collect_manifest plugin

Collect Manifest Element

A BuildStream plugin used to produce a manifest file containing a list of elements for a given dependency.

The manifest contains useful information such as:
  • CPE data, such as CVE patches
  • Package name
  • Version
  • Sources
    • Source locations
    • SHAs
    • Patch files

The manifest file is exported as a JSON file to the path provided under the “path” variable defined in the .bst file.

Dependency elements can manually declare CPE data in their public section. For example:

public:
  cpe:
    product: gnutls
    vendor: gnu
    version: '1.0'

This data will be set in the x-cpe field of the entry.

If not present, product will automatically be inferred from the name of the element.

If not present, version will be taken from the first git, git_tag, tar or zip source whose filename (for tar and zip) or reference (for git and git_tag) contains a substring matching a version regular expression. That matched substring will be the version.

The default version regular expression is \d+\.\d+(?:\.\d+)? (2 or 3 numerical components separated by dots). The version regular expression can be changed with the version-match field.

The version regular expression must follow Python regular expression syntax. A version regular expression with no group will match exactly the version. A version regular expression with groups will match one component of the version with each group. The components will then be concatenated using . (dot) as a separator.

version-match in the cpe public data will never be exported in the x-cpe field of the manifest.

Here is an example of version-match where the filename is openssl1_1_1d.tar.gz. The resulting version will be 1.1.1d.

public:
  cpe:
    version-match: '(\d+)_(\d+)_(\d+[a-z]?)'
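The matching rules above, sketched as an added example (this is not the plugin's own code). The function names, the use of re.search, and the skipping of unmatched optional groups are assumptions; the sample filenames other than openssl1_1_1d.tar.gz are constructed.

```python
import re

# Default pattern quoted in the documentation above.
DEFAULT_VERSION_MATCH = r"\d+\.\d+(?:\.\d+)?"


def extract_version(candidate, version_match=DEFAULT_VERSION_MATCH):
    """Return the version found in a filename or ref, or None if nothing matches."""
    # Assumption: "contains a substring matching" is modelled with re.search.
    match = re.search(version_match, candidate)
    if match is None:
        return None
    if match.re.groups == 0:
        # No capture groups: the matched substring is the version as-is.
        return match.group(0)
    # Capture groups: each group is one component, joined with dots.
    # Assumption: optional groups that did not participate are skipped.
    return ".".join(g for g in match.groups() if g is not None)


def first_version(candidates, version_match=DEFAULT_VERSION_MATCH):
    """Walk source filenames/refs in order; return the first extractable version."""
    for candidate in candidates:
        version = extract_version(candidate, version_match)
        if version is not None:
            return version
    return None


if __name__ == "__main__":
    samples = [
        # (filename or ref, version-match pattern)
        ("gnutls-3.6.14.tar.xz", DEFAULT_VERSION_MATCH),
        ("openssl1_1_1d.tar.gz", DEFAULT_VERSION_MATCH),
        ("openssl1_1_1d.tar.gz", r"(\d+)_(\d+)_(\d+[a-z]?)"),
        # The default pattern takes the first match, which here is not the
        # package version; such elements need an explicit version-match.
        ("python3.8-foo-1.2.3.tar.gz", DEFAULT_VERSION_MATCH),
        ("python3.8-foo-1.2.3.tar.gz", r"foo-(\d+)\.(\d+)\.(\d+)"),
    ]
    for name, pattern in samples:
        print(f"{name!r} with {pattern!r} -> {extract_version(name, pattern)!r}")
```

A version inferred from the wrong substring ends up in x-cpe and is then matched against CVE data for the wrong release, so the inferred versions in a generated manifest are worth reviewing.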