From: "'MOESSBAUER, Felix' via isar-users"
To: "simone.weiss@elektrobit.com", "isar-users@googlegroups.com"
Subject: Re: [RFC PATCH 1/1] meta: add CycloneDX/SPDX SBOM generation
Date: Mon, 28 Jul 2025 15:13:31 +0000
Message-ID: <89ec41fdb2ebe972204339a7d6c17da527f1899c.camel@siemens.com>
References: <20250220095944.114203-1-felix.moessbauer@siemens.com> <20250220095944.114203-2-felix.moessbauer@siemens.com> <0f4c261e-305d-467d-92a2-2fee7848571fn@googlegroups.com>
In-Reply-To: <0f4c261e-305d-467d-92a2-2fee7848571fn@googlegroups.com>

On Mon, 2025-07-14 at 05:16 -0700, 'Simone Weiß' via isar-users wrote:
> Hi,
> 
> Are you planning to add Concludedlicense information as per your
> comment in the original? Any plan for SPDX3?

Hi,

we are still collecting user feedback regarding what is needed (and
possible to acquire in an automated way).

As already written in the initial commit message, providing license
information is tricky - if not impossible: Source components are often
not licensed under a single license, but on a per-file basis. The
debian/copyright file precisely describes this, but it is far more
complex than putting in an SPDX identifier for the whole package.

For binary packages, Debian does not declare a dedicated license, but
just includes the licenses (and copyright information) of the source
package. However, Debian does not track which source file is used to
produce a binary. By that, the end-user needs to make the final
conclusion.

The whole licensing topic is anyway way beyond what ISAR can do and
questions regarding this should likely better be asked on
debian-legal@lists.debian.org.

The SPDX generator of ISAR just extracts the data from the dpkg status
file and reworks that into a (valid) SPDX / CycloneDX document.
Best regards,
Felix

> 
> 
> On Tuesday, June 10, 2025 at 2:04:03 PM UTC+2 Christoph Steiger wrote:
> > FYI Benjamin, Cedric and Mete:
> > 
> > We are currently working on a V2 for this with more or less the same
> > functionality and some internal changes. It might be interesting for you
> > too. Maybe you could try this version out in your builds and see if
> > anything important/nice-to-have is missing in the SBOMs?
> > 
> > > From: Christoph Steiger
> > > 
> > > Add a new class to allow generation of software bill of materials
> > > (SBOM). Supported are the two standard SBOM formats CycloneDX and SPDX.
> > > SBOM generation is enabled by default for all images.
> > > 
> > > Both formats support the minimal use case of binary packages information
> > > and their dependencies. Unfortunately there is no proper way to express
> > > the relationships of debian source packages and their corresponding
> > > binary packages in the CDX format, so it is left out there.
> > > 
> > > The information included in the SBOM is parsed from the dpkg status
> > > file found in the created image.
> > > 
> > > Signed-off-by: Christoph Steiger
> > > ---
> > >  meta/classes/create-sbom.bbclass |  49 ++++
> > >  meta/classes/image.bbclass       |   2 +
> > >  meta/lib/sbom.py                 | 446 +++++++++++++++++++++++++++++++
> > >  meta/lib/sbom_cdx_types.py       |  82 ++++++
> > >  meta/lib/sbom_spdx_types.py      |  95 +++++++
> > >  5 files changed, 674 insertions(+)
> > >  create mode 100644 meta/classes/create-sbom.bbclass
> > >  create mode 100644 meta/lib/sbom.py
> > >  create mode 100644 meta/lib/sbom_cdx_types.py
> > >  create mode 100644 meta/lib/sbom_spdx_types.py
> > > 
> > > diff --git a/meta/classes/create-sbom.bbclass b/meta/classes/create-sbom.bbclass
> > > new file mode 100644
> > > index 00000000..8c647699
> > > --- /dev/null
> > > +++ b/meta/classes/create-sbom.bbclass
> > > @@ -0,0 +1,49 @@ > > > +# This software is a part of ISAR. > > > +# Copyright (C) 2025 Siemens AG > > > +# > > > +# SPDX-License-Identifier: MIT > > > + > > > +# sbom type to generate, accepted are "cyclonedx" and "spdx" > > > +SBOM_TYPE ?=3D "cyclonedx spdx" > > > + > > > +# general user variables > > > +SBOM_DISTRO_SUPPLIER ?=3D "ISAR" > > > +SBOM_DISTRO_NAME ?=3D "ISAR-Debian-GNU-Linux" > > > +SBOM_DISTRO_VERSION ?=3D "1.0.0" > > > +SBOM_DISTRO_SUMMARY ?=3D "Linux distribution built with ISAR" > > > +SBOM_DOCUMENT_UUID ?=3D "" > > > + > > > +# SPDX specific user variables > > > +SBOM_SPDX_NAMESPACE_PREFIX ?=3D "https://spdx.org/spdxdocs" > > > + > > > +SBOM_DEPLOY_BASE =3D "${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}" > > > + > > > +SBOM_GEN_VERSION =3D "0.1.0" > > > + > > > +# adapted from the isar-cip-core image_uuid.bbclass > > > +def generate_document_uuid(d): > > > + import uuid > > > + > > > + base_hash =3D d.getVar("BB_TASKHASH") > > > + if base_hash is None: > > > + bb.warn("no BB_TASKHASH available, SBOM UUID is not > > > reproducible") > > > + return uuid.uuid4() > > > + return str(uuid.UUID(base_hash[:32], version=3D4)) > > > + > > > +python do_create_sbom() { > > > + import sbom > > > + > > > + dpkg_status =3D d.getVar("IMAGE_ROOTFS") + "/var/lib/dpkg/status" > > > + packages =3D sbom.Package.parse_status_file(dpkg_status) > > > + > > > + if not d.getVar("SBOM_DOCUMENT_UUID"): > > > + d.setVar("SBOM_DOCUMENT_UUID", generate_document_uuid(d)) > > > + > > > + sbom_type =3D d.getVar("SBOM_TYPE") > > > + if "cyclonedx" in sbom_type: > > > + sbom.generate(d, packages, sbom.SBOMType.CycloneDX, > > > d.getVar("SBOM_DEPLOY_BASE") + ".cyclonedx.json") > > > + if "spdx" in sbom_type: > > > + sbom.generate(d, packages, sbom.SBOMType.SPDX, > > > d.getVar("SBOM_DEPLOY_BASE") + ".spdx.json") > > > +} > > > + > > > +addtask do_create_sbom after do_rootfs before do_build 
> > > diff --git a/meta/classes/image.bbclass > > > b/meta/classes/image.bbclass > > > index 56eca202..e9da6a61 100644 > > > --- a/meta/classes/image.bbclass > > > +++ b/meta/classes/image.bbclass > > > @@ -81,6 +81,8 @@ inherit image-postproc-extension > > > inherit image-locales-extension > > > inherit image-account-extension > > >=20 > > > +inherit create-sbom > > > + > > > # Extra space for rootfs in MB > > > ROOTFS_EXTRA ?=3D "64" > > >=20 > > > diff --git a/meta/lib/sbom.py b/meta/lib/sbom.py > > > new file mode 100644 > > > index 00000000..d7c79e43 > > > --- /dev/null > > > +++ b/meta/lib/sbom.py 
> > > @@ -0,0 +1,446 @@ > > > +# This software is part of ISAR. > > > +# Copyright (C) 2025 Siemens AG > > > +# > > > +# SPDX-License-Identifier: MIT > > > + > > > +from dataclasses import dataclass > > > +from datetime import datetime > > > +from enum import Enum > > > +from typing import Dict, List, Type > > > +import json > > > +import re > > > +from uuid import uuid4 > > > + > > > +import sbom_cdx_types as cdx > > > +import sbom_spdx_types as spdx > > > + > > > + > > > +class SBOMType(Enum): > > > + CycloneDX =3D (0,) > > > + SPDX =3D (1,) > > > + > > > + > > > +@dataclass > > > +class SourcePackage: > > > + name: str > > > + version: str | None > > > + > > > + def purl(self): > > > + """Return the PURL of the package.""" > > > + return > > > "pkg:deb/debian/{}@{}?arch=3Dsource".format(self.name, > > > self.version) > > > + > > > + def bom_ref(self, sbom_type: SBOMType) -> str: > > > + """Return a unique BOM reference.""" > > > + if sbom_type =3D=3D SBOMType.CycloneDX: > > > + return cdx.CDXREF_PREFIX + "{}- > > > src".format(self.name) > > > + elif sbom_type =3D=3D SBOMType.SPDX: > > > + return spdx.SPDX_REF_PREFIX + "{}- > > > src".format(self.name) > > > + > > > + def parse(s: str) -> Type["SourcePackage"]: > > > + split =3D s.split(" ") > > > + name =3D split[0] > > > + try: > > > + version =3D " ".join(split[1:]).strip("()") > > > + except IndexError: > > > + version =3D None > > > + > > > + return SourcePackage(name=3Dname, version=3Dversion) > > > + > > > + > > > +@dataclass > > > +class Dependency: > > > + name: str > > > + version: str | None > > > + > > > + def bom_ref(self, sbom_type: SBOMType) -> str: > > > + """Return a unique BOM reference.""" > > > + if sbom_type =3D=3D SBOMType.CycloneDX: > > > + return cdx.CDX_REF_PREFIX + "{}".format(self.name) > > > + elif sbom_type =3D=3D SBOMType.SPDX: > > > + return spdx.SPDX_REF_PREFIX + "{}".format(self.name) > > > + > > > + def parse_multiple(s: str) -> List[Type["Dependency"]]: > > > + """Parse a 
'Depends' line in the dpkg status file.""" > > > + dependencies =3D [] > > > + for entry in s.split(","): > > > + entry =3D entry.strip() > > > + for entry in entry.split("|"): > > > + split =3D entry.split("(") > > > + name =3D split[0].strip() > > > + try: > > > + version =3D split[1].strip(")") > > > + except IndexError: > > > + version =3D None > > > + dependencies.append(Dependency(name=3Dname, version=3Dversion)) > > > + > > > + return dependencies > > > + > > > + > > > +@dataclass > > > +class Package: > > > + """Incomplete representation of a debian package.""" > > > + > > > + name: str > > > + section: str > > > + maintainer: str > > > + architecture: str > > > + source: SourcePackage > > > + version: str > > > + depends: List[Dependency] > > > + description: str > > > + homepage: str > > > + > > > + def purl(self) -> str: > > > + """Return the PURL of the package.""" > > > + purl =3D "pkg:deb/debian/{}@{}".format(self.name, > > > self.version) > > > + if self.architecture: > > > + purl =3D purl + "?arch=3D{}".format(self.architecture) > > > + return purl > > > + > > > + def bom_ref(self, sbom_type: SBOMType) -> str: > > > + """Return a unique BOM reference.""" > > > + if sbom_type =3D=3D SBOMType.CycloneDX: > > > + return cdx.CDX_REF_PREFIX + self.name > >=20 > >=20 > > > + elif sbom_type =3D=3D SBOMType.SPDX: > > > + return spdx.SPDX_REF_PREFIX + self.name > >=20 > >=20 > > > + > > > + def parse_status_file(status_file: str) -> > > > List[Type["Package"]]: > > > + """Parse a dpkg status file.""" > > > + packages =3D [] > > > + with open(status_file, "r") as f: > > > + name =3D None > > > + section =3D None > > > + maintainer =3D None > > > + architecture =3D None > > > + source =3D None > > > + version =3D None > > > + dependencies =3D None > > > + description =3D None > > > + homepage =3D None > > > + for line in f.readlines(): > > > + if line.strip(): > > > + if line[0] =3D=3D " ": > > > + # this is a description line, we ignore it > > > + continue > > 
> + else: > > > + split =3D line.split(":") > > > + key =3D split[0] > > > + value =3D ":".join(split[1:]).strip() > > > + if key =3D=3D "Package": > > > + name =3D value > > > + elif key =3D=3D "Section": > > > + section =3D value > > > + elif key =3D=3D "Maintainer": > > > + maintainer =3D value > > > + elif key =3D=3D "Architecture": > > > + architecture =3D value > > > + elif key =3D=3D "Source": > > > + source =3D SourcePackage.parse(value) > > > + elif key =3D=3D "Version": > > > + version =3D value > > > + elif key =3D=3D "Depends": > > > + dependencies =3D Dependency.parse_multiple(value) > > > + elif key =3D=3D "Description": > > > + description =3D value > > > + elif key =3D=3D "Homepage": > > > + homepage =3D value > > > + else: > > > + # fixup source version, if not specified it is the same > > > + # as the package version > > > + if source and not source.version: > > > + source.version =3D version > > > + # empty line means new package, so finish the current one > > > + packages.append( > > > + Package( > > > + name=3Dname, > > > + section=3Dsection, > > > + maintainer=3Dmaintainer, > > > + architecture=3Darchitecture, > > > + source=3Dsource, > > > + version=3Dversion, > > > + depends=3Ddependencies, > > > + description=3Ddescription, > > > + homepage=3Dhomepage, > > > + ) > > > + ) > > > + name =3D None > > > + section =3D None > > > + maintainer =3D None > > > + architecture =3D None > > > + source =3D None > > > + version =3D None > > > + dependencies =3D None > > > + description =3D None > > > + homepage =3D None > > > + > > > + return packages > > > + > > > + > > > +def cyclonedx_bom(d, packages: List[Package]) -> Dict: > > > + """Return a valid CycloneDX SBOM.""" > > > + data =3D [] > > > + dependencies =3D [] > > > + > > > + pattern =3D > > > re.compile("(?P^[^<]*)(\\<(?P.*)\\ > > > >)?") > > > + for package in packages: > > > + match =3D pattern.match(package.maintainer) > > > + supplier =3D cdx.CDXSupplier(name=3Dmatch["supplier_name"]) > > > 
+ supplier_email =3D match["supplier_email"] > > > + if supplier_email: > > > + supplier.contact =3D > > > [cdx.CDXSupplierContact(email=3Dsupplier_email)] > > > + entry =3D cdx.CDXComponent( > > > + type=3Dcdx.CDX_COMPONENT_TYPE_LIBRARY, > > > + bom_ref=3Dpackage.bom_ref(SBOMType.CycloneDX), > > > + supplier=3Dsupplier, > > > + name=3Dpackage.name, > > > + version=3Dpackage.version, > > > + description=3Dpackage.description, > > > + purl=3Dpackage.purl(), > > > + ) > > > + if package.homepage: > > > + entry.externalReferences =3D ( > > > + cdx.CDXExternalReference( > > > + url=3Dpackage.homepage, > > > + type=3Dcdx.CDX_PACKAGE_EXTREF_TYPE_WEBSITE, > > > + comment=3D"homepage", > > > + ), > > > + ) > > > + data.append(entry) > > > + > > > + distro_bom_ref =3D cdx.CDX_REF_PREFIX + > > > d.getVar("SBOM_DISTRO_NAME") > > > + distro_dependencies =3D [] > > > + # after we have found all packages we can start to resolve > > > dependencies > > > + package_names =3D [package.name for package in packages] > > > + for package in packages: > > > + distro_dependencies.append(package.bom_ref(SBOMType.CycloneDX)) > > > + if package.depends: > > > + deps =3D [] > > > + for dep in package.depends: > > > + dep_bom_ref =3D dep.bom_ref(SBOMType.CycloneDX) > > > + # it is possibe to specify the same package multiple times, but > > > + # in different versions > > > + if dep.name in package_names and dep_bom_ref not > > > in deps: > > > + deps.append(dep_bom_ref) > > > + else: > > > + # this might happen if we have optional dependencies > > > + continue > > > + dependency =3D cdx.CDXDependency( > > > + ref=3Dpackage.bom_ref(SBOMType.CycloneDX), > > > + dependsOn=3Ddeps, > > > + ) > > > + dependencies.append(dependency) > > > + dependency =3D cdx.CDXDependency( > > > + ref=3Ddistro_bom_ref, > > > + dependsOn=3Ddistro_dependencies, > > > + ) > > > + dependencies.append(dependency) > > > + > > > + doc_uuid =3D d.getVar("SBOM_DOCUMENT_UUID") > > > + distro_component =3D cdx.CDXComponent( > 
> > + type=3Dcdx.CDX_COMPONENT_TYPE_OS, > > > + bom_ref=3Dcdx.CDX_REF_PREFIX + d.getVar("SBOM_DISTRO_NAME"), > > > + > > > supplier=3Dcdx.CDXSupplier(name=3Dd.getVar("SBOM_DISTRO_SUPPLIER")), > > > + name=3Dd.getVar("SBOM_DISTRO_NAME"), > > > + version=3Dd.getVar("SBOM_DISTRO_VERSION"), > > > + description=3Dd.getVar("SBOM_DISTRO_SUMMARY"), > > > + ) > > > + > > > + timestamp =3D > > > datetime.fromtimestamp(int(d.getVar("SOURCE_DATE_EPOCH"))) > > > + bom =3D cdx.CDXBOM( > > > + bomFormat=3Dcdx.CDX_BOM_FORMAT, > > > + specVersion=3Dcdx.CDX_SPEC_VERSION, > > > + serialNumber=3D"urn:uuid:{}".format(doc_uuid if doc_uuid else > > > uuid4()), > > > + version=3D1, > > > + metadata=3Dcdx.CDXBOMMetadata( > > > + timestamp=3Dtimestamp.strftime("%Y-%m-%dT%H:%M:%SZ"), > > > + component=3Ddistro_component, > > > + tools=3Dcdx.CDXBOMMetadataTool( > > > + components=3D[ > > > + cdx.CDXComponent( > > > + type=3Dcdx.CDX_COMPONENT_TYPE_APPLICATION, > > > + name=3D"ISAR SBOM Generator", > > > + version=3Dd.getVar("SBOM_GEN_VERSION"), > > > + ) > > > + ], > > > + ), > > > + ), > > > + components=3Ddata, > > > + dependencies=3Ddependencies, > > > + ) > > > + return bom > > > + > > > + > > > +def spdx_bom(d, packages: List[Package]) -> Dict: > > > + "Return a valid SPDX SBOM." 
> > > + > > > + data =3D [] > > > + # create a "fake" entry for the distribution > > > + distro_ref =3D spdx.SPDX_REF_PREFIX + > > > d.getVar("SBOM_DISTRO_NAME") > > > + distro_package =3D spdx.SPDXPackage( > > > + SPDXID=3Ddistro_ref, > > > + name=3Dd.getVar("SBOM_DISTRO_NAME"), > > > + versionInfo=3Dd.getVar("SBOM_DISTRO_VERSION"), > > > + primaryPackagePurpose=3Dspdx.SPDX_PACKAGE_PURPOSE_OS, > > > + supplier=3D"Organization: > > > {}".format(d.getVar("SBOM_DISTRO_SUPPLIER")), > > > + downloadLocation=3Dspdx.SPDX_NOASSERTION, > > > + filesAnalyzed=3DFalse, > > > + licenseConcluded=3Dspdx.SPDX_NOASSERTION, > > > + licenseDeclared=3Dspdx.SPDX_NOASSERTION, > > > + copyrightText=3Dspdx.SPDX_NOASSERTION, > > > + summary=3Dd.getVar("SBOM_DISTRO_SUMMARY"), > > > + ) > > > + > > > + data.append(distro_package) > > > + > > > + pattern =3D > > > re.compile("(?P^[^<]*)(\\<(?P.*)\\ > > > >)?") > > > + for package in packages: > > > + match =3D pattern.match(package.maintainer) > > > + supplier_name =3D match["supplier_name"] > > > + supplier_email =3D match["supplier_email"] > > > + if any([cue in supplier_name.lower() for cue in > > > spdx.SPDX_SUPPLIER_ORG_CUE]): > > > + supplier =3D "Organization: {}".format(supplier_name) > > > + else: > > > + supplier =3D "Person: {}".format(supplier_name) > > > + if supplier_email: > > > + supplier +=3D "({})".format(supplier_email) > > > + > > > + entry =3D spdx.SPDXPackage( > > > + SPDXID=3Dpackage.bom_ref(SBOMType.SPDX), > > > + name=3Dpackage.name, > > > + versionInfo=3Dpackage.version, > > > + primaryPackagePurpose=3Dspdx.SPDX_PACKAGE_PURPOSE_LIBRARY, > > > + supplier=3Dsupplier, > > > + downloadLocation=3Dspdx.SPDX_NOASSERTION, > > > + filesAnalyzed=3DFalse, > > > + # TODO: it should be possible to conclude license/copyright > > > + # information, we could look e.g. 
in /usr/share/doc/*/copyright > > > + licenseConcluded=3Dspdx.SPDX_NOASSERTION, > > > + licenseDeclared=3Dspdx.SPDX_NOASSERTION, > > > + copyrightText=3Dspdx.SPDX_NOASSERTION, > > > + summary=3Dpackage.description, > > > + externalRefs=3D[ > > > + spdx.SPDXExternalRef( > > > + referenceCategory=3Dspdx.SPDX_REFERENCE_CATEGORY_PKG_MANAGER, > > > + referenceType=3Dspdx.SPDX_REFERENCE_TYPE_PURL, > > > + referenceLocator=3Dpackage.purl(), > > > + ) > > > + ], > > > + ) > > > + if package.homepage: > > > + entry.homepage =3D package.homepage > > > + data.append(entry) > > > + > > > + if package.source: > > > + src_entry =3D spdx.SPDXPackage( > > > + SPDXID=3Dpackage.source.bom_ref(SBOMType.SPDX), > > > + name=3Dpackage.source.name, > > > + versionInfo=3Dpackage.source.version, > > > + primaryPackagePurpose=3Dspdx.SPDX_PACKAGE_PURPOSE_SRC, > > > + supplier=3Dsupplier, > > > + downloadLocation=3Dspdx.SPDX_NOASSERTION, > > > + filesAnalyzed=3DFalse, > > > + licenseConcluded=3Dspdx.SPDX_NOASSERTION, > > > + licenseDeclared=3Dspdx.SPDX_NOASSERTION, > > > + copyrightText=3Dspdx.SPDX_NOASSERTION, > > > + summary=3D"debian source code package > > > '{}'".format(package.source.name), > > > + externalRefs=3D[ > > > + spdx.SPDXExternalRef( > > > + referenceCategory=3Dspdx.SPDX_REFERENCE_CATEGORY_PKG_MANAGER, > > > + referenceType=3Dspdx.SPDX_REFERENCE_TYPE_PURL, > > > + referenceLocator=3Dpackage.source.purl(), > > > + ) > > > + ], > > > + ) > > > + # source packages might be referenced multiple times > > > + if src_entry not in data: > > > + data.append(src_entry) > > > + > > > + relationships =3D [] > > > + # after we have found all packages we can start to resolve > > > dependencies > > > + package_names =3D [package.name for package in packages] > > > + for package in packages: > > > + relationships.append( > > > + spdx.SPDXRelationship( > > > + spdxElementId=3Dpackage.bom_ref(SBOMType.SPDX), > > > + relatedSpdxElement=3Ddistro_ref, > > > + 
relationshipType=3Dspdx.SPDX_RELATIONSHIP_PACKAGE_OF, > > > + ) > > > + ) > > > + if package.depends: > > > + for dep in package.depends: > > > + if dep.name in package_names: > > > + relationship =3D spdx.SPDXRelationship( > > > + spdxElementId=3Dpackage.bom_ref(SBOMType.SPDX), > > > + relatedSpdxElement=3Ddep.bom_ref(SBOMType.SPDX), > > > + relationshipType=3Dspdx.SPDX_RELATIONSHIP_DEPENDS_ON, > > > + ) > > > + relationships.append(relationship) > > > + else: > > > + # this might happen if we have optional dependencies > > > + pass > > > + if package.source: > > > + relationship =3D spdx.SPDXRelationship( > > > + spdxElementId=3Dpackage.source.bom_ref(SBOMType.SPDX), > > > + relatedSpdxElement=3Dpackage.bom_ref(SBOMType.SPDX), > > > + relationshipType=3Dspdx.SPDX_RELATIONSHIP_GENERATES, > > > + ) > > > + relationships.append(relationship) > > > + relationships.append( > > > + spdx.SPDXRelationship( > > > + spdxElementId=3Dspdx.SPDX_REF_DOCUMENT, > > > + relatedSpdxElement=3Ddistro_ref, > > > + relationshipType=3Dspdx.SPDX_RELATIONSHIP_DESCRIBES, > > > + ) > > > + ) > > > + > > > + namespace_uuid =3D d.getVar("SBOM_DOCUMENT_UUID") > > > + timestamp =3D > > > datetime.fromtimestamp(int(d.getVar("SOURCE_DATE_EPOCH"))) > > > + bom =3D spdx.SPDXBOM( > > > + SPDXID=3Dspdx.SPDX_REF_DOCUMENT, > > > + spdxVersion=3Dspdx.SPDX_VERSION, > > > + creationInfo=3Dspdx.SPDXCreationInfo( > > > + comment=3D"This document has been generated as part of an ISAR > > > build.", > > > + creators=3D[ > > > + "Tool: ISAR SBOM Generator - > > > {}".format(d.getVar("SBOM_GEN_VERSION")) > > > + ], > > > + created=3Dtimestamp.strftime("%Y-%m-%dT%H:%M:%SZ"), > > > + ), > > > + name=3Dd.getVar("SBOM_DISTRO_NAME"), > > > + dataLicense=3D"CC0-1.0", > > > + documentNamespace=3D"{}/{}-{}".format( > > > + d.getVar("SBOM_SPDX_NAMESPACE_PREFIX"), > > > + d.getVar("SBOM_DISTRO_NAME"), > > > + namespace_uuid if namespace_uuid else uuid4(), > > > + ), > > > + packages=3Ddata, > > > + 
relationships=3Drelationships, > > > + ) > > > + return bom > > > + > > > + > > > +def fixup_dict(o): > > > + """Apply fixups for the BOMs. > > > + > > > + This is necessary for some field names and to remove fields > > > with a None > > > + value. > > > + """ > > > + dct =3D vars(o) > > > + new_dct =3D {} > > > + for k, v in dct.items(): > > > + # remove fields with no content > > > + if v is not None: > > > + # we can not name our fields with dashes, so convert them > > > + k =3D k.replace("_", "-") > > > + new_dct[k] =3D v > > > + return new_dct > > > + > > > + > > > +def generate(d, packages: List[Package], sbom_type: SBOMType, > > > out: str): > > > + """Generate a SBOM.""" > > > + if sbom_type =3D=3D SBOMType.CycloneDX: > > > + bom =3D cyclonedx_bom(d, packages) > > > + elif sbom_type =3D=3D SBOMType.SPDX: > > > + bom =3D spdx_bom(d, packages) > > > + > > > + with open(out, "w") as bom_file: > > > + json.dump(bom, bom_file, indent=3D2, default=3Dfixup_dict, > > > sort_keys=3DTrue) > > > diff --git a/meta/lib/sbom_cdx_types.py > > > b/meta/lib/sbom_cdx_types.py > > > new file mode 100644 > > > index 00000000..4911cc23 > > > --- /dev/null > > > +++ b/meta/lib/sbom_cdx_types.py 
> > > @@ -0,0 +1,82 @@ > > > +# This software is part of ISAR. > > > +# Copyright (C) 2025 Siemens AG > > > +# > > > +# SPDX-License-Identifier: MIT > > > + > > > +from dataclasses import dataclass > > > +from typing import List, Optional > > > + > > > +# Minimal implementation of some CycloneDX SBOM types. > > > +# Please mind that (almost) none of these types are complete, > > > they only > > > +# reflect what was strictly necessary for immediate SBOM > > > creation > > > + > > > +CDX_BOM_FORMAT =3D "CycloneDX" > > > +CDX_SPEC_VERSION =3D "1.6" > > > + > > > +CDX_REF_PREFIX =3D "CDXRef-" > > > + > > > +CDX_PACKAGE_EXTREF_TYPE_WEBSITE =3D "website" > > > + > > > +CDX_COMPONENT_TYPE_LIBRARY =3D "library" > > > +CDX_COMPONENT_TYPE_APPLICATION =3D "application" > > > +CDX_COMPONENT_TYPE_OS =3D "operating-system" > > > + > > > + > > > +@dataclass > > > +class CDXDependency: > > > + ref: str > > > + dependsOn: Optional[str] > > > + > > > + > > > +@dataclass > > > +class CDXExternalReference: > > > + url: str > > > + type: str > > > + comment: Optional[str] =3D None > > > + > > > + > > > +@dataclass > > > +class CDXSupplierContact: > > > + email: Optional[str] =3D None > > > + > > > + > > > +@dataclass > > > +class CDXSupplier: > > > + name: Optional[str] =3D None > > > + contact: Optional[CDXSupplierContact] =3D None > > > + > > > + > > > +@dataclass > > > +class CDXComponent: > > > + type: str > > > + name: str > > > + bom_ref: Optional[str] =3D None > > > + supplier: Optional[str] =3D None > > > + version: Optional[CDXSupplier] =3D None > > > + description: Optional[str] =3D None > > > + purl: Optional[str] =3D None > > > + externalReferences: Optional[List[CDXExternalReference]] =3D None > > > + homepage: Optional[str] =3D None > > > + > > > + > > > +@dataclass > > > +class CDXBOMMetadataTool: > > > + components: Optional[List[CDXComponent]] > > > + > > > + > > > +@dataclass > > > +class CDXBOMMetadata: > > > + timestamp: Optional[str] =3D None > > > + component: 
Optional[str] =3D None > > > + tools: Optional[List[CDXBOMMetadataTool]] =3D None > > > + > > > + > > > +@dataclass > > > +class CDXBOM: > > > + bomFormat: str > > > + specVersion: str > > > + serialNumber: Optional[str] =3D None > > > + version: Optional[str] =3D None > > > + metadata: Optional[CDXBOMMetadata] =3D None > > > + components: Optional[List[CDXComponent]] =3D None > > > + dependencies: Optional[List[CDXDependency]] =3D None > > > diff --git a/meta/lib/sbom_spdx_types.py > > > b/meta/lib/sbom_spdx_types.py > > > new file mode 100644 > > > index 00000000..efd7cc0c > > > --- /dev/null > > > +++ b/meta/lib/sbom_spdx_types.py 
> > > @@ -0,0 +1,95 @@ > > > +# This software is part of ISAR. > > > +# Copyright (C) 2025 Siemens AG > > > +# > > > +# SPDX-License-Identifier: MIT > > > + > > > +from dataclasses import dataclass > > > +from typing import List, Optional > > > + > > > +# Minimal implementation of some SPDX SBOM types. > > > +# Please mind that (almost) none of these types are complete, > > > they only > > > +# reflect what was strictly necessary for immediate SBOM > > > creation > > > + > > > +SPDX_VERSION =3D "SPDX-2.3" > > > + > > > +SPDX_REF_PREFIX =3D "SPDXRef-" > > > + > > > +SPDX_REF_DOCUMENT =3D "SPDXRef-DOCUMENT" > > > + > > > +SPDX_PACKAGE_PURPOSE_LIBRARY =3D "LIBRARY" > > > +SPDX_PACKAGE_PURPOSE_OS =3D "OPERATING_SYSTEM" > > > +SPDX_PACKAGE_PURPOSE_SRC =3D "SOURCE" > > > + > > > +SPDX_NOASSERTION =3D "NOASSERTION" > > > + > > > +SPDX_RELATIONSHIP_DEPENDS_ON =3D "DEPENDS_ON" > > > +SPDX_RELATIONSHIP_PACKAGE_OF =3D "PACKAGE_OF" > > > +SPDX_RELATIONSHIP_GENERATES =3D "GENERATES" > > > +SPDX_RELATIONSHIP_DESCRIBES =3D "DESCRIBES" > > > + > > > +SPDX_REFERENCE_CATEGORY_PKG_MANAGER =3D "PACKAGE_MANAGER" > > > +SPDX_REFERENCE_TYPE_PURL =3D "purl" > > > + > > > +# cues for an organization in the maintainer name > > > +SPDX_SUPPLIER_ORG_CUE =3D [ > > > + "maintainers", > > > + "group", > > > + "developers", > > > + "team", > > > + "project", > > > + "task force", > > > + "strike force", > > > + "packagers", > > > +] > > > + > > > + > > > +@dataclass > > > +class SPDXRelationship: > > > + spdxElementId: str > > > + relatedSpdxElement: str > > > + relationshipType: str > > > + > > > + > > > +@dataclass > > > +class SPDXExternalRef: > > > + referenceCategory: str > > > + referenceType: str > > > + referenceLocator: str > > > + > > > + > > > +@dataclass > > > +class SPDXPackage: > > > + SPDXID: str > > > + name: str > > > + downloadLocation: str > > > + filesAnalyzed: Optional[bool] =3D False > > > + versionInfo: Optional[str] =3D None > > > + homepage: Optional[str] =3D None > > > + 
primaryPackagePurpose: Optional[str] =3D None > > > + supplier: Optional[str] =3D None > > > + licenseConcluded: Optional[str] =3D None > > > + licenseDeclared: Optional[str] =3D None > > > + copyrightText: Optional[str] =3D None > > > + summary: Optional[str] =3D None > > > + externalRefs: Optional[List[SPDXExternalRef]] =3D None > > > + > > > + > > > +@dataclass > > > +class SPDXCreationInfo: > > > + created: str > > > + comment: Optional[str] =3D None > > > + creators: List[str] =3D None > > > + > > > + > > > +@dataclass > > > +class SPDXBOM: > > > + """Incomplete BOM as of SPDX spec v2.3.""" > > > + > > > + SPDXID: str > > > + spdxVersion: str > > > + creationInfo: SPDXCreationInfo > > > + name: str > > > + dataLicense: str > > > + documentNamespace: str > > > + packages: List[SPDXPackage] > > > + relationships: List[SPDXRelationship] > >=20 --=20 Siemens AG Linux Expert Center Friedrich-Ludwig-Bauer-Str. 3 85748 Garching, Germany --=20 You received this message because you are subscribed to the Google Groups "= isar-users" group. To unsubscribe from this group and stop receiving emails from it, send an e= mail to isar-users+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/isar-users/= 89ec41fdb2ebe972204339a7d6c17da527f1899c.camel%40siemens.com.
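Review bot: `generate()` leaves `bom` unbound when `sbom_type` is neither `SBOMType.CycloneDX` nor `SBOMType.SPDX`, so the following `json.dump` fails with a NameError instead of a clear message; add an `else: raise ValueError(...)` branch after the `elif`. In the same hunk, both `timestamp = datetime.fromtimestamp(int(d.getVar("SOURCE_DATE_EPOCH")))` calls yield local time, yet the value is formatted with a literal `Z` suffix; use `datetime.fromtimestamp(..., tz=timezone.utc)` so the recorded time is actually UTC and the SBOM stays reproducible across build hosts with different timezones. Also, the SPDX supplier string is assembled as `supplier += "({})".format(supplier_email)`, which produces `Person: Name(email)`; the SPDX form is `Person: Name (email)`, so the leading space is missing.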
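Review bot: several annotations in `sbom_cdx_types.py` do not match how the generator populates the fields: in `CDXComponent`, `supplier` is annotated `Optional[str]` but receives a `CDXSupplier`, while `version` is annotated `Optional[CDXSupplier]` but receives the version string (the two are swapped); `CDXDependency.dependsOn` is `Optional[str]` but is given a list of bom-refs; `CDXBOMMetadata.component` is `Optional[str]` but holds a `CDXComponent`; `CDXBOMMetadata.tools` is `Optional[List[CDXBOMMetadataTool]]` while a single `CDXBOMMetadataTool` is assigned (the object form is the right shape for `metadata.tools.components` in spec 1.6, so the annotation should be `Optional[CDXBOMMetadataTool]`); and `CDXBOM.version` is `Optional[str]` but is set to the integer `1`. Dataclasses do not enforce these, but the wrong types will mislead anyone adding validation later. `CDXComponent.homepage` is not a CycloneDX component property and is never set for CDX entries (the homepage already goes into `externalReferences`), so it can be dropped.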
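Review bot: `SPDXCreationInfo.creators: List[str] = None` gives a non-Optional annotation a `None` default, and `creators` is mandatory in SPDX 2.3, so either make it a required field (`creators: List[str]`) or at least declare it `Optional[List[str]] = None` for consistency with the rest of the file. The `SPDX_SUPPLIER_ORG_CUE` list is a best-effort heuristic that will classify any maintainer whose name contains "team", "group" or "project" as an organization; a comment stating that the `supplier` value is derived from the package's `maintainer` field by this substring match, rather than from authoritative supplier data, would help SBOM consumers weigh the provenance of that field.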