From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <isar-users+bncBD7ZZZNM2YPRBIEX5LEQMGQEK57EVZY@googlegroups.com>
Received: from shymkent.ilbers.de ([unix socket])
	 by shymkent (Cyrus 2.5.10-Debian-2.5.10-3+deb9u2) with LMTPA;
	 Thu, 11 Dec 2025 10:15:19 +0100
X-Sieve: CMU Sieve 2.4
Received: from mail-wr1-f57.google.com (mail-wr1-f57.google.com [209.85.221.57])
	by shymkent.ilbers.de (8.15.2/8.15.2/Debian-8+deb9u1) with ESMTPS id 5BB9FJDC018004
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
	for <iupi@ilbers.de>; Thu, 11 Dec 2025 10:15:19 +0100
Received: by mail-wr1-f57.google.com with SMTP id ffacd0b85a97d-42b366a76ffsf297334f8f.1
        for <iupi@ilbers.de>; Thu, 11 Dec 2025 01:15:19 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1765444514; cv=pass;
        d=google.com; s=arc-20240605;
        b=Y0tJIcw3S7gr8L9jMWoF26OT5pTNtXhmbrnGLTc6y16OzfgEHvbjd8YkWCKk5EZAph
         L1eeBZNUCq5lOVVBi1UeikTJi5z8OuQ6kscaCP3Y/3AW2/2LH+dv6LMfVk15/Whgb3KG
         9sEfmTlkACCkklwRadM/44+JsUYfUO2LOg8LqivzdXnge3HkNAU1RND6AnstDyz85OH5
         4CiPoOBzdrI2c8tcY4x29imYx8IuPB9z3HNsQBt8HGw99vro+UkoB57cfSZ1Mbxr9R9r
         7SRAPDGq/8om+2Y22orjsgTvHb/Yr54DYx7R0R32hzUo3jYN6uWIGXGT5KzGEF9T2OMW
         /QBQ==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:in-reply-to:from:content-language
         :references:cc:to:subject:user-agent:mime-version:date:message-id
         :sender:dkim-signature;
        bh=7ha1QRFW/XkeUb6UzFBhqIzCbqmvC6zKTHyMY1DjAvw=;
        fh=x+Ha14zcnod6/jILwXoNY/F2pK3eUnyT+ad4kkJHTtM=;
        b=OwVZ17RQatybdKEMjGUVkDf7ElxwjeQKsX5tV6+oEiHBJi5Y8jVUCf/REEJ7E52eDH
         6LcFakSs8kEs/SsBG6LTSlstfEMJsxU9TuqJEJCMlQa0VilyyseE35itU1X40FBwgz5F
         HTy4XyWFnkNHhckaq9uIo6z4UBweyCTUTGQR29+A2HStbyGF15BjEI4zWGOnHwjs1HVM
         u6yIgNKy8iKWTMov2KWr+AFuXw2PYsTGU3JydswS22xySv7sGOrpQeQdeyXCLlSXgf+s
         GBPauKw/+DgUg+TE/tGfvO2/6AKsFVsCy0CPeWvwB5D/KicUvsNVB3BEFMiyCUSs/sdZ
         kyEA==;
        darn=ilbers.de
ARC-Authentication-Results: i=2; gmr-mx.google.com;
       spf=pass (google.com: domain of wzh@ilbers.de designates 85.214.156.166 as permitted sender) smtp.mailfrom=wzh@ilbers.de
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=googlegroups.com; s=20230601; t=1765444514; x=1766049314; darn=ilbers.de;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:x-original-authentication-results
         :x-original-sender:in-reply-to:from:content-language:references:cc
         :to:subject:user-agent:mime-version:date:message-id:sender:from:to
         :cc:subject:date:message-id:reply-to;
        bh=7ha1QRFW/XkeUb6UzFBhqIzCbqmvC6zKTHyMY1DjAvw=;
        b=ujaHEWbUOWNsrdalQ8qbvzLC4nGhwHDj/wThgtmP7m/5v961wRCJGMoKbnYgSpDnSb
         AdAVKYdOdfiyAourg2Q6k1ImBWiy4BeS78OdayhoAvKe2R9E6oGyhlQWm3rpl+zB9owW
         CIzawTElUKg7YFf4ivcyIBjfDdw12NlMmWSZpQygvcrH6xpbGmh3lM/sI3up2vsuroai
         M2ejJwu9iMmeS5pvsyCRp6KkilVm1t+yVK29/o5jgShG1Jp3YFWFFYVP9eSl7i6QDO8q
         qa9Q6gsRffST8I5giFEci/wIpTwyZg3kXOm+ZJyJtZTzjdJVlj0K1ZY3VQLOMc1sV4dF
         HIlA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1765444514; x=1766049314;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :x-spam-checked-in-group:list-id:mailing-list:precedence
         :x-original-authentication-results:x-original-sender:in-reply-to
         :from:content-language:references:cc:to:subject:user-agent
         :mime-version:date:message-id:x-beenthere:x-gm-message-state:sender
         :from:to:cc:subject:date:message-id:reply-to;
        bh=7ha1QRFW/XkeUb6UzFBhqIzCbqmvC6zKTHyMY1DjAvw=;
        b=nUtOfojxw9A88oke8iidDku7k2THdTig6OrFH0QY1uZwr+Cnqod6jMPztSRObb6Bdi
         OMD7agjQJTQ+CsNH3THW0DpIEM/IRikjkrN0An0084WzhAP17n1hdSTg5xrnWBqV0M1q
         guHzN956pWn4DinJgkgRkcVFhYOb1k3RopKDTozNzA3O1uZlqmCgWx0oYuhiabGIMSx2
         ljHBVOxZRZEcQoNuFyOc58LsFI2XMs442KSWo30/eBf5qBKsXgNDK38RLzdjsdBctt0I
         Ugc+pt10Q4D1/r8FEel4fC97nYx6ZolppkohU1WBYrRY9zSBC+7HYmLbxuq7y8QBNiiO
         guCg==
Sender: isar-users@googlegroups.com
X-Forwarded-Encrypted: i=2; AJvYcCUkTkKER1P7KTmXUESbkLX9lbKne8pVPoY9afgc8bKGBKQJPO3MdGpCzr9zHZSuiTbuLRAt@ilbers.de
X-Gm-Message-State: AOJu0Ywry36Okn7iY1KfXLFgXRmnzKlA4qxk8HX/uw0oGdmw9nQ0v4n3
	go1nusT39yrfAklxyTNBvUV4YPO/VatatHT+zgzPdVLpl7gYA7l3R8Tj
X-Google-Smtp-Source: AGHT+IGTV3DMgLqmz3KSxFPOSsvuMdM5Dw488wTMlIb52iQ1Mzabf5rQQzWOFMGlzcv25etuVWAzXw==
X-Received: by 2002:a5d:64c6:0:b0:42b:3e0a:64b8 with SMTP id ffacd0b85a97d-42fa39d2ee6mr5658372f8f.24.1765444513405;
        Thu, 11 Dec 2025 01:15:13 -0800 (PST)
X-BeenThere: isar-users@googlegroups.com; h="AWVwgWbNXuI0K11P9ibnKjpTyQKYTa8G8TP4/NaZtdP8oeufhA=="
Received: by 2002:a05:6000:2601:b0:42f:9ff2:9098 with SMTP id
 ffacd0b85a97d-42fa8b9ae91ls391899f8f.2.-pod-prod-08-eu; Thu, 11 Dec 2025
 01:15:11 -0800 (PST)
X-Forwarded-Encrypted: i=2; AJvYcCWGpZ3m25HR1Csjvds/XQR60tAUjZ/NZsuyS5UgQWFBPtmBO8M93k/P1KcjuVi1arglSgpSrUb1TmMD@googlegroups.com
X-Received: by 2002:a5d:64e9:0:b0:42b:324a:b9c8 with SMTP id ffacd0b85a97d-42fa39caafamr5566570f8f.3.1765444510723;
        Thu, 11 Dec 2025 01:15:10 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1765444510; cv=none;
        d=google.com; s=arc-20240605;
        b=eo74lmXXXpa7G0UVpN6m48rZ60KNJ5MWyj5/9F2vpc1I7+yDfRWgf3Onrig5OtImDy
         rHAUm9/kAl4/0nL2iX36RkOBkDYQEm2T8YVUg6mjNPl9pvhwIdFsH9AD4VS1tY2RoIYi
         6lth5RM8RVPXlMJrpd0VTLxSSoJZKPhoW6thFGXYUIiFVfXZ4vNbLAqIkNiG2CODfDfH
         tbtvPEtdKgPmOOcU2aGJ7lLzIfhul688UFSwfP+5bgUg8bOAM0mysQEfTk2/p6sDKrlR
         SKNqgm8o7sVyieWFA5yxyC8KlahLe7CXZP+956g5bBV83mQFTZg+8K4mYpmquW10YY+O
         7SOA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
        h=content-transfer-encoding:in-reply-to:from:content-language
         :references:cc:to:subject:user-agent:mime-version:date:message-id;
        bh=dV2pK46441as2y/AkQ07rF86+nIwMWL68bIepmBufUk=;
        fh=KxuzQJaKET/BytpkIhEFTopEdBRTvhBw7JSrBnisyuE=;
        b=fOdoeEN9ynp0eRydmWeZTYPbICyI8PxKeixP5gBR6HdWkAAYtPhwGDmOlriFguKK03
         WDWSJ8pmwdtol1rGOBFU0pZBW8ccENBkLJhM9MYlIwz9bmxM/CngqdcQmm3e4vqKQsKh
         oT5RepB0O1VZ2vgJ6vMsN5eOXA6YUoBoTLVfmkUnDMe7/6I7adBslOX1Zq7Sh8OdnmJo
         Gysmm7SXgxjlFPYfIa16hPvuwOYXBDUvlhyJMSeAPbh3kr0EwpKvw3/Poy+nSuvKPd7+
         i4hY9DTQjfT7dWDjQ8khmRtPCpQ9uaImoVHmMm0BLvRNbLd/MPxmYaO307z+iInaxKE0
         ORkQ==;
        dara=google.com
ARC-Authentication-Results: i=1; gmr-mx.google.com;
       spf=pass (google.com: domain of wzh@ilbers.de designates 85.214.156.166 as permitted sender) smtp.mailfrom=wzh@ilbers.de
Received: from shymkent.ilbers.de (shymkent.ilbers.de. [85.214.156.166])
        by gmr-mx.google.com with ESMTPS id ffacd0b85a97d-42fa8b84549si42684f8f.6.2025.12.11.01.15.10
        for <isar-users@googlegroups.com>
        (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256);
        Thu, 11 Dec 2025 01:15:10 -0800 (PST)
Received-SPF: pass (google.com: domain of wzh@ilbers.de designates 85.214.156.166 as permitted sender) client-ip=85.214.156.166;
Received: from [192.168.178.24] (dslb-090-186-034-039.090.186.pools.vodafone-ip.de [90.186.34.39])
	(authenticated bits=0)
	by shymkent.ilbers.de (8.15.2/8.15.2/Debian-8+deb9u1) with ESMTPSA id 5BB9F95m017991
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Thu, 11 Dec 2025 10:15:09 +0100
Message-ID: <96aeaacc-3977-43f5-9f0b-e72d595a06fb@ilbers.de>
Date: Thu, 11 Dec 2025 10:15:09 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: [PATCH v6 00/10] Add SBOM generation with debsbom
To: Felix Moessbauer <felix.moessbauer@siemens.com>,
        isar-users@googlegroups.com
Cc: christoph.steiger@siemens.com, cedric.hombourger@siemens.com,
        jan.kiszka@siemens.com, quirin.gylstorff@siemens.com
References: <20251201085813.1616095-1-felix.moessbauer@siemens.com>
Content-Language: en-US
From: Zhihang Wei <wzh@ilbers.de>
In-Reply-To: <20251201085813.1616095-1-felix.moessbauer@siemens.com>
Content-Type: text/plain; charset="UTF-8"; format=flowed
X-Spam-Status: No, score=-4.6 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_EF,HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H2,
	RCVD_IN_RP_CERTIFIED,RCVD_IN_RP_RNBL,RCVD_IN_RP_SAFE,SPF_PASS
	autolearn=unavailable autolearn_force=no version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on shymkent.ilbers.de
X-Original-Sender: wzh@ilbers.de
X-Original-Authentication-Results: gmr-mx.google.com;       spf=pass
 (google.com: domain of wzh@ilbers.de designates 85.214.156.166 as permitted
 sender) smtp.mailfrom=wzh@ilbers.de
Precedence: list
Mailing-list: list isar-users@googlegroups.com; contact isar-users+owners@googlegroups.com
List-ID: <isar-users.googlegroups.com>
X-Spam-Checked-In-Group: isar-users@googlegroups.com
X-Google-Group-Id: 914930254986
List-Post: <https://groups.google.com/group/isar-users/post>, <mailto:isar-users@googlegroups.com>
List-Help: <https://groups.google.com/support/>, <mailto:isar-users+help@googlegroups.com>
List-Archive: <https://groups.google.com/group/isar-users
List-Subscribe: <https://groups.google.com/group/isar-users/subscribe>, <mailto:isar-users+subscribe@googlegroups.com>
List-Unsubscribe: <mailto:googlegroups-manage+914930254986+unsubscribe@googlegroups.com>,
 <https://groups.google.com/group/isar-users/subscribe>
X-TUID: +uKetidofcQj

p1-5 were applied to next, thanks.

Zhihang

On 12/1/25 09:58, 'Felix Moessbauer' via isar-users wrote:
> This patchset adds proper SBOM generation in the two standard formats
> SPDX and CycloneDX during the rootfs generation process.
>
> The generation is itself is handled by a SBOM generator  `debsbom` [1]
> which is developed as an open source project at Siemens. It is still
> early in development, but it has enough features for what we require
> in isar. The required dependencies which are not yet available as
> Debian packages were minimally packaged directly in isar too.
>
> This is a followup of the previous RFC [2]. Since then the series has
> changed a lot. The SBOM generation was moved from a simple OE lib to
> `debsbom`. This also meant the introduction of a separate chroot was
> necessary. The SBOM generation process was also moved from the image
> step to the rootfs step, along with a lot of minor changes and
> improvements.
>
> [1] https://github.com/siemens/debsbom
> [2] https://groups.google.com/g/isar-users/c/8L-CF4BJY0I/m/p0N3o_zfAAAJ
>
> Changes since v5:
>
> - fix isar-image-ci on qemuamd64-bullseye (set IMAGER_BOM according to
>    machine changes made in image file)
> - rebased onto next
>
> Changes since v4:
>
> - rebased onto next
> - fix race condition on creation of ${DEPLOY_DIR_SBOM} (aka ${DEPLOY_DIR_IMAGE})
>
> Changes since v3:
>
> - fix issue on external bullseye initramfs (we now disable sbom generation
>    on all unsupported distros rootfs instances)
> - update debsbom to v0.4.0
> - rebased onto next
>
> Changes since v2:
>
> - fix issues when HOST_ARCH != DISTRO_ARCH on derived distributions
> - update debsbom to v0.3.0, which fixes the Origin: bug reported in v2
> - generate SBOM for imager as well and create merged sbom of .wic image
> - resend imager manifest + wic manifest patches to reduce conflicts
>
> Note, that the patches p1-p5 are most important as they add basic SBOM
> support. The remaining patches address the imager + .wic bom part,
> which also can be merged later on.
>
> Changes since v1:
>
> - remove tarball
> - refactor packaging (auto-derive python dependencies)
> - only build missing packages (varies on bookworm, trixie, noble)
> - add ubuntu support
> - only generate sboms for supported distributions (bookworm/jammy and
>    onwards)
> - update debsbom (includes bug fixes and more information for source
>    packages)
>
>
> Christoph Steiger (3):
>    meta: package python libraries for SBOM generation
>    meta: package python3-debsbom
>    meta: add SBOM generation with debsbom
>
> Felix Moessbauer (7):
>    refactor: move get_rootfs_distro from sdk into rootfs
>    override distro vendor in SBOM on Ubuntu
>    add support to add imager dependencies to BOM
>    wic: create uniform manifest describing all image components
>    qemuamd64: add IMAGER_BOM entries
>    imager: create SBOM of IMAGER_BOM packages
>    wic: create uniform SBOM describing all image components
>
>   doc/user_manual.md                            |  1 +
>   meta-isar/conf/distro/ubuntu-common.inc       |  2 +
>   meta-isar/conf/machine/qemuamd64.conf         |  1 +
>   .../recipes-core/images/isar-image-ci.bb      |  1 +
>   meta/classes/image-tools-extension.bbclass    | 29 +++++++++
>   meta/classes/image.bbclass                    |  7 ++
>   meta/classes/imagetypes_wic.bbclass           | 30 +++++++++
>   meta/classes/initramfs.bbclass                |  3 +-
>   meta/classes/rootfs.bbclass                   | 23 ++++++-
>   meta/classes/sbom.bbclass                     | 65 +++++++++++++++++++
>   meta/classes/sdk.bbclass                      | 10 +--
>   .../sbom-chroot/sbom-chroot.bb                | 30 +++++++++
>   .../python3-beartype/files/rules              |  8 +++
>   .../python3-beartype_0.19.0.bb                | 29 +++++++++
>   .../files/pybuild.testfiles                   |  1 +
>   .../python3-cyclonedx-lib/files/rules         |  8 +++
>   .../python3-cyclonedx-lib_9.1.0.bb            | 48 ++++++++++++++
>   ...icense-description-in-pyproject.toml.patch | 28 ++++++++
>   .../python3-debsbom/files/rules               |  8 +++
>   .../python3-debsbom/python3-debsbom_0.4.0.bb  | 45 +++++++++++++
>   .../python3-packageurl/files/rules            |  8 +++
>   .../python3-packageurl_0.16.0.bb              | 33 ++++++++++
>   .../python3-py-serializable/files/rules       |  8 +++
>   .../python3-py-serializable_2.0.0.bb          | 38 +++++++++++
>   .../python3-spdx-tools/files/rules            | 25 +++++++
>   .../python3-spdx-tools_0.8.3.bb               | 46 +++++++++++++
>   26 files changed, 524 insertions(+), 11 deletions(-)
>   create mode 100644 meta/classes/sbom.bbclass
>   create mode 100644 meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
>   create mode 100644 meta/recipes-support/python3-beartype/files/rules
>   create mode 100644 meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb
>   create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/pybuild.testfiles
>   create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/rules
>   create mode 100644 meta/recipes-support/python3-cyclonedx-lib/python3-cyclonedx-lib_9.1.0.bb
>   create mode 100644 meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch
>   create mode 100644 meta/recipes-support/python3-debsbom/files/rules
>   create mode 100644 meta/recipes-support/python3-debsbom/python3-debsbom_0.4.0.bb
>   create mode 100644 meta/recipes-support/python3-packageurl/files/rules
>   create mode 100644 meta/recipes-support/python3-packageurl/python3-packageurl_0.16.0.bb
>   create mode 100644 meta/recipes-support/python3-py-serializable/files/rules
>   create mode 100644 meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb
>   create mode 100644 meta/recipes-support/python3-spdx-tools/files/rules
>   create mode 100644 meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb
>

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/96aeaacc-3977-43f5-9f0b-e72d595a06fb%40ilbers.de.