[LINUX] Make it easy to check AGL release software using SW360 / SPDX Lite

This article is the Day 19 entry of the OpenChain Advent Calendar.

Introduction

Using SW360 and SPDX Lite, which are under ongoing discussion in the Automotive OSS community at OpenChain, I will introduce a method that lets anyone easily check the software used by AGL (Automotive Grade Linux). The contents of this article will also be introduced at the OpenChain booth in the AGL demo booth at CES 2020. See "OpenChain and AGL Collaborate to Facilitate Open Source Compliance in Automotive Production".

About AGL release software

AGL releases software twice a year, and the latest software, Icefish RC3 (v8.99.3), is being prepared for the official release at the beginning of the year. See this page for the AGL release notes. The pre-built software is also publicly available, and from the license.manifest output by the Yocto build (-demo-platform-crosssdk-qemuarm64-20191206223152 / license.manifest) you can check what kind of software is used in AGL, as follows.

af-binder


PACKAGE VERSION: master+gitAUTOINC+82a9d79621
RECIPE NAME: af-binder
LICENSE: Apache-2.0

In this way you can check the package name, version and license of each package. However, AGL uses about 1,500 to 1,600 pieces of software, and checking license.manifest by hand is difficult, so I would like anyone to be able to easily check the AGL release software using SW360 / SPDX Lite.
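To show what checking license.manifest involves at that scale, here is an added example (not code from the original article or from AGL) that parses records in the layout shown above and reduces them to package, version and license rows plus a per-license count. The sample manifest is constructed; the `PACKAGE NAME:` field and the second record are assumptions.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample in the license.manifest layout shown above. Assumptions: records are
# blank-line-separated "KEY: value" blocks starting with PACKAGE NAME; record 2 is made up.
SAMPLE_MANIFEST = """\
PACKAGE NAME: af-binder
PACKAGE VERSION: master+gitAUTOINC+82a9d79621
RECIPE NAME: af-binder
LICENSE: Apache-2.0

PACKAGE NAME: example-lib
PACKAGE VERSION: 1.0
RECIPE NAME: example-lib
LICENSE: GPLv2 & LGPLv2.1
"""

def parse_manifest(text):
    """Return one dict per record, keyed by the field names found in the file."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:  # skip lines that are not "KEY: value"
                fields[key.strip()] = value.strip()
        if fields:
            records.append(fields)
    return records

def license_counts(records):
    """Count packages per license name; "A & B" or "(A | B)" counts for each name."""
    counts = Counter()
    for rec in records:
        counts.update(set(re.findall(r"[^\s&|()]+", rec.get("LICENSE", ""))) or {"UNKNOWN"})
    return counts

def to_csv(records):
    """Reduce each record to package, version, license and return CSV text."""
    out = io.StringIO()
    rows = [(r.get("PACKAGE NAME") or r.get("RECIPE NAME", ""),
             r.get("PACKAGE VERSION", ""), r.get("LICENSE", "UNKNOWN")) for r in records]
    csv.writer(out, lineterminator="\n").writerows([("package", "version", "license"), *rows])
    return out.getvalue()

if __name__ == "__main__":
    recs = parse_manifest(SAMPLE_MANIFEST)
    print(to_csv(recs), license_counts(recs).most_common(), sep="")
```

Records without a `PACKAGE NAME` line fall back to `RECIPE NAME`, and a record with no `LICENSE` field is counted as `UNKNOWN` so it stands out for review.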

Overview of the environment

Because the SPDX files are meant to be imported into SW360, meta-spdxscanner is used to create SPDX files from the AGL release software. SW360 can output SPDX Lite through SW360tools, so anyone can easily check the AGL software in Excel.

Setting up the environment

meta-spdxscanner

AGL supports meta-spdxscanner, as shown below:

  <project name="dl9pf/meta-spdxscanner" path="external/meta-spdxscanner" remote="github" revision="483f79e66eb76b0f1bebe1e3a0a0327b0ba59f16" upstream="thud"/>

Set up the fossdriver used by the SPDX scanner. Please refer to the Day 10 article for the setup method. After the setup is complete, edit local.conf as described at https://github.com/dl9pf/meta-spdxscanner, run bitbake, and output the SPDX file.

$ bitbake package_name -c spdx # will generate spdx of a specified package

SW360

For SW360 setup, refer to this article. Since I want to output SPDX Lite (Excel) from SW360 this time, I additionally set up SW360tools.

From importing the SPDX file to outputting SPDX Lite

After setting up the environment, import the generated SPDX file into SW360.

When the import is complete, the imported software is displayed in SW360.

With SW360tools you can select which SPDX items to output, and export them in CSV format reduced to only the necessary information, as with SPDX Lite.

Even in an environment where SW360 cannot be used, the output file can easily be referenced in Excel at any time.

In closing

Although this was a hurried introduction, the following are the problems I noticed when using it at an actual development site.

- Outputting SPDX with meta-spdxscanner takes longer than the bitbake build itself, which is a problem for incorporating it into CI.
- When importing SPDX files into SW360, a freeze may occur during reading if the number of files exceeds 100.
- Maintenance of the Dockerfile is delayed, and building the environment is costly.

I think there are other operational issues as well, but I would like to accumulate results while gradually giving feedback in open places such as AGL.

Tomorrow's theme is ...

Tomorrow's article will be about "Points to keep in mind when building an OSS compliance system". Mr. Nonaka, a partner attorney at DLA Piper who also participates in the Promotion SWG, will be in charge.
