{"id":2221317,"url":"http://patchwork.ozlabs.org/api/1.0/patches/2221317/?format=json","project":{"id":27,"url":"http://patchwork.ozlabs.org/api/1.0/projects/27/?format=json","name":"Buildroot development","link_name":"buildroot","list_id":"buildroot.buildroot.org","list_email":"buildroot@buildroot.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20260409081401.2060709-7-martin@strongswan.org>","date":"2026-04-09T08:14:01","name":"[v4,6/6] utils/generate-cyclonedx: generate vcs externalReferences for source repos","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"905c1b5fc55a7d810690ce0e49f8088c718c8569","submitter":{"id":736,"url":"http://patchwork.ozlabs.org/api/1.0/people/736/?format=json","name":"Martin Willi","email":"martin@strongswan.org"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/buildroot/patch/20260409081401.2060709-7-martin@strongswan.org/mbox/","series":[{"id":499252,"url":"http://patchwork.ozlabs.org/api/1.0/series/499252/?format=json","date":"2026-04-09T08:13:57","name":"Extend CycloneDX metadata","version":4,"mbox":"http://patchwork.ozlabs.org/series/499252/mbox/"}],"check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2221317/checks/","tags":{},"headers":{"Return-Path":"<buildroot-bounces@buildroot.org>","X-Original-To":["incoming-buildroot@patchwork.ozlabs.org","buildroot@buildroot.org"],"Delivered-To":["patchwork-incoming-buildroot@legolas.ozlabs.org","buildroot@buildroot.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=RxkefK+U;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=140.211.166.137; helo=smtp4.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)"],"Received":["from smtp4.osuosl.org (smtp4.osuosl.org 
[140.211.166.137])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4frt5P6YyDz1yD3\n\tfor <incoming-buildroot@patchwork.ozlabs.org>;\n Thu, 09 Apr 2026 18:14:49 +1000 (AEST)","from localhost (localhost [127.0.0.1])\n\tby smtp4.osuosl.org (Postfix) with ESMTP id 80FCE41095;\n\tThu,  9 Apr 2026 08:14:37 +0000 (UTC)","from smtp4.osuosl.org ([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id bPb9Ie_soJMQ; Thu,  9 Apr 2026 08:14:36 +0000 (UTC)","from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp4.osuosl.org (Postfix) with ESMTP id 717234108B;\n\tThu,  9 Apr 2026 08:14:36 +0000 (UTC)","from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138])\n by lists1.osuosl.org (Postfix) with ESMTP id 0FABB1D6\n for <buildroot@buildroot.org>; Thu,  9 Apr 2026 08:14:27 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp1.osuosl.org (Postfix) with ESMTP id 0158182726\n for <buildroot@buildroot.org>; Thu,  9 Apr 2026 08:14:27 +0000 (UTC)","from smtp1.osuosl.org ([127.0.0.1])\n by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id vGFDg7NSJs_z for <buildroot@buildroot.org>;\n Thu,  9 Apr 2026 08:14:26 +0000 (UTC)","from mail.codelabs.ch (mail.codelabs.ch [IPv6:2a02:168:860f:1::35])\n by smtp1.osuosl.org (Postfix) with ESMTPS id 3A4758254A\n for <buildroot@buildroot.org>; Thu,  9 Apr 2026 08:14:26 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by mail.codelabs.ch (Postfix) with ESMTP id CC3A25A0009;\n Thu, 09 Apr 2026 10:14:22 +0200 (CEST)","from mail.codelabs.ch ([127.0.0.1])\n by localhost (fenrir.codelabs.ch [127.0.0.1]) (amavis, port 10024) with ESMTP\n id Rfjj8BEnfQGl; Thu,  9 Apr 2026 10:14:21 +0200 (CEST)","from zbook.wlp.is (unknown [185.12.128.225])\n by mail.codelabs.ch (Postfix) 
with ESMTPSA id 2116A5A000A;\n Thu, 09 Apr 2026 10:14:18 +0200 (CEST)"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver=<UNKNOWN> ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp4.osuosl.org 717234108B","OpenDKIM Filter v2.11.0 smtp1.osuosl.org 3A4758254A"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; t=1775722476;\n\tbh=LOAG9Vutpu+JAn+l8nhtcXKaIY3Ij1XLoARUByXqP+Y=;\n\th=From:To:Cc:Date:In-Reply-To:References:Subject:List-Id:\n\t List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:\n\t From;\n\tb=RxkefK+Utpsf808AxfqgKjVEbyqLQbbhthEaNBaA2W4uaDp4lgjcO5zUnef864VfC\n\t kvpoQIvWYki4onc5nEj353qFt7UY4/iUM4mkhnUdbW2dasKI1wu8K1a2WR9Pc6NExD\n\t a/6d2qilCSf8NhnUJHPNe9hRDlMYhq0G7OZcL11wxzt5mbF26+hqLqnG6uv4qbqoPk\n\t i1FQk80vXxdFwMejzdBNTjs4CLnkeRDjgblZqZaDAtx5r+hsKtQPPtmhfJoGyXOpAM\n\t sUWBY1ZgSmkApbrRjJMfND951YpithXess+CfXBPErm3afMkm3bhs7nq9Zai/pc+ZV\n\t TdTDggEgBMPnQ==","Received-SPF":"Pass (mailfrom) identity=mailfrom;\n client-ip=2a02:168:860f:1::35;\n helo=mail.codelabs.ch; envelope-from=martin@strongswan.org;\n receiver=<UNKNOWN>","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp1.osuosl.org 3A4758254A","From":"Martin Willi <martin@strongswan.org>","To":"buildroot@buildroot.org","Cc":"Thomas Perale <thomas.perale@mind.be>","Date":"Thu,  9 Apr 2026 10:14:01 +0200","Message-ID":"<20260409081401.2060709-7-martin@strongswan.org>","In-Reply-To":"<20260409081401.2060709-1-martin@strongswan.org>","References":"<20260409081401.2060709-1-martin@strongswan.org>","MIME-Version":"1.0","X-Mailman-Original-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple;\n d=strongswan.org; s=default; t=1775722458;\n bh=V9sn0a/le4/vrYMMq8wy9/V5VX0paIycQzrEI/EJ6f8=;\n h=From:To:Cc:Subject:Date:In-Reply-To:References:From;\n 
b=CvaR2Ea3P7vqhDsJVxHQQCo/ZR6wsoXrIVYxkkYubth+NuPLmJSaIRkegvzcRk9Ub\n uenyHXYajdovX0N1EhhAORfLhAw9ZNFcPlvxxhWxqsfqdWhaJqReTIeC+pDQmRhpkC\n Iv3eKl2yyF86U9vrDZYyIMesf8czfavvVu35J0R+HvagTlzjsPoqnxv+4WAm+3SIL0\n sgJ7dOXYeRAC/lDnumt/g/qCYDPchDJju/p0ddEXDkJ+k9I6C5lJnEYt5XmVLgdgEW\n gaDOaW7z4U2Y1eibWYs//ymwID+aULI4SiVwGeuAZG2YSesRV0sac8LU5bqOPV8uGl\n 9VLaHwQ/n3Gcg==","X-Mailman-Original-Authentication-Results":["smtp1.osuosl.org;\n dmarc=pass (p=none dis=none)\n header.from=strongswan.org","smtp1.osuosl.org;\n dkim=pass (2048-bit key,\n unprotected) header.d=strongswan.org header.i=@strongswan.org\n header.a=rsa-sha256 header.s=default header.b=CvaR2Ea3"],"Subject":"[Buildroot] [PATCH v4 6/6] utils/generate-cyclonedx: generate vcs\n externalReferences for source repos","X-BeenThere":"buildroot@buildroot.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Discussion and development of buildroot <buildroot.buildroot.org>","List-Unsubscribe":"<https://lists.buildroot.org/mailman/options/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=unsubscribe>","List-Archive":"<http://lists.buildroot.org/pipermail/buildroot/>","List-Post":"<mailto:buildroot@buildroot.org>","List-Help":"<mailto:buildroot-request@buildroot.org?subject=help>","List-Subscribe":"<https://lists.buildroot.org/mailman/listinfo/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=subscribe>","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Errors-To":"buildroot-bounces@buildroot.org","Sender":"\"buildroot\" <buildroot-bounces@buildroot.org>"},"content":"Some packages do not have a http/https download URL for a source tarball,\nbut are acquired over a version control system like git. 
If so, add\nexternalReferences of type \"vcs\" for such URLs.\n\nAs most git repositories use a https:// transport that may not indicate the\nrepository type, add a \"comment\" due to the lack of a better mechanism in\nCycloneDX.\n\nWhile the hashes are calculated over a tarball created locally, it still may\nbe useful, so add them for \"vcs\" externalReferences as well.\n\nSigned-off-by: Martin Willi <martin@strongswan.org>\n---\n .../tests/utils/test_generate_cyclonedx.py    | 30 ++++++++++++++++++-\n utils/generate-cyclonedx                      |  8 +++++\n 2 files changed, 37 insertions(+), 1 deletion(-)","diff":"diff --git a/support/testing/tests/utils/test_generate_cyclonedx.py b/support/testing/tests/utils/test_generate_cyclonedx.py\nindex 84f94f050760..77690b1b98bc 100644\n--- a/support/testing/tests/utils/test_generate_cyclonedx.py\n+++ b/support/testing/tests/utils/test_generate_cyclonedx.py\n@@ -147,6 +147,8 @@ class TestGenerateCycloneDX(unittest.TestCase):\n             {\n                 \"source\": \"foo-1.2.tar.gz\",\n                 \"uris\": [\n+                    \"git+git://git.example.org/foo\",\n+                    \"svn+https://svn.example.org/foo\",\n                     \"https+https://sources.buildroot.net/foo\",\n                     \"http|https+https://mirror.example.org/foo\",\n                 ],\n@@ -160,10 +162,20 @@ class TestGenerateCycloneDX(unittest.TestCase):\n         self.assertEqual(\n             foo[\"externalReferences\"],\n             [\n+                {\n+                    \"type\": \"vcs\",\n+                    \"url\": \"git://git.example.org/foo\",\n+                    \"comment\": \"git repository\",\n+                },\n+                {\n+                    \"type\": \"vcs\",\n+                    \"url\": \"https://svn.example.org/foo\",\n+                    \"comment\": \"svn repository\",\n+                },\n                 {\n                     \"type\": \"source-distribution\",\n         
            \"url\": \"https://mirror.example.org/foo/foo-1.2.tar.gz\",\n-                },\n+                }\n             ],\n         )\n \n@@ -183,6 +195,7 @@ class TestGenerateCycloneDX(unittest.TestCase):\n                 {\n                     \"source\": \"foo-1.2.tar.gz\",\n                     \"uris\": [\n+                        \"git+git://git.example.org/foo\",\n                         \"http|https+https://mirror.example.org/foo\",\n                     ],\n                 },\n@@ -194,6 +207,21 @@ class TestGenerateCycloneDX(unittest.TestCase):\n         self.assertEqual(\n             foo[\"externalReferences\"],\n             [\n+                {\n+                    \"type\": \"vcs\",\n+                    \"url\": \"git://git.example.org/foo\",\n+                    \"comment\": \"git repository\",\n+                    \"hashes\": [\n+                        {\n+                            \"alg\": \"SHA-256\",\n+                            \"content\": \"1111111111111111111111111111111111111111111111111111111111111111\",\n+                        },\n+                        {\n+                            \"alg\": \"SHA-1\",\n+                            \"content\": \"2222222222222222222222222222222222222222\",\n+                        },\n+                    ]\n+                },\n                 {\n                     \"type\": \"source-distribution\",\n                     \"url\": \"https://mirror.example.org/foo/foo-1.2.tar.gz\",\ndiff --git a/utils/generate-cyclonedx b/utils/generate-cyclonedx\nindex 382d91ce55af..4166abd9ff04 100755\n--- a/utils/generate-cyclonedx\n+++ b/utils/generate-cyclonedx\n@@ -325,6 +325,7 @@ def cyclonedx_external_refs(comp):\n         dict: External reference information in CycloneDX format, or empty dict\n     \"\"\"\n     SOURCE_DIST_SCHEMES = {\"http\", \"https\"}\n+    VCS_SCHEMES = {\"git\", \"svn\", \"cvs\", \"hg\", \"bzr\"}\n \n     refs = []\n     for download in comp.get(\"downloads\", 
[]):\n@@ -336,6 +337,13 @@ def cyclonedx_external_refs(comp):\n                     \"url\": f\"{uri}/{source}\",\n                     **cyclonedx_source_hashes(comp, source),\n                 })\n+            elif set(schemes) & VCS_SCHEMES:\n+                refs.append({\n+                    \"type\": \"vcs\",\n+                    \"url\": uri,\n+                    \"comment\": f\"{schemes[0]} repository\",\n+                    **cyclonedx_source_hashes(comp, source),\n+                })\n     if refs:\n         return {\"externalReferences\": refs}\n     return {}\n","prefixes":["v4","6/6"]}