* [PATCH v5 00/10] Add SBOM generation with debsbom
@ 2025-11-24 11:46 'Felix Moessbauer' via isar-users
2025-11-24 11:46 ` [PATCH v5 01/10] refactor: move get_rootfs_distro from sdk into rootfs 'Felix Moessbauer' via isar-users
` (10 more replies)
0 siblings, 11 replies; 15+ messages in thread
From: 'Felix Moessbauer' via isar-users @ 2025-11-24 11:46 UTC (permalink / raw)
To: isar-users
Cc: christoph.steiger, cedric.hombourger, jan.kiszka,
quirin.gylstorff, Felix Moessbauer
This patchset adds proper SBOM generation in the two standard formats
SPDX and CycloneDX during the rootfs generation process.
The generation is itself is handled by a SBOM generator `debsbom` [1]
which is developed as an open source project at Siemens. It is still
early in development, but it has enough features for what we require
in isar. The required dependencies which are not yet available as
Debian packages were minimally packaged directly in isar too.
This is a followup of the previous RFC [2]. Since then the series has
changed a lot. The SBOM generation was moved from a simple OE lib to
`debsbom`. This also meant the introduction of a separate chroot was
necessary. The SBOM generation process was also moved from the image
step to the rootfs step, along with a lot of minor changes and
improvements.
[1] https://github.com/siemens/debsbom
[2] https://groups.google.com/g/isar-users/c/8L-CF4BJY0I/m/p0N3o_zfAAAJ
Changes since v4:
- rebased onto next
- fix race condition on creation of ${DEPLOY_DIR_SBOM} (aka ${DEPLOY_DIR_IMAGE})
Changes since v3:
- fix issue on external bullseye initramfs (we now disable sbom generation
on all unsupported distros rootfs instances)
- update debsbom to v0.4.0
- rebased onto next
Changes since v2:
- fix issues when HOST_ARCH != DISTRO_ARCH on derived distributions
- update debsbom to v0.3.0, which fixes the Origin: bug reported in v2
- generate SBOM for imager as well and create merged sbom of .wic image
- resend imager manifest + wic manifest patches to reduce conflicts
Note, that the patches p1-p5 are most important as they add basic SBOM
support. The remaining patches address the imager + .wic bom part,
which also can be merged later on.
Changes since v1:
- remove tarball
- refactor packaging (auto-derive python dependencies)
- only build missing packages (varies on bookworm, trixie, noble)
- add ubuntu support
- only generate sboms for supported distributions (bookworm/jammy and
onwards)
- update debsbom (includes bug fixes and more information for source
packages)
Christoph Steiger (3):
meta: package python libraries for SBOM generation
meta: package python3-debsbom
meta: add SBOM generation with debsbom
Felix Moessbauer (7):
refactor: move get_rootfs_distro from sdk into rootfs
override distro vendor in SBOM on Ubuntu
add support to add imager dependencies to BOM
wic: create uniform manifest describing all image components
qemuamd64: add IMAGER_BOM entries
imager: create SBOM of IMAGER_BOM packages
wic: create uniform SBOM describing all image components
doc/user_manual.md | 1 +
meta-isar/conf/distro/ubuntu-common.inc | 2 +
meta-isar/conf/machine/qemuamd64.conf | 1 +
meta/classes/image-tools-extension.bbclass | 29 +++++++++
meta/classes/image.bbclass | 7 ++
meta/classes/imagetypes_wic.bbclass | 30 +++++++++
meta/classes/initramfs.bbclass | 3 +-
meta/classes/rootfs.bbclass | 23 ++++++-
meta/classes/sbom.bbclass | 65 +++++++++++++++++++
meta/classes/sdk.bbclass | 10 +--
.../sbom-chroot/sbom-chroot.bb | 30 +++++++++
.../python3-beartype/files/rules | 8 +++
.../python3-beartype_0.19.0.bb | 29 +++++++++
.../files/pybuild.testfiles | 1 +
.../python3-cyclonedx-lib/files/rules | 8 +++
.../python3-cyclonedx-lib_9.1.0.bb | 48 ++++++++++++++
...icense-description-in-pyproject.toml.patch | 28 ++++++++
.../python3-debsbom/files/rules | 8 +++
.../python3-debsbom/python3-debsbom_0.4.0.bb | 45 +++++++++++++
.../python3-packageurl/files/rules | 8 +++
.../python3-packageurl_0.16.0.bb | 33 ++++++++++
.../python3-py-serializable/files/rules | 8 +++
.../python3-py-serializable_2.0.0.bb | 38 +++++++++++
.../python3-spdx-tools/files/rules | 25 +++++++
.../python3-spdx-tools_0.8.3.bb | 46 +++++++++++++
25 files changed, 523 insertions(+), 11 deletions(-)
create mode 100644 meta/classes/sbom.bbclass
create mode 100644 meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
create mode 100644 meta/recipes-support/python3-beartype/files/rules
create mode 100644 meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb
create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/pybuild.testfiles
create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/rules
create mode 100644 meta/recipes-support/python3-cyclonedx-lib/python3-cyclonedx-lib_9.1.0.bb
create mode 100644 meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch
create mode 100644 meta/recipes-support/python3-debsbom/files/rules
create mode 100644 meta/recipes-support/python3-debsbom/python3-debsbom_0.4.0.bb
create mode 100644 meta/recipes-support/python3-packageurl/files/rules
create mode 100644 meta/recipes-support/python3-packageurl/python3-packageurl_0.16.0.bb
create mode 100644 meta/recipes-support/python3-py-serializable/files/rules
create mode 100644 meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb
create mode 100644 meta/recipes-support/python3-spdx-tools/files/rules
create mode 100644 meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb
--
2.51.0
--
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20251124114638.2238090-1-felix.moessbauer%40siemens.com.
^ permalink raw reply [flat|nested] 15+ messages in thread
* [PATCH v5 01/10] refactor: move get_rootfs_distro from sdk into rootfs
2025-11-24 11:46 [PATCH v5 00/10] Add SBOM generation with debsbom 'Felix Moessbauer' via isar-users
@ 2025-11-24 11:46 ` 'Felix Moessbauer' via isar-users
2025-11-24 11:46 ` [PATCH v5 02/10] meta: package python libraries for SBOM generation 'Felix Moessbauer' via isar-users
` (9 subsequent siblings)
10 siblings, 0 replies; 15+ messages in thread
From: 'Felix Moessbauer' via isar-users @ 2025-11-24 11:46 UTC (permalink / raw)
To: isar-users
Cc: christoph.steiger, cedric.hombourger, jan.kiszka,
quirin.gylstorff, Felix Moessbauer
This helper is rootfs (not sdk) specific and can be re-used to reliably
compute the distro of a rootfs (also transient ones like the ones used
by sbuild). As the SDK always is included into a rootfs, we just move it
there and make it reusable.
Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
meta/classes/rootfs.bbclass | 9 +++++++++
meta/classes/sdk.bbclass | 8 --------
2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass
index e1179e61..c045bfc0 100644
--- a/meta/classes/rootfs.bbclass
+++ b/meta/classes/rootfs.bbclass
@@ -43,6 +43,15 @@ ROOTFS_PACKAGE_SUFFIX ?= "${PN}-${DISTRO}-${DISTRO_ARCH}"
# path to deploy stubbed versions of initrd update scripts during do_rootfs_install
ROOTFS_STUBS_DIR = "/usr/local/isar-sbin"
+# helper to compute the rootfs distro also under cross building
+def get_rootfs_distro(d):
+ host_arch = d.getVar('HOST_ARCH')
+ distro_arch = d.getVar('DISTRO_ARCH')
+ if host_arch == distro_arch:
+ return d.getVar('DISTRO')
+ else:
+ return d.getVar('HOST_DISTRO')
+
# Useful environment variables:
export E = "${@ isar_export_proxies(d)}"
export DEBIAN_FRONTEND = "noninteractive"
diff --git a/meta/classes/sdk.bbclass b/meta/classes/sdk.bbclass
index 46436d97..00cae0da 100644
--- a/meta/classes/sdk.bbclass
+++ b/meta/classes/sdk.bbclass
@@ -43,14 +43,6 @@ SDK_PREINSTALL += " \
devscripts \
equivs"
-def get_rootfs_distro(d):
- host_arch = d.getVar('HOST_ARCH')
- distro_arch = d.getVar('DISTRO_ARCH')
- if host_arch == distro_arch:
- return d.getVar('DISTRO')
- else:
- return d.getVar('HOST_DISTRO')
-
# rootfs/image overrides for the SDK
ROOTFS_ARCH:class-sdk = "${HOST_ARCH}"
ROOTFS_DISTRO:class-sdk = "${@get_rootfs_distro(d)}"
--
2.51.0
--
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20251124114638.2238090-2-felix.moessbauer%40siemens.com.
^ permalink raw reply [flat|nested] 15+ messages in thread
* [PATCH v5 02/10] meta: package python libraries for SBOM generation
2025-11-24 11:46 [PATCH v5 00/10] Add SBOM generation with debsbom 'Felix Moessbauer' via isar-users
2025-11-24 11:46 ` [PATCH v5 01/10] refactor: move get_rootfs_distro from sdk into rootfs 'Felix Moessbauer' via isar-users
@ 2025-11-24 11:46 ` 'Felix Moessbauer' via isar-users
2025-11-24 11:46 ` [PATCH v5 03/10] meta: package python3-debsbom 'Felix Moessbauer' via isar-users
` (8 subsequent siblings)
10 siblings, 0 replies; 15+ messages in thread
From: 'Felix Moessbauer' via isar-users @ 2025-11-24 11:46 UTC (permalink / raw)
To: isar-users
Cc: christoph.steiger, cedric.hombourger, jan.kiszka, quirin.gylstorff
From: Christoph Steiger <christoph.steiger@siemens.com>
Package python libraries for SBOM generation in isar. The packages are
unfortunately not (yet) packaged in Debian, thats why we need to do it
here. With these libraries it is now possible to easily create CDX and
SPDX SBOMs in different file formats.
Signed-off-by: Christoph Steiger <christoph.steiger@siemens.com>
---
.../python3-beartype/files/rules | 8 ++++
.../python3-beartype_0.19.0.bb | 29 +++++++++++
.../files/pybuild.testfiles | 1 +
.../python3-cyclonedx-lib/files/rules | 8 ++++
.../python3-cyclonedx-lib_9.1.0.bb | 48 +++++++++++++++++++
.../python3-packageurl/files/rules | 8 ++++
.../python3-packageurl_0.16.0.bb | 33 +++++++++++++
.../python3-py-serializable/files/rules | 8 ++++
.../python3-py-serializable_2.0.0.bb | 38 +++++++++++++++
.../python3-spdx-tools/files/rules | 25 ++++++++++
.../python3-spdx-tools_0.8.3.bb | 46 ++++++++++++++++++
11 files changed, 252 insertions(+)
create mode 100644 meta/recipes-support/python3-beartype/files/rules
create mode 100644 meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb
create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/pybuild.testfiles
create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/rules
create mode 100644 meta/recipes-support/python3-cyclonedx-lib/python3-cyclonedx-lib_9.1.0.bb
create mode 100644 meta/recipes-support/python3-packageurl/files/rules
create mode 100644 meta/recipes-support/python3-packageurl/python3-packageurl_0.16.0.bb
create mode 100644 meta/recipes-support/python3-py-serializable/files/rules
create mode 100644 meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb
create mode 100644 meta/recipes-support/python3-spdx-tools/files/rules
create mode 100644 meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb
diff --git a/meta/recipes-support/python3-beartype/files/rules b/meta/recipes-support/python3-beartype/files/rules
new file mode 100644
index 00000000..0ca517a1
--- /dev/null
+++ b/meta/recipes-support/python3-beartype/files/rules
@@ -0,0 +1,8 @@
+#!/usr/bin/make -f
+
+#export DH_VERBOSE = 1
+export PYBUILD_NAME = beartype
+export PYBUILD_SYSTEM = pyproject
+
+%:
+ dh $@ --with python3 --buildsystem=pybuild
diff --git a/meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb b/meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb
new file mode 100644
index 00000000..b8bc2708
--- /dev/null
+++ b/meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb
@@ -0,0 +1,29 @@
+# This software is a part of ISAR.
+# Copyright (c) Siemens, 2025
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+S = "${WORKDIR}/beartype-${PV}"
+
+MAINTAINER = "Christoph Steiger <christoph.steiger@siemens.com>"
+DPKG_ARCH = "all"
+DEBIAN_BUILD_DEPENDS = "debhelper (>= 11~), dh-python, python3-all, python3-setuptools, pybuild-plugin-pyproject, python3-hatchling"
+DEBIAN_DEPENDS = "\${python3:Depends}, \${misc:Depends}"
+# this is 01/01/1980, any earlier and zip in the wheel building process will not accept it
+DEBIAN_CHANGELOG_TIMESTAMP = "315532800"
+DESCRIPTION = "Unbearably fast near-real-time hybrid runtime-static type-checking in pure Python."
+
+SRC_URI = "\
+ https://github.com/beartype/beartype/archive/refs/tags/v0.19.0.tar.gz \
+ file://rules \
+ "
+SRC_URI[sha256sum] = "e7ad00eebf527d60f30e0b391209b561dabd2074b608c50e26c94c2d8250a6cd"
+
+do_prepare_build[cleandirs] += "${S}/debian"
+do_prepare_build() {
+ deb_debianize
+}
diff --git a/meta/recipes-support/python3-cyclonedx-lib/files/pybuild.testfiles b/meta/recipes-support/python3-cyclonedx-lib/files/pybuild.testfiles
new file mode 100644
index 00000000..cc736a36
--- /dev/null
+++ b/meta/recipes-support/python3-cyclonedx-lib/files/pybuild.testfiles
@@ -0,0 +1 @@
+pyproject.toml
diff --git a/meta/recipes-support/python3-cyclonedx-lib/files/rules b/meta/recipes-support/python3-cyclonedx-lib/files/rules
new file mode 100644
index 00000000..fe72dd1a
--- /dev/null
+++ b/meta/recipes-support/python3-cyclonedx-lib/files/rules
@@ -0,0 +1,8 @@
+#!/usr/bin/make -f
+
+#export DH_VERBOSE = 1
+export PYBUILD_NAME = cyclonedx-python-lib
+export PYBUILD_SYSTEM = pyproject
+
+%:
+ dh $@ --with python3 --buildsystem=pybuild
diff --git a/meta/recipes-support/python3-cyclonedx-lib/python3-cyclonedx-lib_9.1.0.bb b/meta/recipes-support/python3-cyclonedx-lib/python3-cyclonedx-lib_9.1.0.bb
new file mode 100644
index 00000000..738ed1b3
--- /dev/null
+++ b/meta/recipes-support/python3-cyclonedx-lib/python3-cyclonedx-lib_9.1.0.bb
@@ -0,0 +1,48 @@
+# This software is a part of ISAR.
+# Copyright (c) Siemens, 2025
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+DEPENDS:append:bookworm = " python3-packageurl python3-py-serializable"
+DEPENDS:append:noble = " python3-packageurl python3-py-serializable"
+
+S = "${WORKDIR}/cyclonedx_python_lib-${PV}"
+
+MAINTAINER = "Christoph Steiger <christoph.steiger@siemens.com>"
+DPKG_ARCH = "all"
+DEBIAN_BUILD_DEPENDS = "debhelper (>= 11~), \
+ dh-python, \
+ python3-all, \
+ python3-setuptools, \
+ pybuild-plugin-pyproject, \
+ python3-poetry, \
+ python3-py-serializable, \
+ python3-packageurl, \
+ python3-sortedcontainers, \
+ python3-ddt, \
+ python3-defusedxml, \
+ python3-license-expression, \
+ python3-jsonschema, \
+ python3-lxml, \
+ "
+
+DEBIAN_DEPENDS = "\${python3:Depends}, \${misc:Depends}"
+
+DESCRIPTION = "Library for serializing and deserializing Python Objects to and from JSON and XML."
+
+SRC_URI = "\
+ https://github.com/CycloneDX/cyclonedx-python-lib/releases/download/v9.1.0/cyclonedx_python_lib-9.1.0.tar.gz \
+ file://rules \
+ file://pybuild.testfiles \
+ "
+SRC_URI[sha256sum] = "86935f2c88a7b47a529b93c724dbd3e903bc573f6f8bd977628a7ca1b5dadea1"
+
+do_prepare_build[cleandirs] += "${S}/debian"
+do_prepare_build() {
+ cp "${WORKDIR}"/pybuild.testfiles "${S}"/debian
+ deb_debianize
+}
diff --git a/meta/recipes-support/python3-packageurl/files/rules b/meta/recipes-support/python3-packageurl/files/rules
new file mode 100644
index 00000000..50e1b74c
--- /dev/null
+++ b/meta/recipes-support/python3-packageurl/files/rules
@@ -0,0 +1,8 @@
+#!/usr/bin/make -f
+
+#export DH_VERBOSE = 1
+export PYBUILD_NAME = packageurl-python
+export PYBUILD_SYSTEM = distutils
+
+%:
+ dh $@ --with python3 --buildsystem=pybuild
diff --git a/meta/recipes-support/python3-packageurl/python3-packageurl_0.16.0.bb b/meta/recipes-support/python3-packageurl/python3-packageurl_0.16.0.bb
new file mode 100644
index 00000000..27209429
--- /dev/null
+++ b/meta/recipes-support/python3-packageurl/python3-packageurl_0.16.0.bb
@@ -0,0 +1,33 @@
+# This software is a part of ISAR.
+# Copyright (c) Siemens, 2025
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+S = "${WORKDIR}/packageurl_python-${PV}"
+
+MAINTAINER = "Christoph Steiger <christoph.steiger@siemens.com>"
+DPKG_ARCH = "all"
+DEBIAN_BUILD_DEPENDS = "debhelper (>= 11~), \
+ dh-python, \
+ python3-all, \
+ python3-setuptools, \
+ "
+
+DEBIAN_DEPENDS = "\${python3:Depends}, \${misc:Depends}"
+
+DESCRIPTION = "A purl aka. Package URL parser and builder"
+
+SRC_URI = "\
+ https://github.com/package-url/packageurl-python/releases/download/v0.16.0/packageurl_python-0.16.0.tar.gz \
+ file://rules \
+ "
+SRC_URI[sha256sum] = "69e3bf8a3932fe9c2400f56aaeb9f86911ecee2f9398dbe1b58ec34340be365d"
+
+do_prepare_build[cleandirs] += "${S}/debian"
+do_prepare_build() {
+ deb_debianize
+}
diff --git a/meta/recipes-support/python3-py-serializable/files/rules b/meta/recipes-support/python3-py-serializable/files/rules
new file mode 100644
index 00000000..0cf845dd
--- /dev/null
+++ b/meta/recipes-support/python3-py-serializable/files/rules
@@ -0,0 +1,8 @@
+#!/usr/bin/make -f
+
+#export DH_VERBOSE = 1
+export PYBUILD_NAME = py-serializable
+export PYBUILD_SYSTEM = pyproject
+
+%:
+ dh $@ --with python3 --buildsystem=pybuild
diff --git a/meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb b/meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb
new file mode 100644
index 00000000..5bc48c0f
--- /dev/null
+++ b/meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb
@@ -0,0 +1,38 @@
+# This software is a part of ISAR.
+# Copyright (c) Siemens, 2025
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+S = "${WORKDIR}/py_serializable-${PV}"
+
+MAINTAINER = "Christoph Steiger <christoph.steiger@siemens.com>"
+DPKG_ARCH = "all"
+DEBIAN_BUILD_DEPENDS = " \
+ dh-sequence-python3, \
+ pybuild-plugin-pyproject, \
+ python3-all, \
+ python3-defusedxml, \
+ python3-lxml, \
+ python3-poetry-core, \
+ python3-setuptools, \
+ xmldiff, \
+"
+
+DEBIAN_DEPENDS = "\${python3:Depends}, \${misc:Depends}"
+
+DESCRIPTION = "Library for serializing and deserializing Python Objects to and from JSON and XML."
+
+SRC_URI = "\
+ https://github.com/madpah/serializable/releases/download/v2.0.0/py_serializable-2.0.0.tar.gz \
+ file://rules \
+ "
+SRC_URI[sha256sum] = "e9e6491dd7d29c31daf1050232b57f9657f9e8a43b867cca1ff204752cf420a5"
+
+do_prepare_build[cleandirs] += "${S}/debian"
+do_prepare_build() {
+ deb_debianize
+}
diff --git a/meta/recipes-support/python3-spdx-tools/files/rules b/meta/recipes-support/python3-spdx-tools/files/rules
new file mode 100644
index 00000000..ac87528a
--- /dev/null
+++ b/meta/recipes-support/python3-spdx-tools/files/rules
@@ -0,0 +1,25 @@
+#!/usr/bin/make -f
+
+#export DH_VERBOSE = 1
+export PYBUILD_NAME = spdx-tools
+export PYBUILD_SYSTEM = distutils
+
+# skip tests that require hard-to-package dependencies and tests that rely on relative file paths
+# TODO: figure out a way to make these tests work
+export PYBUILD_TEST_ARGS=--ignore tests/spdx3/validation/json_ld/test_shacl_validation.py \
+ -k 'not test_examples \
+ and not test_parse_from_file \
+ and not test_annotation_parser \
+ and not test_snippet_parser \
+ and not test_creation_info_parser \
+ and not test_json_ld_writer \
+ and not test_extracted_licensing_info_parser \
+ and not test_parse_file \
+ and not test_package_parser \
+ and not test_relationship_parser \
+ and not test_graph_parsing_function \
+ and not test_license_expression_parser \
+ '
+
+%:
+ dh $@ --with python3 --buildsystem=pybuild
diff --git a/meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb b/meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb
new file mode 100644
index 00000000..30d090a9
--- /dev/null
+++ b/meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb
@@ -0,0 +1,46 @@
+# This software is a part of ISAR.
+# Copyright (c) Siemens, 2025
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+S = "${WORKDIR}/tools-python-${PV}"
+
+DEPENDS:append:bookworm = " python3-beartype"
+
+MAINTAINER = "Christoph Steiger <christoph.steiger@siemens.com>"
+DPKG_ARCH = "all"
+DEBIAN_BUILD_DEPENDS = "dh-python, \
+ python3-all, \
+ python3-setuptools, \
+ python3-beartype, \
+ python3-semantic-version, \
+ python3-license-expression, \
+ python3-pytest <!nocheck>, \
+ python3-rdflib, \
+ python3-uritools, \
+ python3-ply, \
+ python3-click, \
+ python3-xmltodict, \
+ python3-yaml, \
+ "
+
+DEBIAN_DEPENDS = "\${python3:Depends}, \${misc:Depends}"
+DEB_BUILD_PROFILES += "nocheck"
+DEB_BUILD_OPTIONS += "nocheck"
+
+DESCRIPTION = "SPDX parser and tools."
+
+SRC_URI = "\
+ https://github.com/spdx/tools-python/archive/refs/tags/v0.8.3.tar.gz \
+ file://rules \
+ "
+SRC_URI[sha256sum] = "17cb0140adbaefb58819c9d5d56060dc6a70c673a854fa9bd882ecfa4e062a7f"
+
+do_prepare_build[cleandirs] += "${S}/debian"
+do_prepare_build() {
+ deb_debianize
+}
--
2.51.0
--
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20251124114638.2238090-3-felix.moessbauer%40siemens.com.
^ permalink raw reply [flat|nested] 15+ messages in thread
* [PATCH v5 03/10] meta: package python3-debsbom
2025-11-24 11:46 [PATCH v5 00/10] Add SBOM generation with debsbom 'Felix Moessbauer' via isar-users
2025-11-24 11:46 ` [PATCH v5 01/10] refactor: move get_rootfs_distro from sdk into rootfs 'Felix Moessbauer' via isar-users
2025-11-24 11:46 ` [PATCH v5 02/10] meta: package python libraries for SBOM generation 'Felix Moessbauer' via isar-users
@ 2025-11-24 11:46 ` 'Felix Moessbauer' via isar-users
2025-11-24 11:46 ` [PATCH v5 04/10] meta: add SBOM generation with debsbom 'Felix Moessbauer' via isar-users
` (7 subsequent siblings)
10 siblings, 0 replies; 15+ messages in thread
From: 'Felix Moessbauer' via isar-users @ 2025-11-24 11:46 UTC (permalink / raw)
To: isar-users
Cc: christoph.steiger, cedric.hombourger, jan.kiszka, quirin.gylstorff
From: Christoph Steiger <christoph.steiger@siemens.com>
Package the python tool debsbom for SBOM generation for Debian based
distributions.
Signed-off-by: Christoph Steiger <christoph.steiger@siemens.com>
---
...icense-description-in-pyproject.toml.patch | 28 ++++++++++++
.../python3-debsbom/files/rules | 8 ++++
.../python3-debsbom/python3-debsbom_0.4.0.bb | 45 +++++++++++++++++++
3 files changed, 81 insertions(+)
create mode 100644 meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch
create mode 100644 meta/recipes-support/python3-debsbom/files/rules
create mode 100644 meta/recipes-support/python3-debsbom/python3-debsbom_0.4.0.bb
diff --git a/meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch b/meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch
new file mode 100644
index 00000000..c9137e25
--- /dev/null
+++ b/meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch
@@ -0,0 +1,28 @@
+From 8f926ab0ed1585656ba7de80a82cc802c3ccbdbf Mon Sep 17 00:00:00 2001
+From: Christoph Steiger <christoph.steiger@siemens.com>
+Date: Mon, 8 Sep 2025 17:17:49 +0200
+Subject: [PATCH 1/1] Use old license description in pyproject.toml
+
+Older setuptools versions may require a different license field.
+
+Signed-off-by: Christoph Steiger <christoph.steiger@siemens.com>
+---
+ pyproject.toml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pyproject.toml b/pyproject.toml
+index cc34bdb..701da4a 100644
+--- a/pyproject.toml
++++ b/pyproject.toml
+@@ -22,7 +22,7 @@ maintainers = [
+ ]
+ description = "Generate SBOMs for Debian-based distributions."
+ readme = "README.md"
+-license = "MIT"
++license = {text = "MIT"}
+ classifiers = [
+ "Intended Audience :: Developers",
+ "Operating System :: POSIX :: Linux",
+--
+2.39.5
+
diff --git a/meta/recipes-support/python3-debsbom/files/rules b/meta/recipes-support/python3-debsbom/files/rules
new file mode 100644
index 00000000..a414114d
--- /dev/null
+++ b/meta/recipes-support/python3-debsbom/files/rules
@@ -0,0 +1,8 @@
+#!/usr/bin/make -f
+
+#export DH_VERBOSE = 1
+export PYBUILD_NAME = debsbom
+export PYBUILD_SYSTEM = pyproject
+
+%:
+ dh $@ --with python3 --buildsystem=pybuild
diff --git a/meta/recipes-support/python3-debsbom/python3-debsbom_0.4.0.bb b/meta/recipes-support/python3-debsbom/python3-debsbom_0.4.0.bb
new file mode 100644
index 00000000..410f358a
--- /dev/null
+++ b/meta/recipes-support/python3-debsbom/python3-debsbom_0.4.0.bb
@@ -0,0 +1,45 @@
+# This software is a part of ISAR.
+# Copyright (c) Siemens, 2025
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+S = "${WORKDIR}/git"
+
+DEPENDS = "python3-spdx-tools"
+DEPENDS:append:bookworm = " python3-packageurl python3-cyclonedx-lib"
+DEPENDS:append:noble = " python3-packageurl python3-cyclonedx-lib"
+
+S = "${WORKDIR}/git"
+
+MAINTAINER = "Christoph Steiger <christoph.steiger@siemens.com>"
+DPKG_ARCH = "all"
+DEBIAN_BUILD_DEPENDS = "dh-python, \
+ python3-all, \
+ python3-setuptools, \
+ pybuild-plugin-pyproject, \
+ python3-packageurl, \
+ python3-cyclonedx-lib, \
+ python3-spdx-tools, \
+ python3-debian, \
+ python3-requests, \
+ python3-zstandard, \
+ "
+
+DEBIAN_DEPENDS = "python3-apt, \${python3:Depends}, \${misc:Depends}"
+
+DESCRIPTION = "debsbom generates SBOMs for Debian based distributions."
+
+SRC_URI = "git://github.com/siemens/debsbom.git;protocol=https;branch=main; \
+ file://rules \
+ file://0001-Use-old-license-description-in-pyproject.toml.patch \
+ "
+SRCREV = "a600f60966d08803eb17bfb81eb8828921497453"
+
+do_prepare_build[cleandirs] += "${S}/debian"
+do_prepare_build() {
+ deb_debianize
+}
--
2.51.0
--
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20251124114638.2238090-4-felix.moessbauer%40siemens.com.
^ permalink raw reply [flat|nested] 15+ messages in thread
* [PATCH v5 04/10] meta: add SBOM generation with debsbom
2025-11-24 11:46 [PATCH v5 00/10] Add SBOM generation with debsbom 'Felix Moessbauer' via isar-users
` (2 preceding siblings ...)
2025-11-24 11:46 ` [PATCH v5 03/10] meta: package python3-debsbom 'Felix Moessbauer' via isar-users
@ 2025-11-24 11:46 ` 'Felix Moessbauer' via isar-users
2025-11-24 11:46 ` [PATCH v5 05/10] override distro vendor in SBOM on Ubuntu 'Felix Moessbauer' via isar-users
` (6 subsequent siblings)
10 siblings, 0 replies; 15+ messages in thread
From: 'Felix Moessbauer' via isar-users @ 2025-11-24 11:46 UTC (permalink / raw)
To: isar-users
Cc: christoph.steiger, cedric.hombourger, jan.kiszka,
quirin.gylstorff, Felix Moessbauer
From: Christoph Steiger <christoph.steiger@siemens.com>
Generate SBOMs for every rootfs that is created. These SBOMs are placed
in the image deploy directory.
For the generation a small chroot with debsbom installed is created and
from that the rootfs of the image is scanned.
The sbom generation is bound to the rootfs feature `generate-sbom`
which is activated per default now.
Signed-off-by: Christoph Steiger <christoph.steiger@siemens.com>
Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
meta/classes/image.bbclass | 1 +
meta/classes/initramfs.bbclass | 3 +-
meta/classes/rootfs.bbclass | 14 +++-
meta/classes/sbom.bbclass | 65 +++++++++++++++++++
meta/classes/sdk.bbclass | 2 +-
.../sbom-chroot/sbom-chroot.bb | 30 +++++++++
6 files changed, 112 insertions(+), 3 deletions(-)
create mode 100644 meta/classes/sbom.bbclass
create mode 100644 meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
index 1fa71c17..29324920 100644
--- a/meta/classes/image.bbclass
+++ b/meta/classes/image.bbclass
@@ -99,6 +99,7 @@ ROOTFS_FEATURES += "\
clean-log-files \
clean-debconf-cache \
populate-systemd-preset \
+ generate-sbom \
"
ROOTFS_PACKAGES += "${IMAGE_PREINSTALL} ${@isar_multiarch_packages('IMAGE_INSTALL', d)}"
ROOTFS_MANIFEST_DEPLOY_DIR ?= "${DEPLOY_DIR_IMAGE}"
diff --git a/meta/classes/initramfs.bbclass b/meta/classes/initramfs.bbclass
index 862bd873..570780e1 100644
--- a/meta/classes/initramfs.bbclass
+++ b/meta/classes/initramfs.bbclass
@@ -22,11 +22,12 @@ INITRAMFS_FULLNAME = "${PN}-${DISTRO}-${MACHINE}"
# Bill-of-material
ROOTFS_MANIFEST_DEPLOY_DIR = "${DEPLOY_DIR_IMAGE}"
ROOTFS_PACKAGE_SUFFIX = "${INITRAMFS_FULLNAME}"
+SBOM_DISTRO_NAME:append = "-initramfs"
DEPENDS += "${INITRAMFS_INSTALL}"
ROOTFSDIR = "${INITRAMFS_ROOTFS}"
-ROOTFS_FEATURES = "generate-manifest"
+ROOTFS_FEATURES = "generate-manifest generate-sbom"
ROOTFS_PACKAGES = "${INITRAMFS_GENERATOR_PKG} ${INITRAMFS_PREINSTALL} ${INITRAMFS_INSTALL}"
# validate if have incompatible packages in the installation list
diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass
index c045bfc0..b3ca9e16 100644
--- a/meta/classes/rootfs.bbclass
+++ b/meta/classes/rootfs.bbclass
@@ -3,6 +3,8 @@
inherit deb-dl-dir
+inherit sbom
+
ROOTFS_ARCH ?= "${DISTRO_ARCH}"
ROOTFS_DISTRO ?= "${DISTRO}"
@@ -28,11 +30,18 @@ INITRD_IMAGE ?= ""
# available features are:
# 'clean-package-cache' - delete package cache from rootfs
# 'generate-manifest' - generate a package manifest of the rootfs into ${ROOTFS_MANIFEST_DEPLOY_DIR}
+# 'generate-sbom' - generate a SBOM of the rootfs into ${DEPLOY_DIR_SBOM}
# 'export-dpkg-status' - exports /var/lib/dpkg/status file to ${ROOTFS_DPKGSTATUS_DEPLOY_DIR}
# 'clean-log-files' - delete log files that are not owned by packages
# 'populate-systemd-preset' - enable systemd units according to systemd presets
+
# 'generate-initrd' - generate debian default initrd
ROOTFS_FEATURES += "${@ 'generate-initrd' if d.getVar('INITRD_IMAGE') == '' else ''}"
+# only supported from bookworm / jammy on
+ROOTFS_FEATURES:remove:buster = "generate-sbom"
+ROOTFS_FEATURES:remove:bullseye = "generate-sbom"
+ROOTFS_FEATURES:remove:jammy = "generate-sbom"
+ROOTFS_FEATURES:remove:focal = "generate-sbom"
ROOTFS_APT_ARGS="install --yes -o Debug::pkgProblemResolver=yes"
@@ -478,6 +487,9 @@ cache_dbg_pkgs() {
fi
}
+# The sbom generator needs the apt-cache, hence run before cleaning it
+ROOTFS_POSTPROCESS_COMMAND += "${@bb.utils.contains('ROOTFS_FEATURES', 'generate-sbom', 'do_generate_sbom', '', d)}"
+
ROOTFS_POSTPROCESS_COMMAND += "${@bb.utils.contains('ROOTFS_FEATURES', 'clean-package-cache', 'rootfs_postprocess_clean_package_cache', '', d)}"
rootfs_postprocess_clean_package_cache() {
sudo -E chroot '${ROOTFSDIR}' \
@@ -647,7 +659,7 @@ python do_rootfs() {
}
addtask rootfs before do_build
-do_rootfs_postprocess[depends] = "base-apt:do_cache isar-apt:do_cache_config"
+do_rootfs_postprocess[depends] = "base-apt:do_cache isar-apt:do_cache_config ${@bb.utils.contains('ROOTFS_FEATURES', 'generate-sbom', 'sbom-chroot:do_sbomchroot_deploy', '', d)}"
SSTATETASKS += "do_rootfs_install"
SSTATECREATEFUNCS += "rootfs_install_sstate_prepare"
diff --git a/meta/classes/sbom.bbclass b/meta/classes/sbom.bbclass
new file mode 100644
index 00000000..3ed755d9
--- /dev/null
+++ b/meta/classes/sbom.bbclass
@@ -0,0 +1,65 @@
+# This software is a part of ISAR.
+# Copyright (C) 2025 Siemens
+#
+# SPDX-License-Identifier: MIT
+
+# sbom type to generate, accepted are "cdx" or "spdx"
+SBOM_TYPES ?= "spdx cdx"
+
+SBOM_DEBSBOM_TYPE_ARGS = "${@"-t " + " -t ".join(d.getVar("SBOM_TYPES").split())}"
+
+# general user variables
+SBOM_DISTRO_SUPPLIER ?= "ISAR"
+SBOM_DISTRO_NAME ?= "ISAR-Debian-GNU-Linux"
+SBOM_DISTRO_VERSION ?= "1"
+SBOM_DISTRO_SUMMARY ?= "Linux distribution built with ISAR"
+SBOM_BASE_DISTRO_VENDOR ??= "debian"
+SBOM_DOCUMENT_UUID ?= ""
+
+# SPDX specific user variables
+SBOM_SPDX_NAMESPACE_PREFIX ?= "https://spdx.org/spdxdocs"
+
+DEPLOY_DIR_SBOM = "${DEPLOY_DIR_IMAGE}"
+
+SBOM_DIR = "${DEPLOY_DIR}/sbom"
+SBOM_CHROOT = "${SBOM_DIR}/sbom-chroot"
+
+# adapted from the isar-cip-core image_uuid.bbclass
+def generate_document_uuid(d, warn_not_repr=True):
+ import uuid
+
+ base_hash = d.getVar("BB_TASKHASH")
+ if base_hash is None:
+ if warn_not_repr:
+ bb.warn("no BB_TASKHASH available, SBOM UUID is not reproducible")
+ return uuid.uuid4()
+ return str(uuid.UUID(base_hash[:32], version=4))
+
+def sbom_doc_uuid(d):
+ if not d.getVar("SBOM_DOCUMENT_UUID"):
+ d.setVar("SBOM_DOCUMENT_UUID", generate_document_uuid(d))
+
+generate_sbom() {
+ sudo mkdir -p ${SBOM_CHROOT}/mnt/rootfs ${SBOM_CHROOT}/mnt/deploy-dir
+
+ TIMESTAMP=$(date --iso-8601=s -d @${SOURCE_DATE_EPOCH})
+ bwrap \
+ --unshare-user \
+ --unshare-pid \
+ --bind ${SBOM_CHROOT} / \
+ --bind ${ROOTFSDIR} /mnt/rootfs \
+ --bind ${DEPLOY_DIR_SBOM} /mnt/deploy-dir \
+ -- debsbom -v generate ${SBOM_DEBSBOM_TYPE_ARGS} -r /mnt/rootfs -o /mnt/deploy-dir/'${PN}-${DISTRO}-${MACHINE}' \
+ --distro-name '${SBOM_DISTRO_NAME}' --distro-supplier '${SBOM_DISTRO_SUPPLIER}' \
+ --distro-version '${SBOM_DISTRO_VERSION}' --distro-arch '${DISTRO_ARCH}' \
+ --base-distro-vendor '${SBOM_BASE_DISTRO_VENDOR}' \
+ --cdx-serialnumber '${SBOM_DOCUMENT_UUID}' \
+ --spdx-namespace '${SBOM_SPDX_NAMESPACE_PREFIX}'-'${SBOM_DOCUMENT_UUID}' \
+ --timestamp $TIMESTAMP
+}
+
+do_generate_sbom[dirs] += "${DEPLOY_DIR_SBOM}"
+python do_generate_sbom() {
+ sbom_doc_uuid(d)
+ bb.build.exec_func("generate_sbom", d)
+}
diff --git a/meta/classes/sdk.bbclass b/meta/classes/sdk.bbclass
index 00cae0da..d57269e5 100644
--- a/meta/classes/sdk.bbclass
+++ b/meta/classes/sdk.bbclass
@@ -47,7 +47,7 @@ SDK_PREINSTALL += " \
ROOTFS_ARCH:class-sdk = "${HOST_ARCH}"
ROOTFS_DISTRO:class-sdk = "${@get_rootfs_distro(d)}"
ROOTFS_PACKAGES:class-sdk = "sdk-files ${SDK_TOOLCHAIN} ${SDK_PREINSTALL} ${@isar_multiarch_packages('SDK_INSTALL', d)}"
-ROOTFS_FEATURES:append:class-sdk = " clean-package-cache generate-manifest export-dpkg-status"
+ROOTFS_FEATURES:append:class-sdk = " clean-package-cache generate-manifest export-dpkg-status generate-sbom"
ROOTFS_MANIFEST_DEPLOY_DIR:class-sdk = "${DEPLOY_DIR_SDKCHROOT}"
ROOTFS_DPKGSTATUS_DEPLOY_DIR:class-sdk = "${DEPLOY_DIR_SDKCHROOT}"
diff --git a/meta/recipes-devtools/sbom-chroot/sbom-chroot.bb b/meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
new file mode 100644
index 00000000..58200382
--- /dev/null
+++ b/meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
@@ -0,0 +1,30 @@
+# This software is a part of ISAR.
+#
+# Copyright (C) 2025 Siemens
+
+LICENSE = "gpl-2.0"
+LIC_FILES_CHKSUM = "file://${LAYERDIR_core}/licenses/COPYING.GPLv2;md5=751419260aa954499f7abaabaa882bbe"
+
+PV = "1.0"
+
+inherit rootfs
+
+ROOTFS_ARCH = "${HOST_ARCH}"
+ROOTFS_DISTRO = "${@get_rootfs_distro(d)}"
+ROOTFS_BASE_DISTRO = "${HOST_BASE_DISTRO}"
+
+ROOTFS_FEATURES = "no-generate-initrd"
+ROOTFS_INSTALL_COMMAND:remove = "rootfs_restore_initrd_tooling"
+
+# additional packages for the SBOM chroot
+SBOM_IMAGE_INSTALL = "python3-debsbom"
+DEPENDS += "python3-debsbom"
+
+ROOTFSDIR = "${WORKDIR}/rootfs"
+ROOTFS_PACKAGES = "${SBOM_IMAGE_INSTALL}"
+
+do_sbomchroot_deploy[dirs] = "${SBOM_DIR}"
+do_sbomchroot_deploy() {
+ ln -Tfsr "${ROOTFSDIR}" "${SBOM_CHROOT}"
+}
+addtask do_sbomchroot_deploy before do_build after do_rootfs
--
2.51.0
--
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20251124114638.2238090-5-felix.moessbauer%40siemens.com.
^ permalink raw reply [flat|nested] 15+ messages in thread
* [PATCH v5 05/10] override distro vendor in SBOM on Ubuntu
2025-11-24 11:46 [PATCH v5 00/10] Add SBOM generation with debsbom 'Felix Moessbauer' via isar-users
` (3 preceding siblings ...)
2025-11-24 11:46 ` [PATCH v5 04/10] meta: add SBOM generation with debsbom 'Felix Moessbauer' via isar-users
@ 2025-11-24 11:46 ` 'Felix Moessbauer' via isar-users
2025-11-24 11:46 ` [PATCH v5 06/10] add support to add imager dependencies to BOM 'Felix Moessbauer' via isar-users
` (5 subsequent siblings)
10 siblings, 0 replies; 15+ messages in thread
From: 'Felix Moessbauer' via isar-users @ 2025-11-24 11:46 UTC (permalink / raw)
To: isar-users
Cc: christoph.steiger, cedric.hombourger, jan.kiszka,
quirin.gylstorff, Felix Moessbauer
When generating an SBOM for Ubuntu, the vendor component of the PURL
needs to be ubuntu (instead of debian). We now set it accordingly.
Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
meta-isar/conf/distro/ubuntu-common.inc | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta-isar/conf/distro/ubuntu-common.inc b/meta-isar/conf/distro/ubuntu-common.inc
index f1e8a1d6..ffc41afe 100644
--- a/meta-isar/conf/distro/ubuntu-common.inc
+++ b/meta-isar/conf/distro/ubuntu-common.inc
@@ -45,3 +45,5 @@ SYSTEMD_BOOTLOADER_INSTALL:jammy = "systemd:${DISTRO_ARCH}"
# snapshot mirror for reproducible builds
DISTRO_APT_SNAPSHOT_PREMIRROR ??= "(http|https)://archive.ubuntu.com/(.*) https://snapshot.ubuntu.com/\2/${ISAR_APT_SNAPSHOT_DATE_INTERNAL}\n"
+
+SBOM_BASE_DISTRO_VENDOR ?= "ubuntu"
--
2.51.0
--
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20251124114638.2238090-6-felix.moessbauer%40siemens.com.
^ permalink raw reply [flat|nested] 15+ messages in thread
* [PATCH v5 06/10] add support to add imager dependencies to BOM
2025-11-24 11:46 [PATCH v5 00/10] Add SBOM generation with debsbom 'Felix Moessbauer' via isar-users
` (4 preceding siblings ...)
2025-11-24 11:46 ` [PATCH v5 05/10] override distro vendor in SBOM on Ubuntu 'Felix Moessbauer' via isar-users
@ 2025-11-24 11:46 ` 'Felix Moessbauer' via isar-users
2025-11-24 11:46 ` [PATCH v5 07/10] wic: create uniform manifest describing all image components 'Felix Moessbauer' via isar-users
` (4 subsequent siblings)
10 siblings, 0 replies; 15+ messages in thread
From: 'Felix Moessbauer' via isar-users @ 2025-11-24 11:46 UTC (permalink / raw)
To: isar-users
Cc: christoph.steiger, cedric.hombourger, jan.kiszka,
quirin.gylstorff, Felix Moessbauer
Currently the imager dependencies which end up in the image are not
tracked in any BOM (e.g. the manifest file). As these cannot be
automatically derived from the IMAGER_INSTALL packages, we add a new
variable IMAGER_BOM that takes a list of binary packages which are
looked-up using dpkg-query during imaging and added to a local manifest.
Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
doc/user_manual.md | 1 +
meta/classes/image-tools-extension.bbclass | 7 +++++++
meta/classes/image.bbclass | 6 ++++++
3 files changed, 14 insertions(+)
diff --git a/doc/user_manual.md b/doc/user_manual.md
index efe65a51..46c15b21 100644
--- a/doc/user_manual.md
+++ b/doc/user_manual.md
@@ -455,6 +455,7 @@ Some other variables include:
- `FILESEXTRAPATHS` - The default directories BitBake uses when it processes recipes are initially defined by the FILESPATH variable. You can extend FILESPATH variable by using FILESEXTRAPATHS.
- `FILESOVERRIDES` - A subset of OVERRIDES used by the build system for creating FILESPATH. The FILESOVERRIDES variable uses overrides to automatically extend the FILESPATH variable.
- `IMAGER_INSTALL` - The list of package dependencies for an imager like wic.
+ - `IMAGER_BOM` - The list of packages that should be added to the image BOM (e.g. the bootloader). These packages must also be available in the imager rootfs.
---
diff --git a/meta/classes/image-tools-extension.bbclass b/meta/classes/image-tools-extension.bbclass
index 3f284b39..2027effb 100644
--- a/meta/classes/image-tools-extension.bbclass
+++ b/meta/classes/image-tools-extension.bbclass
@@ -18,6 +18,7 @@ SCHROOT_MOUNTS += "${REPO_ISAR_DIR}/${DISTRO}:/isar-apt"
imager_run() {
local_install="${@(d.getVar("INSTALL_%s" % d.getVar("BB_CURRENTTASK")) or '').strip()}"
+ local_bom="${@(d.getVar("BOM_%s" % d.getVar("BB_CURRENTTASK")) or '').strip()}"
schroot_create_configs
insert_mounts
@@ -68,6 +69,12 @@ EOAPT
schroot -r -c ${session_id} "$@"
+ if [ -n "${local_bom}" ]; then
+ schroot -r -c ${session_id} -d / -- \
+ dpkg-query -W -f='${source:Package}|${source:Version}|${Package}:${Architecture}|${Version}\n' ${local_bom} > \
+ ${WORKDIR}/imager.manifest
+ fi
+
schroot -e -c ${session_id}
remove_mounts
diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
index 29324920..f3c3ed98 100644
--- a/meta/classes/image.bbclass
+++ b/meta/classes/image.bbclass
@@ -216,6 +216,7 @@ python() {
imager_install = set()
imager_build_deps = set()
+ imager_bom = set()
conversion_install = set()
for bt in basetypes:
local_imager_install = set()
@@ -246,6 +247,8 @@ python() {
local_imager_install.add(dep)
for dep in (d.getVar('IMAGER_BUILD_DEPS:' + bt_clean) or '').split():
imager_build_deps.add(dep)
+ for dep in (d.getVar('IMAGER_BOM:' + bt_clean) or '').split():
+ imager_bom.add(dep)
# construct image command
image_cmd = localdata.getVar('IMAGE_CMD:' + bt_clean)
@@ -320,11 +323,14 @@ python() {
bb.build.addtask(task, 'do_image', after, d)
# set per type imager dependencies
+ d.setVar('BOM_image_%s' % bt_clean, d.getVar('IMAGER_BOM'))
+ d.appendVar('BOM_image_%s' % bt_clean, ' ' + ' '.join(sorted(imager_bom)))
d.setVar('INSTALL_image_%s' % bt_clean, d.getVar('IMAGER_INSTALL'))
d.appendVar('INSTALL_image_%s' % bt_clean, ' ' + ' '.join(sorted(local_imager_install | local_conversion_install)))
d.appendVarFlag(task, 'vardeps', ' INSTALL_image_%s' % bt_clean)
d.appendVar('IMAGER_INSTALL', ' ' + ' '.join(sorted(imager_install | conversion_install)))
+ d.appendVar('IMAGER_BOM', ' ' + ' '.join(sorted(imager_bom)))
d.appendVar('IMAGER_BUILD_DEPS', ' ' + ' '.join(sorted(imager_build_deps)))
}
--
2.51.0
--
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20251124114638.2238090-7-felix.moessbauer%40siemens.com.
^ permalink raw reply [flat|nested] 15+ messages in thread
* [PATCH v5 07/10] wic: create uniform manifest describing all image components
2025-11-24 11:46 [PATCH v5 00/10] Add SBOM generation with debsbom 'Felix Moessbauer' via isar-users
` (5 preceding siblings ...)
2025-11-24 11:46 ` [PATCH v5 06/10] add support to add imager dependencies to BOM 'Felix Moessbauer' via isar-users
@ 2025-11-24 11:46 ` 'Felix Moessbauer' via isar-users
2025-11-24 11:46 ` [PATCH v5 08/10] qemuamd64: add IMAGER_BOM entries 'Felix Moessbauer' via isar-users
` (3 subsequent siblings)
10 siblings, 0 replies; 15+ messages in thread
From: 'Felix Moessbauer' via isar-users @ 2025-11-24 11:46 UTC (permalink / raw)
To: isar-users
Cc: christoph.steiger, cedric.hombourger, jan.kiszka,
quirin.gylstorff, Felix Moessbauer
A wic image consists of potentially many different components. All these
should be covered by a single BOM.
After creating the wic image, we collect the individual manifest files
(rootfs, initrd, imaging), deduplicate it and deploy it into the image
deploy dir (as .wic.manifest).
Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
meta/classes/imagetypes_wic.bbclass | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/meta/classes/imagetypes_wic.bbclass b/meta/classes/imagetypes_wic.bbclass
index fb0b81a9..c75d481d 100644
--- a/meta/classes/imagetypes_wic.bbclass
+++ b/meta/classes/imagetypes_wic.bbclass
@@ -196,4 +196,9 @@ EOIMAGER
sudo chown -R $(stat -c "%U" ${LAYERDIR_core}) ${LAYERDIR_core} ${LAYERDIR_isar} ${SCRIPTSDIR} || true
sudo chown -R $(id -u):$(id -g) "${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.wic"*
rm -rf ${IMAGE_ROOTFS}/../pseudo
+
+ cat ${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.manifest \
+ ${DEPLOY_DIR_IMAGE}/${INITRD_DEPLOY_FILE}.manifest \
+ ${WORKDIR}/imager.manifest 2>/dev/null \
+ | sort | uniq > "${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.wic.manifest"
}
--
2.51.0
--
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20251124114638.2238090-8-felix.moessbauer%40siemens.com.
^ permalink raw reply [flat|nested] 15+ messages in thread
* [PATCH v5 08/10] qemuamd64: add IMAGER_BOM entries
2025-11-24 11:46 [PATCH v5 00/10] Add SBOM generation with debsbom 'Felix Moessbauer' via isar-users
` (6 preceding siblings ...)
2025-11-24 11:46 ` [PATCH v5 07/10] wic: create uniform manifest describing all image components 'Felix Moessbauer' via isar-users
@ 2025-11-24 11:46 ` 'Felix Moessbauer' via isar-users
2025-11-24 11:46 ` [PATCH v5 09/10] imager: create SBOM of IMAGER_BOM packages 'Felix Moessbauer' via isar-users
` (2 subsequent siblings)
10 siblings, 0 replies; 15+ messages in thread
From: 'Felix Moessbauer' via isar-users @ 2025-11-24 11:46 UTC (permalink / raw)
To: isar-users
Cc: christoph.steiger, cedric.hombourger, jan.kiszka,
quirin.gylstorff, Felix Moessbauer
To give an example how to add components to the imager BOM, we set the
corresponding variable for the qemuamd64 target.
Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
meta-isar/conf/machine/qemuamd64.conf | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta-isar/conf/machine/qemuamd64.conf b/meta-isar/conf/machine/qemuamd64.conf
index 7d5987c6..8d0753a8 100644
--- a/meta-isar/conf/machine/qemuamd64.conf
+++ b/meta-isar/conf/machine/qemuamd64.conf
@@ -7,6 +7,7 @@ KERNEL_NAME ?= "amd64"
IMAGE_FSTYPES ?= "wic"
WKS_FILE ?= "sdimage-efi"
+IMAGER_BOM:wic += "${GRUB_BOOTLOADER_INSTALL}"
IMAGER_INSTALL:wic += "${GRUB_BOOTLOADER_INSTALL}"
QEMU_ARCH ?= "x86_64"
--
2.51.0
--
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20251124114638.2238090-9-felix.moessbauer%40siemens.com.
^ permalink raw reply [flat|nested] 15+ messages in thread
* [PATCH v5 09/10] imager: create SBOM of IMAGER_BOM packages
2025-11-24 11:46 [PATCH v5 00/10] Add SBOM generation with debsbom 'Felix Moessbauer' via isar-users
` (7 preceding siblings ...)
2025-11-24 11:46 ` [PATCH v5 08/10] qemuamd64: add IMAGER_BOM entries 'Felix Moessbauer' via isar-users
@ 2025-11-24 11:46 ` 'Felix Moessbauer' via isar-users
2025-11-24 11:46 ` [PATCH v5 10/10] wic: create uniform SBOM describing all image components 'Felix Moessbauer' via isar-users
2025-11-27 14:35 ` [PATCH v5 00/10] Add SBOM generation with debsbom Zhihang Wei
10 siblings, 0 replies; 15+ messages in thread
From: 'Felix Moessbauer' via isar-users @ 2025-11-24 11:46 UTC (permalink / raw)
To: isar-users
Cc: christoph.steiger, cedric.hombourger, jan.kiszka,
quirin.gylstorff, Felix Moessbauer
This uses the same interface as the .manifest file, but adds the
packagse to an SBOM.
Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
meta/classes/image-tools-extension.bbclass | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/meta/classes/image-tools-extension.bbclass b/meta/classes/image-tools-extension.bbclass
index 2027effb..95f003d0 100644
--- a/meta/classes/image-tools-extension.bbclass
+++ b/meta/classes/image-tools-extension.bbclass
@@ -73,6 +73,8 @@ EOAPT
schroot -r -c ${session_id} -d / -- \
dpkg-query -W -f='${source:Package}|${source:Version}|${Package}:${Architecture}|${Version}\n' ${local_bom} > \
${WORKDIR}/imager.manifest
+
+ ${@bb.utils.contains('ROOTFS_FEATURES', 'generate-sbom', 'generate_imager_sbom', '', d)}
fi
schroot -e -c ${session_id}
@@ -80,3 +82,23 @@ EOAPT
remove_mounts
schroot_delete_configs
}
+
+generate_imager_sbom() {
+ TIMESTAMP=$(date --iso-8601=s -d @${SOURCE_DATE_EPOCH})
+ sbom_document_uuid="${@d.getVar('SBOM_DOCUMENT_UUID') or generate_document_uuid(d, False)}"
+ bwrap \
+ --unshare-user \
+ --unshare-pid \
+ --bind ${SBOM_CHROOT} / \
+ --bind $schroot_dir /mnt/rootfs \
+ --bind ${WORKDIR} /mnt/deploy-dir \
+ -- debsbom -vv generate ${SBOM_DEBSBOM_TYPE_ARGS} \
+ --from-pkglist -r /mnt/rootfs -o /mnt/deploy-dir/imager \
+ --distro-name '${SBOM_DISTRO_NAME}-Imager' --distro-supplier '${SBOM_DISTRO_SUPPLIER}' \
+ --distro-version '${SBOM_DISTRO_VERSION}' --distro-arch '${DISTRO_ARCH}' \
+ --base-distro-vendor '${SBOM_BASE_DISTRO_VENDOR}' \
+ --cdx-serialnumber $sbom_document_uuid \
+ --spdx-namespace '${SBOM_SPDX_NAMESPACE_PREFIX}'-$sbom_document_uuid \
+ --timestamp $TIMESTAMP \
+ < ${WORKDIR}/imager.manifest
+}
--
2.51.0
--
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20251124114638.2238090-10-felix.moessbauer%40siemens.com.
^ permalink raw reply [flat|nested] 15+ messages in thread
* [PATCH v5 10/10] wic: create uniform SBOM describing all image components
2025-11-24 11:46 [PATCH v5 00/10] Add SBOM generation with debsbom 'Felix Moessbauer' via isar-users
` (8 preceding siblings ...)
2025-11-24 11:46 ` [PATCH v5 09/10] imager: create SBOM of IMAGER_BOM packages 'Felix Moessbauer' via isar-users
@ 2025-11-24 11:46 ` 'Felix Moessbauer' via isar-users
2025-11-27 14:35 ` [PATCH v5 00/10] Add SBOM generation with debsbom Zhihang Wei
10 siblings, 0 replies; 15+ messages in thread
From: 'Felix Moessbauer' via isar-users @ 2025-11-24 11:46 UTC (permalink / raw)
To: isar-users
Cc: christoph.steiger, cedric.hombourger, jan.kiszka,
quirin.gylstorff, Felix Moessbauer
A wic image consists of potentially many different components. All these
should be covered by a single SBOM.
After creating the wic image, we collect the individual sbom files
(rootfs, initrd, imaging) and semantically merge it with the debsbom
tool. The merge SBOM is then deployed as .wic.(spdx|cdx).json next to
the wic image.
Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
meta/classes/imagetypes_wic.bbclass | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
diff --git a/meta/classes/imagetypes_wic.bbclass b/meta/classes/imagetypes_wic.bbclass
index c75d481d..fe31e4e6 100644
--- a/meta/classes/imagetypes_wic.bbclass
+++ b/meta/classes/imagetypes_wic.bbclass
@@ -201,4 +201,29 @@ EOIMAGER
${DEPLOY_DIR_IMAGE}/${INITRD_DEPLOY_FILE}.manifest \
${WORKDIR}/imager.manifest 2>/dev/null \
| sort | uniq > "${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.wic.manifest"
+
+ for bomtype in ${SBOM_TYPES}; do
+ merge_wic_sbom $bomtype
+ done
+}
+
+merge_wic_sbom() {
+ BOMTYPE="$1"
+ TIMESTAMP=$(date --iso-8601=s -d @${SOURCE_DATE_EPOCH})
+ sbom_document_uuid="${@d.getVar('SBOM_DOCUMENT_UUID') or generate_document_uuid(d, False)}"
+
+ cat ${IMAGE_FULLNAME}.${bomtype}.json \
+ ${INITRD_DEPLOY_FILE}.${bomtype}.json \
+ ${WORKDIR}/imager.${bomtype}.json 2>/dev/null | \
+ bwrap \
+ --unshare-user \
+ --unshare-pid \
+ --bind ${SBOM_CHROOT} / \
+ -- debsbom -v merge -t $BOMTYPE \
+ --distro-name '${SBOM_DISTRO_NAME}-Image' --distro-supplier '${SBOM_DISTRO_SUPPLIER}' \
+ --distro-version '${SBOM_DISTRO_VERSION}' --base-distro-vendor '${SBOM_BASE_DISTRO_VENDOR}' \
+ --cdx-serialnumber $sbom_document_uuid \
+ --spdx-namespace '${SBOM_SPDX_NAMESPACE_PREFIX}'-$sbom_document_uuid \
+ --timestamp $TIMESTAMP - -o - \
+ > ${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.wic.$bomtype.json
}
--
2.51.0
--
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20251124114638.2238090-11-felix.moessbauer%40siemens.com.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH v5 00/10] Add SBOM generation with debsbom
2025-11-24 11:46 [PATCH v5 00/10] Add SBOM generation with debsbom 'Felix Moessbauer' via isar-users
` (9 preceding siblings ...)
2025-11-24 11:46 ` [PATCH v5 10/10] wic: create uniform SBOM describing all image components 'Felix Moessbauer' via isar-users
@ 2025-11-27 14:35 ` Zhihang Wei
2025-11-28 14:32 ` 'MOESSBAUER, Felix' via isar-users
10 siblings, 1 reply; 15+ messages in thread
From: Zhihang Wei @ 2025-11-27 14:35 UTC (permalink / raw)
To: Felix Moessbauer, isar-users
Cc: christoph.steiger, cedric.hombourger, jan.kiszka, quirin.gylstorff
Hi,
A CI failure occured in full test suite:
citest.py:CustomizationsTest.test_single_customization
Log follows:
builder@13751127e9ed:/work/testsuite$ avocado run
citest.py:CustomizationsTest.test_single_customization
JOB ID : 5a0c694b516485d29feccb614eb23dddb0b667af
JOB LOG :
/tmp/tmpo3rzdofv/avocado/job-results/job-2025-11-27T10.47-5a0c694/job.log
(1/1) citest.py:CustomizationsTest.test_single_customization: STARTED
ERROR: mc:qemuamd64-bullseye:isar-image-ci-1.0-r0 do_image_tar:
ExecutionError('/work/build/tmp/work/debian-bullseye-amd64/isar-image-ci-qemuamd64/1.0-r0/temp/run.do_image_tar.8314',
1, None, None)
ERROR: Logfile of failure stored in:
/work/build/tmp/work/debian-bullseye-amd64/isar-image-ci-qemuamd64/1.0-r0/temp/log.do_image_tar.8314
ERROR: Task
(mc:qemuamd64-bullseye:/work/meta-test/recipes-core/images/isar-image-ci.bb:do_image_tar)
failed with exit code '1'
ERROR: mc:qemuamd64-bullseye:isar-image-ci-1.0-r0 do_image_cpio:
ExecutionError('/work/build/tmp/work/debian-bullseye-amd64/isar-image-ci-qemuamd64/1.0-r0/temp/run.do_image_cpio.8315',
1, None, None)
ERROR: Logfile of failure stored in:
/work/build/tmp/work/debian-bullseye-amd64/isar-image-ci-qemuamd64/1.0-r0/temp/log.do_image_cpio.8315
ERROR: Task
(mc:qemuamd64-bullseye:/work/meta-test/recipes-core/images/isar-image-ci.bb:do_image_cpio)
failed with exit code '1'
ERROR: mc:qemuamd64-bullseye:isar-image-ci-1.0-r0 do_image_wic:
ExecutionError('/work/build/tmp/work/debian-bullseye-amd64/isar-image-ci-qemuamd64/1.0-r0/temp/run.do_image_wic.8316',
1, None, None)
ERROR: Logfile of failure stored in:
/work/build/tmp/work/debian-bullseye-amd64/isar-image-ci-qemuamd64/1.0-r0/temp/log.do_image_wic.8316
In all of these three failed tasks, error log includes:
dpkg-query: no packages found matching grub-efi-amd64-bin
To redo the test using avocado:
1. Have a clean clone of isar, checkout to branch next and apply your
patches:
$ git clone -b next https://github.com/ilbers/isar.git
$ cd isar
$ git am /path-to/0001-my-contribution-to-isar.patch
2. Run kas shell, setup CI prerequisites (avocado, qemu) and cleanup:
$ ./kas/kas-container shell kas/isar.yaml --command \
"rm -rf /work/build/conf && /work/scripts/ci_setup.sh"
4.Run the failed test in fast:
$ cd /work/testsuite
$ avocado run citest.py:CustomizationsTest.test_single_customization$
Zhihang
On 11/24/25 12:46, 'Felix Moessbauer' via isar-users wrote:
> This patchset adds proper SBOM generation in the two standard formats
> SPDX and CycloneDX during the rootfs generation process.
>
> The generation is itself is handled by a SBOM generator `debsbom` [1]
> which is developed as an open source project at Siemens. It is still
> early in development, but it has enough features for what we require
> in isar. The required dependencies which are not yet available as
> Debian packages were minimally packaged directly in isar too.
>
> This is a followup of the previous RFC [2]. Since then the series has
> changed a lot. The SBOM generation was moved from a simple OE lib to
> `debsbom`. This also meant the introduction of a separate chroot was
> necessary. The SBOM generation process was also moved from the image
> step to the rootfs step, along with a lot of minor changes and
> improvements.
>
> [1] https://github.com/siemens/debsbom
> [2] https://groups.google.com/g/isar-users/c/8L-CF4BJY0I/m/p0N3o_zfAAAJ
>
> Changes since v4:
>
> - rebased onto next
> - fix race condition on creation of ${DEPLOY_DIR_SBOM} (aka ${DEPLOY_DIR_IMAGE})
>
> Changes since v3:
>
> - fix issue on external bullseye initramfs (we now disable sbom generation
> on all unsupported distros rootfs instances)
> - update debsbom to v0.4.0
> - rebased onto next
>
> Changes since v2:
>
> - fix issues when HOST_ARCH != DISTRO_ARCH on derived distributions
> - update debsbom to v0.3.0, which fixes the Origin: bug reported in v2
> - generate SBOM for imager as well and create merged sbom of .wic image
> - resend imager manifest + wic manifest patches to reduce conflicts
>
> Note, that the patches p1-p5 are most important as they add basic SBOM
> support. The remaining patches address the imager + .wic bom part,
> which also can be merged later on.
>
> Changes since v1:
>
> - remove tarball
> - refactor packaging (auto-derive python dependencies)
> - only build missing packages (varies on bookworm, trixie, noble)
> - add ubuntu support
> - only generate sboms for supported distributions (bookworm/jammy and
> onwards)
> - update debsbom (includes bug fixes and more information for source
> packages)
>
> Christoph Steiger (3):
> meta: package python libraries for SBOM generation
> meta: package python3-debsbom
> meta: add SBOM generation with debsbom
>
> Felix Moessbauer (7):
> refactor: move get_rootfs_distro from sdk into rootfs
> override distro vendor in SBOM on Ubuntu
> add support to add imager dependencies to BOM
> wic: create uniform manifest describing all image components
> qemuamd64: add IMAGER_BOM entries
> imager: create SBOM of IMAGER_BOM packages
> wic: create uniform SBOM describing all image components
>
> doc/user_manual.md | 1 +
> meta-isar/conf/distro/ubuntu-common.inc | 2 +
> meta-isar/conf/machine/qemuamd64.conf | 1 +
> meta/classes/image-tools-extension.bbclass | 29 +++++++++
> meta/classes/image.bbclass | 7 ++
> meta/classes/imagetypes_wic.bbclass | 30 +++++++++
> meta/classes/initramfs.bbclass | 3 +-
> meta/classes/rootfs.bbclass | 23 ++++++-
> meta/classes/sbom.bbclass | 65 +++++++++++++++++++
> meta/classes/sdk.bbclass | 10 +--
> .../sbom-chroot/sbom-chroot.bb | 30 +++++++++
> .../python3-beartype/files/rules | 8 +++
> .../python3-beartype_0.19.0.bb | 29 +++++++++
> .../files/pybuild.testfiles | 1 +
> .../python3-cyclonedx-lib/files/rules | 8 +++
> .../python3-cyclonedx-lib_9.1.0.bb | 48 ++++++++++++++
> ...icense-description-in-pyproject.toml.patch | 28 ++++++++
> .../python3-debsbom/files/rules | 8 +++
> .../python3-debsbom/python3-debsbom_0.4.0.bb | 45 +++++++++++++
> .../python3-packageurl/files/rules | 8 +++
> .../python3-packageurl_0.16.0.bb | 33 ++++++++++
> .../python3-py-serializable/files/rules | 8 +++
> .../python3-py-serializable_2.0.0.bb | 38 +++++++++++
> .../python3-spdx-tools/files/rules | 25 +++++++
> .../python3-spdx-tools_0.8.3.bb | 46 +++++++++++++
> 25 files changed, 523 insertions(+), 11 deletions(-)
> create mode 100644 meta/classes/sbom.bbclass
> create mode 100644 meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
> create mode 100644 meta/recipes-support/python3-beartype/files/rules
> create mode 100644 meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb
> create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/pybuild.testfiles
> create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/rules
> create mode 100644 meta/recipes-support/python3-cyclonedx-lib/python3-cyclonedx-lib_9.1.0.bb
> create mode 100644 meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch
> create mode 100644 meta/recipes-support/python3-debsbom/files/rules
> create mode 100644 meta/recipes-support/python3-debsbom/python3-debsbom_0.4.0.bb
> create mode 100644 meta/recipes-support/python3-packageurl/files/rules
> create mode 100644 meta/recipes-support/python3-packageurl/python3-packageurl_0.16.0.bb
> create mode 100644 meta/recipes-support/python3-py-serializable/files/rules
> create mode 100644 meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb
> create mode 100644 meta/recipes-support/python3-spdx-tools/files/rules
> create mode 100644 meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb
>
--
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/1e26bd54-623a-48f0-a400-34a454ba4993%40ilbers.de.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH v5 00/10] Add SBOM generation with debsbom
2025-11-27 14:35 ` [PATCH v5 00/10] Add SBOM generation with debsbom Zhihang Wei
@ 2025-11-28 14:32 ` 'MOESSBAUER, Felix' via isar-users
2025-11-28 14:35 ` 'cedric.hombourger@siemens.com' via isar-users
2025-12-09 14:09 ` Zhihang Wei
0 siblings, 2 replies; 15+ messages in thread
From: 'MOESSBAUER, Felix' via isar-users @ 2025-11-28 14:32 UTC (permalink / raw)
To: isar-users, wzh
Cc: Steiger, Christoph, quirin.gylstorff, cedric.hombourger, Kiszka, Jan
On Thu, 2025-11-27 at 15:35 +0100, Zhihang Wei wrote:
> Hi,
> A CI failure occured in full test suite:
> citest.py:CustomizationsTest.test_single_customization
>
> Log follows:
> builder@13751127e9ed:/work/testsuite$ avocado run
> citest.py:CustomizationsTest.test_single_customization
> JOB ID : 5a0c694b516485d29feccb614eb23dddb0b667af
> JOB LOG :
> /tmp/tmpo3rzdofv/avocado/job-results/job-2025-11-27T10.47-5a0c694/job.log
> (1/1) citest.py:CustomizationsTest.test_single_customization: STARTED
> ERROR: mc:qemuamd64-bullseye:isar-image-ci-1.0-r0 do_image_tar:
> ExecutionError('/work/build/tmp/work/debian-bullseye-amd64/isar-image-ci-qemuamd64/1.0-r0/temp/run.do_image_tar.8314',
> 1, None, None)
> ERROR: Logfile of failure stored in:
> /work/build/tmp/work/debian-bullseye-amd64/isar-image-ci-qemuamd64/1.0-r0/temp/log.do_image_tar.8314
> ERROR: Task
> (mc:qemuamd64-bullseye:/work/meta-test/recipes-core/images/isar-image-ci.bb:do_image_tar)
> failed with exit code '1'
> ERROR: mc:qemuamd64-bullseye:isar-image-ci-1.0-r0 do_image_cpio:
> ExecutionError('/work/build/tmp/work/debian-bullseye-amd64/isar-image-ci-qemuamd64/1.0-r0/temp/run.do_image_cpio.8315',
> 1, None, None)
> ERROR: Logfile of failure stored in:
> /work/build/tmp/work/debian-bullseye-amd64/isar-image-ci-qemuamd64/1.0-r0/temp/log.do_image_cpio.8315
> ERROR: Task
> (mc:qemuamd64-bullseye:/work/meta-test/recipes-core/images/isar-image-ci.bb:do_image_cpio)
> failed with exit code '1'
> ERROR: mc:qemuamd64-bullseye:isar-image-ci-1.0-r0 do_image_wic:
> ExecutionError('/work/build/tmp/work/debian-bullseye-amd64/isar-image-ci-qemuamd64/1.0-r0/temp/run.do_image_wic.8316',
> 1, None, None)
> ERROR: Logfile of failure stored in:
> /work/build/tmp/work/debian-bullseye-amd64/isar-image-ci-qemuamd64/1.0-r0/temp/log.do_image_wic.8316
>
> In all of these three failed tasks, error log includes:
> dpkg-query: no packages found matching grub-efi-amd64-bin
>
>
> To redo the test using avocado:
> 1. Have a clean clone of isar, checkout to branch next and apply your
> patches:
> $ git clone -b next https://github.com/ilbers/isar.git
> $ cd isar
> $ git am /path-to/0001-my-contribution-to-isar.patch
> 2. Run kas shell, setup CI prerequisites (avocado, qemu) and cleanup:
> $ ./kas/kas-container shell kas/isar.yaml --command \
> "rm -rf /work/build/conf && /work/scripts/ci_setup.sh"
> 4.Run the failed test in fast:
> $ cd /work/testsuite
> $ avocado run citest.py:CustomizationsTest.test_single_customization$
Hi, I was scratching my head how this could fail, but well ... it is a
badly written test:
In isar-image-ci [1], we do a ton conditional IMAGER_INSTALL:append and
IMAGER_INSTALL:remove, which are not aligned at all with the machine
configs.
Please add the following line to that section:
IMAGER_BOM:remove:qemuamd64:debian-bullseye ?=
"${GRUB_BOOTLOADER_INSTALL}"
This then should be added to p8. If you confirm that this works, I can
also send out a new version of the sbom series.
Anyways, I would be really happy if we could get rid of machine
manipulation parts in an image recipe. This is IMHO an anti-pattern.
[1]https://github.com/ilbers/isar/blob/master/meta-test/recipes-core/images/isar-image-ci.bb#L25
Felix
>
> Zhihang
>
> On 11/24/25 12:46, 'Felix Moessbauer' via isar-users wrote:
> > This patchset adds proper SBOM generation in the two standard formats
> > SPDX and CycloneDX during the rootfs generation process.
> >
> > The generation is itself is handled by a SBOM generator `debsbom` [1]
> > which is developed as an open source project at Siemens. It is still
> > early in development, but it has enough features for what we require
> > in isar. The required dependencies which are not yet available as
> > Debian packages were minimally packaged directly in isar too.
> >
> > This is a followup of the previous RFC [2]. Since then the series has
> > changed a lot. The SBOM generation was moved from a simple OE lib to
> > `debsbom`. This also meant the introduction of a separate chroot was
> > necessary. The SBOM generation process was also moved from the image
> > step to the rootfs step, along with a lot of minor changes and
> > improvements.
> >
> > [1] https://github.com/siemens/debsbom
> > [2] https://groups.google.com/g/isar-users/c/8L-CF4BJY0I/m/p0N3o_zfAAAJ
> >
> > Changes since v4:
> >
> > - rebased onto next
> > - fix race condition on creation of ${DEPLOY_DIR_SBOM} (aka ${DEPLOY_DIR_IMAGE})
> >
> > Changes since v3:
> >
> > - fix issue on external bullseye initramfs (we now disable sbom generation
> > on all unsupported distros rootfs instances)
> > - update debsbom to v0.4.0
> > - rebased onto next
> >
> > Changes since v2:
> >
> > - fix issues when HOST_ARCH != DISTRO_ARCH on derived distributions
> > - update debsbom to v0.3.0, which fixes the Origin: bug reported in v2
> > - generate SBOM for imager as well and create merged sbom of .wic image
> > - resend imager manifest + wic manifest patches to reduce conflicts
> >
> > Note, that the patches p1-p5 are most important as they add basic SBOM
> > support. The remaining patches address the imager + .wic bom part,
> > which also can be merged later on.
> >
> > Changes since v1:
> >
> > - remove tarball
> > - refactor packaging (auto-derive python dependencies)
> > - only build missing packages (varies on bookworm, trixie, noble)
> > - add ubuntu support
> > - only generate sboms for supported distributions (bookworm/jammy and
> > onwards)
> > - update debsbom (includes bug fixes and more information for source
> > packages)
> >
> > Christoph Steiger (3):
> > meta: package python libraries for SBOM generation
> > meta: package python3-debsbom
> > meta: add SBOM generation with debsbom
> >
> > Felix Moessbauer (7):
> > refactor: move get_rootfs_distro from sdk into rootfs
> > override distro vendor in SBOM on Ubuntu
> > add support to add imager dependencies to BOM
> > wic: create uniform manifest describing all image components
> > qemuamd64: add IMAGER_BOM entries
> > imager: create SBOM of IMAGER_BOM packages
> > wic: create uniform SBOM describing all image components
> >
> > doc/user_manual.md | 1 +
> > meta-isar/conf/distro/ubuntu-common.inc | 2 +
> > meta-isar/conf/machine/qemuamd64.conf | 1 +
> > meta/classes/image-tools-extension.bbclass | 29 +++++++++
> > meta/classes/image.bbclass | 7 ++
> > meta/classes/imagetypes_wic.bbclass | 30 +++++++++
> > meta/classes/initramfs.bbclass | 3 +-
> > meta/classes/rootfs.bbclass | 23 ++++++-
> > meta/classes/sbom.bbclass | 65 +++++++++++++++++++
> > meta/classes/sdk.bbclass | 10 +--
> > .../sbom-chroot/sbom-chroot.bb | 30 +++++++++
> > .../python3-beartype/files/rules | 8 +++
> > .../python3-beartype_0.19.0.bb | 29 +++++++++
> > .../files/pybuild.testfiles | 1 +
> > .../python3-cyclonedx-lib/files/rules | 8 +++
> > .../python3-cyclonedx-lib_9.1.0.bb | 48 ++++++++++++++
> > ...icense-description-in-pyproject.toml.patch | 28 ++++++++
> > .../python3-debsbom/files/rules | 8 +++
> > .../python3-debsbom/python3-debsbom_0.4.0.bb | 45 +++++++++++++
> > .../python3-packageurl/files/rules | 8 +++
> > .../python3-packageurl_0.16.0.bb | 33 ++++++++++
> > .../python3-py-serializable/files/rules | 8 +++
> > .../python3-py-serializable_2.0.0.bb | 38 +++++++++++
> > .../python3-spdx-tools/files/rules | 25 +++++++
> > .../python3-spdx-tools_0.8.3.bb | 46 +++++++++++++
> > 25 files changed, 523 insertions(+), 11 deletions(-)
> > create mode 100644 meta/classes/sbom.bbclass
> > create mode 100644 meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
> > create mode 100644 meta/recipes-support/python3-beartype/files/rules
> > create mode 100644 meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb
> > create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/pybuild.testfiles
> > create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/rules
> > create mode 100644 meta/recipes-support/python3-cyclonedx-lib/python3-cyclonedx-lib_9.1.0.bb
> > create mode 100644 meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch
> > create mode 100644 meta/recipes-support/python3-debsbom/files/rules
> > create mode 100644 meta/recipes-support/python3-debsbom/python3-debsbom_0.4.0.bb
> > create mode 100644 meta/recipes-support/python3-packageurl/files/rules
> > create mode 100644 meta/recipes-support/python3-packageurl/python3-packageurl_0.16.0.bb
> > create mode 100644 meta/recipes-support/python3-py-serializable/files/rules
> > create mode 100644 meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb
> > create mode 100644 meta/recipes-support/python3-spdx-tools/files/rules
> > create mode 100644 meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb
> >
>
> --
> You received this message because you are subscribed to the Google Groups "isar-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/isar-users/1e26bd54-623a-48f0-a400-34a454ba4993%40ilbers.de.
--
Siemens AG
Linux Expert Center
Friedrich-Ludwig-Bauer-Str. 3
85748 Garching, Germany
--
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/2b58f5057a9dffdb136c49959a387e7b1f0e5a60.camel%40siemens.com.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH v5 00/10] Add SBOM generation with debsbom
2025-11-28 14:32 ` 'MOESSBAUER, Felix' via isar-users
@ 2025-11-28 14:35 ` 'cedric.hombourger@siemens.com' via isar-users
2025-12-09 14:09 ` Zhihang Wei
1 sibling, 0 replies; 15+ messages in thread
From: 'cedric.hombourger@siemens.com' via isar-users @ 2025-11-28 14:35 UTC (permalink / raw)
To: isar-users, MOESSBAUER, Felix, wzh
Cc: Steiger, Christoph, quirin.gylstorff, Kiszka, Jan
On Fri, 2025-11-28 at 14:32 +0000, Moessbauer, Felix (FT RPD CED OES-
DE) wrote:
> On Thu, 2025-11-27 at 15:35 +0100, Zhihang Wei wrote:
> > Hi,
> > A CI failure occured in full test suite:
> > citest.py:CustomizationsTest.test_single_customization
> >
> > Log follows:
> > builder@13751127e9ed:/work/testsuite$ avocado run
> > citest.py:CustomizationsTest.test_single_customization
> > JOB ID : 5a0c694b516485d29feccb614eb23dddb0b667af
> > JOB LOG :
> > /tmp/tmpo3rzdofv/avocado/job-results/job-2025-11-27T10.47-
> > 5a0c694/job.log
> > (1/1) citest.py:CustomizationsTest.test_single_customization:
> > STARTED
> > ERROR: mc:qemuamd64-bullseye:isar-image-ci-1.0-r0 do_image_tar:
> > ExecutionError('/work/build/tmp/work/debian-bullseye-amd64/isar-
> > image-ci-qemuamd64/1.0-r0/temp/run.do_image_tar.8314',
> > 1, None, None)
> > ERROR: Logfile of failure stored in:
> > /work/build/tmp/work/debian-bullseye-amd64/isar-image-ci-
> > qemuamd64/1.0-r0/temp/log.do_image_tar.8314
> > ERROR: Task
> > (mc:qemuamd64-bullseye:/work/meta-test/recipes-core/images/isar-
> > image-ci.bb:do_image_tar)
> > failed with exit code '1'
> > ERROR: mc:qemuamd64-bullseye:isar-image-ci-1.0-r0 do_image_cpio:
> > ExecutionError('/work/build/tmp/work/debian-bullseye-amd64/isar-
> > image-ci-qemuamd64/1.0-r0/temp/run.do_image_cpio.8315',
> > 1, None, None)
> > ERROR: Logfile of failure stored in:
> > /work/build/tmp/work/debian-bullseye-amd64/isar-image-ci-
> > qemuamd64/1.0-r0/temp/log.do_image_cpio.8315
> > ERROR: Task
> > (mc:qemuamd64-bullseye:/work/meta-test/recipes-core/images/isar-
> > image-ci.bb:do_image_cpio)
> > failed with exit code '1'
> > ERROR: mc:qemuamd64-bullseye:isar-image-ci-1.0-r0 do_image_wic:
> > ExecutionError('/work/build/tmp/work/debian-bullseye-amd64/isar-
> > image-ci-qemuamd64/1.0-r0/temp/run.do_image_wic.8316',
> > 1, None, None)
> > ERROR: Logfile of failure stored in:
> > /work/build/tmp/work/debian-bullseye-amd64/isar-image-ci-
> > qemuamd64/1.0-r0/temp/log.do_image_wic.8316
> >
> > In all of these three failed tasks, error log includes:
> > dpkg-query: no packages found matching grub-efi-amd64-bin
> >
> >
> > To redo the test using avocado:
> > 1. Have a clean clone of isar, checkout to branch next and apply
> > your
> > patches:
> > $ git clone -b next
> > https://github.com/ilbers/isar.git
> > $ cd isar
> > $ git am /path-to/0001-my-contribution-to-isar.patch
> > 2. Run kas shell, setup CI prerequisites (avocado, qemu) and
> > cleanup:
> > $ ./kas/kas-container shell kas/isar.yaml --command \
> > "rm -rf /work/build/conf && /work/scripts/ci_setup.sh"
> > 4.Run the failed test in fast:
> > $ cd /work/testsuite
> > $ avocado run
> > citest.py:CustomizationsTest.test_single_customization$
>
> Hi, I was scratching my head how this could fail, but well ... it is
> a
> badly written test:
>
> In isar-image-ci [1], we do a ton conditional IMAGER_INSTALL:append
> and
> IMAGER_INSTALL:remove, which are not aligned at all with the machine
> configs.
>
> Please add the following line to that section:
>
> IMAGER_BOM:remove:qemuamd64:debian-bullseye ?=
> "${GRUB_BOOTLOADER_INSTALL}"
>
> This then should be added to p8. If you confirm that this works, I
> can
> also send out a new version of the sbom series.
>
> Anyways, I would be really happy if we could get rid of machine
> manipulation parts in an image recipe. This is IMHO an anti-pattern.
Agreed. I would love to see our machine-specific (and image-specific)
variables prefixed with MACHINE_ (and respectively IMAGE_) to make the
scope very clear. This would also ease the job of linters and reviewers
>
> [1]
> https://git/
> hub.com%2Filbers%2Fisar%2Fblob%2Fmaster%2Fmeta-test%2Frecipes-
> core%2Fimages%2Fisar-image-
> ci.bb%23L25&data=05%7C02%7Ccedric.hombourger%40siemens.com%7Cbdd44d79
> b4084dc0182508de2e8ae81e%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7
> C638999371287144635%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsI
> lYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7
> C0%7C%7C%7C&sdata=6KUi2SiAHEg5o4MCLaKH8g1UNqmZ5FdtqnO%2FeCXVLMs%3D&re
> served=0
>
> Felix
>
> >
> > Zhihang
> >
> > On 11/24/25 12:46, 'Felix Moessbauer' via isar-users wrote:
> > > This patchset adds proper SBOM generation in the two standard
> > > formats
> > > SPDX and CycloneDX during the rootfs generation process.
> > >
> > > The generation is itself is handled by a SBOM generator
> > > `debsbom` [1]
> > > which is developed as an open source project at Siemens. It is
> > > still
> > > early in development, but it has enough features for what we
> > > require
> > > in isar. The required dependencies which are not yet available as
> > > Debian packages were minimally packaged directly in isar too.
> > >
> > > This is a followup of the previous RFC [2]. Since then the series
> > > has
> > > changed a lot. The SBOM generation was moved from a simple OE lib
> > > to
> > > `debsbom`. This also meant the introduction of a separate chroot
> > > was
> > > necessary. The SBOM generation process was also moved from the
> > > image
> > > step to the rootfs step, along with a lot of minor changes and
> > > improvements.
> > >
> > > [1]
> > > https://github.com/siemens/debsbom
> > > [2]
> > > https://groups.google.com/g/isar-users/c/8L-CF4BJY0I/m/p0N3o_zfAAAJ
> > >
> > > Changes since v4:
> > >
> > > - rebased onto next
> > > - fix race condition on creation of ${DEPLOY_DIR_SBOM} (aka
> > > ${DEPLOY_DIR_IMAGE})
> > >
> > > Changes since v3:
> > >
> > > - fix issue on external bullseye initramfs (we now disable sbom
> > > generation
> > > on all unsupported distros rootfs instances)
> > > - update debsbom to v0.4.0
> > > - rebased onto next
> > >
> > > Changes since v2:
> > >
> > > - fix issues when HOST_ARCH != DISTRO_ARCH on derived
> > > distributions
> > > - update debsbom to v0.3.0, which fixes the Origin: bug reported
> > > in v2
> > > - generate SBOM for imager as well and create merged sbom of .wic
> > > image
> > > - resend imager manifest + wic manifest patches to reduce
> > > conflicts
> > >
> > > Note, that the patches p1-p5 are most important as they add basic
> > > SBOM
> > > support. The remaining patches address the imager + .wic bom
> > > part,
> > > which also can be merged later on.
> > >
> > > Changes since v1:
> > >
> > > - remove tarball
> > > - refactor packaging (auto-derive python dependencies)
> > > - only build missing packages (varies on bookworm, trixie, noble)
> > > - add ubuntu support
> > > - only generate sboms for supported distributions (bookworm/jammy
> > > and
> > > onwards)
> > > - update debsbom (includes bug fixes and more information for
> > > source
> > > packages)
> > >
> > > Christoph Steiger (3):
> > > meta: package python libraries for SBOM generation
> > > meta: package python3-debsbom
> > > meta: add SBOM generation with debsbom
> > >
> > > Felix Moessbauer (7):
> > > refactor: move get_rootfs_distro from sdk into rootfs
> > > override distro vendor in SBOM on Ubuntu
> > > add support to add imager dependencies to BOM
> > > wic: create uniform manifest describing all image components
> > > qemuamd64: add IMAGER_BOM entries
> > > imager: create SBOM of IMAGER_BOM packages
> > > wic: create uniform SBOM describing all image components
> > >
> > > doc/user_manual.md | 1 +
> > > meta-isar/conf/distro/ubuntu-common.inc | 2 +
> > > meta-isar/conf/machine/qemuamd64.conf | 1 +
> > > meta/classes/image-tools-extension.bbclass | 29 +++++++++
> > > meta/classes/image.bbclass | 7 ++
> > > meta/classes/imagetypes_wic.bbclass | 30 +++++++++
> > > meta/classes/initramfs.bbclass | 3 +-
> > > meta/classes/rootfs.bbclass | 23 ++++++-
> > > meta/classes/sbom.bbclass | 65
> > > +++++++++++++++++++
> > > meta/classes/sdk.bbclass | 10 +--
> > > .../sbom-chroot/sbom-chroot.bb | 30 +++++++++
> > > .../python3-beartype/files/rules | 8 +++
> > > .../python3-beartype_0.19.0.bb | 29 +++++++++
> > > .../files/pybuild.testfiles | 1 +
> > > .../python3-cyclonedx-lib/files/rules | 8 +++
> > > .../python3-cyclonedx-lib_9.1.0.bb | 48
> > > ++++++++++++++
> > > ...icense-description-in-pyproject.toml.patch | 28 ++++++++
> > > .../python3-debsbom/files/rules | 8 +++
> > > .../python3-debsbom/python3-debsbom_0.4.0.bb | 45
> > > +++++++++++++
> > > .../python3-packageurl/files/rules | 8 +++
> > > .../python3-packageurl_0.16.0.bb | 33 ++++++++++
> > > .../python3-py-serializable/files/rules | 8 +++
> > > .../python3-py-serializable_2.0.0.bb | 38 +++++++++++
> > > .../python3-spdx-tools/files/rules | 25 +++++++
> > > .../python3-spdx-tools_0.8.3.bb | 46
> > > +++++++++++++
> > > 25 files changed, 523 insertions(+), 11 deletions(-)
> > > create mode 100644 meta/classes/sbom.bbclass
> > > create mode 100644 meta/recipes-devtools/sbom-chroot/sbom-
> > > chroot.bb
> > > create mode 100644 meta/recipes-support/python3-
> > > beartype/files/rules
> > > create mode 100644 meta/recipes-support/python3-
> > > beartype/python3-beartype_0.19.0.bb
> > > create mode 100644 meta/recipes-support/python3-cyclonedx-
> > > lib/files/pybuild.testfiles
> > > create mode 100644 meta/recipes-support/python3-cyclonedx-
> > > lib/files/rules
> > > create mode 100644 meta/recipes-support/python3-cyclonedx-
> > > lib/python3-cyclonedx-lib_9.1.0.bb
> > > create mode 100644 meta/recipes-support/python3-
> > > debsbom/files/0001-Use-old-license-description-in-
> > > pyproject.toml.patch
> > > create mode 100644 meta/recipes-support/python3-
> > > debsbom/files/rules
> > > create mode 100644 meta/recipes-support/python3-
> > > debsbom/python3-debsbom_0.4.0.bb
> > > create mode 100644 meta/recipes-support/python3-
> > > packageurl/files/rules
> > > create mode 100644 meta/recipes-support/python3-
> > > packageurl/python3-packageurl_0.16.0.bb
> > > create mode 100644 meta/recipes-support/python3-py-
> > > serializable/files/rules
> > > create mode 100644 meta/recipes-support/python3-py-
> > > serializable/python3-py-serializable_2.0.0.bb
> > > create mode 100644 meta/recipes-support/python3-spdx-
> > > tools/files/rules
> > > create mode 100644 meta/recipes-support/python3-spdx-
> > > tools/python3-spdx-tools_0.8.3.bb
> > >
> >
> > --
> > You received this message because you are subscribed to the Google
> > Groups "isar-users" group.
> > To unsubscribe from this group and stop receiving emails from it,
> > send an email to isar-users+unsubscribe@googlegroups.com.
> > To view this discussion visit
> > https://groups.google.com/d/msgid/isar-users/1e26bd54-623a-48f0-a400-34a454ba4993%40ilbers.de
> > .
>
--
Cedric Hombourger
Siemens AG
http://www.siemens.com/
--
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/905d493c6ca962dfe7229bce6a9e1d3add20e3c0.camel%40siemens.com.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH v5 00/10] Add SBOM generation with debsbom
2025-11-28 14:32 ` 'MOESSBAUER, Felix' via isar-users
2025-11-28 14:35 ` 'cedric.hombourger@siemens.com' via isar-users
@ 2025-12-09 14:09 ` Zhihang Wei
1 sibling, 0 replies; 15+ messages in thread
From: Zhihang Wei @ 2025-12-09 14:09 UTC (permalink / raw)
To: MOESSBAUER, Felix, isar-users
Cc: Steiger, Christoph, quirin.gylstorff, cedric.hombourger, Kiszka, Jan
On 11/28/25 15:32, MOESSBAUER, Felix wrote:
> On Thu, 2025-11-27 at 15:35 +0100, Zhihang Wei wrote:
>> Hi,
>> A CI failure occured in full test suite:
>> citest.py:CustomizationsTest.test_single_customization
>>
>> Log follows:
>> builder@13751127e9ed:/work/testsuite$ avocado run
>> citest.py:CustomizationsTest.test_single_customization
>> JOB ID : 5a0c694b516485d29feccb614eb23dddb0b667af
>> JOB LOG :
>> /tmp/tmpo3rzdofv/avocado/job-results/job-2025-11-27T10.47-5a0c694/job.log
>> (1/1) citest.py:CustomizationsTest.test_single_customization: STARTED
>> ERROR: mc:qemuamd64-bullseye:isar-image-ci-1.0-r0 do_image_tar:
>> ExecutionError('/work/build/tmp/work/debian-bullseye-amd64/isar-image-ci-qemuamd64/1.0-r0/temp/run.do_image_tar.8314',
>> 1, None, None)
>> ERROR: Logfile of failure stored in:
>> /work/build/tmp/work/debian-bullseye-amd64/isar-image-ci-qemuamd64/1.0-r0/temp/log.do_image_tar.8314
>> ERROR: Task
>> (mc:qemuamd64-bullseye:/work/meta-test/recipes-core/images/isar-image-ci.bb:do_image_tar)
>> failed with exit code '1'
>> ERROR: mc:qemuamd64-bullseye:isar-image-ci-1.0-r0 do_image_cpio:
>> ExecutionError('/work/build/tmp/work/debian-bullseye-amd64/isar-image-ci-qemuamd64/1.0-r0/temp/run.do_image_cpio.8315',
>> 1, None, None)
>> ERROR: Logfile of failure stored in:
>> /work/build/tmp/work/debian-bullseye-amd64/isar-image-ci-qemuamd64/1.0-r0/temp/log.do_image_cpio.8315
>> ERROR: Task
>> (mc:qemuamd64-bullseye:/work/meta-test/recipes-core/images/isar-image-ci.bb:do_image_cpio)
>> failed with exit code '1'
>> ERROR: mc:qemuamd64-bullseye:isar-image-ci-1.0-r0 do_image_wic:
>> ExecutionError('/work/build/tmp/work/debian-bullseye-amd64/isar-image-ci-qemuamd64/1.0-r0/temp/run.do_image_wic.8316',
>> 1, None, None)
>> ERROR: Logfile of failure stored in:
>> /work/build/tmp/work/debian-bullseye-amd64/isar-image-ci-qemuamd64/1.0-r0/temp/log.do_image_wic.8316
>>
>> In all of these three failed tasks, error log includes:
>> dpkg-query: no packages found matching grub-efi-amd64-bin
>>
>>
>> To redo the test using avocado:
>> 1. Have a clean clone of isar, checkout to branch next and apply your
>> patches:
>> $ git clone -b next https://github.com/ilbers/isar.git
>> $ cd isar
>> $ git am /path-to/0001-my-contribution-to-isar.patch
>> 2. Run kas shell, setup CI prerequisites (avocado, qemu) and cleanup:
>> $ ./kas/kas-container shell kas/isar.yaml --command \
>> "rm -rf /work/build/conf && /work/scripts/ci_setup.sh"
>> 4.Run the failed test in fast:
>> $ cd /work/testsuite
>> $ avocado run citest.py:CustomizationsTest.test_single_customization$
> Hi, I was scratching my head how this could fail, but well ... it is a
> badly written test:
>
> In isar-image-ci [1], we do a ton conditional IMAGER_INSTALL:append and
> IMAGER_INSTALL:remove, which are not aligned at all with the machine
> configs.
>
> Please add the following line to that section:
>
> IMAGER_BOM:remove:qemuamd64:debian-bullseye ?=
> "${GRUB_BOOTLOADER_INSTALL}"
>
> This then should be added to p8. If you confirm that this works, I can
> also send out a new version of the sbom series.
Sorry I missed this email. Unfortunately this does not work. It is still
complaining "dpkg-query: no packages found matching grub-efi-amd64-bin".
v6 doesn't show this error but some others. Error log will follow
shortly. Zhihang
> Anyways, I would be really happy if we could get rid of machine
> manipulation parts in an image recipe. This is IMHO an anti-pattern.
>
> [1]https://github.com/ilbers/isar/blob/master/meta-test/recipes-core/images/isar-image-ci.bb#L25
>
> Felix
>
>> Zhihang
>>
>> On 11/24/25 12:46, 'Felix Moessbauer' via isar-users wrote:
>>> This patchset adds proper SBOM generation in the two standard formats
>>> SPDX and CycloneDX during the rootfs generation process.
>>>
>>> The generation is itself is handled by a SBOM generator `debsbom` [1]
>>> which is developed as an open source project at Siemens. It is still
>>> early in development, but it has enough features for what we require
>>> in isar. The required dependencies which are not yet available as
>>> Debian packages were minimally packaged directly in isar too.
>>>
>>> This is a followup of the previous RFC [2]. Since then the series has
>>> changed a lot. The SBOM generation was moved from a simple OE lib to
>>> `debsbom`. This also meant the introduction of a separate chroot was
>>> necessary. The SBOM generation process was also moved from the image
>>> step to the rootfs step, along with a lot of minor changes and
>>> improvements.
>>>
>>> [1] https://github.com/siemens/debsbom
>>> [2] https://groups.google.com/g/isar-users/c/8L-CF4BJY0I/m/p0N3o_zfAAAJ
>>>
>>> Changes since v4:
>>>
>>> - rebased onto next
>>> - fix race condition on creation of ${DEPLOY_DIR_SBOM} (aka ${DEPLOY_DIR_IMAGE})
>>>
>>> Changes since v3:
>>>
>>> - fix issue on external bullseye initramfs (we now disable sbom generation
>>> on all unsupported distros rootfs instances)
>>> - update debsbom to v0.4.0
>>> - rebased onto next
>>>
>>> Changes since v2:
>>>
>>> - fix issues when HOST_ARCH != DISTRO_ARCH on derived distributions
>>> - update debsbom to v0.3.0, which fixes the Origin: bug reported in v2
>>> - generate SBOM for imager as well and create merged sbom of .wic image
>>> - resend imager manifest + wic manifest patches to reduce conflicts
>>>
>>> Note, that the patches p1-p5 are most important as they add basic SBOM
>>> support. The remaining patches address the imager + .wic bom part,
>>> which also can be merged later on.
>>>
>>> Changes since v1:
>>>
>>> - remove tarball
>>> - refactor packaging (auto-derive python dependencies)
>>> - only build missing packages (varies on bookworm, trixie, noble)
>>> - add ubuntu support
>>> - only generate sboms for supported distributions (bookworm/jammy and
>>> onwards)
>>> - update debsbom (includes bug fixes and more information for source
>>> packages)
>>>
>>> Christoph Steiger (3):
>>> meta: package python libraries for SBOM generation
>>> meta: package python3-debsbom
>>> meta: add SBOM generation with debsbom
>>>
>>> Felix Moessbauer (7):
>>> refactor: move get_rootfs_distro from sdk into rootfs
>>> override distro vendor in SBOM on Ubuntu
>>> add support to add imager dependencies to BOM
>>> wic: create uniform manifest describing all image components
>>> qemuamd64: add IMAGER_BOM entries
>>> imager: create SBOM of IMAGER_BOM packages
>>> wic: create uniform SBOM describing all image components
>>>
>>> doc/user_manual.md | 1 +
>>> meta-isar/conf/distro/ubuntu-common.inc | 2 +
>>> meta-isar/conf/machine/qemuamd64.conf | 1 +
>>> meta/classes/image-tools-extension.bbclass | 29 +++++++++
>>> meta/classes/image.bbclass | 7 ++
>>> meta/classes/imagetypes_wic.bbclass | 30 +++++++++
>>> meta/classes/initramfs.bbclass | 3 +-
>>> meta/classes/rootfs.bbclass | 23 ++++++-
>>> meta/classes/sbom.bbclass | 65 +++++++++++++++++++
>>> meta/classes/sdk.bbclass | 10 +--
>>> .../sbom-chroot/sbom-chroot.bb | 30 +++++++++
>>> .../python3-beartype/files/rules | 8 +++
>>> .../python3-beartype_0.19.0.bb | 29 +++++++++
>>> .../files/pybuild.testfiles | 1 +
>>> .../python3-cyclonedx-lib/files/rules | 8 +++
>>> .../python3-cyclonedx-lib_9.1.0.bb | 48 ++++++++++++++
>>> ...icense-description-in-pyproject.toml.patch | 28 ++++++++
>>> .../python3-debsbom/files/rules | 8 +++
>>> .../python3-debsbom/python3-debsbom_0.4.0.bb | 45 +++++++++++++
>>> .../python3-packageurl/files/rules | 8 +++
>>> .../python3-packageurl_0.16.0.bb | 33 ++++++++++
>>> .../python3-py-serializable/files/rules | 8 +++
>>> .../python3-py-serializable_2.0.0.bb | 38 +++++++++++
>>> .../python3-spdx-tools/files/rules | 25 +++++++
>>> .../python3-spdx-tools_0.8.3.bb | 46 +++++++++++++
>>> 25 files changed, 523 insertions(+), 11 deletions(-)
>>> create mode 100644 meta/classes/sbom.bbclass
>>> create mode 100644 meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
>>> create mode 100644 meta/recipes-support/python3-beartype/files/rules
>>> create mode 100644 meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb
>>> create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/pybuild.testfiles
>>> create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/rules
>>> create mode 100644 meta/recipes-support/python3-cyclonedx-lib/python3-cyclonedx-lib_9.1.0.bb
>>> create mode 100644 meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch
>>> create mode 100644 meta/recipes-support/python3-debsbom/files/rules
>>> create mode 100644 meta/recipes-support/python3-debsbom/python3-debsbom_0.4.0.bb
>>> create mode 100644 meta/recipes-support/python3-packageurl/files/rules
>>> create mode 100644 meta/recipes-support/python3-packageurl/python3-packageurl_0.16.0.bb
>>> create mode 100644 meta/recipes-support/python3-py-serializable/files/rules
>>> create mode 100644 meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb
>>> create mode 100644 meta/recipes-support/python3-spdx-tools/files/rules
>>> create mode 100644 meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb
>>>
>> --
>> You received this message because you are subscribed to the Google Groups "isar-users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
>> To view this discussion visit https://groups.google.com/d/msgid/isar-users/1e26bd54-623a-48f0-a400-34a454ba4993%40ilbers.de.
--
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/ef8efd4c-0140-4d79-b7aa-67fc00e1c763%40ilbers.de.
^ permalink raw reply [flat|nested] 15+ messages in thread
end of thread, other threads:[~2025-12-09 14:10 UTC | newest]
Thread overview: 15+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-11-24 11:46 [PATCH v5 00/10] Add SBOM generation with debsbom 'Felix Moessbauer' via isar-users
2025-11-24 11:46 ` [PATCH v5 01/10] refactor: move get_rootfs_distro from sdk into rootfs 'Felix Moessbauer' via isar-users
2025-11-24 11:46 ` [PATCH v5 02/10] meta: package python libraries for SBOM generation 'Felix Moessbauer' via isar-users
2025-11-24 11:46 ` [PATCH v5 03/10] meta: package python3-debsbom 'Felix Moessbauer' via isar-users
2025-11-24 11:46 ` [PATCH v5 04/10] meta: add SBOM generation with debsbom 'Felix Moessbauer' via isar-users
2025-11-24 11:46 ` [PATCH v5 05/10] override distro vendor in SBOM on Ubuntu 'Felix Moessbauer' via isar-users
2025-11-24 11:46 ` [PATCH v5 06/10] add support to add imager dependencies to BOM 'Felix Moessbauer' via isar-users
2025-11-24 11:46 ` [PATCH v5 07/10] wic: create uniform manifest describing all image components 'Felix Moessbauer' via isar-users
2025-11-24 11:46 ` [PATCH v5 08/10] qemuamd64: add IMAGER_BOM entries 'Felix Moessbauer' via isar-users
2025-11-24 11:46 ` [PATCH v5 09/10] imager: create SBOM of IMAGER_BOM packages 'Felix Moessbauer' via isar-users
2025-11-24 11:46 ` [PATCH v5 10/10] wic: create uniform SBOM describing all image components 'Felix Moessbauer' via isar-users
2025-11-27 14:35 ` [PATCH v5 00/10] Add SBOM generation with debsbom Zhihang Wei
2025-11-28 14:32 ` 'MOESSBAUER, Felix' via isar-users
2025-11-28 14:35 ` 'cedric.hombourger@siemens.com' via isar-users
2025-12-09 14:09 ` Zhihang Wei
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox