From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <isar-users+bncBD5JFAGZXEJBBTVEVTCAMGQE6AHLSXY@googlegroups.com>
Received: from shymkent.ilbers.de ([unix socket])
	 by shymkent (Cyrus 2.5.10-Debian-2.5.10-3+deb9u2) with LMTPA;
	 Thu, 31 Jul 2025 08:51:02 +0200
X-Sieve: CMU Sieve 2.4
Received: from mail-io1-f62.google.com (mail-io1-f62.google.com [209.85.166.62])
	by shymkent.ilbers.de (8.15.2/8.15.2/Debian-8+deb9u1) with ESMTPS id 56V6p0fh025955
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
	for <iupi@ilbers.de>; Thu, 31 Jul 2025 08:51:01 +0200
Received: by mail-io1-f62.google.com with SMTP id ca18e2360f4ac-87c467931c1sf130779539f.3
        for <iupi@ilbers.de>; Wed, 30 Jul 2025 23:51:01 -0700 (PDT)
ARC-Seal: i=3; a=rsa-sha256; t=1753944655; cv=pass;
        d=google.com; s=arc-20240605;
        b=WWOW9KZwTwmOOaN0mt3vuGLKaU/HyunB/zxlklOs3fcKPh92R8yfaTzvRaxCu95jsY
         mAbNlECmmKOWR3uaQLD3V+B+FxFwIt7VmOmrEDx76/igPXF8uyawIAwuRnTcSTdF3/EW
         Mnlx52MLGv+ars4YwOernj3slEPEJa3npBQ1cb774zY/WstRPA8d0I4bSFA8E1pT+NwC
         JhH7uNWzkUNpdNNFTUoee62RtnXYJnBytkSIbW5wwTmho/sgY9vVvrLlr8RFMNw6T5AC
         3619eeTa72T87dEtia0HvQQ995ArWI70n3TKnD86wsSYEuLkfycHQ3JEOSz4jqidnGnL
         +5BQ==
ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:reply-to:mime-version
         :content-transfer-encoding:in-reply-to:from:cc:content-language
         :references:to:subject:user-agent:date:message-id:dkim-signature;
        bh=RsO0+UZS0y+O+BuheDvJT9R2akAznbSPJWfoaqC105k=;
        fh=BVp5C/6BfDF9c/sPGN0z681NGICD/80uBNLD5gnoG4E=;
        b=MQXUIgMl5Ruf4U53iCw3vp5jeePoAkZAMiTzgllL/4sjmL7P4UtJKaRXDDS/FTcLKf
         yXGgF7lNtCZsYvBzLR9Z1jVntf/mjNBvAZXx1zhniVejLj7c0wr9EaJIhJXTcG4sUexm
         GJ1TT/8uSlG4TAFjvVLoFGopVjOOCwUZbdWMhJnldIb2eUoON0v4RK9GQYo0i2ujFM1x
         1d9pgWKoMNls33aw4XQqttDtkl6nFBMs/49qLiUQ7M9hzP5a1eDKcZuKh4vEb+NYdRiE
         VhK9sMO1jRx+UCZGsFuw1pYn3wOi0RNQZQ4g5W0k0WPbNK9sjAGffmpEXrusWk1JmOJh
         LAPw==;
        darn=ilbers.de
ARC-Authentication-Results: i=3; gmr-mx.google.com;
       dkim=pass header.i=@siemens.com header.s=selector2 header.b=CO+ZaLgS;
       arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com);
       spf=pass (google.com: domain of christoph.steiger@siemens.com designates 2a01:111:f403:c201::6 as permitted sender) smtp.mailfrom=christoph.steiger@siemens.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=googlegroups.com; s=20230601; t=1753944655; x=1754549455; darn=ilbers.de;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:reply-to
         :x-original-authentication-results:x-original-sender:mime-version
         :content-transfer-encoding:in-reply-to:from:cc:content-language
         :references:to:subject:user-agent:date:message-id:from:to:cc:subject
         :date:message-id:reply-to;
        bh=RsO0+UZS0y+O+BuheDvJT9R2akAznbSPJWfoaqC105k=;
        b=vg6EBHMKs/DK0CunDmzZ4UsDhyV7Cx946na7dxfcNCe9V8EpgQBVDdnOm1eXykAneL
         9KnUYkjpEa0BqiBzAaFpAfXfyA4+fGJJgMccCSTTy3q+IwyNfybNrTvYF4EKFgz9iVoS
         9V24Xgd+e4r/yVRbOy6bcjWcp9phmAdkqZDEaAFwX06XO4TNJ0zMvfxHCPKeEsnmgYr7
         Pg/KdDcVCbQvuuzn6cfXJwkVKp1lnu/wTM/FSjqey12euPrrtKUjylvrSSfZylNSuUDV
         oN/mIFUnNrIbanIl3ilRfQce6qbVYRffX0Az2EmtkYzM6UL8Fbq3sH+XGe0hQLoQKb6U
         J+5w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1753944655; x=1754549455;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :x-spam-checked-in-group:list-id:mailing-list:precedence:reply-to
         :x-original-authentication-results:x-original-sender:mime-version
         :content-transfer-encoding:in-reply-to:from:cc:content-language
         :references:to:subject:user-agent:date:message-id:x-beenthere
         :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=RsO0+UZS0y+O+BuheDvJT9R2akAznbSPJWfoaqC105k=;
        b=MBp78D3mAk8qOFbmFA3Y7S9/hZyL8y8MSE2WreWkXgIitkBew+zI5qOr/m/djWKYON
         K+yvnIK0uNj8bxoV9Z6SZhqt/4omkpGOXB6lRzkWmjcSMPyz+WERj94N74BJpyJD5bIQ
         cllWjJknZ49ppTQ9Cr5T9EskdkfnEDIT/6ucnLkpvz8wQHkfrrpy64/OlZIlinec4HSc
         VCEQKqVs4uoHVn8Bm2NxjGucFmvJYlJJVe6GnEoeqkNi1eDXwOeNzYGZU8bimT8JQeMW
         3I0Zd5IeS7nINIJd/ujbkJNFAQxhtvGH92LyWQJRQfHVKDcwBt//Mjh+MOI0htY1ehpU
         WMDQ==
X-Forwarded-Encrypted: i=3; AJvYcCXcjr6R3aLwnByfi04nxVO6WajMePl8I4s3PtDjAcjUKMGLbBn6Hg+csSeCU/LkjA3HN8PK@ilbers.de
X-Gm-Message-State: AOJu0YxGpFiJx+WURalAD3PeorK3lxd5uixLmrPaq6kieHqbM4zyTitV
	ekmOn3mVSLJ9HuUA7TlRNiHHCFsPOeAPbEPV9hm52WnY8nSVfyXHXitL
X-Google-Smtp-Source: AGHT+IHUBYfJG1X/Vpcq7texlb5ha9k1+zrPkqVrFVyYH3lotMEGV5dzuUOVMOL0G3+CRXDYDeuZLQ==
X-Received: by 2002:a05:6e02:3:b0:3e4:4a0:b972 with SMTP id e9e14a558f8ab-3e404a0ba9dmr24558525ab.8.1753944654753;
        Wed, 30 Jul 2025 23:50:54 -0700 (PDT)
X-BeenThere: isar-users@googlegroups.com; h=AZMbMZdpOKgnwspk9whtrswRFzrx6ra8CnI/cB045nAggYxO3A==
Received: by 2002:a05:6e02:8d:b0:3df:1573:75d5 with SMTP id
 e9e14a558f8ab-3e40252fb2cls4895505ab.2.-pod-prod-02-us; Wed, 30 Jul 2025
 23:50:53 -0700 (PDT)
X-Received: by 2002:a05:6602:a00c:b0:875:bc13:3c26 with SMTP id ca18e2360f4ac-881377137e3mr1206844739f.4.1753944653771;
        Wed, 30 Jul 2025 23:50:53 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1753944653; cv=pass;
        d=google.com; s=arc-20240605;
        b=UrhTSnwNLLrVyUAQUYyDTd37CYqu8nD3v5U9mcJ5edDcxpHYpb+QyK+tBJjOOXaKtz
         o4nDeZjadUzWHvZPLmPzKAhp/i4OvzbcKYDgjuJn3wLQFUF6/xZq/jtKOx2HOSbtPUyZ
         sl85/mPiKPcW11NSmKFtLhw2Kd9jXPmw7CEbFk34YxON57LwMqXXg3MhDz1CDAV/JXmq
         x5ubK16FmlT1l+WRZdVvfiDq+FHQwMuMUJKhoBtUXgiTxhoXDGnOGa28Z0ywBPHSVMg2
         5c8qOMY+/5WHHLWk4Otf1KdZ0bh+s4t8LpIC2+upEt1aimpZNqTA65NOB/mc3vftG6Bf
         v9BQ==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
        h=mime-version:content-transfer-encoding:in-reply-to:from:cc
         :content-language:references:to:subject:user-agent:date:message-id
         :dkim-signature;
        bh=8y8jKqoSWc42xeeZJPbPXivUiN7CsiVZ6uYpk8yNJnU=;
        fh=AmNVvZ5860sSa7vbl+UVeVWaDtjYkipY3JpfGEsMn2M=;
        b=I6GH31JmVGFDH/WQxCRpnxOvha8powbTLXjCNDKG5PLaQzbgS3CifE3b5YyKaAruDr
         aY7MsbbtXluxJ53xm1tUjb6V4eOYAZju+wOntk7LuvJyJPmDB6uXFeblLf4bGjRCeeKC
         dqC9dmS5W6lXwZccGPOKj3aOKv9J+nOO4ca40dHhBBKUyDKcPqN3i+wW5Dsy+G6XXXuk
         IoifGouIzYbY0pieQrhpGG+hUAkCOS9nwZhD5TY+HrFjuRfHyXfoaVluMIplWAip8+jF
         CrZnrlfvUIEQTJN8xDoinKQ1XYnR5kul0SlzIO2ObP4BUxsGf5kMEkecpN2ONZsSuMvN
         DQDA==;
        dara=google.com
ARC-Authentication-Results: i=2; gmr-mx.google.com;
       dkim=pass header.i=@siemens.com header.s=selector2 header.b=CO+ZaLgS;
       arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com);
       spf=pass (google.com: domain of christoph.steiger@siemens.com designates 2a01:111:f403:c201::6 as permitted sender) smtp.mailfrom=christoph.steiger@siemens.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com
Received: from AM0PR02CU008.outbound.protection.outlook.com (mail-westeuropeazlp170130006.outbound.protection.outlook.com. [2a01:111:f403:c201::6])
        by gmr-mx.google.com with ESMTPS id ca18e2360f4ac-8814df6f9c5si3031639f.2.2025.07.30.23.50.53
        for <isar-users@googlegroups.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 30 Jul 2025 23:50:53 -0700 (PDT)
Received-SPF: pass (google.com: domain of christoph.steiger@siemens.com designates 2a01:111:f403:c201::6 as permitted sender) client-ip=2a01:111:f403:c201::6;
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;
 b=lLwKTSPl3d4+Nqqa4eOj+5JTbkXMizjNxmQeuPicccCil792zuYah0dkjnu6qzZczqLamXFGyBOFg66QfAvRavV2hG37rgmIzTerh2XYUsgiQSjW7PvbZIC37DIzqSy63IUfBiyz8PtXqF7vFI6EjEYwg7QGdVjKNhm5JVRvkJ+fWDBnxcq4rZI6271vhNjaS0C6OCRB4K6Gpji6Dbq3c1mkQX2waATIYsOAcmd7njvUh9sWD4kBooPxAmc7l5++g/IN+ESQzNt+cowrgIZjJqwx/vcJIHuuKHFJVeb0YBwyCCtCRmKs6OLSBCaGW5LwPMBEi58kkYhFqNndHDCn+A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector10001;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=8y8jKqoSWc42xeeZJPbPXivUiN7CsiVZ6uYpk8yNJnU=;
 b=wsAXNMPPk9h8mkJi6bO0oYKc7Qsum4wsBAInzvGyVkmBDrBjcBtw52EMrFSuIeeuroCrGvW8gY9W++/n/ko8xPm+YgAd9o0uMaInW8CEtmy5Y73L/zPbi6gpX87374KDOCcJTqXTYY2+E1GSX4QDM5xIhfltzs9PfAan33XXpmlyRW5rDcMl2LtoYY2kzj45j8SKvjZJG+HAgFNoFJ6yxWaCeEC8iuzobdXFONWn2NmXt78QHOkjo3fRfbFqosiXFkXa+qLGNd7NZ8kNz9wZ8Niaj5hOc1KfQLF5yGMpKfvCpIb+x3rVpxu1EnaKzSqx5I6bvCtnkShr/ADdsOGsow==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com;
 dkim=pass header.d=siemens.com; arc=none
Received: from AS8PR10MB7136.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:20b:61c::5)
 by AM8PR10MB4100.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:20b:1eb::21) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8989.14; Thu, 31 Jul
 2025 06:50:51 +0000
Received: from AS8PR10MB7136.EURPRD10.PROD.OUTLOOK.COM
 ([fe80::fb1c:78f4:4286:6306]) by AS8PR10MB7136.EURPRD10.PROD.OUTLOOK.COM
 ([fe80::fb1c:78f4:4286:6306%3]) with mapi id 15.20.8989.010; Thu, 31 Jul 2025
 06:50:51 +0000
Message-ID: <2c12f6b5-a5c6-4656-99e0-5fae2043d7a4@siemens.com>
Date: Thu, 31 Jul 2025 08:50:49 +0200
User-Agent: Mozilla Thunderbird
Subject: Re: [RFC PATCH 0/1] SBOM Generation for isar
To: isar-users@googlegroups.com
References: <20250220095944.114203-1-felix.moessbauer@siemens.com>
 <39f0bde3-fac8-48a9-a393-2566c17831e9n@googlegroups.com>
Content-Language: en-US
Cc: shaguftanaazhashmi@gmail.com
From: "'Christoph Steiger' via isar-users" <isar-users@googlegroups.com>
In-Reply-To: <39f0bde3-fac8-48a9-a393-2566c17831e9n@googlegroups.com>
Content-Type: text/plain; charset="UTF-8"; format=flowed
Content-Transfer-Encoding: quoted-printable
X-ClientProxiedBy: FR2P281CA0139.DEUP281.PROD.OUTLOOK.COM
 (2603:10a6:d10:9e::10) To AS8PR10MB7136.EURPRD10.PROD.OUTLOOK.COM
 (2603:10a6:20b:61c::5)
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: AS8PR10MB7136:EE_|AM8PR10MB4100:EE_
X-MS-Office365-Filtering-Correlation-Id: bb2b6e4d-3210-4303-1fcc-08ddcffe9665
X-MS-Exchange-AtpMessageProperties: SA
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;ARA:13230040|376014|1800799024|4022899009|366016;
X-Microsoft-Antispam-Message-Info: =?utf-8?B?a0U1L3BZR0xrNmdsd3BsWDltM1NyN25abkdVNlhwcStQSDRKMDg4MzBtOUVw?=
 =?utf-8?B?R0U2aEpueUh4WFQ3b0FhRnZQeVYrOWQ0cDlzb1NjYnVMblphRUJTc1hueU1Q?=
 =?utf-8?B?bG11ZVE5VEZ3M3dXOWdyRkZCVm9hamc3a1N2eWhuR0t5Y3pwQUovMGpxNGlX?=
 =?utf-8?B?ZmNVejh5Q2p3NGI1ekMvTTZWZTBOTDFWZjlXRE1TclBUdklVMVhKZmxmbnRw?=
 =?utf-8?B?ekpHY2JuVnJTazBIenhJcnpCakx1QlhUQkNvNTJjSktRYlBxbDRZOEJNdkho?=
 =?utf-8?B?bTZkRkhsWllac1dNRFZuSm5KUFBwbUlpZGhXOXk4NnRXSGV4NEZ6Vi9uckFU?=
 =?utf-8?B?UUd2MzYzWUthUWtYcDJmc3ZQdkIvNlJYWjByN1JsZTVpQzZTTG1sUUNMWGlW?=
 =?utf-8?B?VkNHYVVXUTVyV2hqZ1pncWQ2N2hEYW5oanRaN0NRd1YxakxFQWl5UGtqUFlW?=
 =?utf-8?B?R1U2aUdjV1lOSUhOdHpWaDRldTlWeElmY1VsWWZiTjVvQTkxUVpkcnJpZnk4?=
 =?utf-8?B?SFNRL2h3UmJGWUdTUVhqUWpma2NPeXZMWm1Tdm4xUnY1S2w2VXpYOXF0OFVh?=
 =?utf-8?B?Q2tUVS9VVEMzQTRUTmpuc3l3RkdNOTRkUDlsdjBKcmdSMWxwL2dOQ0YwdG5F?=
 =?utf-8?B?YjQwei9zbnJXVU1aNXU4QWtmb0dWQ3ZnTWJUWHNMZytWdS9iYWVzanN5UTVh?=
 =?utf-8?B?b3hraFJDU3cxVC9CS2pLaEpyQTBqQTJzMW9YU1lIdVNyak81ckgyK0FXUmVC?=
 =?utf-8?B?VzZ2RTJLQ3pvTUJTN2ZXREhnZlh2dy85NklkWHhtUkU3cXJES1FYalc5VlNM?=
 =?utf-8?B?K1ZhZllEZWpEODdWSDh6VEQ3aVM3cGpGMitBMmdHNE9BWWoxY0VCRDQ3dkt0?=
 =?utf-8?B?bXJpN3FRNStxRzZLL0dPVmFqTjlxbGp1dXg3elJSTnlrNW1abzh0M0xsNE8y?=
 =?utf-8?B?LzZTMUFNdXhKR1oxTWd5aE96dWgzellYRys5ckVuUkdJbDZ5anRIa3ZlNXZS?=
 =?utf-8?B?V3F1TjJnbUdZQ2U3eVNGVFZ4T1BqOGhEM3VrMGNWS1N3WmJwVThYbzh6dUdW?=
 =?utf-8?B?QTJ3U3VROHl1MGhNZVV2amVyM29LdEp2SzR2bHQzdHV5Q3hqRnV6eGhQdCt0?=
 =?utf-8?B?QUtOMGROZlIxRGFRYWNTbzdFRzNwb1RXOCtaV2tsSms2TGRiZVlLZnoyY2RH?=
 =?utf-8?B?WEJhVGxDaEo4WXBnUkhGUmlJRHpMNkJSU0VVeDlNeENPV1dlVmtSQVZNSm5S?=
 =?utf-8?B?bEZQNTZpeU16MlgwdCtCa2llaDNqekM0aHppdFdaeXhFWFVMMzdwanlndGl5?=
 =?utf-8?B?bk5NTXplckRNS0doaVIvYkZMbkN1UzlRdm9SdmlPUWtkdENZN0orRzZMZ3ZH?=
 =?utf-8?B?UUtMRmdQVXkyVFVabExqc01IVG5SR1ZKVTJ5V2JEb0xMZnVublNSWWsvUzds?=
 =?utf-8?B?VlpqN21pOVAzNFZiWGozSU9YMG4wbExlL3UveWRhWWhBb0Z1RGx1bTRkdG0w?=
 =?utf-8?B?VWdaNi94Y1VsSmNORnNsMjRiRldTcWRBaGZwQjk1T0hDZ0swWThva2lVR1RF?=
 =?utf-8?B?cHp5cms0V3NHeHA3WmNjUWNPQnBBNGp6T1pmYm9oYXMrS2lYWXVHckIrN0FQ?=
 =?utf-8?B?MXF0SGpOZEdscXhLcnBwNjNSRC9WT05jeUVKZDRocG9MWnpMQWJ0Tkg1NVRr?=
 =?utf-8?B?eHZjWk42NFhPVDhVVkY1RG1XNVlrOXVQZldwYWFtb0RjOG14TzVBckp4TDRO?=
 =?utf-8?B?a25kNnh6OUxxRHBlU0NUUmRuY2FJMzhQay9LM1lwTG82RHJybnA2SGJOVmo3?=
 =?utf-8?Q?267fTCi0eKJ5QJ3GUmjzdgz1jebWXqw30CUis=3D?=
X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:AS8PR10MB7136.EURPRD10.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(376014)(1800799024)(4022899009)(366016);DIR:OUT;SFP:1101;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?bHZqNlMvWXgyMGcrd0FDd2dDY2RJbUEzVDVkeitxZlZGRSt2T3F4U1ZTdytH?=
 =?utf-8?B?YnM3SjU4aUZZbnFKcnhuWEZxejErZjFUVENrZUh4eWx2YnlFTkg3clErT2V0?=
 =?utf-8?B?ekttRWd4NzkwZVNzcmtVT3orQ2EyOE9ONkcybHpjNVNhbXovUm9WWUhVS0Rh?=
 =?utf-8?B?SDRJb21IRnFLcURTenUrMVRNaTl5UGhPMDBLb1JiRnZ3czZ4VjRCVlVHTGhM?=
 =?utf-8?B?TWlZVzVxRXV4TTBQV2l5YkFXZlVFZTBjc1QzWkhDNnl4RWxYMjN2SWcwK2Fi?=
 =?utf-8?B?OW01Q0hIUkRMZ2YyUDNvYlJldU1ud1d2ZzFhdkk2Sys1YmhSWENkVmJ2c1pp?=
 =?utf-8?B?T1BFY3NWWis4OEp3SU4wcGk5bVRPNWVsZTNtejdNVEQ4bmpFTmlhSEwwc2lP?=
 =?utf-8?B?RllUMWxkVlpDWG8ydzd6QW85Yi9ZZ2xYUFVGTmVjdGpqSENvM05QT2tKVml0?=
 =?utf-8?B?SWNGdFpZOHJJQko1K0cvbzNVMzN6T2IrcnNDOHNtTmI4a3ZUL3VRVVVKL3ZY?=
 =?utf-8?B?YThia2RlV3kvU3JtZGlYS3BXYnk2WC9Gc1lVYlUrUG16TWk2dVRuQzJQN29T?=
 =?utf-8?B?SWxMQkcxL1dNNS9xZXdMS1QrTzEvSFZjZWZWNVczaUcyWnFpLzFqUk9HdWpL?=
 =?utf-8?B?VnQ3TmIxUlREK2N2dHVndEJIQ3A3eFl1cTBQR1FwQ1JCWGlQUWF0MTZnRDMv?=
 =?utf-8?B?WHF6dENsVndCUldJcHhTaHRST3NoYVFuZTIyekduTThEY1pRK01JbVJYU29B?=
 =?utf-8?B?Zm5mcmFRNWFoM216bGRWZDFiaUIyMUlkTGl4R01wLzcxSTd0WWRzditVU2Zx?=
 =?utf-8?B?eXFHK2FIdm0vNlhmSWhwdjhCVllFekowbi80LzM5ZHp5alQ4MGVXRU84ZE5Y?=
 =?utf-8?B?MllJUVBzT040ZGkvN2VJMlJHNWNFNWNFMUNTdk9EdzlJODh5cFFGNzJ1S3dx?=
 =?utf-8?B?V0VTQjJGQkZZY0ZTSXUrdW1Mek02TGV3WlBzYXV0NzRsdWdONDVPcWlJcEtO?=
 =?utf-8?B?RFJQQzZ1dXFqWlhYYVBvRm03UEdjcHdFZ3NvdHlORHR6am5WOExDTCsvNmJQ?=
 =?utf-8?B?aE95azJXa2pobFRSS0VWYVMrOGQxZ3dzQVFKTkgrOVdKY0tDVm5Rc3V3TlU0?=
 =?utf-8?B?c2Z0cURJaU8yZDFGcmQwb2R3MHl2aUlETVFhMk1FK1IrbFhuU1pYY2xibzR5?=
 =?utf-8?B?U2JHNzQ3bmV0MG1ZUVFYZTlFeHRUbHBPejgvRi84S1dLeTV1cXVvWWlmUGd0?=
 =?utf-8?B?d1RDUXhZY3hhcDRMRFFNUks0dnhOL0ZPT1VlMmZLNUhlT2xUSFBPVTMzVWI2?=
 =?utf-8?B?VkI0ZTUyRUxiMC8vVldKNFhBS1N3MThubDNpRnJhYWpiTjBteVRWQWpVMW4v?=
 =?utf-8?B?L0RyUWNGWGFEL3lNcHdVb1lxY1dVMHFlamc3RXJXbTdjRC9tRHpoMHQ1d3hF?=
 =?utf-8?B?MUN3U2IrMzl1YlE4RUdEN1MreFU3T1NqbkhidExFRW8xN3gydnRQa0NXcWFv?=
 =?utf-8?B?QVdaemYyOS9UeHE4a01hM01SUktzTTlXRENxU2gvZ2dSdmJ0MUlPTG5nbkxr?=
 =?utf-8?B?R2NKUGVUS0ZxNmNwemt2SGZoS1dWdFIyRGFjVFYwWGkwaERKbm5tTzBqQ3RY?=
 =?utf-8?B?YjFXZklNZC8vem1GVVdXZzUrUmR4dXJGM3JwYldjcStDS3R1cTFHaWVyeXM0?=
 =?utf-8?B?ZVVDNlRlZDNzbndCY0hZZHhUdy83T3cvOWFBYVArV2pMMlpWMGx6UUh5cmFx?=
 =?utf-8?B?djk5VyswTVRxcE1XbldtdmF5cTE5NlAvcHljcExmRzJTNUVLZ0JQcUFGTDVW?=
 =?utf-8?B?RXo3OFpsbjdpb21SbmxNK2EzQUtGaXVTVVpxZFhvUlEwbFZaajRabnFNYnVT?=
 =?utf-8?B?NTlKejZwSHZlb1dSOGlwa3VuOHN0SEo2SndOQWtVR3JJdTdSSW5HOFdRNG9M?=
 =?utf-8?B?M2xXTDFMd1F5UjRra05xd3J1K2Q2dEdGVTBCOFBkQm50ZVBGYXJuSVVJdjU5?=
 =?utf-8?B?ZzNibUlCaFYrUGlFQ1RVWUw5eHBsdzhjN2ExelRjekVhRGgxQVNiRUZqU2hY?=
 =?utf-8?B?Y1pQMlQrekpPYThWYnpIMklTajV2NkkvUnNMUzlkamR0c1AwSzc4SFI2M2Zy?=
 =?utf-8?B?bzVwTUF6aExZM0g1OG9pRCt4dWx3dU5HZy9oVU5aTTdlQVFpUkR5SzAzTmZT?=
 =?utf-8?B?R0E9PQ==?=
X-OriginatorOrg: siemens.com
X-MS-Exchange-CrossTenant-Network-Message-Id: bb2b6e4d-3210-4303-1fcc-08ddcffe9665
X-MS-Exchange-CrossTenant-AuthSource: AS8PR10MB7136.EURPRD10.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 31 Jul 2025 06:50:51.1949
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: vbqciAMxZUU3FpL12sikgRRjYzPgv6a2lVTx5ojTh2zAPvGBB+mocDlJ/V6uhTBoWkDmJGFx5jS4soMYykMyoL5GAdB+YlbswNhFf+30ZpQ=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM8PR10MB4100
X-Original-Sender: christoph.steiger@siemens.com
X-Original-Authentication-Results: gmr-mx.google.com;       dkim=pass
 header.i=@siemens.com header.s=selector2 header.b=CO+ZaLgS;       arc=pass
 (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass
 fromdomain=siemens.com);       spf=pass (google.com: domain of
 christoph.steiger@siemens.com designates 2a01:111:f403:c201::6 as permitted
 sender) smtp.mailfrom=christoph.steiger@siemens.com;       dmarc=pass
 (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com
X-Original-From: Christoph Steiger <christoph.steiger@siemens.com>
Reply-To: Christoph Steiger <christoph.steiger@siemens.com>
Precedence: list
Mailing-list: list isar-users@googlegroups.com; contact isar-users+owners@googlegroups.com
List-ID: <isar-users.googlegroups.com>
X-Spam-Checked-In-Group: isar-users@googlegroups.com
X-Google-Group-Id: 914930254986
List-Post: <https://groups.google.com/group/isar-users/post>, <mailto:isar-users@googlegroups.com>
List-Help: <https://groups.google.com/support/>, <mailto:isar-users+help@googlegroups.com>
List-Archive: <https://groups.google.com/group/isar-users
List-Subscribe: <https://groups.google.com/group/isar-users/subscribe>, <mailto:isar-users+subscribe@googlegroups.com>
List-Unsubscribe: <mailto:googlegroups-manage+914930254986+unsubscribe@googlegroups.com>,
 <https://groups.google.com/group/isar-users/subscribe>
X-Spam-Status: No, score=-4.9 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI,
	RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H2,RCVD_IN_RP_CERTIFIED,
	RCVD_IN_RP_RNBL,RCVD_IN_RP_SAFE,SPF_PASS autolearn=unavailable
	autolearn_force=no version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on shymkent.ilbers.de
X-TUID: +jC5JO7ijuOO

> Hi,
>=20
> Based on the patch, it seems that the externalReferences field is added=
=20
> when the homepage is available for the package. Would it be feasible to=
=20
> use our own scripts to populate the externalReferences field for the=20
> packages where it is currently missing?

Your assumption is correct. Nothing stops you from adding additional=20
external references after generation of the SBOM. This script only=20
considers information available in the dpkg databases, which only=20
contains a link to the homepage afaik.

If you know of other things in the packages that could be added to the=20
externalReferences field let us know so we can incorporate it.

>=20
> For the two packages considered below, we can see that the=20
> externalReferences field is added for one component (apparmor) and=20
> missing from the other (adduser).
> ```
>  =C2=A0 =C2=A0 {
>  =C2=A0 =C2=A0 =C2=A0 "bom-ref": "CDXRef-adduser",
>  =C2=A0 =C2=A0 =C2=A0 "description": "add and remove users and groups",
>  =C2=A0 =C2=A0 =C2=A0 "name": "adduser",
>  =C2=A0 =C2=A0 =C2=A0 "purl": "pkg:deb/debian/adduser@3.134?arch=3Dall",
>  =C2=A0 =C2=A0 =C2=A0 "supplier": {
>  =C2=A0 =C2=A0 =C2=A0 =C2=A0 "contact": [
>  =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 {
>  =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 "email": "adduser@packages.deb=
ian.org"
>  =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 }
>  =C2=A0 =C2=A0 =C2=A0 =C2=A0 ],
>  =C2=A0 =C2=A0 =C2=A0 =C2=A0 "name": "Debian Adduser Developers "
>  =C2=A0 =C2=A0 =C2=A0 },
>  =C2=A0 =C2=A0 =C2=A0 "type": "library",
>  =C2=A0 =C2=A0 =C2=A0 "version": "3.134"
>  =C2=A0 =C2=A0 },
>  =C2=A0 =C2=A0 {
>  =C2=A0 =C2=A0 =C2=A0 "bom-ref": "CDXRef-apparmor",
>  =C2=A0 =C2=A0 =C2=A0 "description": "user-space parser utility for AppAr=
mor",
>  =C2=A0 =C2=A0 =C2=A0 "externalReferences": [
>  =C2=A0 =C2=A0 =C2=A0 =C2=A0 {
>  =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 "comment": "homepage",
>  =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 "type": "website",
>  =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 "url": "https://apparmor.net/"
>  =C2=A0 =C2=A0 =C2=A0 =C2=A0 }
>  =C2=A0 =C2=A0 =C2=A0 ],
>  =C2=A0 =C2=A0 =C2=A0 "name": "apparmor",
>  =C2=A0 =C2=A0 =C2=A0 "purl": "pkg:deb/debian/apparmor@3.0.8-3?arch=3Damd=
64",
>  =C2=A0 =C2=A0 =C2=A0 "supplier": {
>  =C2=A0 =C2=A0 =C2=A0 =C2=A0 "contact": [
>  =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 {
>  =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 "email": "pkg-apparmor-team@li=
sts.alioth.debian.org"
>  =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 }
>  =C2=A0 =C2=A0 =C2=A0 =C2=A0 ],
>  =C2=A0 =C2=A0 =C2=A0 =C2=A0 "name": "Debian AppArmor Team "
>  =C2=A0 =C2=A0 =C2=A0 },
>  =C2=A0 =C2=A0 =C2=A0 "type": "library",
>  =C2=A0 =C2=A0 =C2=A0 "version": "3.0.8-3"
>  =C2=A0 =C2=A0 },
> ```
>=20
> Thanks,
> Syeda Shagufta Naaz
> syedashagufta.naaz@siemens.com
>=20
> On Thursday, February 20, 2025 at 3:31:38=E2=80=AFPM UTC+5:30 Felix Moess=
bauer=20
> wrote:
>=20
>     From: Christoph Steiger <christop...@siemens.com>
>=20
>     This patch would add SBOM generation support for isar.
>=20
>     We already generate a manifest as part of the do_rootfs task which is
>     used by some people internally at Siemens to create SBOMs, but it has
>     a proprietary format and is not documented. It also has become appare=
nt
>     that more information than in the manifest is required.
>=20
>     To create the SBOMs we parse the dpkg status file in a given image an=
d
>     have some python scripts to build a valid SBOM for the two standard
>     formats (CycloneDX and SPDX).
>=20
>     The python scripts are a very minimal implementation to generate SBOM=
s,
>     as all other tools have heavier dependencies that are not packaged in
>     debian. As we also require only a small subset of these libraries (we
>     only generate a specific version and format, using also only a small
>     part of the data structures) I chose to quickly implement this myself=
.
>=20
>     The current implementation also emits source package information in t=
he
>     SPDX format. Unfortunately the CDX standard does not allow to map the
>     relationship between a debian source and binary package in a
>     satisfactory way, so I omitted it for now. There is talks internally
>     about how to represent this relationship, but it is probably a good
>     idea
>     to leave it empty for now.
>=20
>     TODOs/next steps:
>     - license/copyright parsing: debian has no machine-readable format fo=
r
>     these, but they are very valuable for clearing purposes
>     - tigther bitbake integration: if we hook into each recipe we could a=
dd
>     more information and correctly represent vendor packages
>=20
>     Please tell me what you think and how we could land SBOM generation
>     here :-)
>=20
>     Christoph Steiger (1):
>     meta: add CycloneDX/SPDX SBOM generation
>=20
>     meta/classes/create-sbom.bbclass | 49 ++++
>     meta/classes/image.bbclass | 2 +
>     meta/lib/sbom.py | 446 +++++++++++++++++++++++++++++++
>     meta/lib/sbom_cdx_types.py | 82 ++++++
>     meta/lib/sbom_spdx_types.py | 95 +++++++
>     5 files changed, 674 insertions(+)
>     create mode 100644 meta/classes/create-sbom.bbclass
>     create mode 100644 meta/lib/sbom.py
>     create mode 100644 meta/lib/sbom_cdx_types.py
>     create mode 100644 meta/lib/sbom_spdx_types.py
>=20
>     --=20
>     2.39.5
>=20
> --=20
> You received this message because you are subscribed to a topic in the=20
> Google Groups "isar-users" group.
> To unsubscribe from this topic, visit https://groups.google.com/d/topic/=
=20
> isar-users/8L-CF4BJY0I/unsubscribe <https://=20
> eur01.safelinks.protection.outlook.com/?=20
> url=3Dhttps%3A%2F%2Fgroups.google.com%2Fd%2Ftopic%2Fisar-users%2F8L-=20
> CF4BJY0I%2Funsubscribe&data=3D05%7C02%7Cchristoph.steiger%40siemens.com%7=
C38fbfcce41dc4115eb7708ddcff60649%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C=
0%7C638895377762504213%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYi=
OiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%=
7C&sdata=3DZJLWNsyTk9pxvt0sF6yuQ5TBcpvp%2B1Wet%2FUFss%2BFnnQ%3D&reserved=3D=
0>.
> To unsubscribe from this group and all its topics, send an email to=20
> isar-users+unsubscribe@googlegroups.com <mailto:isar-=20
> users+unsubscribe@googlegroups.com>.
> To view this discussion visit https://groups.google.com/d/msgid/isar-=20
> users/39f0bde3-fac8-48a9-a393-2566c17831e9n%40googlegroups.com <https://=
=20
> eur01.safelinks.protection.outlook.com/?=20
> url=3Dhttps%3A%2F%2Fgroups.google.com%2Fd%2Fmsgid%2Fisar-users%2F39f0bde3=
-=20
> fac8-48a9-=20
> a393-2566c17831e9n%2540googlegroups.com%3Futm_medium%3Demail%26utm_source=
%3Dfooter&data=3D05%7C02%7Cchristoph.steiger%40siemens.com%7C38fbfcce41dc41=
15eb7708ddcff60649%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C63889537776=
2533091%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCI=
sIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=3D0DSm=
3jmR%2F1tI0a%2Bct3D2juZGQ4UmmnyNh%2FwHeEJX8u0%3D&reserved=3D0>.

--=20
You received this message because you are subscribed to the Google Groups "=
isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/=
2c12f6b5-a5c6-4656-99e0-5fae2043d7a4%40siemens.com.