From: "'Jan Kiszka' via isar-users" <isar-users@googlegroups.com>
To: Felix Moessbauer <felix.moessbauer@siemens.com>,
isar-users@googlegroups.com
Cc: christoph.steiger@siemens.com, cedric.hombourger@siemens.com,
quirin.gylstorff@siemens.com
Subject: Re: [PATCH v6 00/10] Add SBOM generation with debsbom
Date: Fri, 12 Dec 2025 11:24:23 +0100
Message-ID: <7b9b5669-fb6f-4dfe-b146-25a6f35b2583@siemens.com>
In-Reply-To: <20251201085813.1616095-1-felix.moessbauer@siemens.com>
On 01.12.25 09:58, Felix Moessbauer wrote:
> This patchset adds proper SBOM generation in the two standard formats
> SPDX and CycloneDX during the rootfs generation process.
>
> The generation itself is handled by an SBOM generator `debsbom` [1]
> which is developed as an open source project at Siemens. It is still
> early in development, but it has enough features for what we require
> in isar. The required dependencies which are not yet available as
> Debian packages were minimally packaged directly in isar too.
>
> This is a followup of the previous RFC [2]. Since then the series has
> changed a lot. The SBOM generation was moved from a simple OE lib to
> `debsbom`. This also meant the introduction of a separate chroot was
> necessary. The SBOM generation process was also moved from the image
> step to the rootfs step, along with a lot of minor changes and
> improvements.
>
> [1] https://github.com/siemens/debsbom
> [2] https://groups.google.com/g/isar-users/c/8L-CF4BJY0I/m/p0N3o_zfAAAJ
>
> Changes since v5:
>
> - fix isar-image-ci on qemuamd64-bullseye (set IMAGER_BOM according to
> machine changes made in image file)
> - rebased onto next
>
> Changes since v4:
>
> - rebased onto next
> - fix race condition on creation of ${DEPLOY_DIR_SBOM} (aka ${DEPLOY_DIR_IMAGE})
>
> Changes since v3:
>
> - fix issue on external bullseye initramfs (we now disable sbom generation
> on all unsupported distros rootfs instances)
> - update debsbom to v0.4.0
> - rebased onto next
>
> Changes since v2:
>
> - fix issues when HOST_ARCH != DISTRO_ARCH on derived distributions
> - update debsbom to v0.3.0, which fixes the Origin: bug reported in v2
> - generate SBOM for imager as well and create merged sbom of .wic image
> - resend imager manifest + wic manifest patches to reduce conflicts
>
> Note that the patches p1-p5 are most important as they add basic SBOM
> support. The remaining patches address the imager + .wic bom part,
> which also can be merged later on.
>
> Changes since v1:
>
> - remove tarball
> - refactor packaging (auto-derive python dependencies)
> - only build missing packages (varies on bookworm, trixie, noble)
> - add ubuntu support
> - only generate sboms for supported distributions (bookworm/jammy and
> onwards)
> - update debsbom (includes bug fixes and more information for source
> packages)
>
>
> Christoph Steiger (3):
> meta: package python libraries for SBOM generation
> meta: package python3-debsbom
> meta: add SBOM generation with debsbom
>
> Felix Moessbauer (7):
> refactor: move get_rootfs_distro from sdk into rootfs
> override distro vendor in SBOM on Ubuntu
> add support to add imager dependencies to BOM
> wic: create uniform manifest describing all image components
> qemuamd64: add IMAGER_BOM entries
> imager: create SBOM of IMAGER_BOM packages
> wic: create uniform SBOM describing all image components
>
> doc/user_manual.md | 1 +
> meta-isar/conf/distro/ubuntu-common.inc | 2 +
> meta-isar/conf/machine/qemuamd64.conf | 1 +
> .../recipes-core/images/isar-image-ci.bb | 1 +
> meta/classes/image-tools-extension.bbclass | 29 +++++++++
> meta/classes/image.bbclass | 7 ++
> meta/classes/imagetypes_wic.bbclass | 30 +++++++++
> meta/classes/initramfs.bbclass | 3 +-
> meta/classes/rootfs.bbclass | 23 ++++++-
> meta/classes/sbom.bbclass | 65 +++++++++++++++++++
> meta/classes/sdk.bbclass | 10 +--
> .../sbom-chroot/sbom-chroot.bb | 30 +++++++++
> .../python3-beartype/files/rules | 8 +++
> .../python3-beartype_0.19.0.bb | 29 +++++++++
> .../files/pybuild.testfiles | 1 +
> .../python3-cyclonedx-lib/files/rules | 8 +++
> .../python3-cyclonedx-lib_9.1.0.bb | 48 ++++++++++++++
> ...icense-description-in-pyproject.toml.patch | 28 ++++++++
> .../python3-debsbom/files/rules | 8 +++
> .../python3-debsbom/python3-debsbom_0.4.0.bb | 45 +++++++++++++
> .../python3-packageurl/files/rules | 8 +++
> .../python3-packageurl_0.16.0.bb | 33 ++++++++++
> .../python3-py-serializable/files/rules | 8 +++
> .../python3-py-serializable_2.0.0.bb | 38 +++++++++++
> .../python3-spdx-tools/files/rules | 25 +++++++
> .../python3-spdx-tools_0.8.3.bb | 46 +++++++++++++
> 26 files changed, 524 insertions(+), 11 deletions(-)
> create mode 100644 meta/classes/sbom.bbclass
> create mode 100644 meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
> create mode 100644 meta/recipes-support/python3-beartype/files/rules
> create mode 100644 meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb
> create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/pybuild.testfiles
> create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/rules
> create mode 100644 meta/recipes-support/python3-cyclonedx-lib/python3-cyclonedx-lib_9.1.0.bb
> create mode 100644 meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch
> create mode 100644 meta/recipes-support/python3-debsbom/files/rules
> create mode 100644 meta/recipes-support/python3-debsbom/python3-debsbom_0.4.0.bb
> create mode 100644 meta/recipes-support/python3-packageurl/files/rules
> create mode 100644 meta/recipes-support/python3-packageurl/python3-packageurl_0.16.0.bb
> create mode 100644 meta/recipes-support/python3-py-serializable/files/rules
> create mode 100644 meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb
> create mode 100644 meta/recipes-support/python3-spdx-tools/files/rules
> create mode 100644 meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb
>
Can we please make sbom generation opt-in for distros that require
building the tool with all its dependencies manually? It's those extra
package targets that are only interesting if you plan to ship, not so
much while you are developing.
Jan
--
Siemens AG, Foundational Technologies
Linux Expert Center
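The series described above produces per-component SBOMs (rootfs, imager) and merges them into one SBOM for the .wic image. As an added illustration, not code from the series or from debsbom, the following script merges two constructed CycloneDX-style fragments by package URL and cross-checks the result against a constructed dpkg-style manifest, which is the completeness check a reviewer would want before shipping an SBOM. Package names, versions and the `vendor` default are assumptions made for the example.

```python
import json
from urllib.parse import quote

# Constructed sample fragments (CycloneDX-style component lists with deb purls);
# illustrative data only, not output of debsbom.
ROOTFS_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.6", "components": [
    {"type": "library", "name": "libc6", "version": "2.36-9+deb12u4",
     "purl": "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64"},
    {"type": "library", "name": "curl", "version": "7.88.1-10+deb12u5",
     "purl": "pkg:deb/debian/curl@7.88.1-10%2Bdeb12u5?arch=amd64"},
]}
IMAGER_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.6", "components": [
    {"type": "library", "name": "libc6", "version": "2.36-9+deb12u4",
     "purl": "pkg:deb/debian/libc6@2.36-9%2Bdeb12u4?arch=amd64"},
    {"type": "application", "name": "dosfstools", "version": "4.2-1",
     "purl": "pkg:deb/debian/dosfstools@4.2-1?arch=amd64"},
]}
# Constructed dpkg-query style manifest of the rootfs: "name version arch" per line.
ROOTFS_MANIFEST = """libc6 2.36-9+deb12u4 amd64
curl 7.88.1-10+deb12u5 amd64
openssl 3.0.11-1~deb12u2 amd64
"""

def deb_purl(name, version, arch, vendor="debian"):
    """Package URL for a Debian binary package; the version is percent-encoded
    (e.g. '+' -> '%2B'). The vendor would differ on Ubuntu (assumed default)."""
    return f"pkg:deb/{vendor}/{name}@{quote(version, safe='')}?arch={arch}"

def merge_sboms(*fragments):
    """Merge component lists into one uniform image SBOM, de-duplicated by purl
    so a package present in both rootfs and imager appears once."""
    seen, components = set(), []
    for frag in fragments:
        for comp in frag["components"]:
            if comp["purl"] not in seen:
                seen.add(comp["purl"])
                components.append(comp)
    return {"bomFormat": "CycloneDX", "specVersion": "1.6", "components": components}

def missing_from_sbom(sbom, manifest):
    """Return names of manifest packages whose exact purl is absent from the SBOM."""
    purls = {c["purl"] for c in sbom["components"]}
    missing = []
    for line in manifest.splitlines():
        if line.strip():
            name, version, arch = line.split()
            if deb_purl(name, version, arch) not in purls:
                missing.append(name)
    return missing

if __name__ == "__main__":
    image_sbom = merge_sboms(ROOTFS_SBOM, IMAGER_SBOM)
    print(json.dumps(image_sbom, indent=2))
    print("missing from SBOM:", missing_from_sbom(image_sbom, ROOTFS_MANIFEST))
```

A non-empty "missing" list means the SBOM would understate what is actually installed, which is exactly the gap an SBOM consumer relies on not existing.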