Add yocto PURL injection for SPDX 2.2 and SPDX 3 #171
Conversation
Older Yocto versions (<5.0) don't add PURLs to SPDX output. This adds automatic detection and injection of pkg:yocto/<name>@<version> PURLs into both SPDX 2.2 and SPDX 3 formats during the yocto pipeline, before augmentation/enrichment so enrichment can leverage the PURLs. The injection is idempotent — existing yocto PURLs are preserved and non-yocto PURLs are left untouched. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Pull request overview
Adds Yocto-specific Package URL (PURL) injection so older Yocto-generated SPDX SBOMs (missing PURLs) can be augmented/enriched downstream with consistent pkg:yocto/<name>@<version> identifiers, supporting both SPDX 2.2 and SPDX 3.
Changes:
- Introduces Yocto PURL generation plus SPDX 2.2 (`externalRefs`) and SPDX 3 (`packageUrl`) injection helpers.
- Calls PURL injection early in the Yocto pipeline (both the SPDX 2.2 archive flow and the SPDX 3 single-file flow).
- Adds unit and pipeline integration tests covering generation, detection, injection, and pipeline invocation.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| sbomify_action/_yocto/purl.py | New Yocto PURL generator and SPDX 2.2/SPDX 3 injection routines that rewrite SBOM JSON in-place when injecting. |
| sbomify_action/_yocto/pipeline.py | Invokes injection before augmentation/enrichment in both pipeline paths. |
| sbomify_action/_yocto/__init__.py | Exports the new PURL utilities from the Yocto package. |
| tests/test_yocto_purl.py | Adds unit tests for PURL generation and SPDX 2.2/SPDX 3 injection behavior. |
| tests/test_yocto_pipeline.py | Adds tests asserting injection is called in both the SPDX 2.2 and SPDX 3 pipeline paths. |
Comments suppressed due to low confidence (1)
tests/test_yocto_purl.py:13
- The imported names in this `from sbomify_action._yocto.purl import (...)` block are not ordered consistently; if Ruff/isort is run on tests, this can fail lint. Sort the imported names in a stable order.

```python
from sbomify_action._yocto.purl import (
    _has_yocto_purl_spdx22,
    generate_yocto_purl,
    inject_yocto_purls_spdx3,
    inject_yocto_purls_spdx22,
)
```
Avoid mutating the user's input file on disk when --dry-run is set. The SPDX 2.2 path is unaffected since it operates on temp dir files. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Pull request overview
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
- Use encoding="utf-8" for all JSON open() calls in purl.py
- Move SPDX 2.2 PURL injection after the dry-run check to avoid unnecessary file I/O (mirrors the SPDX 3 path fix from c91d44a)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Pull request overview
Copilot reviewed 5 out of 5 changed files in this pull request and generated no new comments.
Summary
- `pkg:yocto/<name>@<version>` PURL injection for Yocto SBOMs where PURLs are missing (older Yocto <5.0 doesn't generate them natively)
- Supports both SPDX 2.2 (`externalRefs`) and SPDX 3 (`packageUrl`) formats

Test plan
- Unit tests for PURL generation (`TestGenerateYoctoPurl`)
- Unit tests for SPDX 2.2 detection and injection (`TestHasYoctoPurlSpdx22`, `TestInjectYoctoPurlsSpdx22`)
- Unit tests for SPDX 3 injection (`TestInjectYoctoPurlsSpdx3`)

🤖 Generated with Claude Code
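The injection that the PR description and the Summary above describe, together with the dry-run handling from the two follow-up commits, as an added worked example. This is illustrative code written for this page, not sbomify-action's own implementation, and the function names are borrowed from the PR only for readability. Assumptions: SPDX 2.2 PURLs live in `externalRefs` entries with `referenceCategory: PACKAGE-MANAGER` and `referenceType: purl` (the standard SPDX 2.2 form); the SPDX 3 document is an `@graph` list of `software_Package` elements carrying a single `packageUrl` field (the PR's wording) and a `software_packageVersion` field (the SPDX 3.0 property name, assumed here to be what the Yocto serializer emits); the two sample documents are constructed, not real Yocto output. One caveat the PR text does not spell out: Yocto versions such as `6.1.38+git0+abc123` contain `+`, which the PURL spec requires to be percent-encoded, so the generator encodes both name and version rather than concatenating raw strings.

```python
"""Yocto PURL generation and idempotent injection into SPDX 2.2 / SPDX 3 JSON.

Illustrative stand-alone example, not sbomify-action's own code.
"""
from __future__ import annotations

import copy
import json
import tempfile
from pathlib import Path
from urllib.parse import quote

YOCTO_PURL_PREFIX = "pkg:yocto/"
# Assumed SPDX 3 JSON-LD keys: "packageUrl" follows the PR's wording,
# "software_packageVersion" is the SPDX 3.0 property name (assumption).
SPDX3_PURL_KEY = "packageUrl"
SPDX3_VERSION_KEY = "software_packageVersion"


def generate_yocto_purl(name: str, version: str | None = None) -> str:
    """Build pkg:yocto/<name>@<version>, percent-encoding both components.

    "+" in a Yocto version must become %2B so PURL consumers do not mis-parse it.
    """
    if not name:
        raise ValueError("package name is required")
    purl = YOCTO_PURL_PREFIX + quote(name, safe="")
    if version:
        purl += "@" + quote(version, safe="")
    return purl


def _has_yocto_purl_spdx22(package: dict) -> bool:
    """True if the package already carries a purl externalRef of the yocto type."""
    return any(
        ref.get("referenceType") == "purl"
        and str(ref.get("referenceLocator", "")).startswith(YOCTO_PURL_PREFIX)
        for ref in package.get("externalRefs", [])
    )


def inject_yocto_purls_spdx22(doc: dict) -> int:
    """Append a yocto PURL externalRef to every package lacking one; return the count.

    Existing yocto PURLs are kept and PURLs of other types (e.g. pkg:generic)
    stay in place, so running this repeatedly is a no-op after the first pass.
    """
    added = 0
    for pkg in doc.get("packages", []):
        name = pkg.get("name")
        if not name or _has_yocto_purl_spdx22(pkg):
            continue
        pkg.setdefault("externalRefs", []).append({
            "referenceCategory": "PACKAGE-MANAGER",
            "referenceType": "purl",
            "referenceLocator": generate_yocto_purl(name, pkg.get("versionInfo")),
        })
        added += 1
    return added


def inject_yocto_purls_spdx3(doc: dict) -> int:
    """Set the single packageUrl field on software_Package elements that have none."""
    added = 0
    for element in doc.get("@graph", []):
        # Non-package elements and any element with an existing PURL are left untouched.
        if element.get("type") != "software_Package" or element.get(SPDX3_PURL_KEY):
            continue
        name = element.get("name")
        if not name:
            continue
        element[SPDX3_PURL_KEY] = generate_yocto_purl(name, element.get(SPDX3_VERSION_KEY))
        added += 1
    return added


def inject_purls_file(path: Path, dry_run: bool = False) -> int:
    """Inject PURLs into an SPDX JSON file in place; with dry_run, only count."""
    with path.open(encoding="utf-8") as fh:
        doc = json.load(fh)
    added = inject_yocto_purls_spdx3(doc) if "@graph" in doc else inject_yocto_purls_spdx22(doc)
    if added and not dry_run:  # never touch the user's file on a dry run
        with path.open("w", encoding="utf-8") as fh:
            json.dump(doc, fh, indent=2)
            fh.write("\n")
    return added


# Constructed sample documents, not real Yocto output.
_REF = {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl"}
SAMPLE_SPDX22 = {"spdxVersion": "SPDX-2.2", "packages": [
    {"name": "busybox", "versionInfo": "1.36.1"},
    {"name": "linux-yocto", "versionInfo": "6.1.38+git0+abc123",
     "externalRefs": [{**_REF, "referenceLocator": "pkg:generic/linux@6.1.38"}]},
    {"name": "zlib", "versionInfo": "1.2.13",
     "externalRefs": [{**_REF, "referenceLocator": "pkg:yocto/zlib@1.2.13"}]},
]}
SAMPLE_SPDX3 = {"@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld", "@graph": [
    {"type": "software_Package", "name": "busybox", SPDX3_VERSION_KEY: "1.36.1"},
    {"type": "software_Package", "name": "openssl", SPDX3_VERSION_KEY: "3.1.4",
     SPDX3_PURL_KEY: "pkg:generic/openssl@3.1.4"},
    {"type": "Person", "name": "builder"},
]}


def run_demo() -> dict:
    """Inject twice into copies of both samples, then exercise dry-run and real writes."""
    s22, s3 = copy.deepcopy(SAMPLE_SPDX22), copy.deepcopy(SAMPLE_SPDX3)
    first22, second22 = inject_yocto_purls_spdx22(s22), inject_yocto_purls_spdx22(s22)
    first3, second3 = inject_yocto_purls_spdx3(s3), inject_yocto_purls_spdx3(s3)
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "bom.spdx.json"
        original = json.dumps(SAMPLE_SPDX22)
        path.write_text(original, encoding="utf-8")
        dry = inject_purls_file(path, dry_run=True)
        unchanged = path.read_text(encoding="utf-8") == original
        real = inject_purls_file(path)
        written = json.loads(path.read_text(encoding="utf-8"))
    return {
        "spdx22_added": [first22, second22],
        "spdx3_added": [first3, second3],
        "linux_refs": [r["referenceLocator"] for r in s22["packages"][1]["externalRefs"]],
        "busybox_spdx3": s3["@graph"][0][SPDX3_PURL_KEY],
        "openssl_spdx3": s3["@graph"][1][SPDX3_PURL_KEY],
        "dry_run": [dry, unchanged],
        "write": [real, inject_yocto_purls_spdx22(written)],
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The injectors operate on the parsed document and return how many PURLs they added, so the file wrapper can decide whether a write is needed at all; that is what makes the dry-run path free of side effects and keeps the second pass a no-op, which is the idempotence the PR description claims. In SPDX 2.2 a package may carry several `externalRefs`, so a pre-existing `pkg:generic` locator is kept alongside the new yocto one; in SPDX 3 `packageUrl` is a single field, so any existing value wins and nothing is overwritten.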