From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from shymkent.ilbers.de ([unix socket]) by shymkent (Cyrus 2.5.10-Debian-2.5.10-3+deb9u2) with LMTPA; Fri, 06 Feb 2026 13:05:47 +0100 X-Sieve: CMU Sieve 2.4 Received: from mail-lf1-f64.google.com (mail-lf1-f64.google.com [209.85.167.64]) by shymkent.ilbers.de (8.15.2/8.15.2/Debian-8+deb9u1) with ESMTPS id 616C5khC024417 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Fri, 6 Feb 2026 13:05:46 +0100 Received: by mail-lf1-f64.google.com with SMTP id 2adb3069b0e04-59e2cab14d8sf1397827e87.1 for ; Fri, 06 Feb 2026 04:05:46 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1770379541; cv=pass; d=google.com; s=arc-20240605; b=EawNH7NTN9pPMdhroT438qPZufgzwmgkyeFGCdYpuXMseTv9huA58mrtfV7+mSOCp6 t8h3OShomHmgq596vzPVwTFjq/5C6U9D+UkdGWQu0H+Kg6dHrYN7b/uYvJMmk98EkVCV mgVX9pmnqUkA4nsQVxEaP87fZtIs/PnawE/9Tz/3cCcNYkx3yyE2+UDmXX5Zy52Qyc9l S2X4VRLib3YPe2mw5iS7ME4eQf4ZNuk6jXmPoW8VgvQM5RXzus7nQh5/liNBzaH1e8oS enCkpajf0AFBEKIz2UTe1hejj0xvdH2O5AjCpI3Tp9NN+4q7ohg8dhkkb6ijPD4yyQ+R ftpg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id :sender:dkim-signature; bh=T0CNN0BsSWO2wR/8BG7Ku8iT5k7dYthzxij9AlRntwQ=; fh=AL8cycYiaIRhyxOc39lp6O8zZjPXB9DFZSzSHVc1qTQ=; b=gH0778h84PMfBbt78UOYYrZ0xG20AiKytBQIio/UAtbKdDbmVJLPo07RFD8StG1vhQ TFRKr6PEWPPXmoo1B5wDRZKqarlGEcUJlDhmYKH6z6i1JieqF6R3mqSi5hWWf7nEOXhk uusYOOVZfMvOUWUgB+habJUNhq7e2UEYOmsjXdI0WmgxcrRC/8w8c0XVXsH0zKIXb97T eHSwBbqxCWh4Nyl2kTWCgBA/O2VY5LK/Wj3YKpksT1fUFpDaZdVFtKKqspYNT7qHzlmz BjLI9JreWv7qoiRLkwjPlOH3u+PwwGP7kAzlnJnXkTRbuf1Gto7D8BTcMz7d0fRW3GKB RONw==; darn=ilbers.de ARC-Authentication-Results: i=2; gmr-mx.google.com; spf=pass (google.com: domain of wzh@ilbers.de designates 85.214.156.166 as permitted sender) smtp.mailfrom=wzh@ilbers.de DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20230601; t=1770379541; x=1770984341; darn=ilbers.de; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:in-reply-to:from:content-language:references:cc :to:subject:user-agent:mime-version:date:message-id:sender:from:to :cc:subject:date:message-id:reply-to; bh=T0CNN0BsSWO2wR/8BG7Ku8iT5k7dYthzxij9AlRntwQ=; b=hTcSc25GZ2lMEPqeNn8aVbxfHCtaCzWRidPS6UkRf6gweMrJ3LRz2dCDVlzW7uCoyl kgpk8QDG0j++Qz5CLihkttTM7NMZe6tvUKEn5NIKgP45DCxHpqxVaXPdMGt8SgMjEvwK dLYIa+5rWmMHRvjP9BV1kWZ9Pn8ZgUoQB6aSo7RMj72ds+4P1YBzY6mdLaS/4yjWkACx 2CFcN+ujL4vXS5orPZUVNgLeXvNrEcxAT5He7konLEDxUxfwjYpJGSu634znvQC56O20 dJgtylkki4Y9624rfcQp0rzRWI8f07SkahLjtW3VY71Dojtb2KF7syuL/83sOOSv0AaV 26Cw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1770379541; x=1770984341; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :x-spam-checked-in-group:list-id:mailing-list:precedence :x-original-authentication-results:x-original-sender:in-reply-to :from:content-language:references:cc:to:subject:user-agent :mime-version:date:message-id:x-beenthere:x-gm-message-state:sender :from:to:cc:subject:date:message-id:reply-to; bh=T0CNN0BsSWO2wR/8BG7Ku8iT5k7dYthzxij9AlRntwQ=; b=GosakvMT3LX91ScyYV8Xkp5nqKAnycve8HZjP6852SqDt5jmPnUzPmGinMsEz7590W 9+D4uPwnGoRRiQzKeFHiQJE8K8PJezTuPp8/y/IvPyOZc8Gw2z1xXPFHCFJWUp9gTJ7i j0V5355WsoXyvQWmHEKNXBtJGp9HVYhDWYIrGHfhWWvvm2gJ5q6MQKgQmcQwoJqFPekx hHbFWM1OJzBte0HtHD+oo6UaEa9iPa6h9x4rx9GGA3oH3divinWB01UGZyrxmfS6jF+b ryeVM1LNZ6xyDkiWIMCDVZxgnah+mV7ZK8xbm5RVZnrJhCWMGwfWJeTQvZzYKwq4C/d+ XROA== Sender: isar-users@googlegroups.com X-Forwarded-Encrypted: i=2; AJvYcCVrnvm8RongcQhnMZB/D1s129AKiiuMPBOesBP4Oy7VmzgNP6tySdpddcq8OmLRTy9Uw1ym@ilbers.de X-Gm-Message-State: AOJu0YzgMnphL0JVz2Y9WPOuF+lOnmHLWaJl2dgRJ40i4XK1s9ALnPXS QueVvAoNvsfsBdtrHtbnnKjvmLpkSOvZwRInI3/EEq8NALAWdreIkV08 X-Received: by 2002:a05:6512:b92:b0:59d:fd41:d6e8 with SMTP id 2adb3069b0e04-59e4515a774mr839494e87.34.1770379540411; Fri, 06 Feb 2026 04:05:40 -0800 (PST) X-BeenThere: isar-users@googlegroups.com; h="AV1CL+E82JcYVnAOfCZw9E5suDRLFShOYLnc2Za+geF3ZiPEPw==" Received: by 2002:a05:6512:31d4:b0:59b:7324:a12c with SMTP id 2adb3069b0e04-59e3c47641fls572653e87.2.-pod-prod-07-eu; Fri, 06 Feb 2026 04:05:38 -0800 (PST) X-Forwarded-Encrypted: i=2; AJvYcCV93CRIaQNHYu6vcIVqePpqwqfoWZ7qMsZI0SjZr7eF3N0C4LGyN01WtArP7SxliM8i9lWH2a9Z9Fgd@googlegroups.com X-Received: by 2002:a05:6512:1043:b0:59e:384b:94bf with SMTP id 2adb3069b0e04-59e4515a355mr885239e87.33.1770379537630; Fri, 06 Feb 2026 04:05:37 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1770379537; cv=none; d=google.com; s=arc-20240605; b=Q0L2f2JqqdgYqbKWM1qMyoSvXXTE7b53ibrNidZFyaDDwg2go7320rxYqOOGIdw5df 3ApZSNv4xxVYomgVWVncnmqp9LvFx4BDPHfcbZRv/hktjz9u+YMF3suoD2iapRh0eRgA Ta4gR/ihbjKCwCM/oE/KJhbGSL6Z4Q6ee+keAY1y23Mz1jmI0+6O1sc3/CJ7ZzOlDVD+ r2l0T9X0wiho0UYs4OjvheWcNGzFxZP2ZOG8z63nFgcq2cFKJHe10WbrV5u48z8/rUsl RvworKFvSOZspea7/ts5EgnuL1NHTe3K8nIqxJRJu7T+LiSMrmy1kOwFsiSYmKwo18Wy LELg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id; bh=uPeEICWOJT6qRRHKfu1coNWAHrphCWo+DD5aBAnp45g=; fh=Soc8cThCfbwUm5MQWM0KoS2YCC47Di1J40Bg94tdTXo=; b=kqKlZtIjYYRXtsxlDZALxDu148u3adKeUMPuF2eMOin4nIrP/hHVilVl+eQ2uUKXU+ stTG+5fKE7dMJg3ZuaoSt65Dme+TO8+a2ocygaAOIBxlOztbgFxqO3UEHIEolVag+H7V Sq4PMBVa6PMLN3R1mh/rAThRMIEGulDY4xjnjOli1pj4LGwiQhViDyJoInKpelEdoAPA LM1j7FeQ7yaXpZm68Lj4xM7o4zAGJiBOoL2GuvvGqf9hUhgdaRsE5ZX4XgcgZzdyo83L s+9pu9bSp4ysAIN+vY0y8mn1maTmE09Pg6RaeG7lc4tcLKFci+RMfKR01P/nxrJINZQs xpUA==; dara=google.com ARC-Authentication-Results: i=1; gmr-mx.google.com; spf=pass (google.com: domain of wzh@ilbers.de designates 85.214.156.166 as permitted sender) smtp.mailfrom=wzh@ilbers.de Received: from shymkent.ilbers.de (shymkent.ilbers.de. [85.214.156.166]) by gmr-mx.google.com with ESMTPS id 2adb3069b0e04-59e44d138f5si53561e87.7.2026.02.06.04.05.37 for (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256); Fri, 06 Feb 2026 04:05:37 -0800 (PST) Received-SPF: pass (google.com: domain of wzh@ilbers.de designates 85.214.156.166 as permitted sender) client-ip=85.214.156.166; Received: from [192.168.178.117] ([88.130.203.42]) (authenticated bits=0) by shymkent.ilbers.de (8.15.2/8.15.2/Debian-8+deb9u1) with ESMTPSA id 616C5ZJF024411 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 6 Feb 2026 13:05:36 +0100 Message-ID: <440684fa-3306-42f6-9307-b6f70cf5666b@ilbers.de> Date: Fri, 6 Feb 2026 13:05:35 +0100 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH v8 0/7] Add SBOM generation with debsbom To: Felix Moessbauer , isar-users@googlegroups.com Cc: christoph.steiger@siemens.com, cedric.hombourger@siemens.com, jan.kiszka@siemens.com, quirin.gylstorff@siemens.com, stefan-koch@siemens.com References: <20260206114054.3010883-1-felix.moessbauer@siemens.com> Content-Language: en-US From: Zhihang Wei In-Reply-To: <20260206114054.3010883-1-felix.moessbauer@siemens.com> Content-Type: text/plain; charset="UTF-8"; format=flowed X-Spam-Status: No, score=-4.6 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_EF,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H2, RCVD_IN_RP_CERTIFIED,RCVD_IN_RP_RNBL,RCVD_IN_RP_SAFE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on shymkent.ilbers.de X-Original-Sender: wzh@ilbers.de X-Original-Authentication-Results: gmr-mx.google.com; spf=pass (google.com: domain of wzh@ilbers.de designates 85.214.156.166 as permitted sender) smtp.mailfrom=wzh@ilbers.de Precedence: list Mailing-list: list isar-users@googlegroups.com; contact isar-users+owners@googlegroups.com List-ID: X-Spam-Checked-In-Group: isar-users@googlegroups.com X-Google-Group-Id: 914930254986 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-TUID: 1gfpBYgRkExi On 2/6/26 12:40, 'Felix Moessbauer' via isar-users wrote: > This patchset adds proper SBOM generation in the two standard formats > SPDX and CycloneDX during the rootfs generation process. > > The generation is itself is handled by a SBOM generator `debsbom` [1] > which is developed as an open source project at Siemens. It is still > early in development, but it has enough features for what we require > in isar. The required dependencies which are not yet available as > Debian packages were minimally packaged directly in isar too. > > This is a followup of the previous RFC [2]. Since then the series has > changed a lot. The SBOM generation was moved from a simple OE lib to > `debsbom`. This also meant the introduction of a separate chroot was > necessary. The SBOM generation process was also moved from the image > step to the rootfs step, along with a lot of minor changes and > improvements. > > [1] https://github.com/siemens/debsbom > [2] https://groups.google.com/g/isar-users/c/8L-CF4BJY0I/m/p0N3o_zfAAAJ > > Changes since v7: > > - update debsbom to 0.6.1 > - fix various errors on merging rootfs + initrd + imager sboms > (as I'm now able to execute the testsuite, I was able to test this on > DevTest and CrossTest) That's good news! Zhihang > - move testsuite adoption to p3 to make change atomic > - only merge sboms if sbom generation is enabled for image rootfs > > Changes since v6: > > - fixed imager bom failure on transitive image types (detected in isar-cip, > wic -> squashfs). > - updated debsbom to 0.6.0+git > - add support for license information > - rebased onto next > > Note: I'm still not able to run the full testsuite. The related patches > to cleanup the testsuite are pending on the list for quite some time. I > did some extensive local testing with isar-cip core and product layers, > but any additional testing is highly welcome. > > Changes since v5: > > - fix isar-image-ci on qemuamd64-bullseye (set IMAGER_BOM according to > machine changes made in image file) > - rebased onto next > > Changes since v4: > > - rebased onto next > - fix race condition on creation of ${DEPLOY_DIR_SBOM} (aka ${DEPLOY_DIR_IMAGE}) > > Changes since v3: > > - fix issue on external bullseye initramfs (we now disable sbom generation > on all unsupported distros rootfs instances) > - update debsbom to v0.4.0 > - rebased onto next > > Changes since v2: > > - fix issues when HOST_ARCH != DISTRO_ARCH on derived distributions > - update debsbom to v0.3.0, which fixes the Origin: bug reported in v2 > - generate SBOM for imager as well and create merged sbom of .wic image > - resend imager manifest + wic manifest patches to reduce conflicts > > Note, that the patches p1-p5 are most important as they add basic SBOM > support. The remaining patches address the imager + .wic bom part, > which also can be merged later on. > > Changes since v1: > > - remove tarball > - refactor packaging (auto-derive python dependencies) > - only build missing packages (varies on bookworm, trixie, noble) > - add ubuntu support > - only generate sboms for supported distributions (bookworm/jammy and > onwards) > - update debsbom (includes bug fixes and more information for source > packages) > > Felix Moessbauer (7): > debsbom: update to version 0.6.1 > feat: add license information to SBOM as well > add support to add imager dependencies to BOM > wic: create uniform manifest describing all image components > qemuamd64: add IMAGER_BOM entries > imager: create SBOM of IMAGER_BOM packages > wic: create uniform SBOM describing all image components > > doc/user_manual.md | 1 + > meta-isar/conf/machine/qemuamd64.conf | 1 + > .../recipes-core/images/isar-image-ci.bb | 1 + > .../image-tools-extension.bbclass | 29 +++++++++++++++++ > meta/classes-recipe/image.bbclass | 9 ++++++ > meta/classes-recipe/imagetypes_wic.bbclass | 32 +++++++++++++++++++ > meta/classes/sbom.bbclass | 3 +- > ...sbom_0.5.1.bb => python3-debsbom_0.6.1.bb} | 3 +- > 8 files changed, 77 insertions(+), 2 deletions(-) > rename meta/recipes-support/python3-debsbom/{python3-debsbom_0.5.1.bb => python3-debsbom_0.6.1.bb} (91%) > -- You received this message because you are subscribed to the Google Groups "isar-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/isar-users/440684fa-3306-42f6-9307-b6f70cf5666b%40ilbers.de.