{"id":2215860,"url":"http://patchwork.ozlabs.org/api/patches/2215860/?format=json","web_url":"http://patchwork.ozlabs.org/project/buildroot/patch/20260325133343.1008245-4-martin@strongswan.org/","project":{"id":27,"url":"http://patchwork.ozlabs.org/api/projects/27/?format=json","name":"Buildroot development","link_name":"buildroot","list_id":"buildroot.buildroot.org","list_email":"buildroot@buildroot.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260325133343.1008245-4-martin@strongswan.org>","list_archive_url":null,"date":"2026-03-25T13:33:41","name":"[v3,3/5] utils/generate-cyclonedx: generate externalReferences with source-distribution","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"b3bae4303b6e58ef3572714d4eeac5dfbd8f997b","submitter":{"id":736,"url":"http://patchwork.ozlabs.org/api/people/736/?format=json","name":"Martin Willi","email":"martin@strongswan.org"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/buildroot/patch/20260325133343.1008245-4-martin@strongswan.org/mbox/","series":[{"id":497444,"url":"http://patchwork.ozlabs.org/api/series/497444/?format=json","web_url":"http://patchwork.ozlabs.org/project/buildroot/list/?series=497444","date":"2026-03-25T13:33:39","name":"Extend CycloneDX metadata","version":3,"mbox":"http://patchwork.ozlabs.org/series/497444/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2215860/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2215860/checks/","tags":{},"related":[],"headers":{"Return-Path":"<buildroot-bounces@buildroot.org>","X-Original-To":["incoming-buildroot@patchwork.ozlabs.org","buildroot@buildroot.org"],"Delivered-To":["patchwork-incoming-buildroot@legolas.ozlabs.org","buildroot@buildroot.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=IlMnQSFt;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=2605:bc80:3010::136; helo=smtp3.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)"],"Received":["from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fgntb62zyz1xy3\n\tfor <incoming-buildroot@patchwork.ozlabs.org>;\n Thu, 26 Mar 2026 00:33:59 +1100 (AEDT)","from localhost (localhost [127.0.0.1])\n\tby smtp3.osuosl.org (Postfix) with ESMTP id 82CE461374;\n\tWed, 25 Mar 2026 13:33:57 +0000 (UTC)","from smtp3.osuosl.org ([127.0.0.1])\n by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id 8cZIpZkTnQrV; Wed, 25 Mar 2026 13:33:55 +0000 (UTC)","from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp3.osuosl.org (Postfix) with ESMTP id 6A4FB61362;\n\tWed, 25 Mar 2026 13:33:55 +0000 (UTC)","from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138])\n by lists1.osuosl.org (Postfix) with ESMTP id 09065F5\n for <buildroot@buildroot.org>; Wed, 25 Mar 2026 13:33:52 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp1.osuosl.org (Postfix) with ESMTP id E28078230A\n for <buildroot@buildroot.org>; Wed, 25 Mar 2026 13:33:51 +0000 (UTC)","from smtp1.osuosl.org ([127.0.0.1])\n by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id pG7FT82Gy48Y for <buildroot@buildroot.org>;\n Wed, 25 Mar 2026 13:33:51 +0000 (UTC)","from mail.codelabs.ch (mail.codelabs.ch [109.202.192.35])\n by smtp1.osuosl.org (Postfix) with ESMTPS id B6E1A8224A\n for <buildroot@buildroot.org>; Wed, 25 Mar 2026 13:33:50 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by mail.codelabs.ch (Postfix) with ESMTP id D21635A0004;\n Wed, 25 Mar 2026 14:33:48 +0100 (CET)","from mail.codelabs.ch ([127.0.0.1])\n by localhost (fenrir.codelabs.ch [127.0.0.1]) (amavis, port 10024) with ESMTP\n id 0RVGyHh38nfl; Wed, 25 Mar 2026 14:33:47 +0100 (CET)","from zbook.home (unknown [185.12.128.224])\n by mail.codelabs.ch (Postfix) with ESMTPSA id 470B75A0005;\n Wed, 25 Mar 2026 14:33:46 +0100 (CET)"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver=<UNKNOWN> ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp3.osuosl.org 6A4FB61362","OpenDKIM Filter v2.11.0 smtp1.osuosl.org B6E1A8224A"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; t=1774445635;\n\tbh=G8MAU1AqdbRaWbgT/66F9kpXH4ShKSfbPcVzlTpjD8Y=;\n\th=From:To:Cc:Date:In-Reply-To:References:Subject:List-Id:\n\t List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:\n\t From;\n\tb=IlMnQSFtYYnOjvuuOBpvZCn49QebMGFHnF8mK+XLnNGnuNvOl2th6HjbDoWyngouV\n\t ebEgl7YRXhzKpmlUCIennTOylGq7e+tCdKm0+yt/DCBa8ql0Xwcp7TpyFSg4gdxT1D\n\t Mo6b37NPmWUfc44mEXqPWU01uM7FI/gVNUrrZ3k6it+VrWTiwB6V7SQDI4pFUmVZzS\n\t ezhzCJcbIrgLqO3QONNLpnpLVPbPfxUppl6C062RygQrGFDpxCRXlupOsS/80K8SlS\n\t 2/KQtTMgYy+Qf5KoqgP1dfoUIbjkf6GuWjijuaGhxgPgHpgGOA8WsVt/eOkwKYXzHc\n\t rWqFI+wlJMNLw==","Received-SPF":"Pass (mailfrom) identity=mailfrom; client-ip=109.202.192.35;\n helo=mail.codelabs.ch; envelope-from=martin@strongswan.org;\n receiver=<UNKNOWN>","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp1.osuosl.org B6E1A8224A","From":"Martin Willi <martin@strongswan.org>","To":"buildroot@buildroot.org","Cc":"Thomas Perale <thomas.perale@mind.be>","Date":"Wed, 25 Mar 2026 14:33:41 +0100","Message-ID":"<20260325133343.1008245-4-martin@strongswan.org>","In-Reply-To":"<20260325133343.1008245-1-martin@strongswan.org>","References":"<20260325133343.1008245-1-martin@strongswan.org>","MIME-Version":"1.0","X-Mailman-Original-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple;\n d=strongswan.org; s=default; t=1774445626;\n bh=s8cI2l7vsRTFraMZPpRAV1O4dKAMLBwkSVPUmwKHoFY=;\n h=From:To:Cc:Subject:Date:In-Reply-To:References:From;\n b=q5WU8XElFXWMRZGIr6n4tOIq+YOaF6YkBuAIkoTrhDB6kGTK1dfNGEO4aJ+mGvonC\n IV0Mwk5HuUNmeEmLH7bwfvjhW7QJk83/WQGPULAz6Epwbf/jDEhG32VGX0Pixxe8G/\n PxYVIyO9WyJDelZig88GhWqqboCQ8UGV/K85H4I93zKfc8qCy/QuVq7B9j3EEHASaR\n 7IKefPMPCzuOdFQzPDeAGJJJI7Ce2RdaCYaqvejJmbweKM2eDjHNDL7MXAtYF46b7w\n P+NBWxwUbV+EUfBDhK9e7UV51atOL9dfrCT8bVRySm+tlMnCiVfqRw/gXAvoGjJu6k\n uj2e45+OVjRAw==","X-Mailman-Original-Authentication-Results":["smtp1.osuosl.org;\n dmarc=pass (p=none dis=none)\n header.from=strongswan.org","smtp1.osuosl.org;\n dkim=pass (2048-bit key,\n unprotected) header.d=strongswan.org header.i=@strongswan.org\n header.a=rsa-sha256 header.s=default header.b=q5WU8XEl"],"Subject":"[Buildroot] [PATCH v3 3/5] utils/generate-cyclonedx: generate\n externalReferences with source-distribution","X-BeenThere":"buildroot@buildroot.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Discussion and development of buildroot <buildroot.buildroot.org>","List-Unsubscribe":"<https://lists.buildroot.org/mailman/options/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=unsubscribe>","List-Archive":"<http://lists.buildroot.org/pipermail/buildroot/>","List-Post":"<mailto:buildroot@buildroot.org>","List-Help":"<mailto:buildroot-request@buildroot.org?subject=help>","List-Subscribe":"<https://lists.buildroot.org/mailman/listinfo/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=subscribe>","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Errors-To":"buildroot-bounces@buildroot.org","Sender":"\"buildroot\" <buildroot-bounces@buildroot.org>"},"content":"BSI TR-03183-2 5.4.2 [1] lists source code URIs under \"Additional data fields\nfor each component\", and as such \"MUST additionally be provided, if it exists\".\n\nIf a http or https source download URI is available from show-info, extract\nit and include it as an externalReference of type \"source-distribution\" in the\nCycloneDX output.\n\n[1] https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03183/BSI-TR-03183-2_v2_1_0.pdf?__blob=publicationFile&v=5\n\nSigned-off-by: Martin Willi <martin@strongswan.org>\n---\n .../tests/utils/test_generate_cyclonedx.py    | 27 +++++++++++++\n utils/generate-cyclonedx                      | 40 +++++++++++++++++++\n 2 files changed, 67 insertions(+)","diff":"diff --git a/support/testing/tests/utils/test_generate_cyclonedx.py b/support/testing/tests/utils/test_generate_cyclonedx.py\nindex 9b041ffb61fb..9c2bd2bc9180 100644\n--- a/support/testing/tests/utils/test_generate_cyclonedx.py\n+++ b/support/testing/tests/utils/test_generate_cyclonedx.py\n@@ -137,3 +137,30 @@ class TestGenerateCycloneDX(unittest.TestCase):\n \n         foo_deps = next(d for d in result[\"dependencies\"] if d[\"ref\"] == \"package-foo\")\n         self.assertEqual(foo_deps[\"dependsOn\"], [\"package-bar\", \"package-virtual\", \"skeleton-baz\"])\n+\n+    def test_external_references(self):\n+        info = self._make_show_info()\n+        info[\"package-foo\"][\"downloads\"] = [\n+            {\n+                \"source\": \"foo-1.2.tar.gz\",\n+                \"uris\": [\n+                    \"git+https://git.example.org/foo\",\n+                    \"https+https://sources.buildroot.net/foo\",\n+                    \"http|https+https://mirror.example.org/foo\",\n+                ],\n+            },\n+        ]\n+\n+        result = self._run_script(show_info=info)\n+        foo = self._find_component(result, \"package-foo\")\n+\n+        self.assertIn(\"externalReferences\", foo)\n+        self.assertEqual(\n+            foo[\"externalReferences\"],\n+            [\n+                {\n+                    \"type\": \"source-distribution\",\n+                    \"url\": \"https://mirror.example.org/foo/foo-1.2.tar.gz\",\n+                }\n+            ],\n+        )\ndiff --git a/utils/generate-cyclonedx b/utils/generate-cyclonedx\nindex 70abd7af7c89..3946380ae3ef 100755\n--- a/utils/generate-cyclonedx\n+++ b/utils/generate-cyclonedx\n@@ -14,6 +14,8 @@ import gzip\n import json\n import os\n from pathlib import Path\n+from typing import Iterator\n+import urllib.parse\n import urllib.request\n import subprocess\n import sys\n@@ -261,6 +263,43 @@ def cyclonedx_patches(patch_list: list[str]):\n     }\n \n \n+def usable_download_uris(uris: list[str]) -> Iterator[str]:\n+    \"\"\"Filter the download URIs to find usable HTTP/HTTPS URLs.\n+\n+    Args:\n+        uris (list): Array of URI strings from the show-info output.\n+    Returns:\n+        Iterator[str]: An iterator over usable HTTP/HTTPS URLs.\n+    \"\"\"\n+    for uri in uris:\n+        parts = uri.split(\"+\", 1)\n+        if len(parts) == 2 and {\"http\", \"https\"} & set(parts[0].split(\"|\")):\n+            if urllib.parse.urlparse(parts[1]).hostname != \"sources.buildroot.net\":\n+                yield parts[1]\n+\n+\n+def cyclonedx_external_refs(comp):\n+    \"\"\"Create CycloneDX external references for a component.\n+\n+    Args:\n+        comp (dict): The component information from the show-info output.\n+    Returns:\n+        dict: External reference information in CycloneDX format, or empty dict\n+    \"\"\"\n+    for download in comp.get(\"downloads\", []):\n+        for uri in usable_download_uris(download.get(\"uris\", [])):\n+            if source := download.get(\"source\"):\n+                return {\n+                    \"externalReferences\": [\n+                        {\n+                            \"type\": \"source-distribution\",\n+                            \"url\": f\"{uri}/{source}\",\n+                        }\n+                    ]\n+                }\n+    return {}\n+\n+\n def cyclonedx_component(name, comp):\n     \"\"\"Translate a component from the show-info output, to a component entry in CycloneDX format.\n \n@@ -284,6 +323,7 @@ def cyclonedx_component(name, comp):\n         **({\n             \"cpe\": comp[\"cpe-id\"],\n         } if \"cpe-id\" in comp else {}),\n+        **cyclonedx_external_refs(comp),\n         **(cyclonedx_patches(comp[\"patches\"]) if comp.get(\"patches\") else {}),\n         \"properties\": [{\n             \"name\": \"BR_TYPE\",\n","prefixes":["v3","3/5"]}