From: "'MOESSBAUER, Felix' via isar-users"
To: "isar-users@googlegroups.com"
CC: "Steiger, Christoph", "Kiszka, Jan", "cedric.hombourger@siemens.com", "Hillier, Gernot"
Subject: Re: [RFC PATCH 1/1] meta: add CycloneDX/SPDX SBOM generation
Date: Fri, 1 Aug 2025 07:53:57 +0000
Message-ID: <9c17b432a88fe4a1154b90213a872531b5309ed6.camel@siemens.com>
References: <20250220095944.114203-1-felix.moessbauer@siemens.com> <20250220095944.114203-2-felix.moessbauer@siemens.com>
In-Reply-To: <20250220095944.114203-2-felix.moessbauer@siemens.com>

On Thu, 2025-02-20 at 10:59 +0100, 'Felix Moessbauer' via isar-users wrote:
> From: Christoph Steiger
>
> Add a new class to allow generation of software bill of materials
> (SBOM). Supported are the two standard SBOM formats CycloneDX and SPDX.
> SBOM generation is enabled per default for all images.
>
> Both formats support the minimal usecase of binary packages information
> and their dependencies. Unfortunately there is no proper way to express
> the relationships of debian source packages and their corresponding
> binary packages in the CDX format, so it is left out there.
>
> The information included in the SBOM is parsed from the dpkg status
> file found in the created image.
>
> Signed-off-by: Christoph Steiger
> ---
>  meta/classes/create-sbom.bbclass |  49 ++++
>  meta/classes/image.bbclass       |   2 +
>  meta/lib/sbom.py                 | 446 +++++++++++++++++++++++++++++++
>  meta/lib/sbom_cdx_types.py       |  82 ++++++
>  meta/lib/sbom_spdx_types.py      |  95 +++++++
>  5 files changed, 674 insertions(+)
>  create mode 100644 meta/classes/create-sbom.bbclass
>  create mode 100644 meta/lib/sbom.py
>  create mode 100644 meta/lib/sbom_cdx_types.py
>  create mode 100644 meta/lib/sbom_spdx_types.py
>
> diff --git a/meta/classes/create-sbom.bbclass b/meta/classes/create- > sbom.bbclass > new file mode 100644 > index 00000000..8c647699 > --- /dev/null > +++ b/meta/classes/create-sbom.bbclass 
> @@ -0,0 +1,49 @@ > +# This software is a part of ISAR. > +# Copyright (C) 2025 Siemens AG > +# > +# SPDX-License-Identifier: MIT > + > +# sbom type to generate, accepted are "cyclonedx" and "spdx" > +SBOM_TYPE ?=3D "cyclonedx spdx" > + > +# general user variables > +SBOM_DISTRO_SUPPLIER ?=3D "ISAR" > +SBOM_DISTRO_NAME ?=3D "ISAR-Debian-GNU-Linux" > +SBOM_DISTRO_VERSION ?=3D "1.0.0" > +SBOM_DISTRO_SUMMARY ?=3D "Linux distribution built with ISAR" > +SBOM_DOCUMENT_UUID ?=3D "" > + > +# SPDX specific user variables > +SBOM_SPDX_NAMESPACE_PREFIX ?=3D "https://spdx.org/spdxdocs" > + > +SBOM_DEPLOY_BASE =3D "${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}" > + > +SBOM_GEN_VERSION =3D "0.1.0" > + > +# adapted from the isar-cip-core image_uuid.bbclass > +def generate_document_uuid(d): > +=C2=A0=C2=A0=C2=A0 import uuid > + > +=C2=A0=C2=A0=C2=A0 base_hash =3D d.getVar("BB_TASKHASH") > +=C2=A0=C2=A0=C2=A0 if base_hash is None: > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 bb.warn("no BB_TASKHASH avail= able, SBOM UUID is not > reproducible") > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 return uuid.uuid4() > +=C2=A0=C2=A0=C2=A0 return str(uuid.UUID(base_hash[:32], version=3D4)) > + > +python do_create_sbom() { > +=C2=A0=C2=A0=C2=A0 import sbom > + > +=C2=A0=C2=A0=C2=A0 dpkg_status =3D d.getVar("IMAGE_ROOTFS") + "/var/lib/= dpkg/status" > +=C2=A0=C2=A0=C2=A0 packages =3D sbom.Package.parse_status_file(dpkg_stat= us) > + > +=C2=A0=C2=A0=C2=A0 if not d.getVar("SBOM_DOCUMENT_UUID"): > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 d.setVar("SBOM_DOCUMENT_UUID"= , generate_document_uuid(d)) > + > +=C2=A0=C2=A0=C2=A0 sbom_type =3D d.getVar("SBOM_TYPE") > +=C2=A0=C2=A0=C2=A0 if "cyclonedx" in sbom_type: > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 sbom.generate(d, packages, sb= om.SBOMType.CycloneDX, > d.getVar("SBOM_DEPLOY_BASE") + ".cyclonedx.json") > +=C2=A0=C2=A0=C2=A0 if "spdx" in sbom_type: > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 sbom.generate(d, packages, sb= om.SBOMType.SPDX, > 
d.getVar("SBOM_DEPLOY_BASE") + ".spdx.json") > +} > + > +addtask do_create_sbom after do_rootfs before do_build > diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass > index 56eca202..e9da6a61 100644 > --- a/meta/classes/image.bbclass > +++ b/meta/classes/image.bbclass > @@ -81,6 +81,8 @@ inherit image-postproc-extension > =C2=A0inherit image-locales-extension > =C2=A0inherit image-account-extension > =C2=A0 > +inherit create-sbom

Hi,

is there a particular reason why we add the SBOM generation to the image class instead of the rootfs? I'm also wondering if we could model the SBOM generation as a rootfs feature. By that, we could easily switch it on / off for relevant rootfs' like the external initrd or a container rootfs.

In the image class, we could add an additional sbom-merger that merges the rootfs SBOMs into one big one that contains all data which finally ends up in the image.

Felix

> + > =C2=A0# Extra space for rootfs in MB > =C2=A0ROOTFS_EXTRA ?=3D "64" > =C2=A0 >=20

--
Siemens AG
Linux Expert Center
Friedrich-Ludwig-Bauer-Str. 3
85748 Garching, Germany
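
Review bot: In `generate_document_uuid()` in `create-sbom.bbclass`, the fallback branch returns `uuid.uuid4()` (a `UUID` object) while the normal path returns `str(...)`, so `d.setVar("SBOM_DOCUMENT_UUID", ...)` receives a non-string in exactly the case where the warning fires; suggest `return str(uuid.uuid4())`. In `do_create_sbom`, `"cyclonedx" in sbom_type` and `"spdx" in sbom_type` are substring tests on the raw variable, so a misspelled or unknown entry in `SBOM_TYPE` is silently ignored and an unset value raises `TypeError`; splitting with `(d.getVar("SBOM_TYPE") or "").split()` and warning on unrecognised entries would make the accepted values match the comment above the default.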
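
Review bot: The `inherit create-sbom` added to `image.bbclass` is unconditional, so every image recipe picks up `do_create_sbom` between `do_rootfs` and `do_build`, and the class shows no switch to turn it off: an empty `SBOM_TYPE` skips both `sbom.generate()` calls, but the task still runs and parses the dpkg status file. Suggest guarding the task with an explicit enable variable, or documenting the empty `SBOM_TYPE` as the opt-out next to the `SBOM_TYPE ?=` default.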
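
The quoted commit message says the SBOM is built from the dpkg status file of the image and covers binary packages and their dependencies. The following is an added example, not code from the patch or from ISAR's `sbom.py`: it parses a constructed status file into a minimal CycloneDX document, with the function names, the `debian` purl namespace and the sample packages all being assumptions made for illustration.

```python
import re
from urllib.parse import quote

# Constructed sample of /var/lib/dpkg/status (not taken from a real image).
SAMPLE_STATUS = """\
Package: libc6
Status: install ok installed
Architecture: amd64
Version: 2.36-9+deb12u10
Description: GNU C Library: Shared libraries
 Contains the standard libraries used by nearly all programs.

Package: libssl3
Status: install ok installed
Architecture: amd64
Version: 3.0.16-1~deb12u1
Depends: libc6 (>= 2.34)

Package: curl
Status: install ok installed
Architecture: amd64
Version: 7.88.1-10+deb12u12
Depends: libc6 (>= 2.34), libssl3 (>= 3.0.0) | libssl1.1, zlib1g:any

Package: oldtool
Status: deinstall ok config-files
Version: 1.0-1
"""

def parse_status(text):
    """Yield one dict per stanza; continuation lines are folded into their field."""
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") and key:
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        yield fields

def dep_names(depends):
    """'a (>= 1), b | c:any' -> [['a'], ['b', 'c']]; constraints and qualifiers dropped."""
    groups = [g for g in (part.strip() for part in depends.split(",")) if g]
    return [[re.split(r"[\s(:\[]", alt.strip(), maxsplit=1)[0] for alt in g.split("|")]
            for g in groups]

def purl(pkg):
    # Simplified package URL; the "debian" namespace is an assumption for this sample.
    return "pkg:deb/debian/%s@%s?arch=%s" % (
        pkg["Package"], quote(pkg["Version"], safe=""), pkg["Architecture"])

def build_bom(status_text):
    # Only fully installed packages belong in the SBOM; removed ones are skipped.
    installed = {p["Package"]: p for p in parse_status(status_text)
                 if p.get("Status") == "install ok installed"}
    components, dependencies = [], []
    for name, pkg in sorted(installed.items()):
        ref = purl(pkg)
        components.append({"type": "library", "bom-ref": ref, "name": name,
                           "version": pkg["Version"], "purl": ref})
        depends_on = []
        for alternatives in dep_names(pkg.get("Depends", "")):
            # An alternative group resolves to whichever member is installed;
            # groups with no installed member produce no edge.
            hit = next((a for a in alternatives if a in installed), None)
            if hit:
                depends_on.append(purl(installed[hit]))
        dependencies.append({"ref": ref, "dependsOn": depends_on})
    return {"bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
            "components": components, "dependencies": dependencies}
```

The `Depends` edge to `zlib1g` is dropped because that package is absent from the sample, which is the kind of gap a consumer of the SBOM should expect when a dependency is satisfied by a virtual package.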