From: 'Felix Moessbauer' via isar-users <felix.moessbauer@siemens.com>
To: isar-users@googlegroups.com
Cc: jan.kiszka@siemens.com, gernot.hillier@siemens.com, Christoph Steiger
Subject: [RFC PATCH 0/1] SBOM Generation for isar
Date: Thu, 20 Feb 2025 10:59:43 +0100
Message-ID: <20250220095944.114203-1-felix.moessbauer@siemens.com>

From: Christoph Steiger

This patch would add SBOM generation support for isar. We already generate a manifest as part of the do_rootfs task which is used by some people internally at Siemens to create SBOMs, but it has a proprietary format and is not documented. It also has become apparent that more information than in the manifest is required.

To create the SBOMs we parse the dpkg status file in a given image and have some Python scripts to build a valid SBOM for the two standard formats (CycloneDX and SPDX). The Python scripts are a very minimal implementation to generate SBOMs, as all other tools have heavier dependencies that are not packaged in Debian. As we also require only a small subset of these libraries (we only generate a specific version and format, using also only a small part of the data structures) I chose to quickly implement this myself.

The current implementation also emits source package information in the SPDX format. Unfortunately the CDX standard does not allow mapping the relationship between a Debian source and binary package in a satisfactory way, so I omitted it for now. There are talks internally about how to represent this relationship, but it is probably a good idea to leave it empty for now.
TODOs/next steps:
- license/copyright parsing: debian has no machine-readable format for these, but they are very valuable for clearing purposes
- tighter bitbake integration: if we hook into each recipe we could add more information and correctly represent vendor packages

Please tell me what you think and how we could land SBOM generation here :-)

Christoph Steiger (1):
  meta: add CycloneDX/SPDX SBOM generation

 meta/classes/create-sbom.bbclass |  49 ++++
 meta/classes/image.bbclass       |   2 +
 meta/lib/sbom.py                 | 446 +++++++++++++++++++++++++++++++
 meta/lib/sbom_cdx_types.py       |  82 ++++++
 meta/lib/sbom_spdx_types.py      |  95 +++++++
 5 files changed, 674 insertions(+)
 create mode 100644 meta/classes/create-sbom.bbclass
 create mode 100644 meta/lib/sbom.py
 create mode 100644 meta/lib/sbom_cdx_types.py
 create mode 100644 meta/lib/sbom_spdx_types.py

-- 
2.39.5
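The pipeline the cover letter describes (read the image's dpkg status file, emit CycloneDX and SPDX) as an added, self-contained example. This is editor-written illustration code, not the patch's meta/lib/sbom.py and not isar's code, and it makes a few assumptions beyond the letter: the three status stanzas are constructed, purls use a `pkg:deb/debian` namespace, the Debian source package is stored in a CycloneDX property with a made-up name `debian:source` (since, as the letter says, CycloneDX has no clean source-to-binary relationship), and the SPDX side expresses that relationship as `GENERATED_FROM`. It also handles the edge cases a status-file parser meets in practice: removed packages that still have a stanza (`deinstall ok config-files`), a `Source:` field that carries its own version in parentheses, continuation lines, epochs and `+` in versions that must be percent-encoded in purls, and version characters that are not legal in SPDX identifiers.

```python
import re
import uuid
from datetime import datetime, timezone
from urllib.parse import quote

# Constructed sample stanzas, not from a real image: libc6 has a differing source name, hello no Source field, foo-dev is removed.
SAMPLE_STATUS = """\
Package: libc6
Status: install ok installed
Architecture: arm64
Source: glibc
Version: 2.36-9+deb12u4
Depends: libgcc-s1
Description: GNU C Library: Shared libraries
 Contains the standard libraries that are used by nearly all programs.

Package: hello
Status: install ok installed
Version: 2.10-3
Depends: libc6 (>= 2.34), libfoo:any | libbar
Description: example package based on GNU hello

Package: foo-dev
Status: deinstall ok config-files
Source: foo (1.0-2)
Version: 1.0-2+local1
"""

def parse_status(text):
    """One dict per stanza; continuation lines (leading blank) extend the last field."""
    pkgs = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") and key is not None:
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                key = key.strip()
                fields[key] = value.strip()
        if "Package" in fields:
            pkgs.append(fields)
    return pkgs

def installed(pkgs):
    """Only packages whose dpkg state (third Status word) is 'installed' are in the image."""
    return [p for p in pkgs if p.get("Status", "").split()[-1:] == ["installed"]]

def source_of(pkg):
    """(source name, version): dpkg omits Source when it equals the binary name and
    writes 'Source: name (ver)' when the source version differs from the binary one."""
    src = pkg.get("Source")
    if not src:
        return pkg["Package"], pkg["Version"]
    m = re.fullmatch(r"(\S+)(?:\s+\((.+)\))?", src.strip())
    return m.group(1), m.group(2) or pkg["Version"]

def purl(name, version, arch=None, distro="debian"):
    """Package URL; percent-encoding keeps epochs ('1:') and '+' valid. 'debian' is assumed."""
    p = f"pkg:deb/{distro}/{name}@{quote(version, safe='')}"
    return f"{p}?arch={arch}" if arch else p

def depends_names(pkg):
    """Bare names from Pre-Depends/Depends: drop version constraints and ':any' qualifiers."""
    names = []
    for field in ("Pre-Depends", "Depends"):
        for alt in re.split(r"[,|]", pkg.get(field, "")):
            if alt.strip():
                names.append(re.split(r"[\s:(]", alt.strip(), maxsplit=1)[0])
    return names

def cyclonedx(pkgs, distro="debian"):
    """CycloneDX 1.5 document (as a dict) for the installed packages."""
    comps = []
    for p in installed(pkgs):
        ref = purl(p["Package"], p["Version"], p.get("Architecture"), distro)
        comps.append({"type": "library", "bom-ref": ref, "name": p["Package"],
                      "version": p["Version"], "purl": ref,
                      # CycloneDX has no clean source->binary relation, so the source
                      # package goes into a property; the property name is made up here.
                      "properties": [{"name": "debian:source", "value": "%s %s" % source_of(p)}]})
    by_name = {c["name"]: c["bom-ref"] for c in comps}
    deps = [{"ref": by_name[p["Package"]],
             "dependsOn": sorted(by_name[n] for n in set(depends_names(p)) if n in by_name)}
            for p in installed(pkgs)]
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "serialNumber": f"urn:uuid:{uuid.uuid4()}",
            "metadata": {"timestamp": datetime.now(timezone.utc).isoformat()},
            "components": comps, "dependencies": deps}

def spdx_relationships(pkgs):
    """SPDX 2.3 relationships: each binary package is GENERATED_FROM its source package.
    SPDX IDs allow only [A-Za-z0-9.-], so '+', '~' and ':' in versions are replaced."""
    sid = lambda s: "SPDXRef-" + re.sub(r"[^A-Za-z0-9.-]", "-", s)
    return [{"spdxElementId": sid("bin-" + p["Package"]),
             "relationshipType": "GENERATED_FROM",
             "relatedSpdxElement": sid("src-%s-%s" % source_of(p))}
            for p in installed(pkgs)]
```

Run `cyclonedx(parse_status(open("/var/lib/dpkg/status").read()))` against an extracted rootfs to get a document you can feed to `json.dumps`; dependencies that point outside the installed set (here `libgcc-s1`) are dropped rather than emitted as dangling `bom-ref`s, which is what most CycloneDX validators reject.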