collect_manifest plugin
Collect Manifest Element
A buildstream plugin used to produce a manifest file containing a list of elements for a given dependency.
The manifest contains useful information such as:
- CPE data, such as CVE patches
- Package name
- Version
- Sources
- Source locations
- SHAs
- Patch files
The manifest file is exported as a JSON file to the path provided under the “path” variable defined in the .bst file.
Dependency elements can manually declare CPE data in their public section. For example:
public:
  cpe:
    product: gnutls
    vendor: gnu
    version: '1.0'
This data will be set in the x-cpe field of the entry. If not present, product will be automatically inferred from the name of the element.
For version resolution, a source plugin must opt in to the export_manifest protocol by setting BST_EXPORT_MANIFEST and implementing the export_manifest method.
Currently allowed outputs are:
{
"type": "git",
"url": "https://foo.bar/repo.git",
"commit": "hash/git-describe"
}
{
"type": "archive",
"url": "https://path/to/package.tgz",
"sha256": "checksum"
}
{
"type": "patch",
"path": "path/to/patches"
}
Version will be calculated from commit for git and from basename of URL for archive.
The default version regular expression is
(\d+)(?:\.|_|-)(\d+)(?:\.|_|-)?(\d+)?
(1, 2 or 3 numerical components separated by dots, underscores or dashes). It is possible to change the version regular expression with the field version-match.
The version regular expression must follow Python regular expression syntax. A version regular expression with no group will match exactly the version. A version regular expression with groups will match components of the version with each group. The components will then be concatenated using . (dot) as a separator.
version-match in the cpe public data will never be exported in the x-cpe field of the manifest.
Here is an example of version-match where the filename is openssl1_1_1d.tar.gz; the resulting version will be 1.1.1d.
public:
  cpe:
    version-match: '(\d+)_(\d+)_(\d+[a-z]?)'
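The version resolution rules described above, as an added Python sketch (not the plugin's own code), useful for checking which version a given version-match will put in x-cpe before relying on it for CVE matching. The names resolve_version and x_cpe_entry are hypothetical; the use of re.search, the skipping of unmatched groups and the precedence of a declared version are assumptions.

```python
import posixpath
import re
from urllib.parse import urlparse

# Default pattern as quoted in the documentation above.
DEFAULT_VERSION_MATCH = r"(\d+)(?:\.|_|-)(\d+)(?:\.|_|-)?(\d+)?"


def resolve_version(source, version_match=DEFAULT_VERSION_MATCH):
    """Return the version for one export_manifest output, or None."""
    if source["type"] == "git":
        candidate = source["commit"]
    elif source["type"] == "archive":
        candidate = posixpath.basename(urlparse(source["url"]).path)
    else:
        return None  # "patch" outputs carry no version information
    # Assumption: the pattern may match anywhere in the candidate string.
    match = re.search(version_match, candidate)
    if match is None:
        return None
    if match.re.groups == 0:
        return match.group(0)  # no groups: the match is exactly the version
    # Assumption: optional groups that did not participate are skipped.
    return ".".join(g for g in match.groups() if g is not None)


def x_cpe_entry(cpe_public, source):
    """Build the x-cpe dict; version-match is consumed and never exported."""
    cpe = dict(cpe_public)
    pattern = cpe.pop("version-match", DEFAULT_VERSION_MATCH)
    # Assumption: a version declared in public data takes precedence.
    cpe.setdefault("version", resolve_version(source, pattern))
    return cpe


# Constructed sample inputs, shaped like the allowed outputs listed above.
OPENSSL = {"type": "archive", "sha256": "checksum",
           "url": "https://example.invalid/openssl1_1_1d.tar.gz"}
DESCRIBED = {"type": "git", "url": "https://example.invalid/repo.git",
             "commit": "v3.6.14-2-gabcdef0"}
BARE_HASH = {"type": "git", "url": "https://example.invalid/repo.git",
             "commit": "9f2c41d07a55"}

if __name__ == "__main__":
    custom = r"(\d+)_(\d+)_(\d+[a-z]?)"
    print(resolve_version(OPENSSL))          # default pattern loses the "d"
    print(resolve_version(OPENSSL, custom))  # pattern from the example above
    print(resolve_version(DESCRIBED), resolve_version(BARE_HASH))
    print(x_cpe_entry({"vendor": "openssl", "version-match": custom}, OPENSSL))
```

With the default pattern the constructed OpenSSL filename resolves to 1.1.1 rather than 1.1.1d, and a git source pinned to a bare hash resolves to no version at all; both cases are worth checking in the generated manifest before using it for vulnerability matching.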