[PATCH v6 00/10] Add SBOM generation with debsbom

[PATCH v6 00/10] Add SBOM generation with debsbom

['Felix Moessbauer' via isar-users]

This patchset adds proper SBOM generation in the two standard formats
SPDX and CycloneDX during the rootfs generation process.

The generation is itself is handled by a SBOM generator  `debsbom` [1]
which is developed as an open source project at Siemens. It is still
early in development, but it has enough features for what we require
in isar. The required dependencies which are not yet available as
Debian packages were minimally packaged directly in isar too.

This is a followup of the previous RFC [2]. Since then the series has
changed a lot. The SBOM generation was moved from a simple OE lib to
`debsbom`. This also meant the introduction of a separate chroot was
necessary. The SBOM generation process was also moved from the image
step to the rootfs step, along with a lot of minor changes and
improvements.

[1] https://github.com/siemens/debsbom
[2] https://groups.google.com/g/isar-users/c/8L-CF4BJY0I/m/p0N3o_zfAAAJ

Changes since v5:

- fix isar-image-ci on qemuamd64-bullseye (set IMAGER_BOM according to
  machine changes made in image file)
- rebased onto next

Changes since v4:

- rebased onto next
- fix race condition on creation of ${DEPLOY_DIR_SBOM} (aka ${DEPLOY_DIR_IMAGE})

Changes since v3:

- fix issue on external bullseye initramfs (we now disable sbom generation
  on all unsupported distros rootfs instances)
- update debsbom to v0.4.0
- rebased onto next

Changes since v2:

- fix issues when HOST_ARCH != DISTRO_ARCH on derived distributions
- update debsbom to v0.3.0, which fixes the Origin: bug reported in v2
- generate SBOM for imager as well and create merged sbom of .wic image
- resend imager manifest + wic manifest patches to reduce conflicts

Note, that the patches p1-p5 are most important as they add basic SBOM
support. The remaining patches address the imager + .wic bom part,
which also can be merged later on.

Changes since v1:

- remove tarball
- refactor packaging (auto-derive python dependencies)
- only build missing packages (varies on bookworm, trixie, noble)
- add ubuntu support
- only generate sboms for supported distributions (bookworm/jammy and
  onwards)
- update debsbom (includes bug fixes and more information for source
  packages)


Christoph Steiger (3):
  meta: package python libraries for SBOM generation
  meta: package python3-debsbom
  meta: add SBOM generation with debsbom

Felix Moessbauer (7):
  refactor: move get_rootfs_distro from sdk into rootfs
  override distro vendor in SBOM on Ubuntu
  add support to add imager dependencies to BOM
  wic: create uniform manifest describing all image components
  qemuamd64: add IMAGER_BOM entries
  imager: create SBOM of IMAGER_BOM packages
  wic: create uniform SBOM describing all image components

 doc/user_manual.md                            |  1 +
 meta-isar/conf/distro/ubuntu-common.inc       |  2 +
 meta-isar/conf/machine/qemuamd64.conf         |  1 +
 .../recipes-core/images/isar-image-ci.bb      |  1 +
 meta/classes/image-tools-extension.bbclass    | 29 +++++++++
 meta/classes/image.bbclass                    |  7 ++
 meta/classes/imagetypes_wic.bbclass           | 30 +++++++++
 meta/classes/initramfs.bbclass                |  3 +-
 meta/classes/rootfs.bbclass                   | 23 ++++++-
 meta/classes/sbom.bbclass                     | 65 +++++++++++++++++++
 meta/classes/sdk.bbclass                      | 10 +--
 .../sbom-chroot/sbom-chroot.bb                | 30 +++++++++
 .../python3-beartype/files/rules              |  8 +++
 .../python3-beartype_0.19.0.bb                | 29 +++++++++
 .../files/pybuild.testfiles                   |  1 +
 .../python3-cyclonedx-lib/files/rules         |  8 +++
 .../python3-cyclonedx-lib_9.1.0.bb            | 48 ++++++++++++++
 ...icense-description-in-pyproject.toml.patch | 28 ++++++++
 .../python3-debsbom/files/rules               |  8 +++
 .../python3-debsbom/python3-debsbom_0.4.0.bb  | 45 +++++++++++++
 .../python3-packageurl/files/rules            |  8 +++
 .../python3-packageurl_0.16.0.bb              | 33 ++++++++++
 .../python3-py-serializable/files/rules       |  8 +++
 .../python3-py-serializable_2.0.0.bb          | 38 +++++++++++
 .../python3-spdx-tools/files/rules            | 25 +++++++
 .../python3-spdx-tools_0.8.3.bb               | 46 +++++++++++++
 26 files changed, 524 insertions(+), 11 deletions(-)
 create mode 100644 meta/classes/sbom.bbclass
 create mode 100644 meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
 create mode 100644 meta/recipes-support/python3-beartype/files/rules
 create mode 100644 meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb
 create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/pybuild.testfiles
 create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/rules
 create mode 100644 meta/recipes-support/python3-cyclonedx-lib/python3-cyclonedx-lib_9.1.0.bb
 create mode 100644 meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch
 create mode 100644 meta/recipes-support/python3-debsbom/files/rules
 create mode 100644 meta/recipes-support/python3-debsbom/python3-debsbom_0.4.0.bb
 create mode 100644 meta/recipes-support/python3-packageurl/files/rules
 create mode 100644 meta/recipes-support/python3-packageurl/python3-packageurl_0.16.0.bb
 create mode 100644 meta/recipes-support/python3-py-serializable/files/rules
 create mode 100644 meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb
 create mode 100644 meta/recipes-support/python3-spdx-tools/files/rules
 create mode 100644 meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb

-- 
2.51.0

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20251201085813.1616095-1-felix.moessbauer%40siemens.com.

[PATCH v6 01/10] refactor: move get_rootfs_distro from sdk into rootfs

['Felix Moessbauer' via isar-users]

This helper is rootfs (not sdk) specific and can be re-used to reliably
compute the distro of a rootfs (also transient ones like the ones used
by sbuild). As the SDK always is included into a rootfs, we just move it
there and make it reusable.

Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
 meta/classes/rootfs.bbclass | 9 +++++++++
 meta/classes/sdk.bbclass    | 8 --------
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass
index 70d4bfb8..3027c4dd 100644
--- a/meta/classes/rootfs.bbclass
+++ b/meta/classes/rootfs.bbclass
@@ -44,6 +44,15 @@ ROOTFS_PACKAGE_SUFFIX ?= "${PN}-${DISTRO}-${DISTRO_ARCH}"
 # path to deploy stubbed versions of initrd update scripts during do_rootfs_install
 ROOTFS_STUBS_DIR = "/usr/local/isar-sbin"
 
+# helper to compute the rootfs distro also under cross building
+def get_rootfs_distro(d):
+    host_arch = d.getVar('HOST_ARCH')
+    distro_arch = d.getVar('DISTRO_ARCH')
+    if host_arch == distro_arch:
+        return d.getVar('DISTRO')
+    else:
+        return d.getVar('HOST_DISTRO')
+
 # Useful environment variables:
 export E = "${@ isar_export_proxies(d)}"
 export DEBIAN_FRONTEND = "noninteractive"
diff --git a/meta/classes/sdk.bbclass b/meta/classes/sdk.bbclass
index 5933b52a..81d3c65e 100644
--- a/meta/classes/sdk.bbclass
+++ b/meta/classes/sdk.bbclass
@@ -43,14 +43,6 @@ SDK_PREINSTALL += " \
     devscripts \
     equivs"
 
-def get_rootfs_distro(d):
-    host_arch = d.getVar('HOST_ARCH')
-    distro_arch = d.getVar('DISTRO_ARCH')
-    if host_arch == distro_arch:
-        return d.getVar('DISTRO')
-    else:
-        return d.getVar('HOST_DISTRO')
-
 # rootfs/image overrides for the SDK
 ROOTFS_ARCH:class-sdk = "${HOST_ARCH}"
 ROOTFS_DISTRO:class-sdk = "${@get_rootfs_distro(d)}"
-- 
2.51.0

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20251201085813.1616095-2-felix.moessbauer%40siemens.com.

[PATCH v6 02/10] meta: package python libraries for SBOM generation

['Felix Moessbauer' via isar-users]

From: Christoph Steiger <christoph.steiger@siemens.com>

Package python libraries for SBOM generation in isar. The packages are
unfortunately not (yet) packaged in Debian, thats why we need to do it
here. With these libraries it is now possible to easily create CDX and
SPDX SBOMs in different file formats.

Signed-off-by: Christoph Steiger <christoph.steiger@siemens.com>
---
 .../python3-beartype/files/rules              |  8 ++++
 .../python3-beartype_0.19.0.bb                | 29 +++++++++++
 .../files/pybuild.testfiles                   |  1 +
 .../python3-cyclonedx-lib/files/rules         |  8 ++++
 .../python3-cyclonedx-lib_9.1.0.bb            | 48 +++++++++++++++++++
 .../python3-packageurl/files/rules            |  8 ++++
 .../python3-packageurl_0.16.0.bb              | 33 +++++++++++++
 .../python3-py-serializable/files/rules       |  8 ++++
 .../python3-py-serializable_2.0.0.bb          | 38 +++++++++++++++
 .../python3-spdx-tools/files/rules            | 25 ++++++++++
 .../python3-spdx-tools_0.8.3.bb               | 46 ++++++++++++++++++
 11 files changed, 252 insertions(+)
 create mode 100644 meta/recipes-support/python3-beartype/files/rules
 create mode 100644 meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb
 create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/pybuild.testfiles
 create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/rules
 create mode 100644 meta/recipes-support/python3-cyclonedx-lib/python3-cyclonedx-lib_9.1.0.bb
 create mode 100644 meta/recipes-support/python3-packageurl/files/rules
 create mode 100644 meta/recipes-support/python3-packageurl/python3-packageurl_0.16.0.bb
 create mode 100644 meta/recipes-support/python3-py-serializable/files/rules
 create mode 100644 meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb
 create mode 100644 meta/recipes-support/python3-spdx-tools/files/rules
 create mode 100644 meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb

diff --git a/meta/recipes-support/python3-beartype/files/rules b/meta/recipes-support/python3-beartype/files/rules
new file mode 100644
index 00000000..0ca517a1
--- /dev/null
+++ b/meta/recipes-support/python3-beartype/files/rules
@@ -0,0 +1,8 @@
+#!/usr/bin/make -f
+
+#export DH_VERBOSE = 1
+export PYBUILD_NAME = beartype
+export PYBUILD_SYSTEM = pyproject
+
+%:
+	dh $@ --with python3 --buildsystem=pybuild
diff --git a/meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb b/meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb
new file mode 100644
index 00000000..b8bc2708
--- /dev/null
+++ b/meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb
@@ -0,0 +1,29 @@
+# This software is a part of ISAR.
+# Copyright (c) Siemens, 2025
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+S = "${WORKDIR}/beartype-${PV}"
+
+MAINTAINER = "Christoph Steiger <christoph.steiger@siemens.com>"
+DPKG_ARCH = "all"
+DEBIAN_BUILD_DEPENDS = "debhelper (>= 11~), dh-python, python3-all, python3-setuptools, pybuild-plugin-pyproject, python3-hatchling"
+DEBIAN_DEPENDS = "\${python3:Depends}, \${misc:Depends}"
+# this is 01/01/1980, any earlier and zip in the wheel building process will not accept it
+DEBIAN_CHANGELOG_TIMESTAMP = "315532800"
+DESCRIPTION = "Unbearably fast near-real-time hybrid runtime-static type-checking in pure Python."
+
+SRC_URI = "\
+    https://github.com/beartype/beartype/archive/refs/tags/v0.19.0.tar.gz \
+    file://rules \
+    "
+SRC_URI[sha256sum] = "e7ad00eebf527d60f30e0b391209b561dabd2074b608c50e26c94c2d8250a6cd"
+
+do_prepare_build[cleandirs] += "${S}/debian"
+do_prepare_build() {
+    deb_debianize
+}
diff --git a/meta/recipes-support/python3-cyclonedx-lib/files/pybuild.testfiles b/meta/recipes-support/python3-cyclonedx-lib/files/pybuild.testfiles
new file mode 100644
index 00000000..cc736a36
--- /dev/null
+++ b/meta/recipes-support/python3-cyclonedx-lib/files/pybuild.testfiles
@@ -0,0 +1 @@
+pyproject.toml
diff --git a/meta/recipes-support/python3-cyclonedx-lib/files/rules b/meta/recipes-support/python3-cyclonedx-lib/files/rules
new file mode 100644
index 00000000..fe72dd1a
--- /dev/null
+++ b/meta/recipes-support/python3-cyclonedx-lib/files/rules
@@ -0,0 +1,8 @@
+#!/usr/bin/make -f
+
+#export DH_VERBOSE = 1
+export PYBUILD_NAME = cyclonedx-python-lib
+export PYBUILD_SYSTEM = pyproject
+
+%:
+	dh $@ --with python3 --buildsystem=pybuild
diff --git a/meta/recipes-support/python3-cyclonedx-lib/python3-cyclonedx-lib_9.1.0.bb b/meta/recipes-support/python3-cyclonedx-lib/python3-cyclonedx-lib_9.1.0.bb
new file mode 100644
index 00000000..738ed1b3
--- /dev/null
+++ b/meta/recipes-support/python3-cyclonedx-lib/python3-cyclonedx-lib_9.1.0.bb
@@ -0,0 +1,48 @@
+# This software is a part of ISAR.
+# Copyright (c) Siemens, 2025
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+DEPENDS:append:bookworm = " python3-packageurl python3-py-serializable"
+DEPENDS:append:noble = " python3-packageurl python3-py-serializable"
+
+S = "${WORKDIR}/cyclonedx_python_lib-${PV}"
+
+MAINTAINER = "Christoph Steiger <christoph.steiger@siemens.com>"
+DPKG_ARCH = "all"
+DEBIAN_BUILD_DEPENDS = "debhelper (>= 11~), \
+                        dh-python, \
+                        python3-all, \
+                        python3-setuptools, \
+                        pybuild-plugin-pyproject, \
+                        python3-poetry, \
+                        python3-py-serializable, \
+                        python3-packageurl, \
+                        python3-sortedcontainers, \
+                        python3-ddt, \
+                        python3-defusedxml, \
+                        python3-license-expression, \
+                        python3-jsonschema, \
+                        python3-lxml, \
+                        "
+
+DEBIAN_DEPENDS = "\${python3:Depends}, \${misc:Depends}"
+
+DESCRIPTION = "Library for serializing and deserializing Python Objects to and from JSON and XML."
+
+SRC_URI = "\
+    https://github.com/CycloneDX/cyclonedx-python-lib/releases/download/v9.1.0/cyclonedx_python_lib-9.1.0.tar.gz \
+    file://rules \
+    file://pybuild.testfiles \
+    "
+SRC_URI[sha256sum] = "86935f2c88a7b47a529b93c724dbd3e903bc573f6f8bd977628a7ca1b5dadea1"
+
+do_prepare_build[cleandirs] += "${S}/debian"
+do_prepare_build() {
+    cp "${WORKDIR}"/pybuild.testfiles "${S}"/debian
+    deb_debianize
+}
diff --git a/meta/recipes-support/python3-packageurl/files/rules b/meta/recipes-support/python3-packageurl/files/rules
new file mode 100644
index 00000000..50e1b74c
--- /dev/null
+++ b/meta/recipes-support/python3-packageurl/files/rules
@@ -0,0 +1,8 @@
+#!/usr/bin/make -f
+
+#export DH_VERBOSE = 1
+export PYBUILD_NAME = packageurl-python
+export PYBUILD_SYSTEM = distutils
+
+%:
+	dh $@ --with python3 --buildsystem=pybuild
diff --git a/meta/recipes-support/python3-packageurl/python3-packageurl_0.16.0.bb b/meta/recipes-support/python3-packageurl/python3-packageurl_0.16.0.bb
new file mode 100644
index 00000000..27209429
--- /dev/null
+++ b/meta/recipes-support/python3-packageurl/python3-packageurl_0.16.0.bb
@@ -0,0 +1,33 @@
+# This software is a part of ISAR.
+# Copyright (c) Siemens, 2025
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+S = "${WORKDIR}/packageurl_python-${PV}"
+
+MAINTAINER = "Christoph Steiger <christoph.steiger@siemens.com>"
+DPKG_ARCH = "all"
+DEBIAN_BUILD_DEPENDS = "debhelper (>= 11~), \
+                        dh-python, \
+                        python3-all, \
+                        python3-setuptools, \
+                        "
+
+DEBIAN_DEPENDS = "\${python3:Depends}, \${misc:Depends}"
+
+DESCRIPTION = "A purl aka. Package URL parser and builder"
+
+SRC_URI = "\
+    https://github.com/package-url/packageurl-python/releases/download/v0.16.0/packageurl_python-0.16.0.tar.gz \
+    file://rules \
+    "
+SRC_URI[sha256sum] = "69e3bf8a3932fe9c2400f56aaeb9f86911ecee2f9398dbe1b58ec34340be365d"
+
+do_prepare_build[cleandirs] += "${S}/debian"
+do_prepare_build() {
+    deb_debianize
+}
diff --git a/meta/recipes-support/python3-py-serializable/files/rules b/meta/recipes-support/python3-py-serializable/files/rules
new file mode 100644
index 00000000..0cf845dd
--- /dev/null
+++ b/meta/recipes-support/python3-py-serializable/files/rules
@@ -0,0 +1,8 @@
+#!/usr/bin/make -f
+
+#export DH_VERBOSE = 1
+export PYBUILD_NAME = py-serializable
+export PYBUILD_SYSTEM = pyproject
+
+%:
+	dh $@ --with python3 --buildsystem=pybuild
diff --git a/meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb b/meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb
new file mode 100644
index 00000000..5bc48c0f
--- /dev/null
+++ b/meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb
@@ -0,0 +1,38 @@
+# This software is a part of ISAR.
+# Copyright (c) Siemens, 2025
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+S = "${WORKDIR}/py_serializable-${PV}"
+
+MAINTAINER = "Christoph Steiger <christoph.steiger@siemens.com>"
+DPKG_ARCH = "all"
+DEBIAN_BUILD_DEPENDS = " \
+    dh-sequence-python3, \
+    pybuild-plugin-pyproject, \
+    python3-all, \
+    python3-defusedxml, \
+    python3-lxml, \
+    python3-poetry-core, \
+    python3-setuptools, \
+    xmldiff, \
+"
+
+DEBIAN_DEPENDS = "\${python3:Depends}, \${misc:Depends}"
+
+DESCRIPTION = "Library for serializing and deserializing Python Objects to and from JSON and XML."
+
+SRC_URI = "\
+    https://github.com/madpah/serializable/releases/download/v2.0.0/py_serializable-2.0.0.tar.gz \
+    file://rules \
+    "
+SRC_URI[sha256sum] = "e9e6491dd7d29c31daf1050232b57f9657f9e8a43b867cca1ff204752cf420a5"
+
+do_prepare_build[cleandirs] += "${S}/debian"
+do_prepare_build() {
+    deb_debianize
+}
diff --git a/meta/recipes-support/python3-spdx-tools/files/rules b/meta/recipes-support/python3-spdx-tools/files/rules
new file mode 100644
index 00000000..ac87528a
--- /dev/null
+++ b/meta/recipes-support/python3-spdx-tools/files/rules
@@ -0,0 +1,25 @@
+#!/usr/bin/make -f
+
+#export DH_VERBOSE = 1
+export PYBUILD_NAME = spdx-tools
+export PYBUILD_SYSTEM = distutils
+
+# skip tests that require hard-to-package dependencies and tests that rely on relative file paths
+# TODO: figure out a way to make these tests work
+export PYBUILD_TEST_ARGS=--ignore tests/spdx3/validation/json_ld/test_shacl_validation.py \
+	-k 'not test_examples \
+	and not test_parse_from_file \
+	and not test_annotation_parser \
+	and not test_snippet_parser \
+	and not test_creation_info_parser \
+	and not test_json_ld_writer \
+	and not test_extracted_licensing_info_parser \
+	and not test_parse_file \
+	and not test_package_parser \
+	and not test_relationship_parser \
+	and not test_graph_parsing_function \
+	and not test_license_expression_parser \
+	'
+
+%:
+	dh $@ --with python3 --buildsystem=pybuild
diff --git a/meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb b/meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb
new file mode 100644
index 00000000..30d090a9
--- /dev/null
+++ b/meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb
@@ -0,0 +1,46 @@
+# This software is a part of ISAR.
+# Copyright (c) Siemens, 2025
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+S = "${WORKDIR}/tools-python-${PV}"
+
+DEPENDS:append:bookworm = " python3-beartype"
+
+MAINTAINER = "Christoph Steiger <christoph.steiger@siemens.com>"
+DPKG_ARCH = "all"
+DEBIAN_BUILD_DEPENDS = "dh-python, \
+                        python3-all, \
+                        python3-setuptools, \
+                        python3-beartype, \
+                        python3-semantic-version, \
+                        python3-license-expression, \
+                        python3-pytest <!nocheck>, \
+                        python3-rdflib, \
+                        python3-uritools, \
+                        python3-ply, \
+                        python3-click, \
+                        python3-xmltodict, \
+                        python3-yaml, \
+                        "
+
+DEBIAN_DEPENDS = "\${python3:Depends}, \${misc:Depends}"
+DEB_BUILD_PROFILES += "nocheck"
+DEB_BUILD_OPTIONS += "nocheck"
+
+DESCRIPTION = "SPDX parser and tools."
+
+SRC_URI = "\
+    https://github.com/spdx/tools-python/archive/refs/tags/v0.8.3.tar.gz \
+    file://rules \
+    "
+SRC_URI[sha256sum] = "17cb0140adbaefb58819c9d5d56060dc6a70c673a854fa9bd882ecfa4e062a7f"
+
+do_prepare_build[cleandirs] += "${S}/debian"
+do_prepare_build() {
+    deb_debianize
+}
-- 
2.51.0

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20251201085813.1616095-3-felix.moessbauer%40siemens.com.

[PATCH v6 03/10] meta: package python3-debsbom

['Felix Moessbauer' via isar-users]

From: Christoph Steiger <christoph.steiger@siemens.com>

Package the python tool debsbom for SBOM generation for Debian based
distributions.

Signed-off-by: Christoph Steiger <christoph.steiger@siemens.com>
---
 ...icense-description-in-pyproject.toml.patch | 28 ++++++++++++
 .../python3-debsbom/files/rules               |  8 ++++
 .../python3-debsbom/python3-debsbom_0.4.0.bb  | 45 +++++++++++++++++++
 3 files changed, 81 insertions(+)
 create mode 100644 meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch
 create mode 100644 meta/recipes-support/python3-debsbom/files/rules
 create mode 100644 meta/recipes-support/python3-debsbom/python3-debsbom_0.4.0.bb

diff --git a/meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch b/meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch
new file mode 100644
index 00000000..c9137e25
--- /dev/null
+++ b/meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch
@@ -0,0 +1,28 @@
+From 8f926ab0ed1585656ba7de80a82cc802c3ccbdbf Mon Sep 17 00:00:00 2001
+From: Christoph Steiger <christoph.steiger@siemens.com>
+Date: Mon, 8 Sep 2025 17:17:49 +0200
+Subject: [PATCH 1/1] Use old license description in pyproject.toml
+
+Older setuptools versions may require a different license field.
+
+Signed-off-by: Christoph Steiger <christoph.steiger@siemens.com>
+---
+ pyproject.toml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pyproject.toml b/pyproject.toml
+index cc34bdb..701da4a 100644
+--- a/pyproject.toml
++++ b/pyproject.toml
+@@ -22,7 +22,7 @@ maintainers = [
+ ]
+ description = "Generate SBOMs for Debian-based distributions."
+ readme = "README.md"
+-license = "MIT"
++license = {text = "MIT"}
+ classifiers = [
+   "Intended Audience :: Developers",
+   "Operating System :: POSIX :: Linux",
+-- 
+2.39.5
+
diff --git a/meta/recipes-support/python3-debsbom/files/rules b/meta/recipes-support/python3-debsbom/files/rules
new file mode 100644
index 00000000..a414114d
--- /dev/null
+++ b/meta/recipes-support/python3-debsbom/files/rules
@@ -0,0 +1,8 @@
+#!/usr/bin/make -f
+
+#export DH_VERBOSE = 1
+export PYBUILD_NAME = debsbom
+export PYBUILD_SYSTEM = pyproject
+
+%:
+	dh $@ --with python3 --buildsystem=pybuild
diff --git a/meta/recipes-support/python3-debsbom/python3-debsbom_0.4.0.bb b/meta/recipes-support/python3-debsbom/python3-debsbom_0.4.0.bb
new file mode 100644
index 00000000..410f358a
--- /dev/null
+++ b/meta/recipes-support/python3-debsbom/python3-debsbom_0.4.0.bb
@@ -0,0 +1,45 @@
+# This software is a part of ISAR.
+# Copyright (c) Siemens, 2025
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+S = "${WORKDIR}/git"
+
+DEPENDS = "python3-spdx-tools"
+DEPENDS:append:bookworm = " python3-packageurl python3-cyclonedx-lib"
+DEPENDS:append:noble = " python3-packageurl python3-cyclonedx-lib"
+
+S = "${WORKDIR}/git"
+
+MAINTAINER = "Christoph Steiger <christoph.steiger@siemens.com>"
+DPKG_ARCH = "all"
+DEBIAN_BUILD_DEPENDS = "dh-python, \
+                        python3-all, \
+                        python3-setuptools, \
+                        pybuild-plugin-pyproject, \
+                        python3-packageurl, \
+                        python3-cyclonedx-lib, \
+                        python3-spdx-tools, \
+                        python3-debian, \
+                        python3-requests, \
+                        python3-zstandard, \
+                        "
+
+DEBIAN_DEPENDS = "python3-apt, \${python3:Depends}, \${misc:Depends}"
+
+DESCRIPTION = "debsbom generates SBOMs for Debian based distributions."
+
+SRC_URI = "git://github.com/siemens/debsbom.git;protocol=https;branch=main; \
+           file://rules \
+           file://0001-Use-old-license-description-in-pyproject.toml.patch \
+           "
+SRCREV = "a600f60966d08803eb17bfb81eb8828921497453"
+
+do_prepare_build[cleandirs] += "${S}/debian"
+do_prepare_build() {
+    deb_debianize
+}
-- 
2.51.0

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20251201085813.1616095-4-felix.moessbauer%40siemens.com.

[PATCH v6 04/10] meta: add SBOM generation with debsbom

['Felix Moessbauer' via isar-users]

From: Christoph Steiger <christoph.steiger@siemens.com>

Generate SBOMs for every rootfs that is created. These SBOMs are placed
in the image deploy directory.

For the generation a small chroot with debsbom installed is created and
from that the rootfs of the image is scanned.

The sbom generation is bound to the rootfs feature `generate-sbom`
which is activated per default now.

Signed-off-by: Christoph Steiger <christoph.steiger@siemens.com>
Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
 meta/classes/image.bbclass                    |  1 +
 meta/classes/initramfs.bbclass                |  3 +-
 meta/classes/rootfs.bbclass                   | 14 +++-
 meta/classes/sbom.bbclass                     | 65 +++++++++++++++++++
 meta/classes/sdk.bbclass                      |  2 +-
 .../sbom-chroot/sbom-chroot.bb                | 30 +++++++++
 6 files changed, 112 insertions(+), 3 deletions(-)
 create mode 100644 meta/classes/sbom.bbclass
 create mode 100644 meta/recipes-devtools/sbom-chroot/sbom-chroot.bb

diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
index b030024f..da7910b2 100644
--- a/meta/classes/image.bbclass
+++ b/meta/classes/image.bbclass
@@ -99,6 +99,7 @@ ROOTFS_FEATURES += "\
     clean-log-files \
     clean-debconf-cache \
     populate-systemd-preset \
+    generate-sbom \
     "
 ROOTFS_PACKAGES += "${IMAGE_PREINSTALL} ${@isar_multiarch_packages('IMAGE_INSTALL', d)}"
 ROOTFS_VARDEPS += "IMAGE_INSTALL"
diff --git a/meta/classes/initramfs.bbclass b/meta/classes/initramfs.bbclass
index 862bd873..570780e1 100644
--- a/meta/classes/initramfs.bbclass
+++ b/meta/classes/initramfs.bbclass
@@ -22,11 +22,12 @@ INITRAMFS_FULLNAME = "${PN}-${DISTRO}-${MACHINE}"
 # Bill-of-material
 ROOTFS_MANIFEST_DEPLOY_DIR = "${DEPLOY_DIR_IMAGE}"
 ROOTFS_PACKAGE_SUFFIX = "${INITRAMFS_FULLNAME}"
+SBOM_DISTRO_NAME:append = "-initramfs"
 
 DEPENDS += "${INITRAMFS_INSTALL}"
 
 ROOTFSDIR = "${INITRAMFS_ROOTFS}"
-ROOTFS_FEATURES = "generate-manifest"
+ROOTFS_FEATURES = "generate-manifest generate-sbom"
 ROOTFS_PACKAGES = "${INITRAMFS_GENERATOR_PKG} ${INITRAMFS_PREINSTALL} ${INITRAMFS_INSTALL}"
 
 # validate if have incompatible packages in the installation list
diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass
index 3027c4dd..2c45a9c7 100644
--- a/meta/classes/rootfs.bbclass
+++ b/meta/classes/rootfs.bbclass
@@ -3,6 +3,8 @@
 
 inherit deb-dl-dir
 
+inherit sbom
+
 ROOTFS_ARCH ?= "${DISTRO_ARCH}"
 ROOTFS_DISTRO ?= "${DISTRO}"
 
@@ -29,11 +31,18 @@ INITRD_IMAGE ?= ""
 # available features are:
 # 'clean-package-cache' - delete package cache from rootfs
 # 'generate-manifest' - generate a package manifest of the rootfs into ${ROOTFS_MANIFEST_DEPLOY_DIR}
+# 'generate-sbom' - generate a SBOM of the rootfs into ${DEPLOY_DIR_SBOM}
 # 'export-dpkg-status' - exports /var/lib/dpkg/status file to ${ROOTFS_DPKGSTATUS_DEPLOY_DIR}
 # 'clean-log-files' - delete log files that are not owned by packages
 # 'populate-systemd-preset' - enable systemd units according to systemd presets
+
 # 'generate-initrd' - generate debian default initrd
 ROOTFS_FEATURES += "${@ 'generate-initrd' if d.getVar('INITRD_IMAGE') == '' else ''}"
+# only supported from bookworm / jammy on
+ROOTFS_FEATURES:remove:buster = "generate-sbom"
+ROOTFS_FEATURES:remove:bullseye = "generate-sbom"
+ROOTFS_FEATURES:remove:jammy = "generate-sbom"
+ROOTFS_FEATURES:remove:focal = "generate-sbom"
 
 ROOTFS_APT_ARGS="install --yes -o Debug::pkgProblemResolver=yes"
 
@@ -480,6 +489,9 @@ cache_dbg_pkgs() {
     fi
 }
 
+# The sbom generator needs the apt-cache, hence run before cleaning it
+ROOTFS_POSTPROCESS_COMMAND += "${@bb.utils.contains('ROOTFS_FEATURES', 'generate-sbom', 'do_generate_sbom', '', d)}"
+
 ROOTFS_POSTPROCESS_COMMAND += "${@bb.utils.contains('ROOTFS_FEATURES', 'clean-package-cache', 'rootfs_postprocess_clean_package_cache', '', d)}"
 rootfs_postprocess_clean_package_cache() {
     sudo -E chroot '${ROOTFSDIR}' \
@@ -649,7 +661,7 @@ python do_rootfs() {
 }
 addtask rootfs before do_build
 
-do_rootfs_postprocess[depends] = "base-apt:do_cache isar-apt:do_cache_config"
+do_rootfs_postprocess[depends] = "base-apt:do_cache isar-apt:do_cache_config ${@bb.utils.contains('ROOTFS_FEATURES', 'generate-sbom', 'sbom-chroot:do_sbomchroot_deploy', '', d)}"
 
 SSTATETASKS += "do_rootfs_install"
 SSTATECREATEFUNCS += "rootfs_install_sstate_prepare"
diff --git a/meta/classes/sbom.bbclass b/meta/classes/sbom.bbclass
new file mode 100644
index 00000000..3ed755d9
--- /dev/null
+++ b/meta/classes/sbom.bbclass
@@ -0,0 +1,65 @@
+# This software is a part of ISAR.
+# Copyright (C) 2025 Siemens
+#
+# SPDX-License-Identifier: MIT
+
+# sbom type to generate, accepted are "cdx" or "spdx"
+SBOM_TYPES ?= "spdx cdx"
+
+SBOM_DEBSBOM_TYPE_ARGS = "${@"-t " + " -t ".join(d.getVar("SBOM_TYPES").split())}"
+
+# general user variables
+SBOM_DISTRO_SUPPLIER ?= "ISAR"
+SBOM_DISTRO_NAME ?= "ISAR-Debian-GNU-Linux"
+SBOM_DISTRO_VERSION ?= "1"
+SBOM_DISTRO_SUMMARY ?= "Linux distribution built with ISAR"
+SBOM_BASE_DISTRO_VENDOR ??= "debian"
+SBOM_DOCUMENT_UUID ?= ""
+
+# SPDX specific user variables
+SBOM_SPDX_NAMESPACE_PREFIX ?= "https://spdx.org/spdxdocs"
+
+DEPLOY_DIR_SBOM = "${DEPLOY_DIR_IMAGE}"
+
+SBOM_DIR = "${DEPLOY_DIR}/sbom"
+SBOM_CHROOT = "${SBOM_DIR}/sbom-chroot"
+
+# adapted from the isar-cip-core image_uuid.bbclass
+def generate_document_uuid(d, warn_not_repr=True):
+    import uuid
+
+    base_hash = d.getVar("BB_TASKHASH")
+    if base_hash is None:
+        if warn_not_repr:
+            bb.warn("no BB_TASKHASH available, SBOM UUID is not reproducible")
+        return uuid.uuid4()
+    return str(uuid.UUID(base_hash[:32], version=4))
+
+def sbom_doc_uuid(d):
+    if not d.getVar("SBOM_DOCUMENT_UUID"):
+        d.setVar("SBOM_DOCUMENT_UUID", generate_document_uuid(d))
+
+generate_sbom() {
+    sudo mkdir -p ${SBOM_CHROOT}/mnt/rootfs ${SBOM_CHROOT}/mnt/deploy-dir
+
+    TIMESTAMP=$(date --iso-8601=s -d @${SOURCE_DATE_EPOCH})
+    bwrap \
+        --unshare-user \
+        --unshare-pid \
+        --bind ${SBOM_CHROOT} / \
+        --bind ${ROOTFSDIR} /mnt/rootfs \
+        --bind ${DEPLOY_DIR_SBOM} /mnt/deploy-dir \
+        -- debsbom -v generate ${SBOM_DEBSBOM_TYPE_ARGS} -r /mnt/rootfs -o /mnt/deploy-dir/'${PN}-${DISTRO}-${MACHINE}' \
+            --distro-name '${SBOM_DISTRO_NAME}' --distro-supplier '${SBOM_DISTRO_SUPPLIER}' \
+            --distro-version '${SBOM_DISTRO_VERSION}' --distro-arch '${DISTRO_ARCH}' \
+            --base-distro-vendor '${SBOM_BASE_DISTRO_VENDOR}' \
+            --cdx-serialnumber '${SBOM_DOCUMENT_UUID}' \
+            --spdx-namespace '${SBOM_SPDX_NAMESPACE_PREFIX}'-'${SBOM_DOCUMENT_UUID}' \
+            --timestamp $TIMESTAMP
+}
+
+do_generate_sbom[dirs] += "${DEPLOY_DIR_SBOM}"
+python do_generate_sbom() {
+    sbom_doc_uuid(d)
+    bb.build.exec_func("generate_sbom", d)
+}
diff --git a/meta/classes/sdk.bbclass b/meta/classes/sdk.bbclass
index 81d3c65e..17b56bcf 100644
--- a/meta/classes/sdk.bbclass
+++ b/meta/classes/sdk.bbclass
@@ -48,7 +48,7 @@ ROOTFS_ARCH:class-sdk = "${HOST_ARCH}"
 ROOTFS_DISTRO:class-sdk = "${@get_rootfs_distro(d)}"
 ROOTFS_PACKAGES:class-sdk = "sdk-files ${SDK_TOOLCHAIN} ${SDK_PREINSTALL} ${@isar_multiarch_packages('SDK_INSTALL', d)}"
 ROOTFS_VARDEPS:class-sdk = "SDK_INSTALL SDK_INCLUDE_ISAR_APT"
-ROOTFS_FEATURES:append:class-sdk = " clean-package-cache generate-manifest export-dpkg-status"
+ROOTFS_FEATURES:append:class-sdk = " clean-package-cache generate-manifest export-dpkg-status generate-sbom"
 ROOTFS_MANIFEST_DEPLOY_DIR:class-sdk = "${DEPLOY_DIR_SDKCHROOT}"
 ROOTFS_DPKGSTATUS_DEPLOY_DIR:class-sdk = "${DEPLOY_DIR_SDKCHROOT}"
 
diff --git a/meta/recipes-devtools/sbom-chroot/sbom-chroot.bb b/meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
new file mode 100644
index 00000000..58200382
--- /dev/null
+++ b/meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
@@ -0,0 +1,30 @@
+# This software is a part of ISAR.
+#
+# Copyright (C) 2025 Siemens
+
+LICENSE = "gpl-2.0"
+LIC_FILES_CHKSUM = "file://${LAYERDIR_core}/licenses/COPYING.GPLv2;md5=751419260aa954499f7abaabaa882bbe"
+
+PV = "1.0"
+
+inherit rootfs
+
+ROOTFS_ARCH = "${HOST_ARCH}"
+ROOTFS_DISTRO = "${@get_rootfs_distro(d)}"
+ROOTFS_BASE_DISTRO = "${HOST_BASE_DISTRO}"
+
+ROOTFS_FEATURES = "no-generate-initrd"
+ROOTFS_INSTALL_COMMAND:remove = "rootfs_restore_initrd_tooling"
+
+# additional packages for the SBOM chroot
+SBOM_IMAGE_INSTALL = "python3-debsbom"
+DEPENDS += "python3-debsbom"
+
+ROOTFSDIR = "${WORKDIR}/rootfs"
+ROOTFS_PACKAGES = "${SBOM_IMAGE_INSTALL}"
+
+do_sbomchroot_deploy[dirs] = "${SBOM_DIR}"
+do_sbomchroot_deploy() {
+    ln -Tfsr "${ROOTFSDIR}" "${SBOM_CHROOT}"
+}
+addtask do_sbomchroot_deploy before do_build after do_rootfs
-- 
2.51.0

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20251201085813.1616095-5-felix.moessbauer%40siemens.com.

[PATCH v6 05/10] override distro vendor in SBOM on Ubuntu

['Felix Moessbauer' via isar-users]

When generating an SBOM for Ubuntu, the vendor component of the PURL
needs to be ubuntu (instead of debian). We now set it accordingly.

Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
 meta-isar/conf/distro/ubuntu-common.inc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta-isar/conf/distro/ubuntu-common.inc b/meta-isar/conf/distro/ubuntu-common.inc
index dbfeed4a..8b9964c8 100644
--- a/meta-isar/conf/distro/ubuntu-common.inc
+++ b/meta-isar/conf/distro/ubuntu-common.inc
@@ -42,3 +42,5 @@ SYSTEMD_BOOTLOADER_INSTALL:jammy = "systemd:${DISTRO_ARCH}"
 
 # snapshot mirror for reproducible builds
 DISTRO_APT_SNAPSHOT_PREMIRROR ??= "(http|https)://archive.ubuntu.com/(.*) https://snapshot.ubuntu.com/\2/${ISAR_APT_SNAPSHOT_DATE_INTERNAL}\n"
+
+SBOM_BASE_DISTRO_VENDOR ?= "ubuntu"
-- 
2.51.0

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20251201085813.1616095-6-felix.moessbauer%40siemens.com.

[PATCH v6 06/10] add support to add imager dependencies to BOM

['Felix Moessbauer' via isar-users]

Currently the imager dependencies which end up in the image are not
tracked in any BOM (e.g. the manifest file). As these cannot be
automatically derived from the IMAGER_INSTALL packages, we add a new
variable IMAGER_BOM that takes a list of binary packages which are
looked-up using dpkg-query during imaging and added to a local manifest.

Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
 doc/user_manual.md                         | 1 +
 meta/classes/image-tools-extension.bbclass | 7 +++++++
 meta/classes/image.bbclass                 | 6 ++++++
 3 files changed, 14 insertions(+)

diff --git a/doc/user_manual.md b/doc/user_manual.md
index 4df122a8..6d08ef71 100644
--- a/doc/user_manual.md
+++ b/doc/user_manual.md
@@ -449,6 +449,7 @@ Some other variables include:
  - `FILESEXTRAPATHS` - The default directories BitBake uses when it processes recipes are initially defined by the FILESPATH variable. You can extend FILESPATH variable by using FILESEXTRAPATHS.
  - `FILESOVERRIDES` - A subset of OVERRIDES used by the build system for creating FILESPATH. The FILESOVERRIDES variable uses overrides to automatically extend the FILESPATH variable.
  - `IMAGER_INSTALL` -  The list of package dependencies for an imager like wic.
+ - `IMAGER_BOM` - The list of packages that should be added to the image BOM (e.g. the bootloader). These packages must also be available in the imager rootfs.
 
 ---
 
diff --git a/meta/classes/image-tools-extension.bbclass b/meta/classes/image-tools-extension.bbclass
index 3f284b39..2027effb 100644
--- a/meta/classes/image-tools-extension.bbclass
+++ b/meta/classes/image-tools-extension.bbclass
@@ -18,6 +18,7 @@ SCHROOT_MOUNTS += "${REPO_ISAR_DIR}/${DISTRO}:/isar-apt"
 
 imager_run() {
     local_install="${@(d.getVar("INSTALL_%s" % d.getVar("BB_CURRENTTASK")) or '').strip()}"
+    local_bom="${@(d.getVar("BOM_%s" % d.getVar("BB_CURRENTTASK")) or '').strip()}"
 
     schroot_create_configs
     insert_mounts
@@ -68,6 +69,12 @@ EOAPT
 
     schroot -r -c ${session_id} "$@"
 
+    if [ -n "${local_bom}" ]; then
+        schroot -r -c ${session_id} -d / -- \
+            dpkg-query -W -f='${source:Package}|${source:Version}|${Package}:${Architecture}|${Version}\n' ${local_bom} > \
+        ${WORKDIR}/imager.manifest
+    fi
+
     schroot -e -c ${session_id}
 
     remove_mounts
diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
index da7910b2..5a42c230 100644
--- a/meta/classes/image.bbclass
+++ b/meta/classes/image.bbclass
@@ -217,6 +217,7 @@ python() {
 
     imager_install = set()
     imager_build_deps = set()
+    imager_bom = set()
     conversion_install = set()
     for bt in basetypes:
         local_imager_install = set()
@@ -247,6 +248,8 @@ python() {
             local_imager_install.add(dep)
         for dep in (d.getVar('IMAGER_BUILD_DEPS:' + bt_clean) or '').split():
             imager_build_deps.add(dep)
+        for dep in (d.getVar('IMAGER_BOM:' + bt_clean) or '').split():
+            imager_bom.add(dep)
 
         # construct image command
         image_cmd = localdata.getVar('IMAGE_CMD:' + bt_clean)
@@ -321,11 +324,14 @@ python() {
         bb.build.addtask(task, 'do_image', after, d)
 
         # set per type imager dependencies
+        d.setVar('BOM_image_%s' % bt_clean, d.getVar('IMAGER_BOM'))
+        d.appendVar('BOM_image_%s' % bt_clean, ' ' + ' '.join(sorted(imager_bom)))
         d.setVar('INSTALL_image_%s' % bt_clean, d.getVar('IMAGER_INSTALL'))
         d.appendVar('INSTALL_image_%s' % bt_clean, ' ' + ' '.join(sorted(local_imager_install | local_conversion_install)))
         d.appendVarFlag(task, 'vardeps', ' INSTALL_image_%s' % bt_clean)
 
     d.appendVar('IMAGER_INSTALL', ' ' + ' '.join(sorted(imager_install | conversion_install)))
+    d.appendVar('IMAGER_BOM', ' ' + ' '.join(sorted(imager_bom)))
     d.appendVar('IMAGER_BUILD_DEPS', ' ' + ' '.join(sorted(imager_build_deps)))
 }
 
-- 
2.51.0

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20251201085813.1616095-7-felix.moessbauer%40siemens.com.

[PATCH v6 07/10] wic: create uniform manifest describing all image components

['Felix Moessbauer' via isar-users]

A wic image consists of potentially many different components. All these
should be covered by a single BOM.

After creating the wic image, we collect the individual manifest files
(rootfs, initrd, imaging), deduplicate it and deploy it into the image
deploy dir (as .wic.manifest).

Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
 meta/classes/imagetypes_wic.bbclass | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/meta/classes/imagetypes_wic.bbclass b/meta/classes/imagetypes_wic.bbclass
index fb0b81a9..c75d481d 100644
--- a/meta/classes/imagetypes_wic.bbclass
+++ b/meta/classes/imagetypes_wic.bbclass
@@ -196,4 +196,9 @@ EOIMAGER
     sudo chown -R $(stat -c "%U" ${LAYERDIR_core}) ${LAYERDIR_core} ${LAYERDIR_isar} ${SCRIPTSDIR} || true
     sudo chown -R $(id -u):$(id -g) "${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.wic"*
     rm -rf ${IMAGE_ROOTFS}/../pseudo
+
+    cat ${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.manifest \
+        ${DEPLOY_DIR_IMAGE}/${INITRD_DEPLOY_FILE}.manifest \
+        ${WORKDIR}/imager.manifest 2>/dev/null \
+        | sort | uniq > "${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.wic.manifest"
 }
-- 
2.51.0

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20251201085813.1616095-8-felix.moessbauer%40siemens.com.

[PATCH v6 08/10] qemuamd64: add IMAGER_BOM entries

['Felix Moessbauer' via isar-users]

To give an example how to add components to the imager BOM, we set the
corresponding variable for the qemuamd64 target. As the isar-image-ci
changes the bootloader of the qemuamd64 machine, we also need to
reflect that change in the IMAGER_BOM entry.

Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
 meta-isar/conf/machine/qemuamd64.conf          | 1 +
 meta-test/recipes-core/images/isar-image-ci.bb | 1 +
 2 files changed, 2 insertions(+)

diff --git a/meta-isar/conf/machine/qemuamd64.conf b/meta-isar/conf/machine/qemuamd64.conf
index 7d5987c6..8d0753a8 100644
--- a/meta-isar/conf/machine/qemuamd64.conf
+++ b/meta-isar/conf/machine/qemuamd64.conf
@@ -7,6 +7,7 @@ KERNEL_NAME ?= "amd64"
 
 IMAGE_FSTYPES ?= "wic"
 WKS_FILE ?= "sdimage-efi"
+IMAGER_BOM:wic += "${GRUB_BOOTLOADER_INSTALL}"
 IMAGER_INSTALL:wic += "${GRUB_BOOTLOADER_INSTALL}"
 
 QEMU_ARCH ?= "x86_64"
diff --git a/meta-test/recipes-core/images/isar-image-ci.bb b/meta-test/recipes-core/images/isar-image-ci.bb
index 9133da74..961a3057 100644
--- a/meta-test/recipes-core/images/isar-image-ci.bb
+++ b/meta-test/recipes-core/images/isar-image-ci.bb
@@ -24,6 +24,7 @@ WKS_FILE:qemuamd64:debian-bullseye ?= "sdimage-efi-btrfs"
 IMAGE_INSTALL:append:qemuamd64:debian-bullseye = " expand-on-first-boot"
 IMAGER_INSTALL:remove:qemuamd64:debian-bullseye ?= "${GRUB_BOOTLOADER_INSTALL}"
 IMAGER_INSTALL:append:qemuamd64:debian-bullseye ?= " ${SYSTEMD_BOOTLOADER_INSTALL} btrfs-progs"
+IMAGER_BOM:wic = "${SYSTEMD_BOOTLOADER_INSTALL}"
 IMAGE_PREINSTALL:append:qemuamd64:debian-bullseye ?= " btrfs-progs"
 # Explicitly remove from wic since it is set in qemuamd64.conf:
 IMAGER_INSTALL:wic:remove:qemuamd64:debian-bullseye ?= "${GRUB_BOOTLOADER_INSTALL}"
-- 
2.51.0

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20251201085813.1616095-9-felix.moessbauer%40siemens.com.

[PATCH v6 09/10] imager: create SBOM of IMAGER_BOM packages

['Felix Moessbauer' via isar-users]

This uses the same interface as the .manifest file, but adds the
packagse to an SBOM.

Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
 meta/classes/image-tools-extension.bbclass | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/meta/classes/image-tools-extension.bbclass b/meta/classes/image-tools-extension.bbclass
index 2027effb..95f003d0 100644
--- a/meta/classes/image-tools-extension.bbclass
+++ b/meta/classes/image-tools-extension.bbclass
@@ -73,6 +73,8 @@ EOAPT
         schroot -r -c ${session_id} -d / -- \
             dpkg-query -W -f='${source:Package}|${source:Version}|${Package}:${Architecture}|${Version}\n' ${local_bom} > \
         ${WORKDIR}/imager.manifest
+
+        ${@bb.utils.contains('ROOTFS_FEATURES', 'generate-sbom', 'generate_imager_sbom', '', d)}
     fi
 
     schroot -e -c ${session_id}
@@ -80,3 +82,23 @@ EOAPT
     remove_mounts
     schroot_delete_configs
 }
+
+generate_imager_sbom() {
+    TIMESTAMP=$(date --iso-8601=s -d @${SOURCE_DATE_EPOCH})
+    sbom_document_uuid="${@d.getVar('SBOM_DOCUMENT_UUID') or generate_document_uuid(d, False)}"
+    bwrap \
+        --unshare-user \
+        --unshare-pid \
+        --bind ${SBOM_CHROOT} / \
+        --bind $schroot_dir /mnt/rootfs \
+        --bind ${WORKDIR} /mnt/deploy-dir \
+        -- debsbom -vv generate ${SBOM_DEBSBOM_TYPE_ARGS} \
+            --from-pkglist -r /mnt/rootfs -o /mnt/deploy-dir/imager \
+            --distro-name '${SBOM_DISTRO_NAME}-Imager' --distro-supplier '${SBOM_DISTRO_SUPPLIER}' \
+            --distro-version '${SBOM_DISTRO_VERSION}' --distro-arch '${DISTRO_ARCH}' \
+            --base-distro-vendor '${SBOM_BASE_DISTRO_VENDOR}' \
+            --cdx-serialnumber $sbom_document_uuid \
+            --spdx-namespace '${SBOM_SPDX_NAMESPACE_PREFIX}'-$sbom_document_uuid \
+            --timestamp $TIMESTAMP \
+    < ${WORKDIR}/imager.manifest
+}
-- 
2.51.0

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20251201085813.1616095-10-felix.moessbauer%40siemens.com.

[PATCH v6 10/10] wic: create uniform SBOM describing all image components

['Felix Moessbauer' via isar-users]

A wic image consists of potentially many different components. All these
should be covered by a single SBOM.

After creating the wic image, we collect the individual sbom files
(rootfs, initrd, imaging) and semantically merge it with the debsbom
tool. The merge SBOM is then deployed as .wic.(spdx|cdx).json next to
the wic image.

Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
 meta/classes/imagetypes_wic.bbclass | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/meta/classes/imagetypes_wic.bbclass b/meta/classes/imagetypes_wic.bbclass
index c75d481d..fe31e4e6 100644
--- a/meta/classes/imagetypes_wic.bbclass
+++ b/meta/classes/imagetypes_wic.bbclass
@@ -201,4 +201,29 @@ EOIMAGER
         ${DEPLOY_DIR_IMAGE}/${INITRD_DEPLOY_FILE}.manifest \
         ${WORKDIR}/imager.manifest 2>/dev/null \
         | sort | uniq > "${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.wic.manifest"
+
+    for bomtype in ${SBOM_TYPES}; do
+        merge_wic_sbom $bomtype
+    done
+}
+
+merge_wic_sbom() {
+    BOMTYPE="$1"
+    TIMESTAMP=$(date --iso-8601=s -d @${SOURCE_DATE_EPOCH})
+    sbom_document_uuid="${@d.getVar('SBOM_DOCUMENT_UUID') or generate_document_uuid(d, False)}"
+
+    cat ${IMAGE_FULLNAME}.${bomtype}.json \
+        ${INITRD_DEPLOY_FILE}.${bomtype}.json \
+        ${WORKDIR}/imager.${bomtype}.json 2>/dev/null | \
+    bwrap \
+        --unshare-user \
+        --unshare-pid \
+        --bind ${SBOM_CHROOT} / \
+        -- debsbom -v merge -t $BOMTYPE \
+            --distro-name '${SBOM_DISTRO_NAME}-Image' --distro-supplier '${SBOM_DISTRO_SUPPLIER}' \
+            --distro-version '${SBOM_DISTRO_VERSION}' --base-distro-vendor '${SBOM_BASE_DISTRO_VENDOR}' \
+            --cdx-serialnumber $sbom_document_uuid \
+            --spdx-namespace '${SBOM_SPDX_NAMESPACE_PREFIX}'-$sbom_document_uuid \
+            --timestamp $TIMESTAMP - -o - \
+     > ${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.wic.$bomtype.json
 }
-- 
2.51.0

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20251201085813.1616095-11-felix.moessbauer%40siemens.com.

Re: [PATCH v6 00/10] Add SBOM generation with debsbom

['Jan Kiszka' via isar-users]

On 01.12.25 09:58, Felix Moessbauer wrote:
> This patchset adds proper SBOM generation in the two standard formats
> SPDX and CycloneDX during the rootfs generation process.
> 
> The generation is itself is handled by a SBOM generator  `debsbom` [1]
> which is developed as an open source project at Siemens. It is still
> early in development, but it has enough features for what we require
> in isar. The required dependencies which are not yet available as
> Debian packages were minimally packaged directly in isar too.
> 
> This is a followup of the previous RFC [2]. Since then the series has
> changed a lot. The SBOM generation was moved from a simple OE lib to
> `debsbom`. This also meant the introduction of a separate chroot was
> necessary. The SBOM generation process was also moved from the image
> step to the rootfs step, along with a lot of minor changes and
> improvements.
> 
> [1] https://github.com/siemens/debsbom
> [2] https://groups.google.com/g/isar-users/c/8L-CF4BJY0I/m/p0N3o_zfAAAJ
> 
> Changes since v5:
> 
> - fix isar-image-ci on qemuamd64-bullseye (set IMAGER_BOM according to
>   machine changes made in image file)
> - rebased onto next
> 
> Changes since v4:
> 
> - rebased onto next
> - fix race condition on creation of ${DEPLOY_DIR_SBOM} (aka ${DEPLOY_DIR_IMAGE})
> 
> Changes since v3:
> 
> - fix issue on external bullseye initramfs (we now disable sbom generation
>   on all unsupported distros rootfs instances)
> - update debsbom to v0.4.0
> - rebased onto next
> 
> Changes since v2:
> 
> - fix issues when HOST_ARCH != DISTRO_ARCH on derived distributions
> - update debsbom to v0.3.0, which fixes the Origin: bug reported in v2
> - generate SBOM for imager as well and create merged sbom of .wic image
> - resend imager manifest + wic manifest patches to reduce conflicts
> 
> Note, that the patches p1-p5 are most important as they add basic SBOM
> support. The remaining patches address the imager + .wic bom part,
> which also can be merged later on.
> 
> Changes since v1:
> 
> - remove tarball
> - refactor packaging (auto-derive python dependencies)
> - only build missing packages (varies on bookworm, trixie, noble)
> - add ubuntu support
> - only generate sboms for supported distributions (bookworm/jammy and
>   onwards)
> - update debsbom (includes bug fixes and more information for source
>   packages)
> 
> 
> Christoph Steiger (3):
>   meta: package python libraries for SBOM generation
>   meta: package python3-debsbom
>   meta: add SBOM generation with debsbom
> 
> Felix Moessbauer (7):
>   refactor: move get_rootfs_distro from sdk into rootfs
>   override distro vendor in SBOM on Ubuntu
>   add support to add imager dependencies to BOM
>   wic: create uniform manifest describing all image components
>   qemuamd64: add IMAGER_BOM entries
>   imager: create SBOM of IMAGER_BOM packages
>   wic: create uniform SBOM describing all image components
> 
>  doc/user_manual.md                            |  1 +
>  meta-isar/conf/distro/ubuntu-common.inc       |  2 +
>  meta-isar/conf/machine/qemuamd64.conf         |  1 +
>  .../recipes-core/images/isar-image-ci.bb      |  1 +
>  meta/classes/image-tools-extension.bbclass    | 29 +++++++++
>  meta/classes/image.bbclass                    |  7 ++
>  meta/classes/imagetypes_wic.bbclass           | 30 +++++++++
>  meta/classes/initramfs.bbclass                |  3 +-
>  meta/classes/rootfs.bbclass                   | 23 ++++++-
>  meta/classes/sbom.bbclass                     | 65 +++++++++++++++++++

New classes should go into the right category already, then rebasing is
easier for whoever has to do it in the light of
https://patchwork.isar-build.org/project/isar/list/?series=1780. Look at
the dracut series.

Jan

-- 
Siemens AG, Foundational Technologies
Linux Expert Center

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20caede7-0708-4ed4-8aac-084bffaa6887%40siemens.com.

Re: [PATCH v6 00/10] Add SBOM generation with debsbom

['MOESSBAUER, Felix' via isar-users]

On Mon, 2025-12-01 at 10:15 +0100, Jan Kiszka wrote:
> On 01.12.25 09:58, Felix Moessbauer wrote:
> > This patchset adds proper SBOM generation in the two standard formats
> > SPDX and CycloneDX during the rootfs generation process.
> > 
> > The generation is itself is handled by a SBOM generator  `debsbom` [1]
> > which is developed as an open source project at Siemens. It is still
> > early in development, but it has enough features for what we require
> > in isar. The required dependencies which are not yet available as
> > Debian packages were minimally packaged directly in isar too.
> > 
> > This is a followup of the previous RFC [2]. Since then the series has
> > changed a lot. The SBOM generation was moved from a simple OE lib to
> > `debsbom`. This also meant the introduction of a separate chroot was
> > necessary. The SBOM generation process was also moved from the image
> > step to the rootfs step, along with a lot of minor changes and
> > improvements.
> > 
> > [1] https://github.com/siemens/debsbom
> > [2] https://groups.google.com/g/isar-users/c/8L-CF4BJY0I/m/p0N3o_zfAAAJ
> > 
> > Changes since v5:
> > 
> > - fix isar-image-ci on qemuamd64-bullseye (set IMAGER_BOM according to
> >   machine changes made in image file)
> > - rebased onto next
> > 
> > Changes since v4:
> > 
> > - rebased onto next
> > - fix race condition on creation of ${DEPLOY_DIR_SBOM} (aka ${DEPLOY_DIR_IMAGE})
> > 
> > Changes since v3:
> > 
> > - fix issue on external bullseye initramfs (we now disable sbom generation
> >   on all unsupported distros rootfs instances)
> > - update debsbom to v0.4.0
> > - rebased onto next
> > 
> > Changes since v2:
> > 
> > - fix issues when HOST_ARCH != DISTRO_ARCH on derived distributions
> > - update debsbom to v0.3.0, which fixes the Origin: bug reported in v2
> > - generate SBOM for imager as well and create merged sbom of .wic image
> > - resend imager manifest + wic manifest patches to reduce conflicts
> > 
> > Note, that the patches p1-p5 are most important as they add basic SBOM
> > support. The remaining patches address the imager + .wic bom part,
> > which also can be merged later on.
> > 
> > Changes since v1:
> > 
> > - remove tarball
> > - refactor packaging (auto-derive python dependencies)
> > - only build missing packages (varies on bookworm, trixie, noble)
> > - add ubuntu support
> > - only generate sboms for supported distributions (bookworm/jammy and
> >   onwards)
> > - update debsbom (includes bug fixes and more information for source
> >   packages)
> > 
> > 
> > Christoph Steiger (3):
> >   meta: package python libraries for SBOM generation
> >   meta: package python3-debsbom
> >   meta: add SBOM generation with debsbom
> > 
> > Felix Moessbauer (7):
> >   refactor: move get_rootfs_distro from sdk into rootfs
> >   override distro vendor in SBOM on Ubuntu
> >   add support to add imager dependencies to BOM
> >   wic: create uniform manifest describing all image components
> >   qemuamd64: add IMAGER_BOM entries
> >   imager: create SBOM of IMAGER_BOM packages
> >   wic: create uniform SBOM describing all image components
> > 
> >  doc/user_manual.md                            |  1 +
> >  meta-isar/conf/distro/ubuntu-common.inc       |  2 +
> >  meta-isar/conf/machine/qemuamd64.conf         |  1 +
> >  .../recipes-core/images/isar-image-ci.bb      |  1 +
> >  meta/classes/image-tools-extension.bbclass    | 29 +++++++++
> >  meta/classes/image.bbclass                    |  7 ++
> >  meta/classes/imagetypes_wic.bbclass           | 30 +++++++++
> >  meta/classes/initramfs.bbclass                |  3 +-
> >  meta/classes/rootfs.bbclass                   | 23 ++++++-
> >  meta/classes/sbom.bbclass                     | 65 +++++++++++++++++++
> 
> New classes should go into the right category already, then rebasing is
> easier for whoever has to do it in the light of
> https://patchwork.isar-build.org/project/isar/list/?series=1780. Look at
> the dracut series.

Hi, according to my interpretation of the use-more-classes series and
the dracut series, the sbom class is already correct. The sbom series
also cleanly applies and works on top of the use-more-classes series.

Felix

> 
> Jan
> 
> -- 
> Siemens AG, Foundational Technologies
> Linux Expert Center

-- 
Siemens AG
Linux Expert Center
Friedrich-Ludwig-Bauer-Str. 3
85748 Garching, Germany

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/c52a6c4481da1f6f3ca2a01b8e7948ef33b0bcc0.camel%40siemens.com.

RE: [PATCH v6 00/10] Add SBOM generation with debsbom

['Bouska, Zdenek' via isar-users]

> This patchset adds proper SBOM generation in the two standard formats
> SPDX and CycloneDX during the rootfs generation process.

libre2-11 (provider of virtual package libre2-11-absl20240722) is
missing as dependency of libgrpc29t64 in
build/tmp/deploy/images/qemuamd64/isar-image-base-debian-trixie-qemuamd64.wic.cdx.json
See dependencies on Debian Trixie [1].

Reproduce by a bit older isar so that this patchset works:
2efd5d4ca3b4abf2386fe0089594029becdf2801
$ isar/kas/kas-container build trixie-grpc.yml
$ cat trixie-grpc.yml
header:
  version: 14

build_system: isar

machine: qemuamd64
distro: debian-trixie

target: mc:qemuamd64-trixie:isar-image-base

repos:
  isar:
    path: isar
    layers:
      meta:
      meta-isar:

local_conf_header:
  meta-custom: |
    IMAGE_PREINSTALL:append = " libgrpc29t64"


[1] https://packages.debian.org/trixie/libgrpc29t64

Thank you for pushing debsbom to isar!
Zdenek Bouska

-- 
Siemens, s.r.o
Foundational Technologies

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/AS1PR10MB5675B5F1D4273515A9E3F4A9EBA7A%40AS1PR10MB5675.EURPRD10.PROD.OUTLOOK.COM.

Re: [PATCH v6 00/10] Add SBOM generation with debsbom

[Zhihang Wei]

Hi,
There are mulltiple test cases failed on CI.


On fast CI:

Failed test case: citest.py:DevTest.test_dev
ERROR: Logfile of failure stored in: 
/build/isar_wzh_devel_5b_fast/4/build/tmp/work/debian-bookworm-amd64/isar-image-ci-qemuamd64/1.0-r0/temp/log.do_image_wic.3897481
dpkg-query: no packages found matching systemd-boot-efi:amd64

Failed test case: citest.py:DevTest.test_dev_apps
ERROR: Logfile of failure stored in: 
/build/isar_wzh_devel_5b_fast/4/build/tmp/work/debian-bookworm-amd64/isar-image-ci-qemuamd64/1.0-r0/temp/log.do_image_wic.18529
dpkg-query: no packages found matching systemd-boot-efi:amd64

Failed test case: citest.py:DevTest.test_dev_rebuild
ERROR: Logfile of failure stored in: 
/build/isar_wzh_devel_5b_fast/4/build/tmp/work/debian-bookworm-amd64/isar-image-ci-qemuamd64/1.0-r0/temp/log.do_image_wic.262594
dpkg-query: no packages found matching systemd-boot-efi:amd64

Failed test case: citest.py:CrossTest.test_cross_debsrc
ERROR: Logfile of failure stored in: 
/build/isar_wzh_devel_5b_fast/4/build/tmp/work/debian-bookworm-arm64/isar-image-ci-qemuarm64/1.0-r0/temp/log.do_image_wic.3057235
dpkg-query: no packages found matching systemd-boot-efi:arm64

Failed test case: citest.py:CrossTest.test_cross_dependencies
ERROR: Logfile of failure stored in: 
/build/isar_wzh_devel_5b_fast/4/build/tmp/work/debian-bookworm-arm64/isar-image-ci-qemuarm64/1.0-r0/temp/log.do_image_wic.772494
dpkg-query: no packages found matching systemd-boot-efi:arm64


On full CI:

Failed test case: citest.py:ReproTest.test_repro_unsigned:
ERROR: Logfile of failure stored in: 
/build/isar_wzh_devel_7b/28/build/tmp/work/debian-bookworm-amd64/isar-image-base-qemuamd64/1.0-r0/temp/log.do_image_wic.862703
bwrap: Can't mkdir /mnt/rootfs: Permission denied
I assume this is related with CI environment. This error is also there 
for v5.

Failed test case: citest.py:InstallerTest.test_installer_build:
ERROR: Logfile of failure stored in: 
/build/isar_wzh_devel_7b/28/build/tmp/work/debian-bookworm-amd64/isar-image-ci-qemuamd64/1.0-r0/temp/log.do_image_wic.1240668
dpkg-query: no packages found matching systemd-boot-efi:amd64

Failed test case: citest.py:KernelTests.test_per_kernel:
Logfile of failure stored in: 
/build/isar_wzh_devel_7b/28/build/tmp/work/debian-bookworm-arm64/isar-image-ci-qemuarm64/1.0-r0/temp/log.do_image_wic.1626092
dpkg-query: no packages found matching systemd-boot-efi:arm64

Failed test case: citest.py:InitRdTest.test_dracut_in_image:
ERROR: Logfile of failure stored in: 
/build/isar_wzh_devel_7b/28/build/tmp/work/debian-bookworm-amd64/isar-image-ci-qemuamd64/1.0-r0/temp/log.do_image_wic.1723289
dpkg-query: no packages found matching systemd-boot-efi:amd64

Failed test case: citest.py:InitRdCrossTests.test_dracut_in_image:
ERROR: Logfile of failure stored in: 
/build/isar_wzh_devel_7b/28/build/tmp/work/debian-bookworm-amd64/isar-image-ci-qemuamd64/1.0-r0/temp/log.do_image_wic.2466233
dpkg-query: no packages found matching systemd-boot-efi:amd64

Failed test case: citest.py:WicTest.test_wic_nodeploy_partitions:
ERROR: Logfile of failure stored in: 
/build/isar_wzh_devel_7b/28/build/tmp/work/debian-bookworm-arm64/isar-image-ci-qemuarm64/1.0-r0/temp/log.do_image_wic.2823952
dpkg-query: no packages found matching systemd-boot-efi:arm64

Failed test case: citest.py:WicTest.test_wic_deploy_partitions:
ERROR: Logfile of failure stored in: 
/build/isar_wzh_devel_7b/28/build/tmp/work/debian-bookworm-arm64/isar-image-ci-qemuarm64/1.0-r0/temp/log.do_image_wic.2892279
dpkg-query: no packages found matching systemd-boot-efi:arm64

07:06:42 
18-/build/isar_wzh_devel_7b/28/testsuite/citest.py:NoCrossTest.test_nocross:
ERROR: Logfile of failure stored in: 
/build/isar_wzh_devel_7b/28/build/tmp/work/debian-bookworm-amd64/isar-image-ci-qemuamd64-iso/1.0-r0/temp/log.do_image_squashfs.1864458
dpkg-query: no packages found matching systemd-boot-efi:amd64

Failed test case: citest.py:SstateTest.test_sstate_populate:
ERROR: Logfile of failure stored in: 
/build/isar_wzh_devel_7b/28/build-sstate/tmp/work/debian-bullseye-amd64/isar-image-base-qemuamd64/1.0-r0/temp/log.do_image_wic.1858017
bwrap: Can't find source path 
/build/isar_wzh_devel_7b/28/build-sstate/tmp/deploy/sbom/sbom-chroot: No 
such file or directory

Failed test case: citest.py:SstateTest.test_sstate:
ERROR: Logfile of failure stored in: 
/build/isar_wzh_devel_7b/28/build-sstate/tmp/work/debian-bullseye-amd64/isar-image-base-qemuamd64/1.0-r0/temp/log.do_image_wic.1943793
[stdlog] 2025-12-05 05:40:29,889 avocado.test cibuilder L0321 INFO | | 
Traceback (most recent call last):
[stdlog] 2025-12-05 05:40:29,889 avocado.test cibuilder L0321 INFO | |  
  File "/build/isar_wzh_devel_7b/28/scripts/wic", line 547, in <module>
[stdlog] 2025-12-05 05:40:29,889 avocado.test cibuilder L0321 INFO | |  
    sys.exit(main(sys.argv[1:]))
[stdlog] 2025-12-05 05:40:29,889 avocado.test cibuilder L0321 INFO | |  
  File "/build/isar_wzh_devel_7b/28/scripts/wic", line 542, in main
[stdlog] 2025-12-05 05:40:29,889 avocado.test cibuilder L0321 INFO | |  
    return hlp.invoke_subcommand(args, parser, hlp.wic_help_usage, 
subcommands)
[stdlog] 2025-12-05 05:40:29,889 avocado.test cibuilder L0321 INFO | |  
  File "/build/isar_wzh_devel_7b/28/scripts/lib/wic/help.py", line 83, 
in invoke_subcommand
[stdlog] 2025-12-05 05:40:29,889 avocado.test cibuilder L0321 INFO | |  
    subcmd[0](args, usage)
[stdlog] 2025-12-05 05:40:29,889 avocado.test cibuilder L0321 INFO | |  
  File "/build/isar_wzh_devel_7b/28/scripts/wic", line 222, in 
wic_create_subcommand
[stdlog] 2025-12-05 05:40:29,889 avocado.test cibuilder L0321 INFO | |  
    engine.wic_create(wks_file, rootfs_dir, bootimg_dir, kernel_dir,
[stdlog] 2025-12-05 05:40:29,889 avocado.test cibuilder L0321 INFO | |  
  File "/build/isar_wzh_devel_7b/28/scripts/lib/wic/engine.py", line 
183, in wic_create
[stdlog] 2025-12-05 05:40:29,889 avocado.test cibuilder L0321 INFO | |  
    plugin_class = PluginMgr.get_plugins('imager').get(pname)
[stdlog] 2025-12-05 05:40:29,889 avocado.test cibuilder L0321 INFO | |  
  File "/build/isar_wzh_devel_7b/28/scripts/lib/wic/pluginbase.py", line 
61, in get_plugins
[stdlog] 2025-12-05 05:40:29,889 avocado.test cibuilder L0321 INFO | |  
    spec.loader.exec_module(module)
[stdlog] 2025-12-05 05:40:29,889 avocado.test cibuilder L0321 INFO | |  
  File "<frozen importlib._bootstrap_external>", line 790, in exec_module
[stdlog] 2025-12-05 05:40:29,889 avocado.test cibuilder L0321 INFO | |  
  File "<frozen importlib._bootstrap>", line 228, in 
_call_with_frames_removed
[stdlog] 2025-12-05 05:40:29,889 avocado.test cibuilder L0321 INFO | |  
  File 
"/build/isar_wzh_devel_7b/28/scripts/lib/wic/plugins/imager/direct.py", 
line 22, in <module>
[stdlog] 2025-12-05 05:40:29,889 avocado.test cibuilder L0321 INFO | |  
    from oe.path import copyhardlinktree
[stdlog] 2025-12-05 05:40:29,889 avocado.test cibuilder L0321 INFO | | 
ModuleNotFoundError: No module named 'oe'
[stdlog] 2025-12-05 05:40:29,889 avocado.test cibuilder L0321 INFO | 
NOTE: recipe isar-image-base-1.0-r0: task do_image_wic: Failed
[stdlog] 2025-12-05 05:40:29,889 avocado.test cibuilder L0321 INFO | 
NOTE: Tasks Summary: Attempted 170 tasks of which 138 didn't need to be 
rerun and 1 failed.


Zhihang

On 12/1/25 09:58, 'Felix Moessbauer' via isar-users wrote:
> This patchset adds proper SBOM generation in the two standard formats
> SPDX and CycloneDX during the rootfs generation process.
>
> The generation is itself is handled by a SBOM generator  `debsbom` [1]
> which is developed as an open source project at Siemens. It is still
> early in development, but it has enough features for what we require
> in isar. The required dependencies which are not yet available as
> Debian packages were minimally packaged directly in isar too.
>
> This is a followup of the previous RFC [2]. Since then the series has
> changed a lot. The SBOM generation was moved from a simple OE lib to
> `debsbom`. This also meant the introduction of a separate chroot was
> necessary. The SBOM generation process was also moved from the image
> step to the rootfs step, along with a lot of minor changes and
> improvements.
>
> [1] https://github.com/siemens/debsbom
> [2] https://groups.google.com/g/isar-users/c/8L-CF4BJY0I/m/p0N3o_zfAAAJ
>
> Changes since v5:
>
> - fix isar-image-ci on qemuamd64-bullseye (set IMAGER_BOM according to
>    machine changes made in image file)
> - rebased onto next
>
> Changes since v4:
>
> - rebased onto next
> - fix race condition on creation of ${DEPLOY_DIR_SBOM} (aka ${DEPLOY_DIR_IMAGE})
>
> Changes since v3:
>
> - fix issue on external bullseye initramfs (we now disable sbom generation
>    on all unsupported distros rootfs instances)
> - update debsbom to v0.4.0
> - rebased onto next
>
> Changes since v2:
>
> - fix issues when HOST_ARCH != DISTRO_ARCH on derived distributions
> - update debsbom to v0.3.0, which fixes the Origin: bug reported in v2
> - generate SBOM for imager as well and create merged sbom of .wic image
> - resend imager manifest + wic manifest patches to reduce conflicts
>
> Note, that the patches p1-p5 are most important as they add basic SBOM
> support. The remaining patches address the imager + .wic bom part,
> which also can be merged later on.
>
> Changes since v1:
>
> - remove tarball
> - refactor packaging (auto-derive python dependencies)
> - only build missing packages (varies on bookworm, trixie, noble)
> - add ubuntu support
> - only generate sboms for supported distributions (bookworm/jammy and
>    onwards)
> - update debsbom (includes bug fixes and more information for source
>    packages)
>
>
> Christoph Steiger (3):
>    meta: package python libraries for SBOM generation
>    meta: package python3-debsbom
>    meta: add SBOM generation with debsbom
>
> Felix Moessbauer (7):
>    refactor: move get_rootfs_distro from sdk into rootfs
>    override distro vendor in SBOM on Ubuntu
>    add support to add imager dependencies to BOM
>    wic: create uniform manifest describing all image components
>    qemuamd64: add IMAGER_BOM entries
>    imager: create SBOM of IMAGER_BOM packages
>    wic: create uniform SBOM describing all image components
>
>   doc/user_manual.md                            |  1 +
>   meta-isar/conf/distro/ubuntu-common.inc       |  2 +
>   meta-isar/conf/machine/qemuamd64.conf         |  1 +
>   .../recipes-core/images/isar-image-ci.bb      |  1 +
>   meta/classes/image-tools-extension.bbclass    | 29 +++++++++
>   meta/classes/image.bbclass                    |  7 ++
>   meta/classes/imagetypes_wic.bbclass           | 30 +++++++++
>   meta/classes/initramfs.bbclass                |  3 +-
>   meta/classes/rootfs.bbclass                   | 23 ++++++-
>   meta/classes/sbom.bbclass                     | 65 +++++++++++++++++++
>   meta/classes/sdk.bbclass                      | 10 +--
>   .../sbom-chroot/sbom-chroot.bb                | 30 +++++++++
>   .../python3-beartype/files/rules              |  8 +++
>   .../python3-beartype_0.19.0.bb                | 29 +++++++++
>   .../files/pybuild.testfiles                   |  1 +
>   .../python3-cyclonedx-lib/files/rules         |  8 +++
>   .../python3-cyclonedx-lib_9.1.0.bb            | 48 ++++++++++++++
>   ...icense-description-in-pyproject.toml.patch | 28 ++++++++
>   .../python3-debsbom/files/rules               |  8 +++
>   .../python3-debsbom/python3-debsbom_0.4.0.bb  | 45 +++++++++++++
>   .../python3-packageurl/files/rules            |  8 +++
>   .../python3-packageurl_0.16.0.bb              | 33 ++++++++++
>   .../python3-py-serializable/files/rules       |  8 +++
>   .../python3-py-serializable_2.0.0.bb          | 38 +++++++++++
>   .../python3-spdx-tools/files/rules            | 25 +++++++
>   .../python3-spdx-tools_0.8.3.bb               | 46 +++++++++++++
>   26 files changed, 524 insertions(+), 11 deletions(-)
>   create mode 100644 meta/classes/sbom.bbclass
>   create mode 100644 meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
>   create mode 100644 meta/recipes-support/python3-beartype/files/rules
>   create mode 100644 meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb
>   create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/pybuild.testfiles
>   create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/rules
>   create mode 100644 meta/recipes-support/python3-cyclonedx-lib/python3-cyclonedx-lib_9.1.0.bb
>   create mode 100644 meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch
>   create mode 100644 meta/recipes-support/python3-debsbom/files/rules
>   create mode 100644 meta/recipes-support/python3-debsbom/python3-debsbom_0.4.0.bb
>   create mode 100644 meta/recipes-support/python3-packageurl/files/rules
>   create mode 100644 meta/recipes-support/python3-packageurl/python3-packageurl_0.16.0.bb
>   create mode 100644 meta/recipes-support/python3-py-serializable/files/rules
>   create mode 100644 meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb
>   create mode 100644 meta/recipes-support/python3-spdx-tools/files/rules
>   create mode 100644 meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb
>

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/1d82fbfe-f625-45f6-bd6d-a0ad90845bab%40ilbers.de.

Re: [PATCH v6 00/10] Add SBOM generation with debsbom

['MOESSBAUER, Felix' via isar-users]

On Tue, 2025-12-09 at 15:21 +0100, Zhihang Wei wrote:
> Hi,
> There are mulltiple test cases failed on CI.

Hi,

that's very unfortunate. As I'm not able to run the CI, for me it is
basically impossible to catch these corner cases (especially the ones
in the isar-image-ci, which is somewhat special). This topic also has
been extensively discussed at the isar community meetup and identified
as a major blocker for contributions.

To move forward, we need a different strategy:

Patches 1-5 are probably not breaking things. Please consider a partial
apply of the series. The series is written in a way that it can be
applied linearly.

We need a way to get quick feedback regarding which CI tests break.
With these one-per-week feedback rounds where other patches are applied
in-between, I don't see a chance of getting the sbom feature integrated
at all.

Finally, we need to reduce the runtime of the testsuite and make it
possible to easily execute just the failed tests. The testsuite wrapper
script from Cedric could help in this regard.

> 
> 
> On fast CI:
> 
> Failed test case: citest.py:DevTest.test_dev
> ERROR: Logfile of failure stored in: 
> /build/isar_wzh_devel_5b_fast/4/build/tmp/work/debian-bookworm-amd64/isar-image-ci-qemuamd64/1.0-r0/temp/log.do_image_wic.3897481
> dpkg-query: no packages found matching systemd-boot-efi:amd64
> 
> Failed test case: citest.py:DevTest.test_dev_apps
> ERROR: Logfile of failure stored in: 
> /build/isar_wzh_devel_5b_fast/4/build/tmp/work/debian-bookworm-amd64/isar-image-ci-qemuamd64/1.0-r0/temp/log.do_image_wic.18529
> dpkg-query: no packages found matching systemd-boot-efi:amd64
> 
> Failed test case: citest.py:DevTest.test_dev_rebuild
> ERROR: Logfile of failure stored in: 
> /build/isar_wzh_devel_5b_fast/4/build/tmp/work/debian-bookworm-amd64/isar-image-ci-qemuamd64/1.0-r0/temp/log.do_image_wic.262594
> dpkg-query: no packages found matching systemd-boot-efi:amd64
> 
> Failed test case: citest.py:CrossTest.test_cross_debsrc
> ERROR: Logfile of failure stored in: 
> /build/isar_wzh_devel_5b_fast/4/build/tmp/work/debian-bookworm-arm64/isar-image-ci-qemuarm64/1.0-r0/temp/log.do_image_wic.3057235
> dpkg-query: no packages found matching systemd-boot-efi:arm64
> 
> Failed test case: citest.py:CrossTest.test_cross_dependencies
> ERROR: Logfile of failure stored in: 
> /build/isar_wzh_devel_5b_fast/4/build/tmp/work/debian-bookworm-arm64/isar-image-ci-qemuarm64/1.0-r0/temp/log.do_image_wic.772494
> dpkg-query: no packages found matching systemd-boot-efi:arm64

This class of failures seems to be related to the anti-pattern of
overwriting machine configs in an image recipe. I'll work on a fix.

> 
> 
> On full CI:
> 
> Failed test case: citest.py:ReproTest.test_repro_unsigned:
> ERROR: Logfile of failure stored in: 
> /build/isar_wzh_devel_7b/28/build/tmp/work/debian-bookworm-amd64/isar-image-base-qemuamd64/1.0-r0/temp/log.do_image_wic.862703
> bwrap: Can't mkdir /mnt/rootfs: Permission denied
> I assume this is related with CI environment. This error is also there 
> for v5.

Possible. I never saw it before.

> 
> Failed test case: citest.py:InstallerTest.test_installer_build:
> ERROR: Logfile of failure stored in: 
> /build/isar_wzh_devel_7b/28/build/tmp/work/debian-bookworm-amd64/isar-image-ci-qemuamd64/1.0-r0/temp/log.do_image_wic.1240668
> dpkg-query: no packages found matching systemd-boot-efi:amd64
> 
> Failed test case: citest.py:KernelTests.test_per_kernel:
> Logfile of failure stored in: 
> /build/isar_wzh_devel_7b/28/build/tmp/work/debian-bookworm-arm64/isar-image-ci-qemuarm64/1.0-r0/temp/log.do_image_wic.1626092
> dpkg-query: no packages found matching systemd-boot-efi:arm64
> 
> Failed test case: citest.py:InitRdTest.test_dracut_in_image:
> ERROR: Logfile of failure stored in: 
> /build/isar_wzh_devel_7b/28/build/tmp/work/debian-bookworm-amd64/isar-image-ci-qemuamd64/1.0-r0/temp/log.do_image_wic.1723289
> dpkg-query: no packages found matching systemd-boot-efi:amd64
> 
> Failed test case: citest.py:InitRdCrossTests.test_dracut_in_image:
> ERROR: Logfile of failure stored in: 
> /build/isar_wzh_devel_7b/28/build/tmp/work/debian-bookworm-amd64/isar-image-ci-qemuamd64/1.0-r0/temp/log.do_image_wic.2466233
> dpkg-query: no packages found matching systemd-boot-efi:amd64
> 
> Failed test case: citest.py:WicTest.test_wic_nodeploy_partitions:
> ERROR: Logfile of failure stored in: 
> /build/isar_wzh_devel_7b/28/build/tmp/work/debian-bookworm-arm64/isar-image-ci-qemuarm64/1.0-r0/temp/log.do_image_wic.2823952
> dpkg-query: no packages found matching systemd-boot-efi:arm64
> 
> Failed test case: citest.py:WicTest.test_wic_deploy_partitions:
> ERROR: Logfile of failure stored in: 
> /build/isar_wzh_devel_7b/28/build/tmp/work/debian-bookworm-arm64/isar-image-ci-qemuarm64/1.0-r0/temp/log.do_image_wic.2892279
> dpkg-query: no packages found matching systemd-boot-efi:arm64
> 
> 07:06:42 
> 18-/build/isar_wzh_devel_7b/28/testsuite/citest.py:NoCrossTest.test_nocross:
> ERROR: Logfile of failure stored in: 
> /build/isar_wzh_devel_7b/28/build/tmp/work/debian-bookworm-amd64/isar-image-ci-qemuamd64-iso/1.0-r0/temp/log.do_image_squashfs.1864458
> dpkg-query: no packages found matching systemd-boot-efi:amd64
> 
> Failed test case: citest.py:SstateTest.test_sstate_populate:
> ERROR: Logfile of failure stored in: 
> /build/isar_wzh_devel_7b/28/build-sstate/tmp/work/debian-bullseye-amd64/isar-image-base-qemuamd64/1.0-r0/temp/log.do_image_wic.1858017
> bwrap: Can't find source path 
> /build/isar_wzh_devel_7b/28/build-sstate/tmp/deploy/sbom/sbom-chroot: No 
> such file or directory

On bullseye there should not be any sbom-chroot. I'm wondering why it
even is executed. Investigating...

Felix

-- 
Siemens AG
Linux Expert Center
Friedrich-Ludwig-Bauer-Str. 3
85748 Garching, Germany

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/67aa63be5b9a7fe41ce9fdf87cb9a76d8c538aff.camel%40siemens.com.

Re: [PATCH v6 00/10] Add SBOM generation with debsbom

[Zhihang Wei]

On 12/9/25 15:49, MOESSBAUER, Felix wrote:
> On Tue, 2025-12-09 at 15:21 +0100, Zhihang Wei wrote:
>> Hi,
>> There are mulltiple test cases failed on CI.
> Hi,
>
> that's very unfortunate. As I'm not able to run the CI, for me it is
> basically impossible to catch these corner cases (especially the ones
> in the isar-image-ci, which is somewhat special). This topic also has
> been extensively discussed at the isar community meetup and identified
> as a major blocker for contributions.
>
> To move forward, we need a different strategy:
>
> Patches 1-5 are probably not breaking things. Please consider a partial
> apply of the series. The series is written in a way that it can be
> applied linearly.
I'll put p1-5 on CI and get back to you tomorrow.

Zhihang
> We need a way to get quick feedback regarding which CI tests break.
> With these one-per-week feedback rounds where other patches are applied
> in-between, I don't see a chance of getting the sbom feature integrated
> at all.
>
> Finally, we need to reduce the runtime of the testsuite and make it
> possible to easily execute just the failed tests. The testsuite wrapper
> script from Cedric could help in this regard.
>
>>
>> On fast CI:
>>
>> Failed test case: citest.py:DevTest.test_dev
>> ERROR: Logfile of failure stored in:
>> /build/isar_wzh_devel_5b_fast/4/build/tmp/work/debian-bookworm-amd64/isar-image-ci-qemuamd64/1.0-r0/temp/log.do_image_wic.3897481
>> dpkg-query: no packages found matching systemd-boot-efi:amd64
>>
>> Failed test case: citest.py:DevTest.test_dev_apps
>> ERROR: Logfile of failure stored in:
>> /build/isar_wzh_devel_5b_fast/4/build/tmp/work/debian-bookworm-amd64/isar-image-ci-qemuamd64/1.0-r0/temp/log.do_image_wic.18529
>> dpkg-query: no packages found matching systemd-boot-efi:amd64
>>
>> Failed test case: citest.py:DevTest.test_dev_rebuild
>> ERROR: Logfile of failure stored in:
>> /build/isar_wzh_devel_5b_fast/4/build/tmp/work/debian-bookworm-amd64/isar-image-ci-qemuamd64/1.0-r0/temp/log.do_image_wic.262594
>> dpkg-query: no packages found matching systemd-boot-efi:amd64
>>
>> Failed test case: citest.py:CrossTest.test_cross_debsrc
>> ERROR: Logfile of failure stored in:
>> /build/isar_wzh_devel_5b_fast/4/build/tmp/work/debian-bookworm-arm64/isar-image-ci-qemuarm64/1.0-r0/temp/log.do_image_wic.3057235
>> dpkg-query: no packages found matching systemd-boot-efi:arm64
>>
>> Failed test case: citest.py:CrossTest.test_cross_dependencies
>> ERROR: Logfile of failure stored in:
>> /build/isar_wzh_devel_5b_fast/4/build/tmp/work/debian-bookworm-arm64/isar-image-ci-qemuarm64/1.0-r0/temp/log.do_image_wic.772494
>> dpkg-query: no packages found matching systemd-boot-efi:arm64
> This class of failures seems to be related to the anti-pattern of
> overwriting machine configs in an image recipe. I'll work on a fix.
>
>>
>> On full CI:
>>
>> Failed test case: citest.py:ReproTest.test_repro_unsigned:
>> ERROR: Logfile of failure stored in:
>> /build/isar_wzh_devel_7b/28/build/tmp/work/debian-bookworm-amd64/isar-image-base-qemuamd64/1.0-r0/temp/log.do_image_wic.862703
>> bwrap: Can't mkdir /mnt/rootfs: Permission denied
>> I assume this is related with CI environment. This error is also there
>> for v5.
> Possible. I never saw it before.
>
>> Failed test case: citest.py:InstallerTest.test_installer_build:
>> ERROR: Logfile of failure stored in:
>> /build/isar_wzh_devel_7b/28/build/tmp/work/debian-bookworm-amd64/isar-image-ci-qemuamd64/1.0-r0/temp/log.do_image_wic.1240668
>> dpkg-query: no packages found matching systemd-boot-efi:amd64
>>
>> Failed test case: citest.py:KernelTests.test_per_kernel:
>> Logfile of failure stored in:
>> /build/isar_wzh_devel_7b/28/build/tmp/work/debian-bookworm-arm64/isar-image-ci-qemuarm64/1.0-r0/temp/log.do_image_wic.1626092
>> dpkg-query: no packages found matching systemd-boot-efi:arm64
>>
>> Failed test case: citest.py:InitRdTest.test_dracut_in_image:
>> ERROR: Logfile of failure stored in:
>> /build/isar_wzh_devel_7b/28/build/tmp/work/debian-bookworm-amd64/isar-image-ci-qemuamd64/1.0-r0/temp/log.do_image_wic.1723289
>> dpkg-query: no packages found matching systemd-boot-efi:amd64
>>
>> Failed test case: citest.py:InitRdCrossTests.test_dracut_in_image:
>> ERROR: Logfile of failure stored in:
>> /build/isar_wzh_devel_7b/28/build/tmp/work/debian-bookworm-amd64/isar-image-ci-qemuamd64/1.0-r0/temp/log.do_image_wic.2466233
>> dpkg-query: no packages found matching systemd-boot-efi:amd64
>>
>> Failed test case: citest.py:WicTest.test_wic_nodeploy_partitions:
>> ERROR: Logfile of failure stored in:
>> /build/isar_wzh_devel_7b/28/build/tmp/work/debian-bookworm-arm64/isar-image-ci-qemuarm64/1.0-r0/temp/log.do_image_wic.2823952
>> dpkg-query: no packages found matching systemd-boot-efi:arm64
>>
>> Failed test case: citest.py:WicTest.test_wic_deploy_partitions:
>> ERROR: Logfile of failure stored in:
>> /build/isar_wzh_devel_7b/28/build/tmp/work/debian-bookworm-arm64/isar-image-ci-qemuarm64/1.0-r0/temp/log.do_image_wic.2892279
>> dpkg-query: no packages found matching systemd-boot-efi:arm64
>>
>> 07:06:42
>> 18-/build/isar_wzh_devel_7b/28/testsuite/citest.py:NoCrossTest.test_nocross:
>> ERROR: Logfile of failure stored in:
>> /build/isar_wzh_devel_7b/28/build/tmp/work/debian-bookworm-amd64/isar-image-ci-qemuamd64-iso/1.0-r0/temp/log.do_image_squashfs.1864458
>> dpkg-query: no packages found matching systemd-boot-efi:amd64
>>
>> Failed test case: citest.py:SstateTest.test_sstate_populate:
>> ERROR: Logfile of failure stored in:
>> /build/isar_wzh_devel_7b/28/build-sstate/tmp/work/debian-bullseye-amd64/isar-image-base-qemuamd64/1.0-r0/temp/log.do_image_wic.1858017
>> bwrap: Can't find source path
>> /build/isar_wzh_devel_7b/28/build-sstate/tmp/deploy/sbom/sbom-chroot: No
>> such file or directory
> On bullseye there should not be any sbom-chroot. I'm wondering why it
> even is executed. Investigating...
>
> Felix
>

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/3d97daa0-1ca2-410c-aa69-2dbaf92c7733%40ilbers.de.

Re: [PATCH v6 00/10] Add SBOM generation with debsbom

[Zhihang Wei]

p1-5 were applied to next, thanks.

Zhihang

On 12/1/25 09:58, 'Felix Moessbauer' via isar-users wrote:
> This patchset adds proper SBOM generation in the two standard formats
> SPDX and CycloneDX during the rootfs generation process.
>
> The generation is itself is handled by a SBOM generator  `debsbom` [1]
> which is developed as an open source project at Siemens. It is still
> early in development, but it has enough features for what we require
> in isar. The required dependencies which are not yet available as
> Debian packages were minimally packaged directly in isar too.
>
> This is a followup of the previous RFC [2]. Since then the series has
> changed a lot. The SBOM generation was moved from a simple OE lib to
> `debsbom`. This also meant the introduction of a separate chroot was
> necessary. The SBOM generation process was also moved from the image
> step to the rootfs step, along with a lot of minor changes and
> improvements.
>
> [1] https://github.com/siemens/debsbom
> [2] https://groups.google.com/g/isar-users/c/8L-CF4BJY0I/m/p0N3o_zfAAAJ
>
> Changes since v5:
>
> - fix isar-image-ci on qemuamd64-bullseye (set IMAGER_BOM according to
>    machine changes made in image file)
> - rebased onto next
>
> Changes since v4:
>
> - rebased onto next
> - fix race condition on creation of ${DEPLOY_DIR_SBOM} (aka ${DEPLOY_DIR_IMAGE})
>
> Changes since v3:
>
> - fix issue on external bullseye initramfs (we now disable sbom generation
>    on all unsupported distros rootfs instances)
> - update debsbom to v0.4.0
> - rebased onto next
>
> Changes since v2:
>
> - fix issues when HOST_ARCH != DISTRO_ARCH on derived distributions
> - update debsbom to v0.3.0, which fixes the Origin: bug reported in v2
> - generate SBOM for imager as well and create merged sbom of .wic image
> - resend imager manifest + wic manifest patches to reduce conflicts
>
> Note, that the patches p1-p5 are most important as they add basic SBOM
> support. The remaining patches address the imager + .wic bom part,
> which also can be merged later on.
>
> Changes since v1:
>
> - remove tarball
> - refactor packaging (auto-derive python dependencies)
> - only build missing packages (varies on bookworm, trixie, noble)
> - add ubuntu support
> - only generate sboms for supported distributions (bookworm/jammy and
>    onwards)
> - update debsbom (includes bug fixes and more information for source
>    packages)
>
>
> Christoph Steiger (3):
>    meta: package python libraries for SBOM generation
>    meta: package python3-debsbom
>    meta: add SBOM generation with debsbom
>
> Felix Moessbauer (7):
>    refactor: move get_rootfs_distro from sdk into rootfs
>    override distro vendor in SBOM on Ubuntu
>    add support to add imager dependencies to BOM
>    wic: create uniform manifest describing all image components
>    qemuamd64: add IMAGER_BOM entries
>    imager: create SBOM of IMAGER_BOM packages
>    wic: create uniform SBOM describing all image components
>
>   doc/user_manual.md                            |  1 +
>   meta-isar/conf/distro/ubuntu-common.inc       |  2 +
>   meta-isar/conf/machine/qemuamd64.conf         |  1 +
>   .../recipes-core/images/isar-image-ci.bb      |  1 +
>   meta/classes/image-tools-extension.bbclass    | 29 +++++++++
>   meta/classes/image.bbclass                    |  7 ++
>   meta/classes/imagetypes_wic.bbclass           | 30 +++++++++
>   meta/classes/initramfs.bbclass                |  3 +-
>   meta/classes/rootfs.bbclass                   | 23 ++++++-
>   meta/classes/sbom.bbclass                     | 65 +++++++++++++++++++
>   meta/classes/sdk.bbclass                      | 10 +--
>   .../sbom-chroot/sbom-chroot.bb                | 30 +++++++++
>   .../python3-beartype/files/rules              |  8 +++
>   .../python3-beartype_0.19.0.bb                | 29 +++++++++
>   .../files/pybuild.testfiles                   |  1 +
>   .../python3-cyclonedx-lib/files/rules         |  8 +++
>   .../python3-cyclonedx-lib_9.1.0.bb            | 48 ++++++++++++++
>   ...icense-description-in-pyproject.toml.patch | 28 ++++++++
>   .../python3-debsbom/files/rules               |  8 +++
>   .../python3-debsbom/python3-debsbom_0.4.0.bb  | 45 +++++++++++++
>   .../python3-packageurl/files/rules            |  8 +++
>   .../python3-packageurl_0.16.0.bb              | 33 ++++++++++
>   .../python3-py-serializable/files/rules       |  8 +++
>   .../python3-py-serializable_2.0.0.bb          | 38 +++++++++++
>   .../python3-spdx-tools/files/rules            | 25 +++++++
>   .../python3-spdx-tools_0.8.3.bb               | 46 +++++++++++++
>   26 files changed, 524 insertions(+), 11 deletions(-)
>   create mode 100644 meta/classes/sbom.bbclass
>   create mode 100644 meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
>   create mode 100644 meta/recipes-support/python3-beartype/files/rules
>   create mode 100644 meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb
>   create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/pybuild.testfiles
>   create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/rules
>   create mode 100644 meta/recipes-support/python3-cyclonedx-lib/python3-cyclonedx-lib_9.1.0.bb
>   create mode 100644 meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch
>   create mode 100644 meta/recipes-support/python3-debsbom/files/rules
>   create mode 100644 meta/recipes-support/python3-debsbom/python3-debsbom_0.4.0.bb
>   create mode 100644 meta/recipes-support/python3-packageurl/files/rules
>   create mode 100644 meta/recipes-support/python3-packageurl/python3-packageurl_0.16.0.bb
>   create mode 100644 meta/recipes-support/python3-py-serializable/files/rules
>   create mode 100644 meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb
>   create mode 100644 meta/recipes-support/python3-spdx-tools/files/rules
>   create mode 100644 meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb
>

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/96aeaacc-3977-43f5-9f0b-e72d595a06fb%40ilbers.de.

Re: [PATCH v6 00/10] Add SBOM generation with debsbom

['Jan Kiszka' via isar-users]

On 01.12.25 09:58, Felix Moessbauer wrote:
> This patchset adds proper SBOM generation in the two standard formats
> SPDX and CycloneDX during the rootfs generation process.
> 
> The generation is itself is handled by a SBOM generator  `debsbom` [1]
> which is developed as an open source project at Siemens. It is still
> early in development, but it has enough features for what we require
> in isar. The required dependencies which are not yet available as
> Debian packages were minimally packaged directly in isar too.
> 
> This is a followup of the previous RFC [2]. Since then the series has
> changed a lot. The SBOM generation was moved from a simple OE lib to
> `debsbom`. This also meant the introduction of a separate chroot was
> necessary. The SBOM generation process was also moved from the image
> step to the rootfs step, along with a lot of minor changes and
> improvements.
> 
> [1] https://github.com/siemens/debsbom
> [2] https://groups.google.com/g/isar-users/c/8L-CF4BJY0I/m/p0N3o_zfAAAJ
> 
> Changes since v5:
> 
> - fix isar-image-ci on qemuamd64-bullseye (set IMAGER_BOM according to
>   machine changes made in image file)
> - rebased onto next
> 
> Changes since v4:
> 
> - rebased onto next
> - fix race condition on creation of ${DEPLOY_DIR_SBOM} (aka ${DEPLOY_DIR_IMAGE})
> 
> Changes since v3:
> 
> - fix issue on external bullseye initramfs (we now disable sbom generation
>   on all unsupported distros rootfs instances)
> - update debsbom to v0.4.0
> - rebased onto next
> 
> Changes since v2:
> 
> - fix issues when HOST_ARCH != DISTRO_ARCH on derived distributions
> - update debsbom to v0.3.0, which fixes the Origin: bug reported in v2
> - generate SBOM for imager as well and create merged sbom of .wic image
> - resend imager manifest + wic manifest patches to reduce conflicts
> 
> Note, that the patches p1-p5 are most important as they add basic SBOM
> support. The remaining patches address the imager + .wic bom part,
> which also can be merged later on.
> 
> Changes since v1:
> 
> - remove tarball
> - refactor packaging (auto-derive python dependencies)
> - only build missing packages (varies on bookworm, trixie, noble)
> - add ubuntu support
> - only generate sboms for supported distributions (bookworm/jammy and
>   onwards)
> - update debsbom (includes bug fixes and more information for source
>   packages)
> 
> 
> Christoph Steiger (3):
>   meta: package python libraries for SBOM generation
>   meta: package python3-debsbom
>   meta: add SBOM generation with debsbom
> 
> Felix Moessbauer (7):
>   refactor: move get_rootfs_distro from sdk into rootfs
>   override distro vendor in SBOM on Ubuntu
>   add support to add imager dependencies to BOM
>   wic: create uniform manifest describing all image components
>   qemuamd64: add IMAGER_BOM entries
>   imager: create SBOM of IMAGER_BOM packages
>   wic: create uniform SBOM describing all image components
> 
>  doc/user_manual.md                            |  1 +
>  meta-isar/conf/distro/ubuntu-common.inc       |  2 +
>  meta-isar/conf/machine/qemuamd64.conf         |  1 +
>  .../recipes-core/images/isar-image-ci.bb      |  1 +
>  meta/classes/image-tools-extension.bbclass    | 29 +++++++++
>  meta/classes/image.bbclass                    |  7 ++
>  meta/classes/imagetypes_wic.bbclass           | 30 +++++++++
>  meta/classes/initramfs.bbclass                |  3 +-
>  meta/classes/rootfs.bbclass                   | 23 ++++++-
>  meta/classes/sbom.bbclass                     | 65 +++++++++++++++++++
>  meta/classes/sdk.bbclass                      | 10 +--
>  .../sbom-chroot/sbom-chroot.bb                | 30 +++++++++
>  .../python3-beartype/files/rules              |  8 +++
>  .../python3-beartype_0.19.0.bb                | 29 +++++++++
>  .../files/pybuild.testfiles                   |  1 +
>  .../python3-cyclonedx-lib/files/rules         |  8 +++
>  .../python3-cyclonedx-lib_9.1.0.bb            | 48 ++++++++++++++
>  ...icense-description-in-pyproject.toml.patch | 28 ++++++++
>  .../python3-debsbom/files/rules               |  8 +++
>  .../python3-debsbom/python3-debsbom_0.4.0.bb  | 45 +++++++++++++
>  .../python3-packageurl/files/rules            |  8 +++
>  .../python3-packageurl_0.16.0.bb              | 33 ++++++++++
>  .../python3-py-serializable/files/rules       |  8 +++
>  .../python3-py-serializable_2.0.0.bb          | 38 +++++++++++
>  .../python3-spdx-tools/files/rules            | 25 +++++++
>  .../python3-spdx-tools_0.8.3.bb               | 46 +++++++++++++
>  26 files changed, 524 insertions(+), 11 deletions(-)
>  create mode 100644 meta/classes/sbom.bbclass
>  create mode 100644 meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
>  create mode 100644 meta/recipes-support/python3-beartype/files/rules
>  create mode 100644 meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb
>  create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/pybuild.testfiles
>  create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/rules
>  create mode 100644 meta/recipes-support/python3-cyclonedx-lib/python3-cyclonedx-lib_9.1.0.bb
>  create mode 100644 meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch
>  create mode 100644 meta/recipes-support/python3-debsbom/files/rules
>  create mode 100644 meta/recipes-support/python3-debsbom/python3-debsbom_0.4.0.bb
>  create mode 100644 meta/recipes-support/python3-packageurl/files/rules
>  create mode 100644 meta/recipes-support/python3-packageurl/python3-packageurl_0.16.0.bb
>  create mode 100644 meta/recipes-support/python3-py-serializable/files/rules
>  create mode 100644 meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb
>  create mode 100644 meta/recipes-support/python3-spdx-tools/files/rules
>  create mode 100644 meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb
> 

Can we please make sbom generation opt-in for distros that require
building the tool with all its dependencies manually? It's those extra
package targets that are only interesting if you plan to ship, not so
much while you are developing.

Jan

-- 
Siemens AG, Foundational Technologies
Linux Expert Center

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/7b9b5669-fb6f-4dfe-b146-25a6f35b2583%40siemens.com.

Re: [PATCH v6 00/10] Add SBOM generation with debsbom

['MOESSBAUER, Felix' via isar-users]

On Fri, 2025-12-12 at 11:24 +0100, Jan Kiszka wrote:
> On 01.12.25 09:58, Felix Moessbauer wrote:
> > This patchset adds proper SBOM generation in the two standard formats
> > SPDX and CycloneDX during the rootfs generation process.
> > 
> > The generation is itself is handled by a SBOM generator  `debsbom` [1]
> > which is developed as an open source project at Siemens. It is still
> > early in development, but it has enough features for what we require
> > in isar. The required dependencies which are not yet available as
> > Debian packages were minimally packaged directly in isar too.
> > 
> > This is a followup of the previous RFC [2]. Since then the series has
> > changed a lot. The SBOM generation was moved from a simple OE lib to
> > `debsbom`. This also meant the introduction of a separate chroot was
> > necessary. The SBOM generation process was also moved from the image
> > step to the rootfs step, along with a lot of minor changes and
> > improvements.
> > 
> > [1] https://github.com/siemens/debsbom
> > [2] https://groups.google.com/g/isar-users/c/8L-CF4BJY0I/m/p0N3o_zfAAAJ
> > 
> > Changes since v5:
> > 
> > - fix isar-image-ci on qemuamd64-bullseye (set IMAGER_BOM according to
> >   machine changes made in image file)
> > - rebased onto next
> > 
> > Changes since v4:
> > 
> > - rebased onto next
> > - fix race condition on creation of ${DEPLOY_DIR_SBOM} (aka ${DEPLOY_DIR_IMAGE})
> > 
> > Changes since v3:
> > 
> > - fix issue on external bullseye initramfs (we now disable sbom generation
> >   on all unsupported distros rootfs instances)
> > - update debsbom to v0.4.0
> > - rebased onto next
> > 
> > Changes since v2:
> > 
> > - fix issues when HOST_ARCH != DISTRO_ARCH on derived distributions
> > - update debsbom to v0.3.0, which fixes the Origin: bug reported in v2
> > - generate SBOM for imager as well and create merged sbom of .wic image
> > - resend imager manifest + wic manifest patches to reduce conflicts
> > 
> > Note, that the patches p1-p5 are most important as they add basic SBOM
> > support. The remaining patches address the imager + .wic bom part,
> > which also can be merged later on.
> > 
> > Changes since v1:
> > 
> > - remove tarball
> > - refactor packaging (auto-derive python dependencies)
> > - only build missing packages (varies on bookworm, trixie, noble)
> > - add ubuntu support
> > - only generate sboms for supported distributions (bookworm/jammy and
> >   onwards)
> > - update debsbom (includes bug fixes and more information for source
> >   packages)
> > 
> > 
> > Christoph Steiger (3):
> >   meta: package python libraries for SBOM generation
> >   meta: package python3-debsbom
> >   meta: add SBOM generation with debsbom
> > 
> > Felix Moessbauer (7):
> >   refactor: move get_rootfs_distro from sdk into rootfs
> >   override distro vendor in SBOM on Ubuntu
> >   add support to add imager dependencies to BOM
> >   wic: create uniform manifest describing all image components
> >   qemuamd64: add IMAGER_BOM entries
> >   imager: create SBOM of IMAGER_BOM packages
> >   wic: create uniform SBOM describing all image components
> > 
> >  doc/user_manual.md                            |  1 +
> >  meta-isar/conf/distro/ubuntu-common.inc       |  2 +
> >  meta-isar/conf/machine/qemuamd64.conf         |  1 +
> >  .../recipes-core/images/isar-image-ci.bb      |  1 +
> >  meta/classes/image-tools-extension.bbclass    | 29 +++++++++
> >  meta/classes/image.bbclass                    |  7 ++
> >  meta/classes/imagetypes_wic.bbclass           | 30 +++++++++
> >  meta/classes/initramfs.bbclass                |  3 +-
> >  meta/classes/rootfs.bbclass                   | 23 ++++++-
> >  meta/classes/sbom.bbclass                     | 65 +++++++++++++++++++
> >  meta/classes/sdk.bbclass                      | 10 +--
> >  .../sbom-chroot/sbom-chroot.bb                | 30 +++++++++
> >  .../python3-beartype/files/rules              |  8 +++
> >  .../python3-beartype_0.19.0.bb                | 29 +++++++++
> >  .../files/pybuild.testfiles                   |  1 +
> >  .../python3-cyclonedx-lib/files/rules         |  8 +++
> >  .../python3-cyclonedx-lib_9.1.0.bb            | 48 ++++++++++++++
> >  ...icense-description-in-pyproject.toml.patch | 28 ++++++++
> >  .../python3-debsbom/files/rules               |  8 +++
> >  .../python3-debsbom/python3-debsbom_0.4.0.bb  | 45 +++++++++++++
> >  .../python3-packageurl/files/rules            |  8 +++
> >  .../python3-packageurl_0.16.0.bb              | 33 ++++++++++
> >  .../python3-py-serializable/files/rules       |  8 +++
> >  .../python3-py-serializable_2.0.0.bb          | 38 +++++++++++
> >  .../python3-spdx-tools/files/rules            | 25 +++++++
> >  .../python3-spdx-tools_0.8.3.bb               | 46 +++++++++++++
> >  26 files changed, 524 insertions(+), 11 deletions(-)
> >  create mode 100644 meta/classes/sbom.bbclass
> >  create mode 100644 meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
> >  create mode 100644 meta/recipes-support/python3-beartype/files/rules
> >  create mode 100644 meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb
> >  create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/pybuild.testfiles
> >  create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/rules
> >  create mode 100644 meta/recipes-support/python3-cyclonedx-lib/python3-cyclonedx-lib_9.1.0.bb
> >  create mode 100644 meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch
> >  create mode 100644 meta/recipes-support/python3-debsbom/files/rules
> >  create mode 100644 meta/recipes-support/python3-debsbom/python3-debsbom_0.4.0.bb
> >  create mode 100644 meta/recipes-support/python3-packageurl/files/rules
> >  create mode 100644 meta/recipes-support/python3-packageurl/python3-packageurl_0.16.0.bb
> >  create mode 100644 meta/recipes-support/python3-py-serializable/files/rules
> >  create mode 100644 meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb
> >  create mode 100644 meta/recipes-support/python3-spdx-tools/files/rules
> >  create mode 100644 meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb
> > 
> 
> Can we please make sbom generation opt-in for distros that require
> building the tool with all its dependencies manually? It's those extra
> package targets that are only interesting if you plan to ship, not so
> much while you are developing.

I'm not against making this opt-in in general. It also significantly
slows down the CI. Opinions?

However, currently all SBOM related changes are blocked behind the
testsuite refactoring, so it might take a while to continue here.

Felix

> 
> Jan
> 
> -- 
> Siemens AG, Foundational Technologies
> Linux Expert Center

-- 
Siemens AG
Linux Expert Center
Friedrich-Ludwig-Bauer-Str. 3
85748 Garching, Germany

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/d050b4824cc7d99f908e70bbe1df86c92f99acb2.camel%40siemens.com.

Re: [PATCH v6 00/10] Add SBOM generation with debsbom

['Jan Kiszka' via isar-users]

On 12.12.25 11:24, Jan Kiszka wrote:
> On 01.12.25 09:58, Felix Moessbauer wrote:
>> This patchset adds proper SBOM generation in the two standard formats
>> SPDX and CycloneDX during the rootfs generation process.
>>
>> The generation is itself is handled by a SBOM generator  `debsbom` [1]
>> which is developed as an open source project at Siemens. It is still
>> early in development, but it has enough features for what we require
>> in isar. The required dependencies which are not yet available as
>> Debian packages were minimally packaged directly in isar too.
>>
>> This is a followup of the previous RFC [2]. Since then the series has
>> changed a lot. The SBOM generation was moved from a simple OE lib to
>> `debsbom`. This also meant the introduction of a separate chroot was
>> necessary. The SBOM generation process was also moved from the image
>> step to the rootfs step, along with a lot of minor changes and
>> improvements.
>>
>> [1] https://github.com/siemens/debsbom
>> [2] https://groups.google.com/g/isar-users/c/8L-CF4BJY0I/m/p0N3o_zfAAAJ
>>
>> Changes since v5:
>>
>> - fix isar-image-ci on qemuamd64-bullseye (set IMAGER_BOM according to
>>   machine changes made in image file)
>> - rebased onto next
>>
>> Changes since v4:
>>
>> - rebased onto next
>> - fix race condition on creation of ${DEPLOY_DIR_SBOM} (aka ${DEPLOY_DIR_IMAGE})
>>
>> Changes since v3:
>>
>> - fix issue on external bullseye initramfs (we now disable sbom generation
>>   on all unsupported distros rootfs instances)
>> - update debsbom to v0.4.0
>> - rebased onto next
>>
>> Changes since v2:
>>
>> - fix issues when HOST_ARCH != DISTRO_ARCH on derived distributions
>> - update debsbom to v0.3.0, which fixes the Origin: bug reported in v2
>> - generate SBOM for imager as well and create merged sbom of .wic image
>> - resend imager manifest + wic manifest patches to reduce conflicts
>>
>> Note, that the patches p1-p5 are most important as they add basic SBOM
>> support. The remaining patches address the imager + .wic bom part,
>> which also can be merged later on.
>>
>> Changes since v1:
>>
>> - remove tarball
>> - refactor packaging (auto-derive python dependencies)
>> - only build missing packages (varies on bookworm, trixie, noble)
>> - add ubuntu support
>> - only generate sboms for supported distributions (bookworm/jammy and
>>   onwards)
>> - update debsbom (includes bug fixes and more information for source
>>   packages)
>>
>>
>> Christoph Steiger (3):
>>   meta: package python libraries for SBOM generation
>>   meta: package python3-debsbom
>>   meta: add SBOM generation with debsbom
>>
>> Felix Moessbauer (7):
>>   refactor: move get_rootfs_distro from sdk into rootfs
>>   override distro vendor in SBOM on Ubuntu
>>   add support to add imager dependencies to BOM
>>   wic: create uniform manifest describing all image components
>>   qemuamd64: add IMAGER_BOM entries
>>   imager: create SBOM of IMAGER_BOM packages
>>   wic: create uniform SBOM describing all image components
>>
>>  doc/user_manual.md                            |  1 +
>>  meta-isar/conf/distro/ubuntu-common.inc       |  2 +
>>  meta-isar/conf/machine/qemuamd64.conf         |  1 +
>>  .../recipes-core/images/isar-image-ci.bb      |  1 +
>>  meta/classes/image-tools-extension.bbclass    | 29 +++++++++
>>  meta/classes/image.bbclass                    |  7 ++
>>  meta/classes/imagetypes_wic.bbclass           | 30 +++++++++
>>  meta/classes/initramfs.bbclass                |  3 +-
>>  meta/classes/rootfs.bbclass                   | 23 ++++++-
>>  meta/classes/sbom.bbclass                     | 65 +++++++++++++++++++
>>  meta/classes/sdk.bbclass                      | 10 +--
>>  .../sbom-chroot/sbom-chroot.bb                | 30 +++++++++
>>  .../python3-beartype/files/rules              |  8 +++
>>  .../python3-beartype_0.19.0.bb                | 29 +++++++++
>>  .../files/pybuild.testfiles                   |  1 +
>>  .../python3-cyclonedx-lib/files/rules         |  8 +++
>>  .../python3-cyclonedx-lib_9.1.0.bb            | 48 ++++++++++++++
>>  ...icense-description-in-pyproject.toml.patch | 28 ++++++++
>>  .../python3-debsbom/files/rules               |  8 +++
>>  .../python3-debsbom/python3-debsbom_0.4.0.bb  | 45 +++++++++++++
>>  .../python3-packageurl/files/rules            |  8 +++
>>  .../python3-packageurl_0.16.0.bb              | 33 ++++++++++
>>  .../python3-py-serializable/files/rules       |  8 +++
>>  .../python3-py-serializable_2.0.0.bb          | 38 +++++++++++
>>  .../python3-spdx-tools/files/rules            | 25 +++++++
>>  .../python3-spdx-tools_0.8.3.bb               | 46 +++++++++++++
>>  26 files changed, 524 insertions(+), 11 deletions(-)
>>  create mode 100644 meta/classes/sbom.bbclass
>>  create mode 100644 meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
>>  create mode 100644 meta/recipes-support/python3-beartype/files/rules
>>  create mode 100644 meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb
>>  create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/pybuild.testfiles
>>  create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/rules
>>  create mode 100644 meta/recipes-support/python3-cyclonedx-lib/python3-cyclonedx-lib_9.1.0.bb
>>  create mode 100644 meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch
>>  create mode 100644 meta/recipes-support/python3-debsbom/files/rules
>>  create mode 100644 meta/recipes-support/python3-debsbom/python3-debsbom_0.4.0.bb
>>  create mode 100644 meta/recipes-support/python3-packageurl/files/rules
>>  create mode 100644 meta/recipes-support/python3-packageurl/python3-packageurl_0.16.0.bb
>>  create mode 100644 meta/recipes-support/python3-py-serializable/files/rules
>>  create mode 100644 meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb
>>  create mode 100644 meta/recipes-support/python3-spdx-tools/files/rules
>>  create mode 100644 meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb
>>
> 
> Can we please make sbom generation opt-in for distros that require
> building the tool with all its dependencies manually? It's those extra
> package targets that are only interesting if you plan to ship, not so
> much while you are developing.

At least I now know (and practice is xenomai-images) how to opt-out:

ROOTFS_FEATURES:remove = "generate-sbom"

e.g. in your image recipe. Would still be good to flip the default.

Jan

-- 
Siemens AG, Foundational Technologies
Linux Expert Center

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/3a94e788-0998-47f8-a200-c8e2af99b002%40siemens.com.