From: "'Christoph Steiger' via isar-users"
To: isar-users@googlegroups.com
Cc: jan.kiszka@siemens.com, felix.moessbauer@siemens.com, gernot.hillier@siemens.com, cedric.hombourger@siemens.com, Christoph Steiger
Subject: [PATCH 0/3] Add SBOM generation with debsbom
Date: Tue, 9 Sep 2025 10:05:25 +0200
Message-Id: <20250909080528.95765-1-christoph.steiger@siemens.com>

This patchset adds proper SBOM generation in the two standard formats
SPDX and CycloneDX during the rootfs generation process. The generation
itself is handled by a SBOM generator `debsbom` [1] which is developed
as an open source project at Siemens. It is still early in development,
but it has enough features for what we require in isar. The required
dependencies which are not yet available as Debian packages were
minimally packaged directly in isar too.

This is a follow-up of the previous RFC [2]. Since then the series has
changed a lot. The SBOM generation was moved from a simple OE lib to
`debsbom`. This also meant the introduction of a separate chroot was
necessary. The SBOM generation process was also moved from the image
step to the rootfs step, along with a lot of minor changes and
improvements.

[1] https://github.com/siemens/debsbom
[2] https://groups.google.com/g/isar-users/c/8L-CF4BJY0I/m/p0N3o_zfAAAJ

Christoph Steiger (3):
  meta: package python libraries for SBOM generation
  meta: package python3-debsbom
  meta: add SBOM generation with debsbom

 meta/classes/image.bbclass                    |  2 +-
 meta/classes/rootfs.bbclass                   |  6 +-
 meta/classes/sbom.bbclass                     | 60 +++++++++++++++++++
 meta/classes/sdk.bbclass                      |  2 +-
 .../sbom-chroot/sbom-chroot.bb                | 31 ++++++++++
 .../python3-beartype/files/rules              |  8 +++
 .../python3-beartype_0.19.0.bb                | 29 +++++++++
 .../files/pybuild.testfiles                   |  1 +
 .../python3-cyclonedx-python-lib/files/rules  |  8 +++
 .../python3-cyclonedx-python-lib_9.1.0.bb     | 56 +++++++++++++++++
 ...icense-description-in-pyproject.toml.patch | 28 +++++++++
 .../python3-debsbom/files/rules               |  8 +++
 .../python3-debsbom/python3-debsbom_0.0.1.bb  | 54 +++++++++++++++++
 .../python3-packageurl-python/files/rules     |  8 +++
 .../python3-packageurl-python_0.16.0.bb       | 33 ++++++++++
 .../python3-py-serializable/files/rules       |  8 +++
 .../python3-py-serializable_2.0.0.bb          | 42 +++++++++++++
 .../python3-spdx-tools/files/rules            | 25 ++++++++
 .../python3-spdx-tools_0.8.3.bb               | 56 +++++++++++++++++
 19 files changed, 462 insertions(+), 3 deletions(-)
 create mode 100644 meta/classes/sbom.bbclass
 create mode 100644 meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
 create mode 100644 meta/recipes-support/python3-beartype/files/rules
 create mode 100644 meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb
 create mode 100644 meta/recipes-support/python3-cyclonedx-python-lib/files/pybuild.testfiles
 create mode 100644 meta/recipes-support/python3-cyclonedx-python-lib/files/rules
 create mode 100644 meta/recipes-support/python3-cyclonedx-python-lib/python3-cyclonedx-python-lib_9.1.0.bb
 create mode 100644 meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch
 create mode 100644 meta/recipes-support/python3-debsbom/files/rules
 create mode 100644 meta/recipes-support/python3-debsbom/python3-debsbom_0.0.1.bb
 create mode 100644 meta/recipes-support/python3-packageurl-python/files/rules
 create mode 100644 meta/recipes-support/python3-packageurl-python/python3-packageurl-python_0.16.0.bb
 create mode 100644 meta/recipes-support/python3-py-serializable/files/rules
 create mode 100644 meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb
 create mode 100644 meta/recipes-support/python3-spdx-tools/files/rules
 create mode 100644 meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb

--
2.39.5