4.osuosl.org (Postfix) with ESMTP id 4899340CEB;\n\tThu, 9 Apr 2026 08:14:29 +0000 (UTC)","from smtp4.osuosl.org ([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id n42Qh8AFLaeX; Thu, 9 Apr 2026 08:14:26 +0000 (UTC)","from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp4.osuosl.org (Postfix) with ESMTP id 7DAFD40CEC;\n\tThu, 9 Apr 2026 08:14:26 +0000 (UTC)","from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136])\n by lists1.osuosl.org (Postfix) with ESMTP id 3B9E4237\n for ; Thu, 9 Apr 2026 08:14:24 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp3.osuosl.org (Postfix) with ESMTP id 21CE360EFB\n for ; Thu, 9 Apr 2026 08:14:24 +0000 (UTC)","from smtp3.osuosl.org ([127.0.0.1])\n by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id vAV_4WexdcUK for ;\n Thu, 9 Apr 2026 08:14:23 +0000 (UTC)","from mail.codelabs.ch (mail.codelabs.ch [IPv6:2a02:168:860f:1::35])\n by smtp3.osuosl.org (Postfix) with ESMTPS id 9EB99607E0\n for ; Thu, 9 Apr 2026 08:14:21 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by mail.codelabs.ch (Postfix) with ESMTP id 00E875A0005;\n Thu, 09 Apr 2026 10:14:20 +0200 (CEST)","from mail.codelabs.ch ([127.0.0.1])\n by localhost (fenrir.codelabs.ch [127.0.0.1]) (amavis, port 10024) with ESMTP\n id 4SvmnbTdDqTP; Thu, 9 Apr 2026 10:14:19 +0200 (CEST)","from zbook.wlp.is (unknown [185.12.128.225])\n by mail.codelabs.ch (Postfix) with ESMTPSA id EEEFE5A0006;\n Thu, 09 Apr 2026 10:14:17 +0200 (CEST)"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver= ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp4.osuosl.org 7DAFD40CEC","OpenDKIM Filter v2.11.0 smtp3.osuosl.org 9EB99607E0"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; t=1775722466;\n\tbh=xELSs75mSCH10I21HoQ8PXm+kO8brgOmFG3cOUBuRqU=;\n\th=From:To:Cc:Date:In-Reply-To:References:Subject:List-Id:\n\t List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:\n\t From;\n\tb=CZJHPwvZj3Gc5RtRekn8nRDNeaXLZZ1fNsaYE2yzdWWZFYmKGlyOcR2yQ8+yOZpda\n\t N/VG0r0aA/UdhfeOPR283sctz6KN1B6UWexNooAQIchTNWKNrMz3iItJbfzotmi052\n\t 4Ch67VzCSUgHhTMBihaLdgPgHPkb7Z6mS9sq+ZPKLtWkuUMJs6mmKe6dUWQLFHY0s0\n\t 8j6zUYnSTkd3ax0CaRXk4l7gzgR+sReXnOGqEFlbxf6aXUVAqZenjDF+SMmcG16jiZ\n\t PsuFUM8vf7CK/N2xPkC56FQruuDs56Rk8OYHjZ4dYSh7iTd4OmWMf0d+E3Nhd3gg4q\n\t oCRtjw5euPyyg==","Received-SPF":"Pass (mailfrom) identity=mailfrom;\n client-ip=2a02:168:860f:1::35;\n helo=mail.codelabs.ch; envelope-from=martin@strongswan.org;\n receiver=","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp3.osuosl.org 9EB99607E0","From":"Martin Willi ","To":"buildroot@buildroot.org","Cc":"Thomas Perale ","Date":"Thu, 9 Apr 2026 10:13:57 +0200","Message-ID":"<20260409081401.2060709-3-martin@strongswan.org>","In-Reply-To":"<20260409081401.2060709-1-martin@strongswan.org>","References":"<20260409081401.2060709-1-martin@strongswan.org>","MIME-Version":"1.0","X-Mailman-Original-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple;\n d=strongswan.org; s=default; t=1775722457;\n bh=ZP9EDgyKgEq/iW/PQPpC6fiHQtbVrTmOrlFdVsgQAAc=;\n h=From:To:Cc:Subject:Date:In-Reply-To:References:From;\n b=CV01GH0CalhlZ7H+7H0NyjVOXPhzxT4q9rP7AHW+b99lJXTG8RfL7THFqzOM8iqJh\n BNjk/rUphurrlgUuwJE44z2Kc9bvEIZnGIJxmGvm3fFwGNU9nrsuHmuyfdX+laEdQO\n QK/1ioQH0PvWmm7oH1TxQALa+AMyBhXkYTYu/4hPZ43W5bU1Q7/tWMstCt6M69RXfX\n Qqe30fPj66J1s2LTriuBL1PdiHdz7Wqtejb/LKQ+GtQvA+UrVlkuWKMAUQiemr/UfU\n g0O722irZ1xNkZtvAQr10K8MwOTiAuqoljKM/gdMXnCtbCHuarW7wWs5xGgfNLTKqC\n WlHZx49k2yZzA==","X-Mailman-Original-Authentication-Results":["smtp3.osuosl.org;\n dmarc=pass (p=none dis=none)\n header.from=strongswan.org","smtp3.osuosl.org;\n dkim=pass (2048-bit key,\n unprotected) header.d=strongswan.org header.i=@strongswan.org\n header.a=rsa-sha256 header.s=default header.b=CV01GH0C"],"Subject":"[Buildroot] [PATCH v4 2/6] utils/generate-cyclonedx: remove\n indirect dependencies from root component","X-BeenThere":"buildroot@buildroot.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Discussion and development of buildroot ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Errors-To":"buildroot-bounces@buildroot.org","Sender":"\"buildroot\" "},"content":"Commit dc4af8bfa979 (\"utils/generate-cyclonedx: use direct dependencies\")\nremoves indirect dependencies from any listed component, as required by\nCycloneDX. The root component, however, still includes indirect dependencies,\nas it just takes the components from the show-info output.\n\nFix this by collecting all component dependencies, and then filter the root\ncomponent dependencies to include direct dependencies only.\n\nSigned-off-by: Martin Willi \nAcked-By: Thomas Perale \n---\n .../tests/utils/test_generate_cyclonedx.py | 3 +++\n utils/generate-cyclonedx | 21 ++++++++++++++++++-\n 2 files changed, 23 insertions(+), 1 deletion(-)","diff":"diff --git a/support/testing/tests/utils/test_generate_cyclonedx.py b/support/testing/tests/utils/test_generate_cyclonedx.py\nindex bfe5eaf054cf..bf1b8e099bf9 100644\n--- a/support/testing/tests/utils/test_generate_cyclonedx.py\n+++ b/support/testing/tests/utils/test_generate_cyclonedx.py\n@@ -129,6 +129,9 @@ class TestGenerateCycloneDX(unittest.TestCase):\n bar_deps = next(d for d in result[\"dependencies\"] if d[\"ref\"] == \"package-bar\")\n self.assertEqual(bar_deps[\"dependsOn\"], [\"package-foo\"])\n \n+ project_deps = next(d for d in result[\"dependencies\"] if d[\"ref\"] == \"buildroot\")\n+ self.assertEqual(project_deps[\"dependsOn\"], [\"host-tool\", \"package-foo\"])\n+\n def test_virtual(self):\n result = self._run_script([\"--virtual\"])\n \ndiff --git a/utils/generate-cyclonedx b/utils/generate-cyclonedx\nindex 35198a47cfdd..f4d5afd847e5 100755\n--- a/utils/generate-cyclonedx\n+++ b/utils/generate-cyclonedx\n@@ -385,6 +385,25 @@ def br2_parse_deps(ref, show_info_dict, virtual=False) -> list:\n return list(deps)\n \n \n+def br2_root_deps(show_info_dict, virtual=False) -> list:\n+ \"\"\"Retrieve the list of direct dependencies of the root component.\n+\n+ This function returns all components that are not a dependency of any\n+ other component.\n+\n+ Args:\n+ show_info_dict (dict): The JSON output of the show-info command.\n+ virtual (bool): Whether to resolve virtual dependencies to their providers.\n+\n+ Returns:\n+ list: List of direct dependencies of the root component.\n+ \"\"\"\n+ indirect = set()\n+ for ref in show_info_dict:\n+ indirect.update(br2_parse_deps(ref, show_info_dict, virtual))\n+ return [ref for ref in show_info_dict if ref not in indirect]\n+\n+\n def main():\n parser = argparse.ArgumentParser(\n description='''Create a CycloneDX SBoM for the Buildroot configuration.\n@@ -447,7 +466,7 @@ def main():\n cyclonedx_component(name, comp) for name, comp in filtered_show_info_dict.items()\n ],\n \"dependencies\": [\n- cyclonedx_dependency(args.project_name, list(filtered_show_info_dict)),\n+ cyclonedx_dependency(args.project_name, br2_root_deps(filtered_show_info_dict, args.virtual)),\n *[cyclonedx_dependency(ref, br2_parse_deps(ref, show_info_dict, args.virtual))\n for ref in filtered_show_info_dict],\n ],\n","prefixes":["v4","2/6"]}