west: spdx: allow to generate for different SPDX version

kartben · kartben · commit bba9d6332178 · 2025-05-28T17:16:23.000+02:00
When support for SPDX 2.3 was added, it effectively dropped support for
SPDX 2.2, which in retrospect was a bad idea since SPDX 2.2 is the
version that is the current ISO/IEC standard.
This commit adds a `--spdx-version` option to the `west spdx` command
so that users can generate SPDX 2.2 documents if they want.
Default is 2.3 given that's effectively what shipped for a few releases
now, including latest LTS.

Signed-off-by: Benjamin Cabé &lt;benjamin@zephyrproject.org&gt;
diff --git a/doc/develop/west/zephyr-cmds.rst b/doc/develop/west/zephyr-cmds.rst
@@ -75,7 +75,7 @@ See :zephyr_file:`share/zephyr-package/cmake` for details.
 Software bill of materials: ``west spdx``
 *****************************************
 
-This command generates SPDX 2.3 tag-value documents, creating relationships
+This command generates SPDX 2.2 or 2.3 tag-value documents, creating relationships
 from source files to the corresponding generated build files.
 ``SPDX-License-Identifier`` comments in source files are scanned and filled
 into the SPDX documents.
@@ -105,6 +105,12 @@ To use this command:
 
       west spdx -d BUILD_DIR
 
+   By default, this generates SPDX 2.3 documents. To generate SPDX 2.2 documents instead:
+
+   .. code-block:: bash
+
+      west spdx -d BUILD_DIR --spdx-version 2.2
+
 .. note::
 
    When building with :ref:`sysbuild`, make sure you target the actual application
@@ -144,6 +150,10 @@ source files that are compiled to generate the built library files.
 - ``-s SPDX_DIR``: specifies an alternate directory where the SPDX documents
   should be written instead of :file:`BUILD_DIR/spdx/`.
 
+- ``--spdx-version {2.2,2.3}``: specifies which SPDX specification version to use.
+  Defaults to ``2.3``. SPDX 2.3 includes additional fields like ``PrimaryPackagePurpose``
+  that are not available in SPDX 2.2.
+
 - ``--analyze-includes``: in addition to recording the compiled source code
   files (e.g. ``.c``, ``.S``) in the bills-of-materials, also attempt to
   determine the specific header files that are included for each ``.c`` file.
diff --git a/scripts/west_commands/spdx.py b/scripts/west_commands/spdx.py
@@ -6,11 +6,11 @@
 import uuid
 
 from west.commands import WestCommand
-
+from zspdx.version import parse
 from zspdx.sbom import SBOMConfig, makeSPDX, setupCmakeQuery
 
 SPDX_DESCRIPTION = """\
-This command creates an SPDX 2.2 tag-value bill of materials
+This command creates an SPDX 2.2 or 2.3 tag-value bill of materials
 following the completion of a Zephyr build.
 
 Prior to the build, an empty file must be created at
@@ -41,6 +41,8 @@ def do_add_parser(self, parser_adder):
                 help="namespace prefix")
         parser.add_argument('-s', '--spdx-dir',
                 help="SPDX output directory")
+        parser.add_argument('--spdx-version', choices=['2.2', '2.3'], default='2.3',
+                help="SPDX specification version to use (default: 2.3)")
         parser.add_argument('--analyze-includes', action="store_true",
                 help="also analyze included header files")
         parser.add_argument('--include-sdk', action="store_true",
@@ -55,6 +57,7 @@ def do_run(self, args, unknown_args):
         self.dbg(f"  --build-dir is", args.build_dir)
         self.dbg(f"  --namespace-prefix is", args.namespace_prefix)
         self.dbg(f"  --spdx-dir is", args.spdx_dir)
+        self.dbg(f"  --spdx-version is", args.spdx_version)
         self.dbg(f"  --analyze-includes is", args.analyze_includes)
         self.dbg(f"  --include-sdk is", args.include_sdk)
 
@@ -85,6 +88,11 @@ def do_run_spdx(self, args):
         # create the SPDX files
         cfg = SBOMConfig()
         cfg.buildDir = args.build_dir
+        try:
+            version_obj = parse(args.spdx_version)
+        except Exception:
+            self.die(f"Invalid SPDX version: {args.spdx_version}")
+        cfg.spdxVersion = version_obj
         if args.namespace_prefix:
             cfg.namespacePrefix = args.namespace_prefix
         else:
diff --git a/scripts/west_commands/zspdx/sbom.py b/scripts/west_commands/zspdx/sbom.py
@@ -9,6 +9,7 @@
 from zspdx.walker import WalkerConfig, Walker
 from zspdx.scanner import ScannerConfig, scanDocument
 from zspdx.writer import writeSPDX
+from zspdx.version import SPDX_VERSION_2_3
 
 
 # SBOMConfig contains settings that will be passed along to the various
@@ -26,6 +27,9 @@ def __init__(self):
         # location of SPDX document output directory
         self.spdxDir = ""
 
+        # SPDX specification version to use
+        self.spdxVersion = SPDX_VERSION_2_3
+
         # should also analyze for included header files?
         self.analyzeIncludes = False
 
@@ -76,6 +80,7 @@ def makeSPDX(cfg):
     walkerCfg = WalkerConfig()
     walkerCfg.namespacePrefix = cfg.namespacePrefix
     walkerCfg.buildDir = cfg.buildDir
+    walkerCfg.spdxVersion = cfg.spdxVersion
     walkerCfg.analyzeIncludes = cfg.analyzeIncludes
     walkerCfg.includeSDK = cfg.includeSDK
 
@@ -101,31 +106,33 @@ def makeSPDX(cfg):
 
     # write SDK document, if we made one
     if cfg.includeSDK:
-        retval = writeSPDX(os.path.join(cfg.spdxDir, "sdk.spdx"), w.docSDK)
+        retval = writeSPDX(os.path.join(cfg.spdxDir, "sdk.spdx"), w.docSDK, cfg.spdxVersion)
         if not retval:
             log.err("SPDX writer failed for SDK document; bailing")
             return False
 
     # write app document
-    retval = writeSPDX(os.path.join(cfg.spdxDir, "app.spdx"), w.docApp)
+    retval = writeSPDX(os.path.join(cfg.spdxDir, "app.spdx"), w.docApp, cfg.spdxVersion)
     if not retval:
         log.err("SPDX writer failed for app document; bailing")
         return False
 
     # write zephyr document
-    retval = writeSPDX(os.path.join(cfg.spdxDir, "zephyr.spdx"), w.docZephyr)
+    retval = writeSPDX(os.path.join(cfg.spdxDir, "zephyr.spdx"), w.docZephyr, cfg.spdxVersion)
     if not retval:
         log.err("SPDX writer failed for zephyr document; bailing")
         return False
 
     # write build document
-    retval = writeSPDX(os.path.join(cfg.spdxDir, "build.spdx"), w.docBuild)
+    retval = writeSPDX(os.path.join(cfg.spdxDir, "build.spdx"), w.docBuild, cfg.spdxVersion)
     if not retval:
         log.err("SPDX writer failed for build document; bailing")
         return False
 
     # write modules document
-    retval = writeSPDX(os.path.join(cfg.spdxDir, "modules-deps.spdx"), w.docModulesExtRefs)
+    retval = writeSPDX(
+        os.path.join(cfg.spdxDir, "modules-deps.spdx"), w.docModulesExtRefs, cfg.spdxVersion
+    )
     if not retval:
         log.err("SPDX writer failed for modules-deps document; bailing")
         return False
diff --git a/scripts/west_commands/zspdx/version.py b/scripts/west_commands/zspdx/version.py
@@ -0,0 +1,19 @@
+# Copyright (c) 2025 The Linux Foundation
+#
+# SPDX-License-Identifier: Apache-2.0
+
+from packaging.version import Version
+
+SPDX_VERSION_2_2 = Version("2.2")
+SPDX_VERSION_2_3 = Version("2.3")
+
+SUPPORTED_SPDX_VERSIONS = [
+    SPDX_VERSION_2_2,
+    SPDX_VERSION_2_3,
+]
+
+def parse(version_str):
+    v = Version(version_str)
+    if v not in SUPPORTED_SPDX_VERSIONS:
+        raise ValueError(f"Unsupported SPDX version: {version_str}")
+    return v
diff --git a/scripts/west_commands/zspdx/walker.py b/scripts/west_commands/zspdx/walker.py
@@ -14,6 +14,7 @@
 from zspdx.datatypes import DocumentConfig, Document, File, PackageConfig, Package, RelationshipDataElementType, RelationshipData, Relationship
 from zspdx.getincludes import getCIncludes
 import zspdx.spdxids
+from zspdx.version import SPDX_VERSION_2_3
 
 # WalkerConfig contains configuration data for the Walker.
 class WalkerConfig:
@@ -26,6 +27,9 @@ def __init__(self):
         # location of build directory
         self.buildDir = ""
 
+        # SPDX specification version to use (e.g., "2.2" or "2.3")
+        self.spdxVersion = "2.3"
+
         # should also analyze for included header files?
         self.analyzeIncludes = False
 
@@ -189,7 +193,9 @@ def setupAppDocument(self):
         cfgPackageApp = PackageConfig()
         cfgPackageApp.name = "app-sources"
         cfgPackageApp.spdxID = "SPDXRef-app-sources"
-        cfgPackageApp.primaryPurpose = "SOURCE"
+        # PrimaryPackagePurpose is only available in SPDX 2.3 and later
+        if self.cfg.spdxVersion == SPDX_VERSION_2_3:
+            cfgPackageApp.primaryPurpose = "SOURCE"
         # relativeBaseDir is app sources dir
         cfgPackageApp.relativeBaseDir = self.cm.paths_source
         pkgApp = Package(cfgPackageApp, self.docApp)
@@ -250,7 +256,7 @@ def setupZephyrDocument(self, zephyr, modules):
         purl = None
         zephyr_tags = zephyr.get("tags", "")
         if zephyr_tags:
-            # Find tag vX.Y.Z
+            # Find tag vX.Y.Z
             for tag in zephyr_tags:
                 version = re.fullmatch(r'^v(?P<version>\d+\.\d+\.\d+)$', tag)
                 purl = self._build_purl(zephyr_url, tag)
@@ -286,7 +292,8 @@ def setupZephyrDocument(self, zephyr, modules):
             cfgPackageZephyrModule.name = module_name + "-sources"
             cfgPackageZephyrModule.spdxID = "SPDXRef-" + module_name + "-sources"
             cfgPackageZephyrModule.relativeBaseDir = module_path
-            cfgPackageZephyrModule.primaryPurpose = "SOURCE"
+            if self.cfg.spdxVersion == SPDX_VERSION_2_3:
+                cfgPackageZephyrModule.primaryPurpose = "SOURCE"
 
             if module_revision:
                 cfgPackageZephyrModule.revision = module_revision
@@ -401,10 +408,11 @@ def walkTargets(self):
             if len(cfgTarget.target.artifacts) > 0:
                 # add its build file
                 bf = self.addBuildFile(cfgTarget, pkg)
-                if pkg.cfg.name == "zephyr_final":
-                    pkg.cfg.primaryPurpose = "APPLICATION"
-                else:
-                    pkg.cfg.primaryPurpose = "LIBRARY"
+                if self.cfg.spdxVersion == SPDX_VERSION_2_3:
+                    if pkg.cfg.name == "zephyr_final":
+                        pkg.cfg.primaryPurpose = "APPLICATION"
+                    else:
+                        pkg.cfg.primaryPurpose = "LIBRARY"
 
                 # get its source files if build file is found
                 if bf:
diff --git a/scripts/west_commands/zspdx/writer.py b/scripts/west_commands/zspdx/writer.py
@@ -3,6 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 
 from datetime import datetime
+from zspdx.version import SPDX_VERSION_2_3
 
 from west import log
 
@@ -65,11 +66,12 @@ def generateDowloadUrl(url, revision):
 
     return f'git+{url}@{revision}'
 
-# Output tag-value SPDX 2.3 content for the given Package object.
+# Output tag-value SPDX content for the given Package object.
 # Arguments:
 #   1) f: file handle for SPDX document
 #   2) pkg: Package object being described
-def writePackageSPDX(f, pkg):
+#   3) spdx_version: SPDX specification version
+def writePackageSPDX(f, pkg, spdx_version=SPDX_VERSION_2_3):
     spdx_normalized_name = _normalize_spdx_name(pkg.cfg.name)
     spdx_normalize_spdx_id = _normalize_spdx_name(pkg.cfg.spdxID)
 
@@ -83,7 +85,8 @@ def writePackageSPDX(f, pkg):
 PackageCopyrightText: {pkg.cfg.copyrightText}
 """)
 
-    if pkg.cfg.primaryPurpose != "":
+    # PrimaryPackagePurpose is only available in SPDX 2.3 and later
+    if spdx_version >= SPDX_VERSION_2_3 and pkg.cfg.primaryPurpose != "":
         f.write(f"PrimaryPackagePurpose: {pkg.cfg.primaryPurpose}\n")
 
     if len(pkg.cfg.url) > 0:
@@ -140,14 +143,15 @@ def writeOtherLicenseSPDX(f, lic):
 LicenseComment: Corresponds to the license ID `{lic}` detected in an SPDX-License-Identifier: tag.
 """)
 
-# Output tag-value SPDX 2.3 content for the given Document object.
+# Output tag-value SPDX content for the given Document object.
 # Arguments:
 #   1) f: file handle for SPDX document
 #   2) doc: Document object being described
-def writeDocumentSPDX(f, doc):
+#   3) spdx_version: SPDX specification version
+def writeDocumentSPDX(f, doc, spdx_version=SPDX_VERSION_2_3):
     spdx_normalized_name = _normalize_spdx_name(doc.cfg.name)
 
-    f.write(f"""SPDXVersion: SPDX-2.3
+    f.write(f"""SPDXVersion: SPDX-{spdx_version}
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: {spdx_normalized_name}
@@ -173,7 +177,7 @@ def writeDocumentSPDX(f, doc):
 
     # write packages
     for pkg in doc.pkgs.values():
-        writePackageSPDX(f, pkg)
+        writePackageSPDX(f, pkg, spdx_version)
 
     # write other license info, if any
     if len(doc.customLicenseIDs) > 0:
@@ -185,12 +189,13 @@ def writeDocumentSPDX(f, doc):
 # Arguments:
 #   1) spdxPath: path to write SPDX document
 #   2) doc: SPDX Document object to write
-def writeSPDX(spdxPath, doc):
+#   3) spdx_version: SPDX specification version
+def writeSPDX(spdxPath, doc, spdx_version=SPDX_VERSION_2_3):
     # create and write document to disk
     try:
-        log.inf(f"Writing SPDX document {doc.cfg.name} to {spdxPath}")
+        log.inf(f"Writing SPDX {spdx_version} document {doc.cfg.name} to {spdxPath}")
         with open(spdxPath, "w") as f:
-            writeDocumentSPDX(f, doc)
+            writeDocumentSPDX(f, doc, spdx_version)
     except OSError as e:
         log.err(f"Error: Unable to write to {spdxPath}: {str(e)}")
         return False
