
classify deps by source type: referenced, remote, vendored, custom#15

Open
jtrinidad-fossa wants to merge 1 commit into mickledore from jt/referenced-deps
Conversation

@jtrinidad-fossa

Summary

  • Git-sourced packages are now emitted as referenced-dependencies (type: git) with HTTPS URLs and git refs extracted from PKGV
  • HTTP/HTTPS tarball packages become remote-dependencies with clean URLs (BitBake fetcher options stripped) and optional description/homepage metadata
  • Local-only packages (all file:// SRC_URI) fall back to vendored-dependency when FOSSA_LICENSE_SCAN=1 and source is captured, otherwise custom-dependency

Previously everything was emitted as custom-dependency (or vendored-dependency only when license scan was enabled). This change makes the dependency graph richer and allows FOSSA to resolve upstream sources directly.

New helpers in fossa_utils.bbclass

  • find_primary_remote_url(src_uri) — returns first non-file:// URI from SRC_URI
  • is_git_uri(uri) — detects git:// / gitsm:// fetchers
  • git_uri_to_https(uri) — converts BitBake git URI + protocol=https option to a plain HTTPS URL
  • extract_git_version(full_version) — extracts commit hash from 2.39+git0+ce65d944e3-r0 or uses version string as a tag ref
  • mk_referenced_git_dependency(dep, url) — builds a referenced-dependency entry
  • mk_remote_dependency(dep, url, recipe) — builds a remote-dependency entry

Test plan

  • Verify fossa analyze runs cleanly against a fossa-deps.yml generated from the new logic
  • Confirm git-sourced packages (e.g. systemd, busybox, curl) appear as referenced-dependencies in the FOSSA UI
  • Confirm tarball-sourced packages appear as remote-dependencies
  • Confirm local-only packages (base-files, packagegroup-*) appear as custom-dependencies without FOSSA_LICENSE_SCAN, and vendored-dependencies with it

🤖 Generated with Claude Code

Packages fetched from git repositories are now emitted as
referenced-dependencies (type: git) with HTTPS URLs and git refs
extracted from PKGV. Packages fetched via HTTP/HTTPS tarballs become
remote-dependencies. Local-only packages fall back to vendored-dependency
(when FOSSA_LICENSE_SCAN=1) or custom-dependency.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
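A worked illustration of the classification the PR summary describes, added here as an example; it is not the code from the fossa_utils.bbclass change itself. The helper names mirror the ones listed in the summary, but their bodies, the fossa-deps field mapping for each section, the handling of git URIs whose protocol option is not https (they fall through to the local-only path), and the sample recipes are all assumptions made for the example.

```python
"""Illustrative SRC_URI -> fossa-deps classifier.

Example code, not the fossa_utils.bbclass implementation. Helper names follow
the PR description; bodies, field mappings and sample data are assumptions.
"""
import re

# Constructed sample recipes: PN -> (PKGV, PKGR, SRC_URI). Made up for this example.
SAMPLE_RECIPES = {
    "systemd": ("2.39+git0+ce65d944e3", "r0",
                "git://github.com/systemd/systemd.git;protocol=https;branch=main "
                "file://0001-local.patch"),
    "curl": ("8.5.0", "r0",
             "https://curl.se/download/curl-8.5.0.tar.xz;name=curl file://run-ptest"),
    "base-files": ("3.0.14", "r89", "file://fstab file://profile"),
    "sshkeys": ("1.0", "r0", "git://example.invalid/sshkeys.git;protocol=ssh"),
}

# Matches the "+git<srcpv>+<hash>" segment BitBake appends to PKGV for git recipes.
GIT_HASH_RE = re.compile(r"\+git[^+]*\+([0-9a-fA-F]{7,40})")


def split_bitbake_uri(uri):
    """Split 'scheme://host/path;opt=val;...' into (base URL, options dict)."""
    base, *opts = uri.split(";")
    return base, dict(o.split("=", 1) if "=" in o else (o, "") for o in opts)


def find_primary_remote_url(src_uri):
    """First non-file:// entry of a whitespace-separated SRC_URI, or None."""
    return next((u for u in src_uri.split() if not u.startswith("file://")), None)


def is_git_uri(uri):
    return uri.startswith(("git://", "gitsm://"))


def git_uri_to_https(uri):
    """Rewrite a git:// or gitsm:// URI carrying protocol=https to a plain HTTPS URL.

    Returns None when the protocol option is anything else (assumption: the
    caller then treats the recipe like a local-only one rather than guessing).
    """
    base, opts = split_bitbake_uri(uri)
    if opts.get("protocol") != "https":
        return None
    return "https://" + base.split("://", 1)[1]


def extract_git_version(full_version):
    """Commit hash from e.g. '2.39+git0+ce65d944e3-r0'; otherwise the version
    string (minus the -rN package revision) to be used as a tag ref."""
    m = GIT_HASH_RE.search(full_version)
    return m.group(1) if m else re.sub(r"-r\d+$", "", full_version)


def clean_remote_url(uri):
    """Strip BitBake fetcher options (;name=..., ;downloadfilename=...) from a URL."""
    return split_bitbake_uri(uri)[0]


def mk_referenced_git_dependency(url, ref):
    return {"type": "git", "name": url, "version": ref}


def mk_remote_dependency(name, version, url):
    return {"name": name, "version": version, "url": url}


def classify(name, pkgv, pkgr, src_uri, license_scan=False, source_captured=False):
    """Return (fossa-deps section, entry) for one recipe."""
    primary = find_primary_remote_url(src_uri)
    if primary and is_git_uri(primary):
        url = git_uri_to_https(primary)
        if url:
            ref = extract_git_version(f"{pkgv}-{pkgr}")
            return "referenced-dependencies", mk_referenced_git_dependency(url, ref)
    elif primary and primary.startswith(("http://", "https://")):
        return "remote-dependencies", mk_remote_dependency(name, pkgv, clean_remote_url(primary))
    # Local-only (or unresolvable git) recipes: vendored when the license scan
    # captured source, else custom. Real custom-dependencies also need a
    # license field, which this example does not invent.
    if license_scan and source_captured:
        return "vendored-dependencies", {"name": name, "version": pkgv, "path": f"vendored/{name}"}
    return "custom-dependencies", {"name": name, "version": pkgv}


def build_fossa_deps(recipes, license_scan=False):
    """Group classified recipes into the sections of a fossa-deps document."""
    deps = {}
    for name, (pkgv, pkgr, src_uri) in recipes.items():
        section, entry = classify(name, pkgv, pkgr, src_uri,
                                  license_scan=license_scan, source_captured=license_scan)
        deps.setdefault(section, []).append(entry)
    return deps


if __name__ == "__main__":
    import json
    print(json.dumps(build_fossa_deps(SAMPLE_RECIPES), indent=2))
```

Running the module prints the grouped sections for the constructed recipes; the sshkeys entry shows the fall-through for a git URI without protocol=https, which lands in custom-dependencies instead of producing a URL FOSSA could not fetch.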
@jtrinidad-fossa jtrinidad-fossa requested a review from a team as a code owner May 21, 2026 19:12
@jtrinidad-fossa jtrinidad-fossa requested review from GauravB159 and removed request for a team May 21, 2026 19:12