arch: migrate to SPDX identifier

[jerpelea]

Summary

Most tools used for compliance and SBOM generation use SPDX identifiers
This change brings us a step closer to an easy SBOM generation.

Impact

SBOM

Testing

CI

[nuttxpr]

[Experimental Bot, please feedback here]

No, this PR description does not fully meet the NuttX requirements. While it touches on some points, it lacks crucial details. Here's a breakdown:

Missing/Insufficient Information:

• Summary:

  • While the "why" is stated, it's too general. What specific problem does the lack of SPDX identifiers cause? Be explicit.
  • The "what" and "how" are missing entirely. Which files are changed? How are SPDX identifiers being added (e.g., new config option, direct modification of source files, new build system logic)?
  • Issue references are missing.

• Impact: "SBOM" is not sufficient. You must answer all the yes/no questions explicitly. For example:

  • Is new feature added? Likely YES (SBOM generation capability, even if indirect)
  • Is existing feature changed? Possibly YES, depending on implementation.
  • Impact on user? Potentially YES if any build options or configuration changes are required.
  • Impact on build? Likely YES if the build system needs changes to handle SPDX information.
  • Impact on hardware? Likely NO.
  • Impact on documentation? Likely YES, if any user-facing changes occur.
  • Impact on security? Potentially YES or NO. Justify your answer. Adding SPDX identifiers themselves might not directly change security, but the process of generating SBOMs might expose vulnerabilities if not done carefully.
  • Impact on compatibility? Likely NO, but specify.

• Testing: "CI" is insufficient. List the specific build hosts and targets tested locally. Don't just rely on CI. Provide actual log snippets showcasing the difference in behavior before and after the change. What did you observe that confirms the SPDX identifiers are being correctly handled? For example, did you generate an SBOM and verify its contents?

Example of how to improve the summary:

"Many compliance and SBOM generation tools require SPDX identifiers. Currently, NuttX lacks these identifiers, making automated SBOM generation difficult. This change adds SPDX license identifiers to all applicable source files within the drivers/sensors directory by modifying the file headers. This lays the groundwork for future automated SBOM generation and improves compliance efforts. Relates to NuttX Issue #1234." (Replace #1234 with the actual issue number).

Example of how to improve the testing section:

• Build Host(s): Linux (Ubuntu 22.04), x86_64, GCC 11.2
• Target(s): sim:nsh

Testing logs before change (output of sbom-tool):

No SPDX identifiers found.

Testing logs after change (output of sbom-tool):

Component: drivers/sensors/xyz_sensor.c
License: Apache-2.0
... other components ...

(Replace sbom-tool with the actual tool used and provide realistic log snippets)

By providing this level of detail, reviewers can quickly understand the change, its impact, and its verification, leading to faster and more effective code reviews.