From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from shymkent.ilbers.de ([unix socket]) by shymkent (Cyrus 2.5.10-Debian-2.5.10-3+deb9u2) with LMTPA; Wed, 17 Sep 2025 08:33:55 +0200 X-Sieve: CMU Sieve 2.4 Received: from mail-wm1-f55.google.com (mail-wm1-f55.google.com [209.85.128.55]) by shymkent.ilbers.de (8.15.2/8.15.2/Debian-8+deb9u1) with ESMTPS id 58H6XsDp022723 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Wed, 17 Sep 2025 08:33:54 +0200 Received: by mail-wm1-f55.google.com with SMTP id 5b1f17b1804b1-45f2d7bf37csf1953645e9.1 for ; Tue, 16 Sep 2025 23:33:54 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1758090829; cv=pass; d=google.com; s=arc-20240605; b=Z11kpvMq0ONWVbop/ARMoYyO4Z7//CrHuP/vV+u9reO51pT++pzE3yEHI2DlHZjBb7 WSzvTQ3XkoHhEjY3PaRNsjhgUBJ1+T/UH1Er27Ua+meB/W06wa88T8rg3P7/Yu/6dcIK C53nUGkoNSQX3EbN9ESIubFaeHAaEILnQqPBnp7rLg41+zlTA7tnjzR/l4As34yN+V5u mqdDF6c8SgOTbiAkwCXYUmZia6z0ecIjk78WGunCUSDjx+Jph7Gr4HfbuZ9yX3k4V6Ef DJtAhEF2MtdAvskxkF6COHmTLgmTBAOmp2lk+lGwYDjV1xzYD4JlANWQl9i5fSHX2bVa lNHQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to:feedback-id:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=Lt6vEYZNnOsVhXgk4xIhDt5Re0h+JHkRsFxoT7JSs2k=; fh=ba8UwnreTdm8Zy5ydDVf/4cY6gculgropPTm/IwvuiM=; b=eeQnxVS0NnmVxyTfpNXn48YzBqOhAJ/EqG8KtK8niVq4WpSPuwGnZAynCaNHGKeSKt AQuOBifuFneawhYa7iE6xzDNk8E50FCE17EzOw/Vp67fVBAfNawXwJX8fg95vjDKSbvv s6BYCSON+CYVXVhjaxWK1v192ArbfyQxu4ZI5q6W9ETeYUJQ6qbjMe0qsyZIC40h+ShS y5FyqLDWcHU+tlHCISqcezZrHp4lbfL2OyGWIrC6bUQgSrfxJ3pz5HpaymCl5cgK7lGw gNlnKJga+R3vR34scatRuitEEu5/RhVTtBmWIS1ViulZR58h5hvGWC1Sk5E75RerQQf9 IDnA==; darn=ilbers.de ARC-Authentication-Results: i=2; gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=fm1 header.b=MwqQhiz5; spf=pass (google.com: domain of fm-1328957-2025091706334438955e5254000207a6-rzpeox@rts-flowmailer.siemens.com designates 185.136.65.225 as permitted sender) smtp.mailfrom=fm-1328957-2025091706334438955e5254000207a6-RZpeOx@rts-flowmailer.siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20230601; t=1758090829; x=1758695629; darn=ilbers.de; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:feedback-id :mime-version:message-id:date:subject:cc:to:from:from:to:cc:subject :date:message-id:reply-to; bh=Lt6vEYZNnOsVhXgk4xIhDt5Re0h+JHkRsFxoT7JSs2k=; b=cXoq3Qf91nQc1jbtv/cj2UVHkL3kjFk4X80qVNyQ+YlWBsH3M167Vl4QGCp/vAKu8/ V5pfGrx5BPNrxa20n2LJcGvADa6Lh0WUpmTHOWmouQY/9t5EWw+IH/thShrg0NM8jgU/ ZgpQXrLy9nJd5Oaj3a2Bb5JAc+iuT+2dUvJoDoNJb5eweEKsFiaUIr867NuPQo6Y7Gs7 I9TAvDmfRfHRzfiKvktPI2GgdXGao4m+TifGneMEScRqMTLp0pxIEhLMlQGLc7cQtm7i 4kPsz5w+UqZrJmlD5dxTttc62GopwxYi/D54eGS7JhUiVOs+ageNcoaOSBk1texS9LQm jcCw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1758090829; x=1758695629; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :x-spam-checked-in-group:list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:feedback-id :mime-version:message-id:date:subject:cc:to:from:x-beenthere :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=Lt6vEYZNnOsVhXgk4xIhDt5Re0h+JHkRsFxoT7JSs2k=; b=m07XP4vS5OWsToOEfxKQC6MVcEL3NIj6IhEgzNc+GsYzslsEtxlP0Tv5U2HO2KtEx6 xioBu5tlvwJlGCofnfBGXXhnEu8FhWP+UYR1lhES/mHc039OK9Z3Ke/9y+H56Uvviq/6 dSK79okoZWs4AYWVoWopuLtdO92UAgDgz7l4r8VToeQ5Cp+VQht97fDWTs7PLt4lWcJA lzt69JqsbPuCCbKnU7wfdAMrCUVSbgZkNSH2tF39dsalhKF5jiy8fiB9bJLMv9KuVVgn Xxo+WyJUcbf3JRqatFw5jXcbkJR8ES80d1LG31TF7etc3cNAzI5YOs0ZT4mKDo24fhPi 9dDQ== X-Forwarded-Encrypted: i=2; AJvYcCUovaBLXkWB+J/dbcqpWIisfJTUV8M9U5G7hjj0Eem/Z17NRmynY9cbmvk2dSLfs4RVFSZx@ilbers.de X-Gm-Message-State: AOJu0Yy6NidvRKQXe80SCbPUJvE+s6wCWoYFwiKgn0/RV8viEqV4CjWL GAA79vZC3I3KY3j7YQDp9ZLdCl5dd8riozSR9crpaiOQ53AetktVEXPB X-Google-Smtp-Source: AGHT+IEQucUcj6jAm6yvJboyIxIjl8y8TS0tAtdhxZnfA4d4QW4BII0rOT+Bl0vzFHxf6uk+K/UalA== X-Received: by 2002:a05:600c:3b84:b0:45d:ec41:e0d2 with SMTP id 5b1f17b1804b1-462058f2b32mr4191325e9.3.1758090828229; Tue, 16 Sep 2025 23:33:48 -0700 (PDT) X-BeenThere: isar-users@googlegroups.com; h=ARHlJd4QEhmtqUg2YIuq2Itp0iCKukOoXuNTELD0wXNi/xGQsA== Received: by 2002:a05:600c:64c6:b0:456:241d:50bd with SMTP id 5b1f17b1804b1-4603b053f7els9385525e9.2.-pod-prod-04-eu; Tue, 16 Sep 2025 23:33:45 -0700 (PDT) X-Received: by 2002:a05:600c:45d1:b0:45d:d9ab:b86d with SMTP id 5b1f17b1804b1-46207d636demr6789215e9.31.1758090825644; Tue, 16 Sep 2025 23:33:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1758090825; cv=none; d=google.com; s=arc-20240605; b=hj5L5y60CEkZ8w6AWjjFyllOCRISvR7n3ar5wH4j8nWffPI/RPxS70tPEVHuvNy9yR 70HvZv9Q8tqezJmp9BV6LIkfQSCQtJ4SzlghSqp36eZJwBCStdWBY78YoOTQFidArkFx 15lFM0kQnrJ8cMACHSsghS89Dft7goHHOxX9tI8nRv++MSoEKVrSPWzE+trA1RsfI/yT LrEBaJJ0L16I3kr4DVVsS99TisObqZTIL6rBZfeG/mdRYswbWr+4Ck5VJHwbQr76bRHy oVzgjWIQghg4NmzHStrVVc7f4GJRx/4nq9rFAEnjhJubrsNGFb2wcDuUTyyiVwT5bk3n trEQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=feedback-id:content-transfer-encoding:mime-version:message-id:date :subject:cc:to:from:dkim-signature; bh=tUnbV40SrQU2GXXnITaeaXAJgy3ovKB9vOaKa1627ks=; fh=eiYcjuc0Ff+maEd84O/+qg+73FB83bid0hUx0HldS7s=; b=YHDy9nU8btnJxEUCxe+x6c7cgikaX3pf3vyIeGcYA9OCBnV6B3vfxtqAFQci+1iWFx I/NTjIXBeJKxOMiK2krAwKygrARVb4E9WvasRE2qtiZTk2U1tVVNpnG/b36FiCk937ud b+eNTA/U6QZShcmkMO1amM7ZFd5DADRDBcLslr9PWE1wmxsdisEvIIcBHAZNCPw+WJjl gpMfnful+R2FxLWGzctqkBfdnrfci2yNzc8kBZ3F8fInwUwY7phHBYXLpVtTT6YiAGlZ dOvykG0mtGwyweoWQqUX2UDCsiv3QhXgxfi3Hh2tTVhEp8+Wc1w4MsLDaFIV3mUQL/LB fTAw==; dara=google.com ARC-Authentication-Results: i=1; gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=fm1 header.b=MwqQhiz5; spf=pass (google.com: domain of fm-1328957-2025091706334438955e5254000207a6-rzpeox@rts-flowmailer.siemens.com designates 185.136.65.225 as permitted sender) smtp.mailfrom=fm-1328957-2025091706334438955e5254000207a6-RZpeOx@rts-flowmailer.siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net. [185.136.65.225]) by gmr-mx.google.com with ESMTPS id 5b1f17b1804b1-4607aaf8226si469975e9.1.2025.09.16.23.33.45 for (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 16 Sep 2025 23:33:45 -0700 (PDT) Received-SPF: pass (google.com: domain of fm-1328957-2025091706334438955e5254000207a6-rzpeox@rts-flowmailer.siemens.com designates 185.136.65.225 as permitted sender) client-ip=185.136.65.225; Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 2025091706334438955e5254000207a6 for ; Wed, 17 Sep 2025 08:33:44 +0200 From: "'Christoph Steiger' via isar-users" To: isar-users@googlegroups.com Cc: jan.kiszka@siemens.com, felix.moessbauer@siemens.com, gernot.hillier@siemens.com, cedric.hombourger@siemens.com, Christoph Steiger Subject: [PATCH v2 0/4] Add SBOM generation with debsbom Date: Wed, 17 Sep 2025 08:33:11 +0200 Message-Id: <20250917063314.44769-1-christoph.steiger@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-1328957:519-21489:flowmailer X-Original-Sender: christoph.steiger@siemens.com X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=fm1 header.b=MwqQhiz5; spf=pass (google.com: domain of fm-1328957-2025091706334438955e5254000207a6-rzpeox@rts-flowmailer.siemens.com designates 185.136.65.225 as permitted sender) smtp.mailfrom=fm-1328957-2025091706334438955e5254000207a6-RZpeOx@rts-flowmailer.siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com X-Original-From: Christoph Steiger Reply-To: Christoph Steiger Content-Type: text/plain; charset="UTF-8" Precedence: list Mailing-list: list isar-users@googlegroups.com; contact isar-users+owners@googlegroups.com List-ID: X-Spam-Checked-In-Group: isar-users@googlegroups.com X-Google-Group-Id: 914930254986 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Status: No, score=-4.9 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI, RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H2,RCVD_IN_RP_CERTIFIED, RCVD_IN_RP_RNBL,RCVD_IN_RP_SAFE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on shymkent.ilbers.de X-TUID: /L3Jz9vW51gv This patchset adds proper SBOM generation in the two standard formats SPDX and CycloneDX during the rootfs generation process. The generation is itself is handled by a SBOM generator `debsbom` [1] which is developed as an open source project at Siemens. It is still early in development, but it has enough features for what we require in isar. The required dependencies which are not yet available as Debian packages were minimally packaged directly in isar too. This is a followup of the previous RFC [2]. Since then the series has changed a lot. The SBOM generation was moved from a simple OE lib to `debsbom`. This also meant the introduction of a separate chroot was necessary. The SBOM generation process was also moved from the image step to the rootfs step, along with a lot of minor changes and improvements. [1] https://github.com/siemens/debsbom [2] https://groups.google.com/g/isar-users/c/8L-CF4BJY0I/m/p0N3o_zfAAAJ Changes since v1: - remove tarball - refactor packaging (auto-derive python dependencies) - only build missing packages (varies on bookworm, trixie, noble) - add ubuntu support - only generate sboms for supported distributions (bookworm/jammy and onwards) - update debsbom (includes bug fixes and more information for source packages) Christoph Steiger (3): meta: package python libraries for SBOM generation meta: package python3-debsbom meta: add SBOM generation with debsbom Felix Moessbauer (1): override distro vendor in SBOM on Ubuntu meta-isar/conf/distro/ubuntu-common.inc | 2 + meta/classes/image.bbclass | 8 ++- meta/classes/rootfs.bbclass | 7 ++- meta/classes/sbom.bbclass | 62 +++++++++++++++++++ meta/classes/sdk.bbclass | 2 +- .../sbom-chroot/sbom-chroot.bb | 30 +++++++++ .../python3-beartype/files/rules | 8 +++ .../python3-beartype_0.19.0.bb | 29 +++++++++ .../files/pybuild.testfiles | 1 + .../python3-cyclonedx-lib/files/rules | 8 +++ .../python3-cyclonedx-lib_9.1.0.bb | 48 ++++++++++++++ ...icense-description-in-pyproject.toml.patch | 28 +++++++++ .../python3-debsbom/files/rules | 8 +++ .../python3-debsbom/python3-debsbom_0.0.1.bb | 44 +++++++++++++ .../python3-packageurl/files/rules | 8 +++ .../python3-packageurl_0.16.0.bb | 33 ++++++++++ .../python3-py-serializable/files/rules | 8 +++ .../python3-py-serializable_2.0.0.bb | 38 ++++++++++++ .../python3-spdx-tools/files/rules | 25 ++++++++ .../python3-spdx-tools_0.8.3.bb | 46 ++++++++++++++ 20 files changed, 440 insertions(+), 3 deletions(-) create mode 100644 meta/classes/sbom.bbclass create mode 100644 meta/recipes-devtools/sbom-chroot/sbom-chroot.bb create mode 100644 meta/recipes-support/python3-beartype/files/rules create mode 100644 meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/pybuild.testfiles create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/rules create mode 100644 meta/recipes-support/python3-cyclonedx-lib/python3-cyclonedx-lib_9.1.0.bb create mode 100644 meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch create mode 100644 meta/recipes-support/python3-debsbom/files/rules create mode 100644 meta/recipes-support/python3-debsbom/python3-debsbom_0.0.1.bb create mode 100644 meta/recipes-support/python3-packageurl/files/rules create mode 100644 meta/recipes-support/python3-packageurl/python3-packageurl_0.16.0.bb create mode 100644 meta/recipes-support/python3-py-serializable/files/rules create mode 100644 meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb create mode 100644 meta/recipes-support/python3-spdx-tools/files/rules create mode 100644 meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb -- 2.39.5 -- You received this message because you are subscribed to the Google Groups "isar-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/isar-users/20250917063314.44769-1-christoph.steiger%40siemens.com.