Date: Wed, 30 Jul 2025 22:38:03 -0700 (PDT)
From: Syeda Shagufta Naaz
To: isar-users
Message-Id: <39f0bde3-fac8-48a9-a393-2566c17831e9n@googlegroups.com>
In-Reply-To: <20250220095944.114203-1-felix.moessbauer@siemens.com>
References: <20250220095944.114203-1-felix.moessbauer@siemens.com>
Subject: Re: [RFC PATCH 0/1] SBOM Generation for isar

Hi,

Based on the patch, it seems that the externalReferences field is added
when the homepage is available for the package. Would it be feasible to use
our own scripts to populate the externalReferences field for the packages
where it is currently missing?

For the two packages considered below, we can see that the
externalReferences field is added for one component (apparmor) and missing
from the other (adduser).

```
    {
      "bom-ref": "CDXRef-adduser",
      "description": "add and remove users and groups",
      "name": "adduser",
      "purl": "pkg:deb/debian/adduser@3.134?arch=all",
      "supplier": {
        "contact": [
          {
            "email": "adduser@packages.debian.org"
          }
        ],
        "name": "Debian Adduser Developers "
      },
      "type": "library",
      "version": "3.134"
    },
    {
      "bom-ref": "CDXRef-apparmor",
      "description": "user-space parser utility for AppArmor",
      "externalReferences": [
        {
          "comment": "homepage",
          "type": "website",
          "url": "https://apparmor.net/"
        }
      ],
      "name": "apparmor",
      "purl": "pkg:deb/debian/apparmor@3.0.8-3?arch=amd64",
      "supplier": {
        "contact": [
          {
            "email": "pkg-apparmor-team@lists.alioth.debian.org"
          }
        ],
        "name": "Debian AppArmor Team "
      },
      "type": "library",
      "version": "3.0.8-3"
    },
```

Thanks,
Syeda Shagufta Naaz
syedashagufta.naaz@siemens.com

On Thursday, February 20, 2025 at 3:31:38 PM UTC+5:30 Felix Moessbauer wrote:
> From: Christoph Steiger
>
> This patch would add SBOM generation support for isar.
>
> We already generate a manifest as part of the do_rootfs task which is
> used by some people internally at Siemens to create SBOMs, but it has
> a proprietary format and is not documented. It also has become apparent
> that more information than in the manifest is required.
>
> To create the SBOMs we parse the dpkg status file in a given image and
> have some python scripts to build a valid SBOM for the two standard
> formats (CycloneDX and SPDX).
>
> The python scripts are a very minimal implementation to generate SBOMs,
> as all other tools have heavier dependencies that are not packaged in
> debian. As we also require only a small subset of these libraries (we
> only generate a specific version and format, using also only a small
> part of the data structures) I chose to quickly implement this myself.
>
> The current implementation also emits source package information in the
> SPDX format. Unfortunately the CDX standard does not allow mapping the
> relationship between a debian source and binary package in a
> satisfactory way, so I omitted it for now. There are talks internally
> about how to represent this relationship, but it is probably a good idea
> to leave it empty for now.
>
> TODOs/next steps:
> - license/copyright parsing: debian has no machine-readable format for
>   these, but they are very valuable for clearing purposes
> - tighter bitbake integration: if we hook into each recipe we could add
>   more information and correctly represent vendor packages
>
> Please tell me what you think and how we could land SBOM generation
> here :-)
>
> Christoph Steiger (1):
>   meta: add CycloneDX/SPDX SBOM generation
>
>  meta/classes/create-sbom.bbclass |  49 ++++
>  meta/classes/image.bbclass       |   2 +
>  meta/lib/sbom.py                 | 446 +++++++++++++++++++++++++++++++
>  meta/lib/sbom_cdx_types.py       |  82 ++++++
>  meta/lib/sbom_spdx_types.py      |  95 +++++++
>  5 files changed, 674 insertions(+)
>  create mode 100644 meta/classes/create-sbom.bbclass
>  create mode 100644 meta/lib/sbom.py
>  create mode 100644 meta/lib/sbom_cdx_types.py
>  create mode 100644 meta/lib/sbom_spdx_types.py
>
> --
> 2.39.5
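An added example (not code from the isar patch or from either author) of the approach the cover letter describes and the question Syeda raises: parse a dpkg status file into CycloneDX components, emit externalReferences only when a Homepage field exists, and let a separately maintained mapping fill in the reference for packages that lack one. The status stanzas, the removed package and the fallback URL are constructed placeholders.

```python
# Constructed sample in dpkg status-file format: one stanza without Homepage, one with it, and a removed package.
SAMPLE_STATUS = """\
Package: adduser
Status: install ok installed
Version: 3.134
Architecture: all
Maintainer: Debian Adduser Developers <adduser@packages.debian.org>
Description: add and remove users and groups

Package: apparmor
Status: install ok installed
Version: 3.0.8-3
Architecture: amd64
Maintainer: Debian AppArmor Team <pkg-apparmor-team@lists.alioth.debian.org>
Homepage: https://apparmor.net/
Description: user-space parser utility for AppArmor

Package: oldtool
Status: deinstall ok config-files
Version: 1.0
Architecture: amd64
"""

# Hypothetical fallback mapping (placeholder URL) for packages whose control data has no Homepage field.
EXTRA_HOMEPAGES = {"adduser": "https://example.invalid/adduser-placeholder"}

def parse_status(text):
    """Yield field dicts for installed packages (stanzas are blank-line separated)."""
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line[:1].isspace(): continue  # continuation line of a multi-line field
            key, _, value = line.partition(":")
            fields[key] = value.strip()
        if fields.get("Status", "").endswith(" installed"):  # skip removed/config-files entries
            yield fields

def to_component(pkg, extra_homepages=None):
    """CycloneDX component; externalReferences only when a homepage is known."""
    name, ver, arch = pkg["Package"], pkg["Version"], pkg["Architecture"]
    maint, _, email = pkg.get("Maintainer", "").partition("<")
    comp = {"bom-ref": f"CDXRef-{name}", "type": "library", "name": name,
            "version": ver, "description": pkg.get("Description", ""),
            "purl": f"pkg:deb/debian/{name}@{ver}?arch={arch}",
            "supplier": {"name": maint.strip(),
                         "contact": [{"email": email.rstrip(">")}]}}
    homepage = pkg.get("Homepage") or (extra_homepages or {}).get(name)
    if homepage:  # same rule as the patch: no homepage, no externalReferences
        comp["externalReferences"] = [{"type": "website", "url": homepage, "comment": "homepage"}]
    return comp
```

Running `to_component` over `parse_status(SAMPLE_STATUS)` without the mapping reproduces the asymmetry shown in the quoted JSON; passing `EXTRA_HOMEPAGES` fills the missing reference for adduser.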