Message ID | 20250426073305.1189443-1-thomas.perale@mind.be
---|---
State | New
Series | [1/1] package/nodejs: make target nodejs package virtual
Hi,

Tested on 2024.02 branch. Makes "Dependency-Track" happy :-)

Tested-by: johan.derycke@barco.com

On Sat, 26 Apr 2025 at 09:34, Thomas Perale via buildroot <buildroot@buildroot.org> wrote:
> Since commit [1], the host-nodejs package was turned into a virtual
> package. However, the target nodejs package was intentionally not
> turned into a virtual package and became an empty package.
> The reason for this is:
>
> - No alternative providers were introduced for the target nodejs
>   package.
> - The Config.in remained unchanged for the target package.
>
> As a result, running `make show-info` with a config that includes the
> target nodejs package outputs an entry for the empty package:
>
> ```
> "nodejs": {
>     "type": "target",
>     "name": "nodejs",
>     "virtual": false,
>     "version": "",
>     ...
>     "cpe-id": "cpe:2.3:a:nodejs:node.js::*:*:*:*:*:*:*"
> },
> ```
>
> This can be an issue because the CPE ID of the empty nodejs package
> is the following: `cpe:2.3:a:nodejs:node.js::*:*:*:*:*:*:*`.
> Reporting such a CPE ID can be an issue for certain software that
> consumes the SBOM, as it could be interpreted as a CPE that matches
> every version of the package.
>
> This patch converts the target nodejs package into a virtual package to
> prevent the empty package from being included in the SBOM.
>
> [1] 4cbc2af604 package/nodejs: rename to nodejs-src and convert to virtual
>     package
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
> ---
>  package/nodejs/Config.in                | 4 ++++
>  package/nodejs/nodejs-src/nodejs-src.mk | 1 +
>  package/nodejs/nodejs.mk                | 3 +--
>  3 files changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/package/nodejs/Config.in b/package/nodejs/Config.in
> index 50d1360715..2a0074b5a4 100644
> --- a/package/nodejs/Config.in
> +++ b/package/nodejs/Config.in
> @@ -87,4 +87,8 @@ config BR2_PACKAGE_NODEJS_MODULES_ADDITIONAL_DEPS > > endif > > +config BR2_PACKAGE_PROVIDES_NODEJS > + string > + default "nodejs-src" > + > source "package/nodejs/nodejs-src/Config.in" > diff --git a/package/nodejs/nodejs-src/nodejs-src.mk > b/package/nodejs/nodejs-src/nodejs-src.mk > index 8f934202b0..30e72743a1 100644 > --- a/package/nodejs/nodejs-src/nodejs-src.mk > +++ b/package/nodejs/nodejs-src/nodejs-src.mk > @@ -14,6 +14,7 @@ NODEJS_SRC_LICENSE_FILES = $(NODEJS_LICENSE_FILES) > NODEJS_SRC_CPE_ID_VENDOR = $(NODEJS_CPE_ID_VENDOR) > NODEJS_SRC_CPE_ID_PRODUCT = $(NODEJS_CPE_ID_PRODUCT) > > +NODEJS_SRC_PROVIDES = nodejs > HOST_NODEJS_SRC_PROVIDES = host-nodejs > > NODEJS_SRC_DEPENDENCIES = \ > diff --git a/package/nodejs/nodejs.mk b/package/nodejs/nodejs.mk > index 6dc0e501b4..752971c4a6 100644 > --- a/package/nodejs/nodejs.mk > +++ b/package/nodejs/nodejs.mk > @@ -32,8 +32,7 @@ PNPM = $(NODEJS_BIN_ENV) $(HOST_DIR)/bin/pnpm > YARN = $(NODEJS_BIN_ENV) $(HOST_DIR)/bin/yarn > endif > > -NODEJS_DEPENDENCIES = nodejs-src > -$(eval $(generic-package)) > +$(eval $(virtual-package)) > $(eval $(host-virtual-package)) > > include $(sort $(wildcard package/nodejs/*/*.mk)) > -- > 2.49.0 > > _______________________________________________ > buildroot mailing list > buildroot@buildroot.org > https://lists.buildroot.org/mailman/listinfo/buildroot >
diff --git a/package/nodejs/Config.in b/package/nodejs/Config.in index 50d1360715..2a0074b5a4 100644 --- a/package/nodejs/Config.in +++ b/package/nodejs/Config.in @@ -87,4 +87,8 @@ config BR2_PACKAGE_NODEJS_MODULES_ADDITIONAL_DEPS endif +config BR2_PACKAGE_PROVIDES_NODEJS + string + default "nodejs-src" + source "package/nodejs/nodejs-src/Config.in" diff --git a/package/nodejs/nodejs-src/nodejs-src.mk b/package/nodejs/nodejs-src/nodejs-src.mk index 8f934202b0..30e72743a1 100644 --- a/package/nodejs/nodejs-src/nodejs-src.mk +++ b/package/nodejs/nodejs-src/nodejs-src.mk @@ -14,6 +14,7 @@ NODEJS_SRC_LICENSE_FILES = $(NODEJS_LICENSE_FILES) NODEJS_SRC_CPE_ID_VENDOR = $(NODEJS_CPE_ID_VENDOR) NODEJS_SRC_CPE_ID_PRODUCT = $(NODEJS_CPE_ID_PRODUCT) +NODEJS_SRC_PROVIDES = nodejs HOST_NODEJS_SRC_PROVIDES = host-nodejs NODEJS_SRC_DEPENDENCIES = \ diff --git a/package/nodejs/nodejs.mk b/package/nodejs/nodejs.mk index 6dc0e501b4..752971c4a6 100644 --- a/package/nodejs/nodejs.mk +++ b/package/nodejs/nodejs.mk @@ -32,8 +32,7 @@ PNPM = $(NODEJS_BIN_ENV) $(HOST_DIR)/bin/pnpm YARN = $(NODEJS_BIN_ENV) $(HOST_DIR)/bin/yarn endif -NODEJS_DEPENDENCIES = nodejs-src -$(eval $(generic-package)) +$(eval $(virtual-package)) $(eval $(host-virtual-package)) include $(sort $(wildcard package/nodejs/*/*.mk))
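Review bot: in the Config.in hunk, `BR2_PACKAGE_PROVIDES_NODEJS` is placed after the `endif` that closes the `BR2_PACKAGE_NODEJS` block and carries an unconditional `default "nodejs-src"`, so the symbol is defined even when the target nodejs package is disabled. That is harmless for a hidden string, but a one-line comment saying the symbol exists only to satisfy the virtual-package infrastructure (the commit message states that no alternative provider exists) would save the next reader from looking for a missing `choice`. Also, with `NODEJS_DEPENDENCIES = nodejs-src` gone from nodejs.mk, the provider is now pulled in only through this symbol; please confirm that package/nodejs/nodejs-src/Config.in (not in the diff) still gets `BR2_PACKAGE_NODEJS_SRC` selected whenever `BR2_PACKAGE_NODEJS` is set, otherwise the virtual-package infrastructure has no provider to build.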
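Review bot: in the nodejs-src.mk hunk, `NODEJS_SRC_PROVIDES = nodejs` is the right hook, but the effect the commit message cares about (no more empty `nodejs` entry with a wildcard `cpe-id`) is only asserted, not shown. Please add the post-patch `make show-info` excerpt to the commit message next to the pre-patch one: the `nodejs` entry should now report `"virtual": true`, and the only identifier of the form `cpe:2.3:a:nodejs:node.js:<version>:...` should be the one on `nodejs-src`, which sets `NODEJS_SRC_CPE_ID_VENDOR`/`NODEJS_SRC_CPE_ID_PRODUCT` together with a real version.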
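Review bot: in the nodejs.mk hunk, switching to `$(eval $(virtual-package))` leaves `NODEJS_CPE_ID_VENDOR`, `NODEJS_CPE_ID_PRODUCT` and `NODEJS_LICENSE_FILES` (read by nodejs-src.mk as `NODEJS_SRC_CPE_ID_VENDOR = $(NODEJS_CPE_ID_VENDOR)`, so presumably defined earlier in nodejs.mk) attached to what is now a virtual package, and those variables are exactly what produced the empty-version `cpe:2.3:a:nodejs:node.js::*:...` entry. Please verify in `make show-info` that the virtual-package infrastructure emits no `cpe-id` for `nodejs`; if it does, moving those definitions into nodejs-src.mk would make the wildcard CPE impossible to reintroduce.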
Since commit [1], the host-nodejs package was turned into a virtual package. However, the target nodejs package was intentionally not turned into a virtual package and became an empty package. The reason for this is:

- No alternative providers were introduced for the target nodejs package.
- The Config.in remained unchanged for the target package.

As a result, running `make show-info` with a config that includes the target nodejs package outputs an entry for the empty package:

```
"nodejs": {
    "type": "target",
    "name": "nodejs",
    "virtual": false,
    "version": "",
    ...
    "cpe-id": "cpe:2.3:a:nodejs:node.js::*:*:*:*:*:*:*"
},
```

This can be an issue because the CPE ID of the empty nodejs package is the following: `cpe:2.3:a:nodejs:node.js::*:*:*:*:*:*:*`. Reporting such a CPE ID can be an issue for certain software that consumes the SBOM, as it could be interpreted as a CPE that matches every version of the package.

This patch converts the target nodejs package into a virtual package to prevent the empty package from being included in the SBOM.

[1] 4cbc2af604 package/nodejs: rename to nodejs-src and convert to virtual package

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
 package/nodejs/Config.in                | 4 ++++
 package/nodejs/nodejs-src/nodejs-src.mk | 1 +
 package/nodejs/nodejs.mk                | 3 +--
 3 files changed, 6 insertions(+), 2 deletions(-)
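The concern in the commit message is that a CPE whose version field is empty (or `*`) is read by SBOM consumers as "any version", so a vulnerability scanner would attach every node.js CVE to the empty package. As an added example, not part of the patch and not Buildroot code, here is a small audit script that parses the `cpe-id` values of a `make show-info` JSON document and flags non-virtual packages whose CPE version is unbounded. The sample data is constructed: the `nodejs` entry mirrors the one quoted above, while the `nodejs-src` entry, its version `20.18.0` and the post-patch `SHOW_INFO_AFTER` shape are assumptions for illustration.

```python
"""Flag CPE IDs in Buildroot `make show-info` output whose version is unbounded.

Added example, not Buildroot code. The sample data below is constructed: the
"nodejs" entry mirrors the one quoted in the commit message, while "nodejs-src"
and its version are assumed for illustration.
"""
import json
import sys

# CPE 2.3 formatted string: cpe:2.3:<part>:<vendor>:<product>:<version>:<update>:
# <edition>:<language>:<sw_edition>:<target_sw>:<target_hw>:<other>  (13 fields).
CPE23_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into a dict keyed by field name.

    Raises ValueError on a wrong prefix or field count instead of guessing, so a
    malformed identifier is reported rather than silently passing the audit.
    """
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    return dict(zip(CPE23_FIELDS, parts[2:]))


def version_is_unbounded(cpe):
    """True when the CPE's version field would match every version.

    In CPE 2.3 the logical value ANY is written "*". An empty field is not even
    valid in the formatted-string binding, and tools that tolerate it commonly
    treat it like ANY, which is the failure mode the commit message describes.
    """
    return parse_cpe23(cpe)["version"] in ("", "*")


def find_unbounded_cpes(show_info):
    """Return (package, cpe-id) pairs for non-virtual packages with an unbounded CPE.

    `show_info` is the dict obtained by json.load() on `make show-info` output,
    keyed by package name. Virtual packages and packages without a cpe-id are
    skipped, since they carry no identifier a scanner could match on.
    """
    hits = []
    for name, info in sorted(show_info.items()):
        cpe = info.get("cpe-id")
        if info.get("virtual") or not cpe:
            continue
        if version_is_unbounded(cpe):
            hits.append((name, cpe))
    return hits


# Constructed sample: state before the patch (empty nodejs package, wildcard CPE).
SHOW_INFO_BEFORE = {
    "nodejs": {
        "type": "target", "name": "nodejs", "virtual": False, "version": "",
        "cpe-id": "cpe:2.3:a:nodejs:node.js::*:*:*:*:*:*:*",
    },
    "nodejs-src": {  # assumed provider entry; the version is illustrative
        "type": "target", "name": "nodejs-src", "virtual": False,
        "version": "20.18.0",
        "cpe-id": "cpe:2.3:a:nodejs:node.js:20.18.0:*:*:*:*:*:*:*",
    },
}

# Constructed sample: assumed state after the patch (nodejs virtual, no cpe-id).
SHOW_INFO_AFTER = {
    "nodejs": {"type": "target", "name": "nodejs", "virtual": True},
    "nodejs-src": SHOW_INFO_BEFORE["nodejs-src"],
}


if __name__ == "__main__":
    # Usage: make show-info > show-info.json && python3 audit_cpe.py show-info.json
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SHOW_INFO_BEFORE
    hits = find_unbounded_cpes(data)
    for pkg, cpe in hits:
        print("%s: version-unbounded CPE %s" % (pkg, cpe))
    sys.exit(1 if hits else 0)
```

Run against the pre-patch sample the script reports only `nodejs`; against the post-patch sample it reports nothing, because the virtual entry is skipped and `nodejs-src` carries a concrete version. The non-zero exit status makes it usable as a gate in the same pipeline that feeds the SBOM to Dependency-Track.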