{"id":2221314,"url":"http://patchwork.ozlabs.org/api/1.0/patches/2221314/?format=json","project":{"id":27,"url":"http://patchwork.ozlabs.org/api/1.0/projects/27/?format=json","name":"Buildroot development","link_name":"buildroot","list_id":"buildroot.buildroot.org","list_email":"buildroot@buildroot.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20260409081401.2060709-4-martin@strongswan.org>","date":"2026-04-09T08:13:58","name":"[v4,3/6] utils/generate-cyclonedx: generate externalReferences with source-distribution","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"7e4326c8c8c8aef3f38c026aff867a963e20772a","submitter":{"id":736,"url":"http://patchwork.ozlabs.org/api/1.0/people/736/?format=json","name":"Martin Willi","email":"martin@strongswan.org"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/buildroot/patch/20260409081401.2060709-4-martin@strongswan.org/mbox/","series":[{"id":499252,"url":"http://patchwork.ozlabs.org/api/1.0/series/499252/?format=json","date":"2026-04-09T08:13:57","name":"Extend CycloneDX metadata","version":4,"mbox":"http://patchwork.ozlabs.org/series/499252/mbox/"}],"check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2221314/checks/","tags":{},"headers":{"Return-Path":"<buildroot-bounces@buildroot.org>","X-Original-To":["incoming-buildroot@patchwork.ozlabs.org","buildroot@buildroot.org"],"Delivered-To":["patchwork-incoming-buildroot@legolas.ozlabs.org","buildroot@buildroot.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=cU6LTEG7;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=2605:bc80:3010::137; helo=smtp4.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)"],"Received":["from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4frt5G2T04z1yD3\n\tfor <incoming-buildroot@patchwork.ozlabs.org>;\n Thu, 09 Apr 2026 18:14:42 +1000 (AEST)","from localhost (localhost [127.0.0.1])\n\tby smtp4.osuosl.org (Postfix) with ESMTP id 3822D41053;\n\tThu,  9 Apr 2026 08:14:33 +0000 (UTC)","from smtp4.osuosl.org ([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id veklAvE_w0_r; Thu,  9 Apr 2026 08:14:31 +0000 (UTC)","from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp4.osuosl.org (Postfix) with ESMTP id D804940F33;\n\tThu,  9 Apr 2026 08:14:30 +0000 (UTC)","from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136])\n by lists1.osuosl.org (Postfix) with ESMTP id 1D6891D6\n for <buildroot@buildroot.org>; Thu,  9 Apr 2026 08:14:25 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp3.osuosl.org (Postfix) with ESMTP id 03A06607E0\n for <buildroot@buildroot.org>; Thu,  9 Apr 2026 08:14:25 +0000 (UTC)","from smtp3.osuosl.org ([127.0.0.1])\n by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id pJY97TJL6CzI for <buildroot@buildroot.org>;\n Thu,  9 Apr 2026 08:14:24 +0000 (UTC)","from mail.codelabs.ch (mail.codelabs.ch [IPv6:2a02:168:860f:1::35])\n by smtp3.osuosl.org (Postfix) with ESMTPS id C163F60D92\n for <buildroot@buildroot.org>; Thu,  9 Apr 2026 08:14:23 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by mail.codelabs.ch (Postfix) with ESMTP id 0591C5A0006;\n Thu, 09 Apr 2026 10:14:21 +0200 (CEST)","from mail.codelabs.ch ([127.0.0.1])\n by localhost (fenrir.codelabs.ch [127.0.0.1]) (amavis, port 10024) with ESMTP\n id tq0kokaAOGqC; Thu,  9 Apr 2026 10:14:19 +0200 (CEST)","from zbook.wlp.is (unknown [185.12.128.225])\n by mail.codelabs.ch (Postfix) with ESMTPSA id 0441D5A0007;\n Thu, 09 Apr 2026 10:14:18 +0200 (CEST)"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver=<UNKNOWN> ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp4.osuosl.org D804940F33","OpenDKIM Filter v2.11.0 smtp3.osuosl.org C163F60D92"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; t=1775722471;\n\tbh=nzEEtXDIL3EP+yRxcPab0XK571xKe1PW9l3KdhMIJ9g=;\n\th=From:To:Cc:Date:In-Reply-To:References:Subject:List-Id:\n\t List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:\n\t From;\n\tb=cU6LTEG7iDeP8PNaduRgc6m7JkCHF7A0vkywxYy6MGUsk1nevJcf7JXGFsTKafY80\n\t 7gxs5eKatfqnwUPBW2qv1S3Qt3Zh4aFcgtfSg9+/yEkYTffqnyPmSGppHtYC+64kIJ\n\t 5nJnKPqwIl7DoLJAlVRnZybQ5XxHxqSec2sh4hvdrlbNi04qGK3TUGaDXC7tOVsCDx\n\t Q5DkCLAUhonYC3z2CI+wzx/oM4GqCBAXN1NRe9FYgOdnmK7BgP0FbXxCBC0H+95jpu\n\t 7F4GLgsznKu9rgiG2ZtmPzEv0FEKnOWZX6Z4BjC2ssNRwvsm1Gv5S99QMnXbmdPdx6\n\t KwRrWODVwp1Ow==","Received-SPF":"Pass (mailfrom) identity=mailfrom;\n client-ip=2a02:168:860f:1::35;\n helo=mail.codelabs.ch; envelope-from=martin@strongswan.org;\n receiver=<UNKNOWN>","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp3.osuosl.org C163F60D92","From":"Martin Willi <martin@strongswan.org>","To":"buildroot@buildroot.org","Cc":"Thomas Perale <thomas.perale@mind.be>","Date":"Thu,  9 Apr 2026 10:13:58 +0200","Message-ID":"<20260409081401.2060709-4-martin@strongswan.org>","In-Reply-To":"<20260409081401.2060709-1-martin@strongswan.org>","References":"<20260409081401.2060709-1-martin@strongswan.org>","MIME-Version":"1.0","X-Mailman-Original-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple;\n d=strongswan.org; s=default; t=1775722458;\n bh=aO4qeil6ItUC8W9Jt1QjwxklpYtrvQlZvm2rJNsrnAY=;\n h=From:To:Cc:Subject:Date:In-Reply-To:References:From;\n b=QM64Rq/cWEyofI5QvcPDN5Rny3X0EIzOxz433MNU6cU/383jLPbwDgP4oJ4CHo4cS\n wK/zu5+SSnZJq6sfvsmA6DhUR6U9VmKDXtOnAFLlD9232uZDV1xBFHJ5/mOGnaAwEG\n 4i+65VjzzF01YQ4FkNXtmw/Ce+dmDjNPfMWtgRdI30nqGkm2Ggw8dA0lHgL8aqbUrg\n exwQiIpigOC20ab8WskmQfXCAq2t7PHb8qGbp4CMPBv35DNm+vBSdHsWMG1t6tTHUI\n SRYmFJrUGX7MC73OsLRHdS73NtOczgpZGLcx0LqYea1Pht+H5aheuTXT1zN6wChGDt\n o+BxE/TBwZDag==","X-Mailman-Original-Authentication-Results":["smtp3.osuosl.org;\n dmarc=pass (p=none dis=none)\n header.from=strongswan.org","smtp3.osuosl.org;\n dkim=pass (2048-bit key,\n unprotected) header.d=strongswan.org header.i=@strongswan.org\n header.a=rsa-sha256 header.s=default header.b=QM64Rq/c"],"Subject":"[Buildroot] [PATCH v4 3/6] utils/generate-cyclonedx: generate\n externalReferences with source-distribution","X-BeenThere":"buildroot@buildroot.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Discussion and development of buildroot <buildroot.buildroot.org>","List-Unsubscribe":"<https://lists.buildroot.org/mailman/options/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=unsubscribe>","List-Archive":"<http://lists.buildroot.org/pipermail/buildroot/>","List-Post":"<mailto:buildroot@buildroot.org>","List-Help":"<mailto:buildroot-request@buildroot.org?subject=help>","List-Subscribe":"<https://lists.buildroot.org/mailman/listinfo/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=subscribe>","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Errors-To":"buildroot-bounces@buildroot.org","Sender":"\"buildroot\" <buildroot-bounces@buildroot.org>"},"content":"BSI TR-03183-2 5.4.2 [1] lists source code URIs under \"Additional data fields\nfor each component\", and as such \"MUST additionally be provided, if it exists\".\n\nIf a http or https source download URI is available from show-info, extract\nit and include it as an externalReference of type \"source-distribution\" in the\nCycloneDX output.\n\n[1] https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03183/BSI-TR-03183-2_v2_1_0.pdf?__blob=publicationFile&v=5\n\nSigned-off-by: Martin Willi <martin@strongswan.org>\n---\n .../tests/utils/test_generate_cyclonedx.py    | 26 ++++++++++\n utils/generate-cyclonedx                      | 47 +++++++++++++++++++\n 2 files changed, 73 insertions(+)","diff":"diff --git a/support/testing/tests/utils/test_generate_cyclonedx.py b/support/testing/tests/utils/test_generate_cyclonedx.py\nindex bf1b8e099bf9..a071ff867923 100644\n--- a/support/testing/tests/utils/test_generate_cyclonedx.py\n+++ b/support/testing/tests/utils/test_generate_cyclonedx.py\n@@ -140,3 +140,29 @@ class TestGenerateCycloneDX(unittest.TestCase):\n \n         foo_deps = next(d for d in result[\"dependencies\"] if d[\"ref\"] == \"package-foo\")\n         self.assertEqual(foo_deps[\"dependsOn\"], [\"package-bar\", \"skeleton-baz\"])\n+\n+    def test_external_references(self):\n+        info = self._make_show_info()\n+        info[\"package-foo\"][\"downloads\"] = [\n+            {\n+                \"source\": \"foo-1.2.tar.gz\",\n+                \"uris\": [\n+                    \"https+https://sources.buildroot.net/foo\",\n+                    \"http|https+https://mirror.example.org/foo\",\n+                ],\n+            },\n+        ]\n+\n+        result = self._run_script(show_info=info)\n+        foo = self._find_component(result, \"package-foo\")\n+\n+        self.assertIn(\"externalReferences\", foo)\n+        self.assertEqual(\n+            foo[\"externalReferences\"],\n+            [\n+                {\n+                    \"type\": \"source-distribution\",\n+                    \"url\": \"https://mirror.example.org/foo/foo-1.2.tar.gz\",\n+                },\n+            ],\n+        )\ndiff --git a/utils/generate-cyclonedx b/utils/generate-cyclonedx\nindex f4d5afd847e5..a3b7293f9a5e 100755\n--- a/utils/generate-cyclonedx\n+++ b/utils/generate-cyclonedx\n@@ -14,6 +14,8 @@ import gzip\n import json\n import os\n from pathlib import Path\n+from typing import Iterator\n+import urllib.parse\n import urllib.request\n import subprocess\n import sys\n@@ -261,6 +263,50 @@ def cyclonedx_patches(patch_list: list[str]):\n     }\n \n \n+def parse_uris(uris: list[str]) -> Iterator[tuple[list[str], str]]:\n+    \"\"\"Parse download URIs into (schemes, url) tuples.\n+\n+    Splits the Buildroot URI format \"scheme[|scheme]+url\" and yields all\n+    Buildroot schemes with the stripped URL, excluding\n+    sources.buildroot.net mirrors.\n+\n+    Args:\n+        uris (list): Array of URI strings from the show-info output.\n+    Yields:\n+        tuple[list[str], str]: (schemes, url) for each usable URI.\n+    \"\"\"\n+    for uri in uris:\n+        scheme, _, stripped_uri = uri.partition(\"+\")\n+        if stripped_uri:\n+            parsed = urllib.parse.urlparse(stripped_uri)\n+            if parsed.hostname != \"sources.buildroot.net\":\n+                yield scheme.split(\"|\"), stripped_uri\n+\n+\n+def cyclonedx_external_refs(comp):\n+    \"\"\"Create CycloneDX external references for a component.\n+\n+    Args:\n+        comp (dict): The component information from the show-info output.\n+    Returns:\n+        dict: External reference information in CycloneDX format, or empty dict\n+    \"\"\"\n+    SOURCE_DIST_SCHEMES = {\"http\", \"https\"}\n+\n+    refs = []\n+    for download in comp.get(\"downloads\", []):\n+        source = download.get(\"source\")\n+        for schemes, uri in parse_uris(download.get(\"uris\", [])):\n+            if set(schemes) & SOURCE_DIST_SCHEMES and source:\n+                refs.append({\n+                    \"type\": \"source-distribution\",\n+                    \"url\": f\"{uri}/{source}\",\n+                })\n+    if refs:\n+        return {\"externalReferences\": refs}\n+    return {}\n+\n+\n def cyclonedx_component(name, comp):\n     \"\"\"Translate a component from the show-info output, to a component entry in CycloneDX format.\n \n@@ -284,6 +330,7 @@ def cyclonedx_component(name, comp):\n         **({\n             \"cpe\": comp[\"cpe-id\"],\n         } if \"cpe-id\" in comp else {}),\n+        **cyclonedx_external_refs(comp),\n         **(cyclonedx_patches(comp[\"patches\"]) if comp.get(\"patches\") else {}),\n         \"properties\": [{\n             \"name\": \"BR_TYPE\",\n","prefixes":["v4","3/6"]}