[PATCH 0/2] Make SBOM naming more robust against downstream changes

[PATCH 0/2] Make SBOM naming more robust against downstream changes

['Felix Moessbauer' via isar-users]

This series goes on top of: merge_wic_sbom: fix merging of multiple SBOMs,
but is otherwise independent.

The related inconsistencies have been found on isar-cip-core tests
(kas-cip.yml:kas/board/x86-uefi.yml:kas/opt/rt.yml:kas/opt/test.yml:kas/opt/trixie.yml)
where the IMAGE_FULLNAME variable is changed and no longer equal to
ROOTFS_PACKAGE_SUFFIX. Without the patches, the respective CIP variant cannot be built.

PS: would it be possible to have an isar release candidate, to encourage
more downstream layers to start testing?

Best regards,
Felix

Felix Moessbauer (2):
  sbom: derive rootfs sbom name from ROOTFS_PACKAGE_SUFFIX
  sbom: use ROOTFS_PACKAGE_SUFFIX on merging

 meta/classes-recipe/imagetypes_wic.bbclass | 2 +-
 meta/classes/sbom.bbclass                  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

-- 
2.53.0

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20260326082015.3169480-1-felix.moessbauer%40siemens.com.

[PATCH 1/2] sbom: derive rootfs sbom name from ROOTFS_PACKAGE_SUFFIX

['Felix Moessbauer' via isar-users]

Previously we open coded the name of the rootfs image, however this
breaks in case the name is changed in a downstream layer. We now
directly use the ROOTFS_PACKAGE_SUFFIX variable.

Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
 meta/classes/sbom.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes/sbom.bbclass b/meta/classes/sbom.bbclass
index caab3f24..10a99f37 100644
--- a/meta/classes/sbom.bbclass
+++ b/meta/classes/sbom.bbclass
@@ -50,7 +50,7 @@ generate_sbom() {
         --bind ${SBOM_CHROOT} / \
         --bind ${ROOTFSDIR} /mnt/rootfs \
         --bind ${DEPLOY_DIR_SBOM} /mnt/deploy-dir \
-        -- debsbom -v generate ${SBOM_DEBSBOM_TYPE_ARGS} -r /mnt/rootfs -o /mnt/deploy-dir/'${PN}-${DISTRO}-${MACHINE}' \
+        -- debsbom -v generate ${SBOM_DEBSBOM_TYPE_ARGS} -r /mnt/rootfs -o /mnt/deploy-dir/'${ROOTFS_PACKAGE_SUFFIX}' \
             --distro-name '${SBOM_DISTRO_NAME}' --distro-supplier '${SBOM_DISTRO_SUPPLIER}' \
             --distro-version '${SBOM_DISTRO_VERSION}' --distro-arch '${DISTRO_ARCH}' \
             --base-distro-vendor '${SBOM_BASE_DISTRO_VENDOR}' \
-- 
2.53.0

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20260326082015.3169480-2-felix.moessbauer%40siemens.com.

[PATCH 2/2] sbom: use ROOTFS_PACKAGE_SUFFIX on merging

['Felix Moessbauer' via isar-users]

Previously we used the IMAGE_FULLNAME, which is normally identical with
the ROOTFS_PACKAGE_SUFFIX. However some downstream layers like cip
append to the IMAGE_FULLNAME variable while keeping the
ROOTFS_PACKAGE_SUFFIX as is. This breaks the sbom merging, as rootfs
SBOM is created under the ROOTFS_PACKAGE_SUFFIX name.

Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
 meta/classes-recipe/imagetypes_wic.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes-recipe/imagetypes_wic.bbclass b/meta/classes-recipe/imagetypes_wic.bbclass
index f31ea61f..daa6f867 100644
--- a/meta/classes-recipe/imagetypes_wic.bbclass
+++ b/meta/classes-recipe/imagetypes_wic.bbclass
@@ -219,7 +219,7 @@ merge_wic_sbom() {
     INITRAMFS_FULLNAME="${@ d.getVar('INITRD_DEPLOY_FILE').removesuffix('-initrd.img') }"
     sbom_document_uuid="${@d.getVar('SBOM_DOCUMENT_UUID') or generate_document_uuid(d, False)}"
 
-    cat ${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.$BOMTYPE.json \
+    cat ${DEPLOY_DIR_IMAGE}/${ROOTFS_PACKAGE_SUFFIX}.$BOMTYPE.json \
         ${@ '${DEPLOY_DIR_IMAGE}/$INITRAMFS_FULLNAME.$BOMTYPE.json' if d.getVar('IMAGE_INITRD') else '' } \
         ${WORKDIR}/imager.$BOMTYPE.json 2>/dev/null | \
     bwrap \
-- 
2.53.0

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20260326082015.3169480-3-felix.moessbauer%40siemens.com.

Re: [PATCH 0/2] Make SBOM naming more robust against downstream changes

[Zhihang Wei]

On 3/26/26 09:20, 'Felix Moessbauer' via isar-users wrote:
> This series goes on top of: merge_wic_sbom: fix merging of multiple SBOMs,
> but is otherwise independent.
>
> The related inconsistencies have been found on isar-cip-core tests
> (kas-cip.yml:kas/board/x86-uefi.yml:kas/opt/rt.yml:kas/opt/test.yml:kas/opt/trixie.yml)
> where the IMAGE_FULLNAME variable is changed and no longer equal to
> ROOTFS_PACKAGE_SUFFIX. Without the patches, the respective CIP variant cannot be built.
>
> PS: would it be possible to have an isar release candidate, to encourage
> more downstream layers to start testing?
I'll get back to you later on this.
> Best regards,
> Felix
>
> Felix Moessbauer (2):
>    sbom: derive rootfs sbom name from ROOTFS_PACKAGE_SUFFIX
>    sbom: use ROOTFS_PACKAGE_SUFFIX on merging
>
>   meta/classes-recipe/imagetypes_wic.bbclass | 2 +-
>   meta/classes/sbom.bbclass                  | 2 +-
>   2 files changed, 2 insertions(+), 2 deletions(-)
>
Failed on fast CI "citest.py:SbomTest.test_sbom_rootfs_generate":

|[stdlog] 2026-03-27 11:46:36,083 avocado.test cibuilder L0345 INFO | 
NOTE: Tasks Summary: Attempted 486 tasks of which 0 didn't need to be 
rerun and all succeeded. [stdlog] 2026-03-27 11:46:37,373 BitBake main 
L0465 INFO | Starting bitbake server... [stdlog] 2026-03-27 11:46:40,159 
avocado.test cibase L0162 INFO | Check cdx SBOM in 
/build/isar_wzh_devel_1z_others/15/build/tmp/deploy/images/qemuamd64/isar-rootfs-ci-debian-bookworm-qemuamd64.cdx.json 
[stdlog] 2026-03-27 11:46:40,159 avocado.test stacktrace L0040 ERROR| 
[stdlog] 2026-03-27 11:46:40,159 avocado.test stacktrace L0042 ERROR| 
Reproduced traceback from: 
/tmp/avocado_venv/lib/python3.11/site-packages/avocado/core/test.py:638 
[stdlog] 2026-03-27 11:46:40,159 avocado.test stacktrace L0049 ERROR| 
Traceback (most recent call last): [stdlog] 2026-03-27 11:46:40,159 
avocado.test stacktrace L0049 ERROR| File 
"/build/isar_wzh_devel_1z_others/15/testsuite/citest.py", line 1092, in 
test_sbom_rootfs_generate [stdlog] 2026-03-27 11:46:40,159 avocado.test 
stacktrace L0049 ERROR| self.perform_sbom_test(targets) [stdlog] 
2026-03-27 11:46:40,159 avocado.test stacktrace L0049 ERROR| File 
"/build/isar_wzh_devel_1z_others/15/testsuite/cibase.py", line 163, in 
perform_sbom_test [stdlog] 2026-03-27 11:46:40,159 avocado.test 
stacktrace L0049 ERROR| with open(sbom_path) as f: [stdlog] 2026-03-27 
11:46:40,160 avocado.test stacktrace L0049 ERROR| ^^^^^^^^^^^^^^^ 
[stdlog] 2026-03-27 11:46:40,160 avocado.test stacktrace L0049 ERROR| 
FileNotFoundError: [Errno 2] No such file or directory: 
'/build/isar_wzh_devel_1z_others/15/build/tmp/deploy/images/qemuamd64/isar-rootfs-ci-debian-bookworm-qemuamd64.cdx.json'|

To redo the test on your machine using avocado:
1. Have a clean clone of isar, checkout to branch next and apply your 
patches:
$ git clone -b next https://github.com/ilbers/isar.git
$ cd isar
$ git am /path-to/0001-my-contribution-to-isar.patch
2. Run kas shell, setup CI prerequisites (avocado, qemu) and cleanup:
$ ./kas/kas-container shell kas/isar.yaml --command \
     "rm -rf /work/build/conf && /work/scripts/ci_setup.sh"
3. Run the failed test:
$ cd /work/testsuite
$ avocado run citest.py:SbomTest.test_sbom_rootfs_generate

Zhihang


-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/7b6e181d-9ae1-4634-9b14-d9b51d878caf%40ilbers.de.