43 Commits

Author SHA1 Message Date
Roman Azarenko
2ded629864 build: add explicit timezone in CycloneDX SBOM
Per the CycloneDX 1.4 spec, the `metadata.timestamp` field contains
the date/time when the BOM was created [1].

Before the change, the value generated by the package-metadata.pl
script would look like this:

	2024-06-03T15:51:10

CycloneDX 1.4 relies on the JSON Schema specification version draft-07,
which defines the `date-time` format [2] as derived from RFC 3339,
section 5.6 [3]. In this format, the `time-offset` component is required,
however in the original version of package-metadata.pl it is omitted.

This is causing problems with OWASP Dependency-Track version 4.11.0 or
newer, where it now validates submitted SBOMs against the JSON schema
by default [4]. SBOMs with incorrect timestamp values are rejected with
the following error:

	{
	    "detail": "Schema validation failed",
	    "errors": [
	        "$.metadata.timestamp: 2024-06-03T15:51:10 is an invalid date-time"
	    ],
	    "status": 400,
	    "title": "The uploaded BOM is invalid"
	}

Add explicit `Z` (UTC) timezone offset in the `timestamp` field
to satisfy the CycloneDX schema.

[1]: https://github.com/CycloneDX/specification/blob/1.4/schema/bom-1.4.schema.json#L116-L121
[2]: https://json-schema.org/draft-07/draft-handrews-json-schema-validation-01#rfc.section.7.3.1
[3]: https://datatracker.ietf.org/doc/html/rfc3339#section-5.6
[4]: https://github.com/DependencyTrack/dependency-track/pull/3522

Signed-off-by: Roman Azarenko <roman.azarenko@iopsys.eu>
2024-06-07 12:05:49 +02:00
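As an added illustration (not code from the commit or from OpenWrt's package-metadata.pl), the following Python check applies the rule the commit relies on: an RFC 3339 `date-time` must carry a `time-offset`, so the bare value is reported the way the Dependency-Track error above does, while the `Z`-suffixed value passes. The BOM fragments and the `timestamp_errors`/`utc_timestamp` helpers are constructed for this example.

```python
"""Check CycloneDX metadata.timestamp values against RFC 3339 date-time."""
import re
from datetime import datetime, timezone

# RFC 3339 section 5.6: date-time = full-date "T" partial-time time-offset.
# The time-offset ("Z", or +hh:mm / -hh:mm) is a required component.
_RFC3339 = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})[Tt]"
    r"(?P<time>\d{2}:\d{2}:\d{2})(?:\.\d+)?"
    r"(?P<offset>[Zz]|[+-]\d{2}:\d{2})$"
)


def is_rfc3339_datetime(value: str) -> bool:
    """True if value is a well-formed RFC 3339 date-time with a time offset."""
    m = _RFC3339.match(value)
    if not m:
        return False
    # The regex only checks shape; reject impossible calendar/clock values too.
    try:
        datetime.strptime(m["date"] + "T" + m["time"], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return False
    off = m["offset"]
    if off.upper() != "Z":
        hours, minutes = int(off[1:3]), int(off[4:6])
        if hours > 23 or minutes > 59:
            return False
    return True


def timestamp_errors(bom: dict) -> list:
    """Report an invalid metadata.timestamp in the style of the schema error."""
    ts = bom.get("metadata", {}).get("timestamp")
    if ts is None:
        return []  # the field is optional; only validate it when present
    if not is_rfc3339_datetime(ts):
        return [f"$.metadata.timestamp: {ts} is an invalid date-time"]
    return []


def utc_timestamp(epoch: float) -> str:
    """Render an epoch as the fixed form: seconds precision, explicit 'Z'."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(
        "%Y-%m-%dT%H:%M:%SZ"
    )


# Constructed BOM fragments: the value before the fix, and after it.
BEFORE = {"bomFormat": "CycloneDX", "specVersion": "1.4",
          "metadata": {"timestamp": "2024-06-03T15:51:10"}}
AFTER = {"bomFormat": "CycloneDX", "specVersion": "1.4",
         "metadata": {"timestamp": "2024-06-03T15:51:10Z"}}

if __name__ == "__main__":
    for label, bom in (("before", BEFORE), ("after", AFTER)):
        print(label, timestamp_errors(bom))
    print(utc_timestamp(1717429870))
```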
Akshay Bhat
d8939ff2d5 build: fix version info in cyclonedx sbom
Prior to e8725a932e16eaf6ec51add8c084d959cbe32ff2, the version used to be
VERSION:=$(PKG_VERSION)-$(PKG_RELEASE)
After e8725a932e16eaf6ec51add8c084d959cbe32ff2, the version is:
VERSION:=$(PKG_VERSION)-r$(PKG_RELEASE)

Hence the gen_*_cyclonedxsbom functions need to be updated to remove
the trailing -r prefix in the version in order to generate correct
version info in the SBOM.

Signed-off-by: Akshay Bhat <nodeax@gmail.com>
2024-05-25 19:27:06 +02:00
Paul Spooren
d788ab376f build: add APK package build capabilities
A new option called `USE_APK` is added which generates APK packages
(.apk) instead of OPKG packages (.ipk).

Some features like the fstools `snapshot` command are not yet ported.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2024-05-17 23:21:26 +03:00
Cedric DOURLENT
84331215e5 build: fix kernel component in CycloneDX SBOM
As stated in the CycloneDX documentation, the field "type" is mandatory for all components.

More details here (https://cyclonedx.org/docs/1.5/json/#components_items_type)

Signed-off-by: Cedric DOURLENT <cedric.dourlent@softathome.com>
2024-03-01 16:42:34 +01:00
Petr Štetiar
d604a07225 build: add CycloneDX SBOM JSON support
CycloneDX is an open source standard developed by the OWASP foundation.
It supports a wide range of development ecosystems, a comprehensive set
of use cases, and focuses on automation, ease of adoption, and
progressive enhancement of SBOMs (Software Bill Of Materials) throughout
build pipelines.

So let's add support for CycloneDX SBOM for package and image
manifests.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2023-11-01 11:14:41 +00:00
Petr Štetiar
8562c65ff8 package-metadata: add CPE information to JSON package manifests
Common Platform Enumeration (CPE) is a structured naming scheme for
information technology systems, software, and packages.

In order for the information to be processed further, it should also be
available in JSON package manifests.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2023-11-01 11:14:39 +00:00
Felix Fietkau
ae88f00357 scripts/package-metadata.pl: strip already selected conditions from dependencies
When a dependency is pulled in via conditional depends, and the condition
is already selected earlier in the chain, drop the condition.
This avoids some corner cases that trigger recursive dependencies.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-09-01 19:30:32 +02:00
Felix Fietkau
6252c18d1c Revert "scripts/package-metadata.pl: fix handling transitive conditional dependencies"
This reverts commit 6c3eff9dd8bb8d0f268e8a0dbedbc6a33bdac796.
This appears to cause some regressions in generated config.
Will be replaced with a fixed version later

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-09-01 18:34:58 +02:00
Felix Fietkau
33303b5cec scripts/package-metadata.pl: sort dependency keys
This makes it easier to keep track of changes in the generated output
when the script is modified.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-09-01 18:34:20 +02:00
Felix Fietkau
6c3eff9dd8 scripts/package-metadata.pl: fix handling transitive conditional dependencies
When a package foo depends on PACKAGE_foo:bar (in order to make build
dependencies conditional), tracking transitive dependencies can fail because
the internal seen flag is checked/set before eliminating the fake conditional
dependency. This can show up as a depends on not properly turned into a
select further down in the dependency chain.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-09-01 12:18:13 +02:00
Paul Spooren
3128dfc18a scripts: package-metadata add pkgmanifestjson call
The new `pkgmanifestjson` call prints all package manifest of a feed in
JSON format. This function can be used to print an overview of packages
information used for downstream tooling.

The script is entirely based on Petr's work on dependency visualisation.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2021-09-23 21:57:22 -10:00
Felix Fietkau
c921650382 build: drop ABI version from metadata
Preparation for supporting dynamic ABI versions that depend on the runtime
configuration. Read the suffix from the staging dir pkginfo version files.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-02-14 19:41:52 +01:00
Jo-Philipp Wich
27a4a71c24 metadata: handle ABI version rebuild tracking for transient dependencies
Extend the packageauxvars database to keep a list of possible package
dependencies for each provider, then utilize this information in buildroot
to resolve the ABI version dependencies of dependent packages up to five
levels deep.

This should properly trigger rebuilds for packages indirectly depending
on other packages whose ABI_VERSION changed.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-06-21 12:03:43 +02:00
Jonas Gorski
1fd50531ca metadata: ensure one dependency provider to be y if a package is y
When there are multiple packages providing a meta-package, it is
possible to create a config where a package is selected as =y, but
all of its dependency providers are just selected as =m. This is due to
the selection statement being just

  config PACKAGE_foo
    select PACKAGE_bar if !PACKAGE_baz

which is already fulfilled by PACKAGE_bar=m. Fix this by properly
comparing the selection states:

  config PACKAGE_foo
    select PACKAGE_bar if PACKAGE_baz<PACKAGE_foo

Also invert the select conditions to improve readability.

Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
[slightly reword commit message]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-06-20 14:18:25 +02:00
Eneas U de Queiroz
a41f474d17 build: add support to && in DEPENDS
Adds support to && operand in DEPENDS.  Also, fixes generation of ||
dependencies by scripts/package-metadata.pl.

The precedence order from higher to lower is && then ||.  Use of
parentheses to change the order is not supported. As before, they are
silently ignored.  Use them for readability only.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com> [DMARC removal]
2019-05-31 11:21:22 +02:00
Jo-Philipp Wich
60558790a2 build: extend ABI_VERSION suffixing to provides
When a library package specifies additional provides, e.g. libncurses
which provides libncursesw, we should also append the abi version
suffix to each provide, since there may be more than one package
providing the virtual library.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-01-24 10:39:29 +01:00
Jo-Philipp Wich
e3d5b384aa build: expose ABI version in .packageauxvars
Subsequent commits need this information to resolve the ABI version when
computing binary ipk dependencies.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-01-19 14:32:01 +01:00
Jo-Philipp Wich
2d9d57b9de build: rename .packagesubdirs to .packageauxvars
Subsequent commits will put more auxiliary information into this file,
such as the per-package ABI version, so rename the metadata script
subcommand and file names accordingly.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-01-19 14:31:56 +01:00
Jo-Philipp Wich
a405a93fa6 metadata: do not emit broken kconfig dependency statements
Prevent emitting broken dependency statements when resolving references
to non-existing packages to an empty provider list.

Fixes: 47d6b05ad3 ("metadata: always resolve dependencies through provides list")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-01-14 19:00:06 +01:00
Matthias Schiffer
de0ccd3532 metadata: improve code readability by using (s)printf instead of string interpolation
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-01-13 19:54:45 +01:00
Matthias Schiffer
4bb54ed15e build: remove obsolete "package feature" feature
Package "features" seem to be unused for some time. In any case, custom
Config.in snippets and package PROVIDES are a much more flexible way to
express similar options.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-01-13 19:54:45 +01:00
Matthias Schiffer
47d6b05ad3 metadata: always resolve dependencies through provides list
Instead of adding virtual packages to the normal package list, keep a
separate list for provides, make each package provide itself, and resolve
all dependencies through this list. This allows to use PROVIDES to replace
existing packages.

Fixes FS#837.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-01-13 19:54:44 +01:00
Matthias Schiffer
565de8b8a8 metadata: simplify generation of build depends from runtime depends
Runtime depends cannot have a buildtype suffix, and they never refer to
source package names. In addition, this adds warnings about unsatisfiable
dependencies.

Furthermore, this change fixes the generation of conditional build
dependencies for virtual packages provided by different source packages.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-01-13 19:54:44 +01:00
Matthias Schiffer
5b479f7dcf metadata: handle target build depends together with host build depends
Target build depends are similar to host build depends in that they refer
to source packages rather than binary packages. Therefore, it makes sense
to handle them together, rather than putting them in a list together with
runtime depends and trying to figure out if the entries refer to source or
to binary packages afterwards.

This does lead to PKG_BUILD_DEPENDS entries referring to binary package
names not working anymore, which requires some fixes in the package
repositories.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-01-13 19:54:44 +01:00
Matthias Schiffer
3abf663c22 build: remove package preconfig feature
This feature has been unused for years, and its scope is too limited to be
actually useful.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-01-13 19:54:44 +01:00
Matthias Schiffer
423ec18116 metadata: remove redundant fields from package hash
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-01-13 19:54:44 +01:00
Matthias Schiffer
f0c702f124 metadata: replace %subdir hash with a path field in source packages
Every single reference to subdir was concatenated with the source package
name, so it makes sense to store the concatenated value instead.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-01-13 19:54:44 +01:00
Matthias Schiffer
504cb913eb metadata: change pkg->{src} field to hold a reference
We often want to access fields of a source packages through pkg->{src}.
Allow accessing them directly instead of resolving the source hash through
srcpackages.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-01-13 19:54:44 +01:00
Matthias Schiffer
47f292ff78 metadata: iterate over source packages when generating Makefile
All build dependencies are between source packages. Iterating over source
rather than binary packages simplifies parts of the code and prepares
further improvement.

As a side effect, this changes the implicit default variant of a few
packages (the first defined is used now instead of the lexicographically
first).

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-01-13 19:54:44 +01:00
Matthias Schiffer
b2ab9c9d33 metadata: move 'builddepends' from binary to source packages
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-01-13 19:54:43 +01:00
Matthias Schiffer
39be6e7f19 metadata: move 'buildtypes' from binary to source packages
Build types are a property of source rather than binary packages. This is a
preparation for followup cleanup.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-01-13 19:54:43 +01:00
Matthias Schiffer
19577582e4 metadata: make srcpackage extensible
Turn the srcpackage values into hashes to allow storing more information
than just binary package names.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-01-13 19:54:43 +01:00
Matthias Schiffer
1a2b5eb7ac metadata: remove 'base-files' special case
Nothing explicitly depends on base-files, and even if it would, it would
not cause any problems. Remove the unused special case.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-01-13 19:54:43 +01:00
Matthias Schiffer
0b28cc56d4 scripts/package-metadata.pl: remove broken detection of self-dependencies
A self-dependency is not an error worth a warning; rather, it is very
common: whenever there are dependencies between different binary packages
originating from the same source package, such dependencies occur. Not
actually generating dependency rules is correct, but already handled a few
lines below.

A typo prevented this redundant rule from working, which is the reason the
warning was not actually printed.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-01-04 17:18:16 +01:00
Jo-Philipp Wich
bf5d32af2a scripts/package-metadata.pl: inhibit compile deps on missing build types
When a package declares a PKG_BUILD_DEPENDENCY or HOST_BUILD_DEPENDENCY on
a not existing build type, the metadata script will emit a reference to an
unresolvable build target in tmp/.packagedeps, causing the make process to
fail hard in a way not catchable by the IGNORE_ERRORS mechanism.

In a situation where a package "test-a" declares a build dependency
"PKG_BUILD_DEPENDS:=test-b/host" while the Makefile of "test-b" does not
implement a HostBuild, make fails with an unrecoverable error in the form:

    make[1]: Entering directory '...'
    make[1]: *** No rule to make target 'package/test-b/host/compile',
                 needed by 'package/test-a/compile'.  Stop.
    make[1]: Leaving directory '...'
    .../toplevel.mk:200: recipe for target 'package/test-a/compile' failed
    make: *** [package/test-a/compile] Error 2

Extend the metadata generation script to catch such unresolved references
and emit a visible warning upon detection.

After this change, the script will emit a warning similar to:

    WARNING: Makefile "package/test-a/Makefile" has a build dependency on
    "test-b/host" but "package/test-b/Makefile" does not implement a
    "host" build type

Fixes a global build cluster outage which occurred after the "python-cffi"
feed package removed its HostBuild which the "python-cryptography" package
build-depended on.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-07-27 00:37:05 +02:00
Yousong Zhou
80d9ec5d3d scripts/package-metadata.pl: parse and validate field Require-User
The script will now detect uid/gid collision and can generate a table of
current allocation:

    ./scripts/package-metadata.pl usergroup tmp/.packageinfo \
	| sort -k 1,1r -k 3,3n \
	| column -t

This should ensure that no collision will happen for each single build.

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2017-06-18 10:39:35 +08:00
Felix Fietkau
cfd83555fc scripts/package-metadata.pl: fix overriding conditional dependencies with conditional select
Conditional dependencies use the '(!cond) || dep' syntax, whereas
conditional select uses 'dep if cond'.
Add an extra check to suppress emitting a conditional if an equal
conditional select already exists.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-01-11 18:24:39 +01:00
Jo-Philipp Wich
12d15fa8a5 scripts/package-metadata.pl: honour DEFAULT_VARIANT
So far, package-metadata.pl always considered the first provider of a virtual
package to be the default variant which might deviate from what buildroot
considers to be the default.

Change the Kconfig dependency / select code generation for virtual package
providers to consider the DEFAULT_VARIANT to be the primary provider and only
fall back to the first provider if no default variant was explicitly tagged.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-11-02 02:02:44 +01:00
Jo-Philipp Wich
f64360c7ca scripts/package-metadata.pl: fix handling of virtual (PROVIDES) depends
Currently the code emitting dependencies for provide candidates is overwriting
the specification calculated by the previous conditional dependency handling
code, rendering dependencies on virtual PROVIDES packages in conjunction with
conditional dependencies unusable.

Instead of overwriting, append the PROVIDES dependency spec in order to fix
using DEPENDS on virtual provider packages in conjunction with conditions.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-11-02 01:01:34 +01:00
Zefir Kurtisi
cf458de382 scripts: fix build warning when overriding packages
If core packages are overridden, CONFIG_OVERRIDE_PKGS is set
based on the scan order of packages, which eventually causes
that config value to be modified on each build and with
that causes the build process to warn for configuration
being out of sync.

This commit changes the CONFIG_OVERRIDE_PKGS to be sorted
and prevents that false warning.

Signed-off-by: Zefir Kurtisi <zefir.kurtisi@neratec.com>
2016-10-15 11:36:51 +02:00
Matthias Schiffer
6177b649ca scripts/package-metadata.pl: fix generation of dependencies on virtual packages
Dependencies on purely virtual packages (satisfied by PROVIDES) that were
not using "selects" ("+" flag) would be prepended with the prefix
"PACKAGE_" twice, breaking the first alternative.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2016-09-23 23:17:09 +02:00
Felix Fietkau
d8dbd33eba scripts/package-metadata.pl: fix kmod package dependencies within the SDK
Instead of ignoring all metadata for package/kernel/linux, process it
and only suppress emitting config data to tmp/.config-package.in

This ensures that packages that select kmod-* packages can inherit their
dependencies.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-07 12:47:04 +02:00
Felix Fietkau
9ae952cf8c build: split scripts/metadata.pl into target-metadata.pl and package-metadata.pl
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-06-07 08:58:40 +02:00