From: "'Christoph Steiger' via isar-users"
To: isar-users@googlegroups.com
Cc: jan.kiszka@siemens.com, felix.moessbauer@siemens.com, gernot.hillier@siemens.com, cedric.hombourger@siemens.com, Christoph Steiger
Subject: [PATCH v2 3/4] meta: add SBOM generation with debsbom
Date: Wed, 17 Sep 2025 08:33:13 +0200
Message-Id: <20250917063314.44769-3-christoph.steiger@siemens.com>
In-Reply-To: <20250917063314.44769-1-christoph.steiger@siemens.com>
References: <20250917063314.44769-1-christoph.steiger@siemens.com>

Generate SBOMs for every rootfs that is created. These SBOMs are placed in the image deploy directory.
For the generation a small chroot with debsbom installed is created and from that the rootfs of the image is scanned. The sbom generation is bound to the rootfs feature `generate-sbom` which is activated per default now. Signed-off-by: Christoph Steiger Signed-off-by: Felix Moessbauer --- meta/classes/image.bbclass | 8 ++- meta/classes/rootfs.bbclass | 7 ++- meta/classes/sbom.bbclass | 62 +++++++++++++++++++ meta/classes/sdk.bbclass | 2 +- .../sbom-chroot/sbom-chroot.bb | 30 +++++++++ 5 files changed, 106 insertions(+), 3 deletions(-) create mode 100644 meta/classes/sbom.bbclass create mode 100644 meta/recipes-devtools/sbom-chroot/sbom-chroot.bb diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass index bd1b8552..220f5aa3 100644 --- a/meta/classes/image.bbclass +++ b/meta/classes/image.bbclass @@ -66,7 +66,13 @@ inherit multiarch inherit essential ROOTFSDIR = "${IMAGE_ROOTFS}" -ROOTFS_FEATURES += "clean-package-cache clean-pycache generate-manifest export-dpkg-status clean-log-files clean-debconf-cache" +ROOTFS_FEATURES += "clean-package-cache clean-pycache generate-manifest export-dpkg-status clean-log-files clean-debconf-cache generate-sbom" +# only supported from bookworm / jammy on +ROOTFS_FEATURES:remove:buster = "generate-sbom" +ROOTFS_FEATURES:remove:bullseye = "generate-sbom" +ROOTFS_FEATURES:remove:jammy = "generate-sbom" +ROOTFS_FEATURES:remove:focal = "generate-sbom" + # when using a custom initrd, do not generate one as part of the image rootfs ROOTFS_FEATURES += "${@ '' if d.getVar('INITRD_IMAGE') == '' else 'no-generate-initrd'}" ROOTFS_PACKAGES += "${IMAGE_PREINSTALL} ${@isar_multiarch_packages('IMAGE_INSTALL', d)}" diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass index 7b7859b9..98f5b24c 100644 --- a/meta/classes/rootfs.bbclass +++ b/meta/classes/rootfs.bbclass @@ -3,6 +3,8 @@ inherit deb-dl-dir +inherit sbom + ROOTFS_ARCH ?= "${DISTRO_ARCH}" ROOTFS_DISTRO ?= "${DISTRO}" ROOTFS_PACKAGES ?= "" 
@@ -350,6 +352,9 @@ cache_dbg_pkgs() { fi } +# The sbom generator needs the apt-cache, hence run before cleaning it +ROOTFS_POSTPROCESS_COMMAND += "${@bb.utils.contains('ROOTFS_FEATURES', 'generate-sbom', 'do_generate_sbom', '', d)}" + ROOTFS_POSTPROCESS_COMMAND += "${@bb.utils.contains('ROOTFS_FEATURES', 'clean-package-cache', 'rootfs_postprocess_clean_package_cache', '', d)}" rootfs_postprocess_clean_package_cache() { sudo -E chroot '${ROOTFSDIR}' \ @@ -512,7 +517,7 @@ python do_rootfs() { } addtask rootfs before do_build -do_rootfs_postprocess[depends] = "base-apt:do_cache isar-apt:do_cache_config" +do_rootfs_postprocess[depends] = "base-apt:do_cache isar-apt:do_cache_config ${@bb.utils.contains('ROOTFS_FEATURES', 'generate-sbom', 'sbom-chroot:do_sbomchroot_deploy', '', d)}" SSTATETASKS += "do_rootfs_install" SSTATECREATEFUNCS += "rootfs_install_sstate_prepare" diff --git a/meta/classes/sbom.bbclass b/meta/classes/sbom.bbclass new file mode 100644 index 00000000..60c89877 --- /dev/null +++ b/meta/classes/sbom.bbclass 
@@ -0,0 +1,62 @@ +# This software is a part of ISAR. +# Copyright (C) 2025 Siemens +# +# SPDX-License-Identifier: MIT + +# sbom type to generate, accepted are "cdx" or "spdx" +SBOM_TYPES ?= "spdx cdx" + +SBOM_DEBSBOM_TYPE_ARGS = "${@"-t " + " -t ".join(d.getVar("SBOM_TYPES").split())}" + +# general user variables +SBOM_DISTRO_SUPPLIER ?= "ISAR" +SBOM_DISTRO_NAME ?= "ISAR-Debian-GNU-Linux" +SBOM_DISTRO_VERSION ?= "1" +SBOM_DISTRO_SUMMARY ?= "Linux distribution built with ISAR" +SBOM_BASE_DISTRO_VENDOR ??= "debian" +SBOM_DOCUMENT_UUID ?= "" + +# SPDX specific user variables +SBOM_SPDX_NAMESPACE_PREFIX ?= "https://spdx.org/spdxdocs" + +DEPLOY_DIR_SBOM = "${DEPLOY_DIR_IMAGE}" + +SBOM_DIR = "${DEPLOY_DIR}/sbom" +SBOM_CHROOT = "${SBOM_DIR}/sbom-chroot" + +# adapted from the isar-cip-core image_uuid.bbclass +def generate_document_uuid(d): + import uuid + + base_hash = d.getVar("BB_TASKHASH") + if base_hash is None: + bb.warn("no BB_TASKHASH available, SBOM UUID is not reproducible") + return uuid.uuid4() + return str(uuid.UUID(base_hash[:32], version=4)) + +def sbom_doc_uuid(d): + if not d.getVar("SBOM_DOCUMENT_UUID"): + d.setVar("SBOM_DOCUMENT_UUID", generate_document_uuid(d)) + +generate_sbom() { + sudo mkdir -p ${SBOM_CHROOT}/mnt/rootfs ${SBOM_CHROOT}/mnt/deploy-dir + + TIMESTAMP=$(date --iso-8601=s -d @${SOURCE_DATE_EPOCH}) + bwrap \ + --unshare-user \ + --unshare-pid \ + --bind ${SBOM_CHROOT} / \ + --bind ${ROOTFSDIR} /mnt/rootfs \ + --bind ${DEPLOY_DIR_SBOM} /mnt/deploy-dir \ + -- debsbom generate ${SBOM_DEBSBOM_TYPE_ARGS} -r /mnt/rootfs -o /mnt/deploy-dir/'${PN}-${DISTRO}-${MACHINE}' \ + --distro-name '${SBOM_DISTRO_NAME}' --distro-supplier '${SBOM_DISTRO_SUPPLIER}' \ + --distro-version '${SBOM_DISTRO_VERSION}' --base-distro-vendor '${SBOM_BASE_DISTRO_VENDOR}' \ + --cdx-serialnumber '${SBOM_DOCUMENT_UUID}' \ + --spdx-namespace '${SBOM_SPDX_NAMESPACE_PREFIX}'-'${SBOM_DOCUMENT_UUID}' \ + --timestamp $TIMESTAMP +} + +python do_generate_sbom() { + sbom_doc_uuid(d) + 
bb.build.exec_func("generate_sbom", d) +} diff --git a/meta/classes/sdk.bbclass b/meta/classes/sdk.bbclass index 46436d97..644b0623 100644 --- a/meta/classes/sdk.bbclass +++ b/meta/classes/sdk.bbclass @@ -55,7 +55,7 @@ def get_rootfs_distro(d): ROOTFS_ARCH:class-sdk = "${HOST_ARCH}" ROOTFS_DISTRO:class-sdk = "${@get_rootfs_distro(d)}" ROOTFS_PACKAGES:class-sdk = "sdk-files ${SDK_TOOLCHAIN} ${SDK_PREINSTALL} ${@isar_multiarch_packages('SDK_INSTALL', d)}" -ROOTFS_FEATURES:append:class-sdk = " clean-package-cache generate-manifest export-dpkg-status" +ROOTFS_FEATURES:append:class-sdk = " clean-package-cache generate-manifest export-dpkg-status generate-sbom" ROOTFS_MANIFEST_DEPLOY_DIR:class-sdk = "${DEPLOY_DIR_SDKCHROOT}" ROOTFS_DPKGSTATUS_DEPLOY_DIR:class-sdk = "${DEPLOY_DIR_SDKCHROOT}" diff --git a/meta/recipes-devtools/sbom-chroot/sbom-chroot.bb b/meta/recipes-devtools/sbom-chroot/sbom-chroot.bb new file mode 100644 index 00000000..a9afcbbe --- /dev/null +++ b/meta/recipes-devtools/sbom-chroot/sbom-chroot.bb 
@@ -0,0 +1,30 @@ +# This software is a part of ISAR. +# +# Copyright (C) 2025 Siemens + +LICENSE = "gpl-2.0" +LIC_FILES_CHKSUM = "file://${LAYERDIR_core}/licenses/COPYING.GPLv2;md5=751419260aa954499f7abaabaa882bbe" + +PV = "1.0" + +inherit rootfs + +ROOTFS_ARCH = "${HOST_ARCH}" +ROOTFS_DISTRO = "${HOST_DISTRO}" +ROOTFS_BASE_DISTRO = "${HOST_BASE_DISTRO}" + +ROOTFS_FEATURES = "no-generate-initrd" + +# additional packages for the SBOM chroot +SBOM_IMAGE_INSTALL = "python3-debsbom" + +DEPENDS = "python3-debsbom" + +ROOTFSDIR = "${WORKDIR}/rootfs" +ROOTFS_PACKAGES = "${SBOM_IMAGE_INSTALL}" + +do_sbomchroot_deploy[dirs] = "${SBOM_DIR}" +do_sbomchroot_deploy() { + ln -Tfsr "${ROOTFSDIR}" "${SBOM_CHROOT}" +} +addtask do_sbomchroot_deploy before do_build after do_rootfs -- 2.39.5 -- You received this message because you are subscribed to the Google Groups "isar-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/isar-users/20250917063314.44769-3-christoph.steiger%40siemens.com.
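Review bot: in the image.bbclass hunk the comment "only supported from bookworm / jammy on" contradicts the override right below it, `ROOTFS_FEATURES:remove:jammy = "generate-sbom"`, which disables the feature on jammy. Either the comment should say the feature is only enabled from bookworm / noble on, or the jammy remove line should go; as written, a reader cannot tell which distro list is intended.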
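Review bot: in the rootfs.bbclass postprocess hunk, `do_generate_sbom` is appended to ROOTFS_POSTPROCESS_COMMAND ahead of `rootfs_postprocess_clean_package_cache` purely by textual order, and the comment "needs the apt-cache, hence run before cleaning it" documents that dependency only here. A layer that prepends its own `clean-package-cache` step, or reorders ROOTFS_FEATURES handling, would silently produce an SBOM from an emptied cache; consider having `generate_sbom` fail loudly if the package cache it expects is absent, or state the ordering requirement in sbom.bbclass next to the function.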
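Review bot: in the sbom.bbclass hunk, `generate_document_uuid()` returns inconsistent types: the fallback path does `return uuid.uuid4()` (a `uuid.UUID` object) while the normal path does `return str(uuid.UUID(base_hash[:32], version=4))`. `sbom_doc_uuid()` then passes the result straight to `d.setVar("SBOM_DOCUMENT_UUID", ...)`, so on the fallback path a non-string ends up in the datastore and is later expanded into the `--cdx-serialnumber` and `--spdx-namespace` arguments; wrap the fallback in `str(...)` as well. Two smaller points in the same hunk: `TIMESTAMP=$(date --iso-8601=s -d @${SOURCE_DATE_EPOCH})` breaks with an unhelpful `date` error when SOURCE_DATE_EPOCH is unset, and the `bwrap` invocation introduces a host-tool requirement that nothing in this patch declares or checks for.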
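Review bot: in the sdk.bbclass hunk, `generate-sbom` is appended for `class-sdk`, but unlike the two lines that follow it (`ROOTFS_MANIFEST_DEPLOY_DIR:class-sdk` and `ROOTFS_DPKGSTATUS_DEPLOY_DIR:class-sdk`, both pointing at DEPLOY_DIR_SDKCHROOT) there is no `DEPLOY_DIR_SBOM:class-sdk` override, so the SDK SBOM is written to DEPLOY_DIR_IMAGE under the same `${PN}-${DISTRO}-${MACHINE}` name pattern as the image SBOM and may overwrite it. Add `DEPLOY_DIR_SBOM:class-sdk = "${DEPLOY_DIR_SDKCHROOT}"` or give the SDK output a distinct name. Also worth checking: the per-distro `ROOTFS_FEATURES:remove` overrides in image.bbclass key on DISTRO, while the SDK rootfs uses `${@get_rootfs_distro(d)}`, so an SDK built on an older host distro may not be excluded the way the image is.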
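Review bot: in the sbom-chroot.bb hunk, `do_sbomchroot_deploy` publishes the chroot as a symlink (`ln -Tfsr "${ROOTFSDIR}" "${SBOM_CHROOT}"`) into `${WORKDIR}/rootfs`, so SBOM_CHROOT dangles as soon as the sbom-chroot WORKDIR is cleaned or rebuilt, and `generate_sbom` in sbom.bbclass only fails later inside `bwrap --bind ${SBOM_CHROOT} /` with an unrelated-looking error; either deploy a real copy or have the consumer verify the link target exists. Minor: the file header lacks the `SPDX-License-Identifier: MIT` line that sbom.bbclass in the same series carries.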