Add SPDX_INCLUDE_COMPILED_SOURCES documentation

Adding documentation for the new feature to store in SPDX only the compiled sources. Merged in oe-core: c6a2f1fca76fae4c3ea471a0c63d0b453beea968 - spdx: add option to include only compiled sources CC: Antonin Godard <antonin.godard@bootlin.com> (From yocto-docs rev: 4dbc63ed1381fe47723d6ba5b7baf2a3b7fd19aa) Signed-off-by: Daniel Turull <daniel.turull@ericsson.com> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-07-05 05:04:44 +02:00 · 2025-06-19 15:22:57 +02:00 · 2025-06-19 15:22:57 +02:00 · 63fb85ec37
commit 63fb85ec37
parent 7d68886200
2 changed files with 25 additions and 0 deletions
--- a/documentation/dev-manual/sbom.rst
+++ b/documentation/dev-manual/sbom.rst
@ -60,6 +60,9 @@ more information in the output :term:`SPDX` data:
 -  Add a description of the source files used to generate host tools and target
   packages (:term:`SPDX_INCLUDE_SOURCES`)

+-  Add a description of the **compiled** source files used to generate host tools
+   and target packages (:term:`SPDX_INCLUDE_COMPILED_SOURCES`)
+
 -  Add archives of these source files themselves (:term:`SPDX_ARCHIVE_SOURCES`).

 Though the toplevel :term:`SPDX` output is available in
--- a/documentation/ref-manual/variables.rst
+++ b/documentation/ref-manual/variables.rst
@ -8762,6 +8762,28 @@ system and gives an overview of their function and contents.
      image), compared to just using the :ref:`ref-classes-create-spdx` class
      with no option.

+   :term:`SPDX_INCLUDE_COMPILED_SOURCES`
+      This option allows the same as :term:`SPDX_INCLUDE_SOURCES` but including
+      only the sources used to compile the host tools and the target packages.
+      While :term:`SPDX_INCLUDE_SOURCES` includes all files in the source
+      directory as source file descriptions, :term:`SPDX_INCLUDE_COMPILED_SOURCES`
+      includes only the sources that are used to produce the binaries delivered
+      as packages. The source files that are not used during compilation are not
+      included in the SBOM. It uses debugsource information generated during
+      ``do_package`` to filter out source files.
+
+      This enables an external tool to use the SPDX information to disregard
+      vulnerabilities that are not compiled in the packages.
+
+      Enable this option as follows::
+
+         SPDX_INCLUDE_COMPILED_SOURCES = "1"
+
+      According to our tests, building ``core-image-minimal`` for the
+      ``qemux86-64`` machine, enabling this option compared with the
+      :term:`SPDX_INCLUDE_SOURCES` reduces the size of the  ``tmp/deploy/spdx``
+      directory from 2GB to 1.6GB.
+
   :term:`SPDX_NAMESPACE_PREFIX`
      This option could be used in order to change the prefix of ``spdxDocument``
      and the prefix of ``documentNamespace``. It is set by default to