@@ -8762,6 +8762,28 @@ system and gives an overview of their function and contents.
image), compared to just using the :ref:`ref-classes-create-spdx` class
with no option.
+ :term:`SPDX_INCLUDE_COMPILED_SOURCES`
+ This option allows the same as :term:`SPDX_INCLUDE_SOURCES` but including
+ only the sources used to compile the host tools and the target packages.
+ While :term:`SPDX_INCLUDE_SOURCES` includes all files in the source
+ directory as source file descriptions, :term:`SPDX_INCLUDE_COMPILED_SOURCES`
+ includes only the sources that are used to produce the binaries delivered
+ as packages. The source files that are not used during compilation are not
+ included in the SBOM. It uses debugsource information generated during
+ ``do_package`` to filter out source files.
+
+ This enables an external tool to use the SPDX information to disregard
+ vulnerabilities that are not compiled in the packages.
+
+ Enable this option as follows::
+
+ SPDX_INCLUDE_COMPILED_SOURCES = "1"
+
+ According to our tests, building ``core-image-minimal`` for the
+ ``qemux86-64`` machine, enabling this option compared with the
+ :term:`SPDX_INCLUDE_SOURCES` reduces the size of the ``tmp/deploy/spdx``
+ directory from 2GB to 1.6GB.
+
:term:`SPDX_NAMESPACE_PREFIX`
This option could be used in order to change the prefix of ``spdxDocument``
and the prefix of ``documentNamespace``. It is set by default to
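Review bot: The paragraph "This enables an external tool to use the SPDX information to disregard vulnerabilities that are not compiled in the packages" needs the limits of the filter spelled out, because the entry says the filtering relies on debugsource information generated during ``do_package``. Please document what ends up in the SBOM for a recipe or file that produces no debugsource information, so that a consumer does not read the absence of a file from the SBOM as proof that the code is not shipped. The entry also does not say whether :term:`SPDX_INCLUDE_SOURCES` must be set as well, or which one takes effect when both are set to "1"; one sentence on that and on the default value would help. Wording: the opening sentence "allows the same as ... but including only" is hard to parse; something like "works like :term:`SPDX_INCLUDE_SOURCES`, but includes only the sources used to compile the host tools and the target packages" reads better, and "vulnerabilities that are not compiled in the packages" should be "vulnerabilities in source files that are not compiled into the packages". In the last paragraph, "compared with the :term:`SPDX_INCLUDE_SOURCES`" should drop "the", and the sizes are better written "2 GB" and "1.6 GB".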