Thanks for confirming. I wouldn't expect OE to be able to have any knowledge of "sneaky" downloads of additional packages.
I have an idea to enhance create-spdx.bbclass so sneaky recipes can fess up and tell create-spdx about any additional packages they downloaded. If you could implement something like the following, it would help me. If not, I'll just have to combine the OE-produced SBOM with my own custom-produced SBOMs. The idea is:

Idea: Enhance create-spdx.bbclass so a recipe can add multiple additional SBOM entries. For example, if recipeX is sneaky and downloads componentY without bitbake or OE knowing about it, then the recipe will have some way to tell create-spdx that it downloaded componentY at versionZ and also give its license information.

If I had this, then I think we could enhance our webui-vue recipe to use this to report all the NPM packages.