From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from shymkent.ilbers.de ([unix socket]) by shymkent (Cyrus 2.5.10-Debian-2.5.10-3+deb9u2) with LMTPA; Tue, 10 Feb 2026 08:45:28 +0100 X-Sieve: CMU Sieve 2.4 Received: from mail-ej1-f59.google.com (mail-ej1-f59.google.com [209.85.218.59]) by shymkent.ilbers.de (8.15.2/8.15.2/Debian-8+deb9u1) with ESMTPS id 61A7jROC011437 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Tue, 10 Feb 2026 08:45:27 +0100 Received: by mail-ej1-f59.google.com with SMTP id a640c23a62f3a-b8e0d4744f0sf474055666b.2 for ; Mon, 09 Feb 2026 23:45:27 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1770709522; cv=pass; d=google.com; s=arc-20240605; b=QRi6WiAuyCwnHD+oTXUFSVlxMrUoROSgMrRabnb/0pXwj7IMJZYTZBlV59rfCdmPTR KTDm+3Ab/QzhHxAbVik15KkE/rTDUu264eOaJCnCU0C7DaSnBdVCiCLfuPrkN2chwi78 09em1gaBV9rZOag7eMpsiHOWLKfIYwVrimOL2r5flv0A/0XEnckojmi9X4vBpTxk5WPX v4lMj40pDqunkWX0u7hJzTdccXiqsRTwbiAM9xKCTZcxRhxucSWL6vXC3x/2zqoevDAd aqivowCJ1zZMVfGADODoDWB8MQuaINLCTKKWhZi47/ynvt5UGgT1gObKKOJBfrMVQ6bJ 8pfA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id :sender:dkim-signature; bh=8FCpAjxQEDMCx1gaNapqIwOgmv4Dc6QpIBMAp57QWq8=; fh=TpuBfySrHxWKqWTzdxOtmhzOmo8E9cjxFUYZ7yUvR3M=; b=gUCZGursby5ShMAUJ0t5odO5yI34S/PZVDe97czo0US9ZoqI8+CLeNyzr0wPy9Ewkq azqAk5b/wBAUvfwi2g6aA7Sc110fiO66py6/4Jv7tuSrBL8uWX2TDIFN8uCY9m10tguo YE0COq3AIP0o+WVqEowTs7dwLOgZwMc0yC7N1k3QRXRODdUV9zt6sekDJCpYhr4UelOU P7DlD/ahhaITwqqgW+52r1zpGldV1xE3E79e2MddJrF831Q++cde2pKS/4E8xHN3407J a4gSaO6nwMyuFcz+6OfoswK4sFJC7sv9EWWhpEI/KkRyfpPren9jp+T/vTE+V6krZr2M /Pcg==; darn=ilbers.de ARC-Authentication-Results: i=2; gmr-mx.google.com; spf=pass (google.com: domain of wzh@ilbers.de designates 85.214.156.166 as permitted sender) smtp.mailfrom=wzh@ilbers.de DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20230601; t=1770709522; x=1771314322; darn=ilbers.de; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:in-reply-to:from:content-language:references:cc :to:subject:user-agent:mime-version:date:message-id:sender:from:to :cc:subject:date:message-id:reply-to; bh=8FCpAjxQEDMCx1gaNapqIwOgmv4Dc6QpIBMAp57QWq8=; b=ACNgNpkMqcjl9iuQ0hAAQVJYv4GWOD47I1vbxcHnHUEpFy/CwI7uvoox+UEcR/ZxDU ycgAXgHMQcAsnRPuuAfgGG5yOGDGwBWNCkhQE+OVM+Jxawrsenyuj1X0IlGtulSxZyEt b1lYo6DTSUlQ6L8bxKBEPNJ6mZi4RGgf2Q/byrJh6YzZUi5O0tPgUi5U7+fTGJaqAotd pphceGp6v1OJ/o8tgEXtRBa25ky55NPZ/0hMWsvJGKXQzMR+Z50Kcyouk7HaVZyUGXg/ X6wW1MPufwpwzMdUgznVRdBrZXcAObNM3JgjtAFK5f6iQlkuyYaxgkbuatQWDsNV6Gaf YV9w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1770709522; x=1771314322; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :x-spam-checked-in-group:list-id:mailing-list:precedence :x-original-authentication-results:x-original-sender:in-reply-to :from:content-language:references:cc:to:subject:user-agent :mime-version:date:message-id:x-beenthere:x-gm-message-state:sender :from:to:cc:subject:date:message-id:reply-to; bh=8FCpAjxQEDMCx1gaNapqIwOgmv4Dc6QpIBMAp57QWq8=; b=gO+8pkEsLD2Rgf56W2sCaJrKpE/q4/65XmRebnRdsvvhcS51bQHYxo4um7vgjH6/Re WP3Zyiji4f3iijkSoyk/jlu2DAimbzukgFepVZVrGxgfW8ag0JJ1btxBy8rv8/nWx2pu HS5EbGQYMLtOMAG5ZbjuSdYO2JcY/4UlBhRUrpkQeLyodXESch323sYsXQXVJtE2MXM1 ipNEw24Xqbws76wSboK7aDsPjxKNlso1yrRuIO4W8REpfa3sTqsdJ8kuAeSfjQKAimwy OXg9lH+0UNowN1bqaCHGWUZufe+hTSr3v+R7PQLjn3f7SVgqwou0qmf3dfP4SGSLaaKL W79Q== Sender: isar-users@googlegroups.com X-Forwarded-Encrypted: i=2; AJvYcCXhX/u6pBALCJRP8qAPI0tfEW2LEaorN++ItShKJaht9GgX5OlqGYmS9+eE7njlM0UXfLSV@ilbers.de X-Gm-Message-State: AOJu0YxuVcKIc/iRjUWR1FpewtkqFMzZAskufptK4bE+EU/vC1Vw80aw Ip21YXJpHX2FPRueoWHAJlk6xIZOusu7FRESZH3JMCEhtsI0YXtUzq09 X-Received: by 2002:a17:907:968f:b0:b8e:d0ec:c9e5 with SMTP id a640c23a62f3a-b8edf351ef5mr804806466b.41.1770709521782; Mon, 09 Feb 2026 23:45:21 -0800 (PST) X-BeenThere: isar-users@googlegroups.com; h="AV1CL+GegVzqicRE1qbm1xfwLr6LeOye+U7bsCftKZGQ/79qTQ==" Received: by 2002:a05:6402:f10:b0:659:495a:85f4 with SMTP id 4fb4d7f45d1cf-659622984c8ls5308972a12.1.-pod-prod-06-eu; Mon, 09 Feb 2026 23:45:19 -0800 (PST) X-Forwarded-Encrypted: i=2; AJvYcCWbrrMmgGE5sOAujLgkLnZZrci5PrrWtrXl5ruX0VmZ70aEKsPUMONWEwwlcoI2Ug2mwmA013a4r5gw@googlegroups.com X-Received: by 2002:a17:906:dc95:b0:b88:227e:3870 with SMTP id a640c23a62f3a-b8edf174473mr724318566b.11.1770709519713; Mon, 09 Feb 2026 23:45:19 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1770709519; cv=none; d=google.com; s=arc-20240605; b=CQ/t6cD2x9d6J2poBeZP8YikSF3Voz6Z+L1Zyy0eak6sj2Xp1G+6MsBRJ8p9yNQj1T L3d1CknisSO96n4CPNf6r2+YsWbQyH+HzfLP4djEbLYfrWUZxFGLa0456KiqWeiUbLd0 Uu6Ey9qK4yDjkuoRu56VBmJ54V+AH4eazeQfia89pxC4+u6VRarZI58yklNwtZe0xDXD DAlKWlA7cmxOvwrMj9SLzGyL5if2ceeQSiFltZH9AYAE5sjEdW/XS6IoI0+EIpJX/Tmd jYIRPH/p7wkK4OR87c8nycbMwAeD3p91hpM470ZamOIddy1ARPfCJAphTN1xvhiqZUYU 8HZw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id; bh=0s+HflaL5L/Qa7gmnabxNyAMVTiIisfq/dt53+3c8W0=; fh=Soc8cThCfbwUm5MQWM0KoS2YCC47Di1J40Bg94tdTXo=; b=YBZ2cwlPIViIh+XWI5N3EXH2PPu15VjLMTrVappohhd8kBk74mXIOhdkL7GwXnqpoG tQ9txkIz6DYou8uxWovaWA+u79Ag4bvwzKPF4jkk7aJmaXvArcDYINY93AepQv6mEPZJ RpeYcRruI2nfucGoZAIFX9EKVQibzrpmQxPtg7Od30YNKqBAYW2MogxXwedapUi37Cch gYm+fFvmGstHS2V+Bd22cjcMiTf7JkSYmTpQfao1X6NHvg9by5vG9wLQmknXxorESh/V SkfulMY8WNi/Mr6mTXgiIdL2SwQ5P1vRq1OFwkmOpP3XcZrKJSBG1NQ51/1WYBt8HdQY t77g==; dara=google.com ARC-Authentication-Results: i=1; gmr-mx.google.com; spf=pass (google.com: domain of wzh@ilbers.de designates 85.214.156.166 as permitted sender) smtp.mailfrom=wzh@ilbers.de Received: from shymkent.ilbers.de (shymkent.ilbers.de. [85.214.156.166]) by gmr-mx.google.com with ESMTPS id a640c23a62f3a-b8eda97f4c6si32289366b.2.2026.02.09.23.45.19 for (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256); Mon, 09 Feb 2026 23:45:19 -0800 (PST) Received-SPF: pass (google.com: domain of wzh@ilbers.de designates 85.214.156.166 as permitted sender) client-ip=85.214.156.166; Received: from [192.168.178.117] ([88.130.203.42]) (authenticated bits=0) by shymkent.ilbers.de (8.15.2/8.15.2/Debian-8+deb9u1) with ESMTPSA id 61A7jISX011431 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 10 Feb 2026 08:45:18 +0100 Message-ID: <87b5507f-6254-48cc-b939-9e4015f64515@ilbers.de> Date: Tue, 10 Feb 2026 08:45:18 +0100 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH v8 0/7] Add SBOM generation with debsbom To: Felix Moessbauer , isar-users@googlegroups.com Cc: christoph.steiger@siemens.com, cedric.hombourger@siemens.com, jan.kiszka@siemens.com, quirin.gylstorff@siemens.com, stefan-koch@siemens.com References: <20260206114054.3010883-1-felix.moessbauer@siemens.com> Content-Language: en-US From: Zhihang Wei In-Reply-To: <20260206114054.3010883-1-felix.moessbauer@siemens.com> Content-Type: text/plain; charset="UTF-8"; format=flowed X-Spam-Status: No, score=-4.6 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_EF,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H3, RCVD_IN_MSPIKE_WL,RCVD_IN_RP_CERTIFIED,RCVD_IN_RP_RNBL,RCVD_IN_RP_SAFE, SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on shymkent.ilbers.de X-Original-Sender: wzh@ilbers.de X-Original-Authentication-Results: gmr-mx.google.com; spf=pass (google.com: domain of wzh@ilbers.de designates 85.214.156.166 as permitted sender) smtp.mailfrom=wzh@ilbers.de Precedence: list Mailing-list: list isar-users@googlegroups.com; contact isar-users+owners@googlegroups.com List-ID: X-Spam-Checked-In-Group: isar-users@googlegroups.com X-Google-Group-Id: 914930254986 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-TUID: RCULhACPdCLF Applied to next, thanks. Zhihang On 2/6/26 12:40, 'Felix Moessbauer' via isar-users wrote: > This patchset adds proper SBOM generation in the two standard formats > SPDX and CycloneDX during the rootfs generation process. > > The generation is itself is handled by a SBOM generator `debsbom` [1] > which is developed as an open source project at Siemens. It is still > early in development, but it has enough features for what we require > in isar. The required dependencies which are not yet available as > Debian packages were minimally packaged directly in isar too. > > This is a followup of the previous RFC [2]. Since then the series has > changed a lot. The SBOM generation was moved from a simple OE lib to > `debsbom`. This also meant the introduction of a separate chroot was > necessary. The SBOM generation process was also moved from the image > step to the rootfs step, along with a lot of minor changes and > improvements. > > [1] https://github.com/siemens/debsbom > [2] https://groups.google.com/g/isar-users/c/8L-CF4BJY0I/m/p0N3o_zfAAAJ > > Changes since v7: > > - update debsbom to 0.6.1 > - fix various errors on merging rootfs + initrd + imager sboms > (as I'm now able to execute the testsuite, I was able to test this on > DevTest and CrossTest) > - move testsuite adoption to p3 to make change atomic > - only merge sboms if sbom generation is enabled for image rootfs > > Changes since v6: > > - fixed imager bom failure on transitive image types (detected in isar-cip, > wic -> squashfs). > - updated debsbom to 0.6.0+git > - add support for license information > - rebased onto next > > Note: I'm still not able to run the full testsuite. The related patches > to cleanup the testsuite are pending on the list for quite some time. I > did some extensive local testing with isar-cip core and product layers, > but any additional testing is highly welcome. > > Changes since v5: > > - fix isar-image-ci on qemuamd64-bullseye (set IMAGER_BOM according to > machine changes made in image file) > - rebased onto next > > Changes since v4: > > - rebased onto next > - fix race condition on creation of ${DEPLOY_DIR_SBOM} (aka ${DEPLOY_DIR_IMAGE}) > > Changes since v3: > > - fix issue on external bullseye initramfs (we now disable sbom generation > on all unsupported distros rootfs instances) > - update debsbom to v0.4.0 > - rebased onto next > > Changes since v2: > > - fix issues when HOST_ARCH != DISTRO_ARCH on derived distributions > - update debsbom to v0.3.0, which fixes the Origin: bug reported in v2 > - generate SBOM for imager as well and create merged sbom of .wic image > - resend imager manifest + wic manifest patches to reduce conflicts > > Note, that the patches p1-p5 are most important as they add basic SBOM > support. The remaining patches address the imager + .wic bom part, > which also can be merged later on. > > Changes since v1: > > - remove tarball > - refactor packaging (auto-derive python dependencies) > - only build missing packages (varies on bookworm, trixie, noble) > - add ubuntu support > - only generate sboms for supported distributions (bookworm/jammy and > onwards) > - update debsbom (includes bug fixes and more information for source > packages) > > Felix Moessbauer (7): > debsbom: update to version 0.6.1 > feat: add license information to SBOM as well > add support to add imager dependencies to BOM > wic: create uniform manifest describing all image components > qemuamd64: add IMAGER_BOM entries > imager: create SBOM of IMAGER_BOM packages > wic: create uniform SBOM describing all image components > > doc/user_manual.md | 1 + > meta-isar/conf/machine/qemuamd64.conf | 1 + > .../recipes-core/images/isar-image-ci.bb | 1 + > .../image-tools-extension.bbclass | 29 +++++++++++++++++ > meta/classes-recipe/image.bbclass | 9 ++++++ > meta/classes-recipe/imagetypes_wic.bbclass | 32 +++++++++++++++++++ > meta/classes/sbom.bbclass | 3 +- > ...sbom_0.5.1.bb => python3-debsbom_0.6.1.bb} | 3 +- > 8 files changed, 77 insertions(+), 2 deletions(-) > rename meta/recipes-support/python3-debsbom/{python3-debsbom_0.5.1.bb => python3-debsbom_0.6.1.bb} (91%) > -- You received this message because you are subscribed to the Google Groups "isar-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/isar-users/87b5507f-6254-48cc-b939-9e4015f64515%40ilbers.de.