Test layer demonstrating spdx-diff with various SBOM change scenarios.
- core-image-minimal.bbappend - Enables spdx-diff with fixed reference SBOM
- kas/image-minimal.yml - Builds baseline core-image-minimal
- kas/spdx-diff.yml - Enables spdx-diff with fixed reference SBOM by applying meta-spdx-diff-test/recipes-core/images/core-image-minimal.bbappend.
- kas/test-*.yml - Test scenarios that compose with image-minimal.yml
- meta-recipes-test/ - Demo layer providing packages for testing
- kernel-config/*.cfg - Kernel configuration test cases
- test-new-package.yml - Add packages (example, i2c-tools)
- test-new-package-version.yml - Upgrade i2c-tools (4.3 → 4.4)
- test-new-packageconfig.yml - Modify package build features

- test-kernelconfig-n-to-y.yml - Enable feature (n → y)
- test-kernelconfig-n-to-m.yml - Enable module (n → m)
# Clone
git clone https://github.com/bootlin/meta-spdx-diff-test.git meta-spdx-diff-test
cd meta-spdx-diff-test
# Build baseline
kas build kas/image-minimal.yml
# Build with changes
kas build kas/image-minimal.yml:kas/test-new-package.yml
# Build with changes and with spdx-diff enabled
kas build kas/image-minimal.yml:kas/spdx-diff.yml:kas/test-new-package.yml
# View diff
cat build/tmp-glibc/deploy/images/qemux86-64/core-image-minimal-qemux86-64.rootfs.spdx-diff.json

- core-image-minimal.bbappend inherits spdx-diff class
- Reference SBOM is fetched from: file://${TOPDIR}/../sbom-data/reference-sbom.spdx.json
- After image build, spdx-diff compares new vs reference
- Diff results are deployed with human-readable summary
Packages - Added:
+ example: 0.1
+ i2c-tools: 4.3
Packages - Changed:
~ openssl: 3.0.13 -> 3.0.14
Kernel Config - Changed:
~ CONFIG_SECURITY_SELINUX: n -> y
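
The comparison step described above, sketched as an added example (not code from spdx-diff or this layer): it diffs package names and versions between a reference and a new SBOM and renders the package part of the summary shown. The sample documents are constructed and assume SPDX 2.x JSON fields (packages, name, versionInfo); the function names and the "Removed" section are assumptions.

```python
import json

# Constructed sample documents using SPDX 2.x JSON field names
# ("packages", "name", "versionInfo"); not output from a real build.
REFERENCE = json.loads("""{"packages": [
  {"name": "openssl", "versionInfo": "3.0.13"},
  {"name": "busybox", "versionInfo": "1.36.1"}]}""")
NEW = json.loads("""{"packages": [
  {"name": "openssl", "versionInfo": "3.0.14"},
  {"name": "busybox", "versionInfo": "1.36.1"},
  {"name": "example", "versionInfo": "0.1"},
  {"name": "i2c-tools", "versionInfo": "4.3"}]}""")


def package_versions(doc):
    """Map package name -> version; a missing versionInfo becomes 'unknown'."""
    return {p["name"]: p.get("versionInfo", "unknown")
            for p in doc.get("packages", [])}


def diff_packages(reference, new):
    """Return (added, removed, changed) between two SBOM documents."""
    ref, cur = package_versions(reference), package_versions(new)
    added = {n: cur[n] for n in cur.keys() - ref.keys()}
    removed = {n: ref[n] for n in ref.keys() - cur.keys()}
    changed = {n: (ref[n], cur[n])
               for n in ref.keys() & cur.keys() if ref[n] != cur[n]}
    return added, removed, changed


def render_summary(added, removed, changed):
    """Format the result like the summary above ('Removed' is an assumed section)."""
    lines = []
    for title, items, fmt in (
        ("Added", added, lambda n, v: f"+ {n}: {v}"),
        ("Removed", removed, lambda n, v: f"- {n}: {v}"),
        ("Changed", changed, lambda n, v: f"~ {n}: {v[0]} -> {v[1]}"),
    ):
        if items:  # skip empty sections so the summary stays short
            lines.append(f"Packages - {title}:")
            lines += [fmt(n, items[n]) for n in sorted(items)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_summary(*diff_packages(REFERENCE, NEW)))
```
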
All scenarios compose with image-minimal.yml:
To generate all test cases, execute: sbom-data/generate_sboms.sh
- meta-spdx-diff
- Scarthgap with OE-Core commit a172a0e8d5 or later
- KAS build tool
- spdx-diff tool: https://github.com/bootlin/spdx-diff
- meta-spdx-diff layer: https://github.com/bootlin/meta-spdx-diff