From nobody Thu Apr 2 17:16:39 2026 Received: from mailgw01.zimbra-vnc.de (mailgw01.zimbra-vnc.de [148.251.101.236]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E69A13346B8; Tue, 10 Feb 2026 20:55:24 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=148.251.101.236 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770756934; cv=none; b=hUDbqtcqwPnU9OCY9ORVSfFTTsc4zw6zMmjkQ1jF8F9gZMtVN6R878qg6QqiGacSouGVbr/ERcVMfzzWCNLTVd4hD3g1KrE2lim1JnO5hWmjXI75W9oH2Ia0Aie/HQ6OT+Ng9WWCiqQpHP+mA6NpUA38TV7EUppUgDhrr1Y0DJI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770756934; c=relaxed/simple; bh=WMaT1hdlr+zxmDD8B7mUKEIIYGJT31hyJqCaKOhsl2c=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=qDGk4spFuLc+wH+rF2wbtg4VfBfsWfXx1XMvBgm5xvu/btLk1V+OgbOZroSK8rby2MTNX04L5Qt2FlStLiE61h75VBhCIQgahf41ZM+7P9e+Cm6YrAVdvx8rOwerf8WGVBd6C3V8rDXajWfdm7cZ75S0ZuiAW6u0C2T9FpVdVo8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=tngtech.com; spf=pass smtp.mailfrom=tngtech.com; dkim=pass (2048-bit key) header.d=tngtech.com header.i=@tngtech.com header.b=CIo2/mhA; arc=none smtp.client-ip=148.251.101.236 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=tngtech.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=tngtech.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=tngtech.com header.i=@tngtech.com header.b="CIo2/mhA" Received: from zmproxy.tng.vnc.biz (zimbra-vnc.tngtech.com [35.234.71.156]) by mailgw01.zimbra-vnc.de (Postfix) with ESMTPS id 5CD653FAF3; Tue, 10 Feb 2026 21:55:22 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) by zmproxy.tng.vnc.biz (Postfix) with ESMTP id 309371FA864; Tue, 10 Feb 2026 21:55:22 +0100 (CET) Received: from zmproxy.tng.vnc.biz ([127.0.0.1]) by localhost (zmproxy.tng.vnc.biz [127.0.0.1]) (amavis, port 10032) with ESMTP id T_Y4VEPtJO5Z; Tue, 10 Feb 2026 21:55:21 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) by zmproxy.tng.vnc.biz (Postfix) with ESMTP id 8F3E11FA944; Tue, 10 Feb 2026 21:55:21 +0100 (CET) DKIM-Filter: OpenDKIM Filter v2.10.3 zmproxy.tng.vnc.biz 8F3E11FA944 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tngtech.com; s=B14491C6-869D-11EB-BB6C-8DD33D883B31; t=1770756921; bh=OEm0QHBgKRnVpZ60MN5ZEh8tvrYfq6QX/3jO1LSQ5Fc=; h=From:To:Subject:Date:Message-Id:MIME-Version; b=CIo2/mhAdfVyF+68Pr9yx/ioO4oJhDvJWKhiRRhApeslSjiavIS/7ZNCcw5AXNcKK ImbWSdwPircTWq4pt+6K7ODixaJ9g3glMtySjhV8OmSp+8CeX5KMZ6D/VcBaqwizIQ y+v6bft67hfnw+oCdoo3/7r3CgQvX2ajUvlK7tdNgiM1yUYHAkn4HILg37Ees5qvqv N4x6igtnmB8VpVKB3c21h6YB3geAPyJ47ho8nrB96Wnp4CngX5/5NsrbSOQYAB+fQd Sg+zW6v/z6vKpC9ISVqH2e8/Mh2/oIGJ37PWTP2Dim5W9G7oAAAZCoK1ruI5HTazQJ OB41Cimcz4CAw== X-Virus-Scanned: amavis at zmproxy.tng.vnc.biz Received: from zmproxy.tng.vnc.biz ([127.0.0.1]) by localhost (zmproxy.tng.vnc.biz [127.0.0.1]) (amavis, port 10026) with ESMTP id LTVjBZLZILm2; Tue, 10 Feb 2026 21:55:21 +0100 (CET) Received: from DESKTOP-0O0JV6I.localdomain (ipservice-092-208-231-176.092.208.pools.vodafone-ip.de [92.208.231.176]) by zmproxy.tng.vnc.biz (Postfix) with ESMTPSA id 25BF91FA864; Tue, 10 Feb 2026 21:55:21 +0100 (CET) From: Luis Augenstein To: nathan@kernel.org, nsc@kernel.org Cc: linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org, akpm@linux-foundation.org, gregkh@linuxfoundation.org, kstewart@linuxfoundation.org, maximilian.huber@tngtech.com, Luis Augenstein Subject: [PATCH 12/15] scripts/sbom: add SPDX source graph Date: Tue, 10 Feb 2026 21:54:21 +0100 Message-Id: <20260210205424.11195-13-luis.augenstein@tngtech.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20260210205424.11195-1-luis.augenstein@tngtech.com> References: <20260210205424.11195-1-luis.augenstein@tngtech.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Implement the SPDX source graph which contains all source files involved during the build, along with the licensing information for each file. Assisted-by: Claude Sonnet 4.5 Assisted-by: GLM-4.7 Co-developed-by: Maximilian Huber Signed-off-by: Maximilian Huber Signed-off-by: Luis Augenstein --- .../sbom/sbom/spdx_graph/build_spdx_graphs.py | 8 ++ .../sbom/sbom/spdx_graph/spdx_source_graph.py | 126 ++++++++++++++++++ 2 files changed, 134 insertions(+) create mode 100644 scripts/sbom/sbom/spdx_graph/spdx_source_graph.py diff --git a/scripts/sbom/sbom/spdx_graph/build_spdx_graphs.py b/scripts/sb= om/sbom/spdx_graph/build_spdx_graphs.py index 2af0fbe6cdbe..a61257a905f3 100644 --- a/scripts/sbom/sbom/spdx_graph/build_spdx_graphs.py +++ b/scripts/sbom/sbom/spdx_graph/build_spdx_graphs.py @@ -10,6 +10,7 @@ from sbom.path_utils import PathStr from sbom.spdx_graph.kernel_file import KernelFileCollection from sbom.spdx_graph.spdx_graph_model import SpdxGraph, SpdxIdGeneratorCol= lection from sbom.spdx_graph.shared_spdx_elements import SharedSpdxElements +from sbom.spdx_graph.spdx_source_graph import SpdxSourceGraph from sbom.spdx_graph.spdx_output_graph import SpdxOutputGraph =20 =20 @@ -54,4 +55,11 @@ def build_spdx_graphs( KernelSpdxDocumentKind.OUTPUT: output_graph, } =20 + if len(kernel_files.source) > 0: + spdx_graphs[KernelSpdxDocumentKind.SOURCE] =3D SpdxSourceGraph.cre= ate( + source_files=3Dlist(kernel_files.source.values()), + shared_elements=3Dshared_elements, + spdx_id_generators=3Dspdx_id_generators, + ) + return spdx_graphs diff --git a/scripts/sbom/sbom/spdx_graph/spdx_source_graph.py b/scripts/sb= om/sbom/spdx_graph/spdx_source_graph.py new file mode 100644 index 000000000000..16176c4ea5ee --- /dev/null +++ b/scripts/sbom/sbom/spdx_graph/spdx_source_graph.py @@ -0,0 +1,126 @@ +# SPDX-License-Identifier: GPL-2.0-only OR MIT +# Copyright (C) 2025 TNG Technology Consulting GmbH + +from dataclasses import dataclass +from sbom.spdx import SpdxIdGenerator +from sbom.spdx.core import Element, NamespaceMap, Relationship, SpdxDocume= nt +from sbom.spdx.simplelicensing import LicenseExpression +from sbom.spdx.software import File, Sbom +from sbom.spdx_graph.kernel_file import KernelFile +from sbom.spdx_graph.shared_spdx_elements import SharedSpdxElements +from sbom.spdx_graph.spdx_graph_model import SpdxGraph, SpdxIdGeneratorCol= lection + + +@dataclass +class SpdxSourceGraph(SpdxGraph): + """SPDX graph representing source files""" + + @classmethod + def create( + cls, + source_files: list[KernelFile], + shared_elements: SharedSpdxElements, + spdx_id_generators: SpdxIdGeneratorCollection, + ) -> "SpdxSourceGraph": + """ + Args: + source_files: List of files within the kernel source tree. + shared_elements: Shared SPDX elements used across multiple doc= uments. + spdx_id_generators: Collection of SPDX ID generators. + + Returns: + SpdxSourceGraph: The SPDX source graph. + """ + # SpdxDocument + source_spdx_document =3D SpdxDocument( + spdxId=3Dspdx_id_generators.source.generate(), + profileConformance=3D["core", "software", "simpleLicensing"], + namespaceMap=3D[ + NamespaceMap(prefix=3Dgenerator.prefix, namespace=3Dgenera= tor.namespace) + for generator in [spdx_id_generators.source, spdx_id_gener= ators.base] + if generator.prefix is not None + ], + ) + + # Sbom + source_sbom =3D Sbom( + spdxId=3Dspdx_id_generators.source.generate(), + software_sbomType=3D["source"], + ) + + # Src Tree Elements + src_tree_element =3D File( + spdxId=3Dspdx_id_generators.source.generate(), + name=3D"$(src_tree)", + software_fileKind=3D"directory", + ) + src_tree_contains_relationship =3D Relationship( + spdxId=3Dspdx_id_generators.source.generate(), + relationshipType=3D"contains", + from_=3Dsrc_tree_element, + to=3D[], + ) + + # Source file elements + source_file_elements: list[Element] =3D [file.spdx_file_element fo= r file in source_files] + + # Source file license elements + source_file_license_identifiers, source_file_license_relationships= =3D source_file_license_elements( + source_files, spdx_id_generators.source + ) + + # Update relationships + source_spdx_document.rootElement =3D [source_sbom] + source_sbom.rootElement =3D [src_tree_element] + source_sbom.element =3D [ + src_tree_element, + src_tree_contains_relationship, + *source_file_elements, + *source_file_license_identifiers, + *source_file_license_relationships, + ] + src_tree_contains_relationship.to =3D source_file_elements + + source_graph =3D SpdxSourceGraph( + source_spdx_document, + shared_elements.agent, + shared_elements.creation_info, + source_sbom, + ) + return source_graph + + +def source_file_license_elements( + source_files: list[KernelFile], spdx_id_generator: SpdxIdGenerator +) -> tuple[list[LicenseExpression], list[Relationship]]: + """ + Creates SPDX license expressions and links them to the given source fi= les + via hasDeclaredLicense relationships. + + Args: + source_files: List of files within the kernel source tree. + spdx_id_generator: Generator for unique SPDX IDs. + + Returns: + Tuple of (license expressions, hasDeclaredLicense relationships). + """ + license_expressions: dict[str, LicenseExpression] =3D {} + for file in source_files: + if file.license_identifier is None or file.license_identifier in l= icense_expressions: + continue + license_expressions[file.license_identifier] =3D LicenseExpression( + spdxId=3Dspdx_id_generator.generate(), + simplelicensing_licenseExpression=3Dfile.license_identifier, + ) + + source_file_license_relationships =3D [ + Relationship( + spdxId=3Dspdx_id_generator.generate(), + relationshipType=3D"hasDeclaredLicense", + from_=3Dfile.spdx_file_element, + to=3D[license_expressions[file.license_identifier]], + ) + for file in source_files + if file.license_identifier is not None + ] + return ([*license_expressions.values()], source_file_license_relations= hips) --=20 2.34.1