public inbox for isar-users@googlegroups.com
From: "'Christoph Steiger' via isar-users" <isar-users@googlegroups.com>
To: isar-users@googlegroups.com
Cc: jan.kiszka@siemens.com, felix.moessbauer@siemens.com,
	gernot.hillier@siemens.com, cedric.hombourger@siemens.com,
	Christoph Steiger <christoph.steiger@siemens.com>
Subject: [PATCH 0/3] Add SBOM generation with debsbom
Date: Tue,  9 Sep 2025 10:05:25 +0200
Message-ID: <20250909080528.95765-1-christoph.steiger@siemens.com>

This patchset adds proper SBOM generation in the two standard formats
SPDX and CycloneDX during the rootfs generation process.

The generation itself is handled by a SBOM generator `debsbom` [1]
which is developed as an open source project at Siemens. It is still
early in development, but it has enough features for what we require
in isar. The required dependencies which are not yet available as
Debian packages were minimally packaged directly in isar too.

This is a followup of the previous RFC [2]. Since then the series has
changed a lot. The SBOM generation was moved from a simple OE lib to
`debsbom`. This also meant the introduction of a separate chroot was
necessary. The SBOM generation process was also moved from the image
step to the rootfs step, along with a lot of minor changes and
improvements.

[1] https://github.com/siemens/debsbom
[2] https://groups.google.com/g/isar-users/c/8L-CF4BJY0I/m/p0N3o_zfAAAJ


Christoph Steiger (3):
  meta: package python libraries for SBOM generation
  meta: package python3-debsbom
  meta: add SBOM generation with debsbom

 meta/classes/image.bbclass                    |  2 +-
 meta/classes/rootfs.bbclass                   |  6 +-
 meta/classes/sbom.bbclass                     | 60 +++++++++++++++++++
 meta/classes/sdk.bbclass                      |  2 +-
 .../sbom-chroot/sbom-chroot.bb                | 31 ++++++++++
 .../python3-beartype/files/rules              |  8 +++
 .../python3-beartype_0.19.0.bb                | 29 +++++++++
 .../files/pybuild.testfiles                   |  1 +
 .../python3-cyclonedx-python-lib/files/rules  |  8 +++
 .../python3-cyclonedx-python-lib_9.1.0.bb     | 56 +++++++++++++++++
 ...icense-description-in-pyproject.toml.patch | 28 +++++++++
 .../python3-debsbom/files/rules               |  8 +++
 .../python3-debsbom/python3-debsbom_0.0.1.bb  | 54 +++++++++++++++++
 .../python3-packageurl-python/files/rules     |  8 +++
 .../python3-packageurl-python_0.16.0.bb       | 33 ++++++++++
 .../python3-py-serializable/files/rules       |  8 +++
 .../python3-py-serializable_2.0.0.bb          | 42 +++++++++++++
 .../python3-spdx-tools/files/rules            | 25 ++++++++
 .../python3-spdx-tools_0.8.3.bb               | 56 +++++++++++++++++
 19 files changed, 462 insertions(+), 3 deletions(-)
 create mode 100644 meta/classes/sbom.bbclass
 create mode 100644 meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
 create mode 100644 meta/recipes-support/python3-beartype/files/rules
 create mode 100644 meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb
 create mode 100644 meta/recipes-support/python3-cyclonedx-python-lib/files/pybuild.testfiles
 create mode 100644 meta/recipes-support/python3-cyclonedx-python-lib/files/rules
 create mode 100644 meta/recipes-support/python3-cyclonedx-python-lib/python3-cyclonedx-python-lib_9.1.0.bb
 create mode 100644 meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch
 create mode 100644 meta/recipes-support/python3-debsbom/files/rules
 create mode 100644 meta/recipes-support/python3-debsbom/python3-debsbom_0.0.1.bb
 create mode 100644 meta/recipes-support/python3-packageurl-python/files/rules
 create mode 100644 meta/recipes-support/python3-packageurl-python/python3-packageurl-python_0.16.0.bb
 create mode 100644 meta/recipes-support/python3-py-serializable/files/rules
 create mode 100644 meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb
 create mode 100644 meta/recipes-support/python3-spdx-tools/files/rules
 create mode 100644 meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb

-- 
2.39.5


Thread overview: 6+ messages
2025-09-09  8:05 'Christoph Steiger' via isar-users [this message]
2025-09-09  8:05 ` [PATCH 1/3] meta: package python libraries for SBOM generation 'Christoph Steiger' via isar-users
2025-09-09  8:05 ` [PATCH 2/3] meta: package python3-debsbom 'Christoph Steiger' via isar-users
2025-09-09  8:19   ` 'Christoph Steiger' via isar-users
2025-09-09  8:05 ` [PATCH 3/3] meta: add SBOM generation with debsbom 'Christoph Steiger' via isar-users
2025-09-11 10:07   ` 'MOESSBAUER, Felix' via isar-users
