[PATCH v3 00/10] Add SBOM generation with debsbom

[PATCH v3 00/10] Add SBOM generation with debsbom

['Felix Moessbauer' via isar-users]

This patchset adds proper SBOM generation in the two standard formats
SPDX and CycloneDX during the rootfs generation process.

The generation is itself is handled by a SBOM generator  `debsbom` [1]
which is developed as an open source project at Siemens. It is still
early in development, but it has enough features for what we require
in isar. The required dependencies which are not yet available as
Debian packages were minimally packaged directly in isar too.

This is a followup of the previous RFC [2]. Since then the series has
changed a lot. The SBOM generation was moved from a simple OE lib to
`debsbom`. This also meant the introduction of a separate chroot was
necessary. The SBOM generation process was also moved from the image
step to the rootfs step, along with a lot of minor changes and
improvements.

[1] https://github.com/siemens/debsbom
[2] https://groups.google.com/g/isar-users/c/8L-CF4BJY0I/m/p0N3o_zfAAAJ

Changes since v2:

- fix issues when HOST_ARCH != DISTRO_ARCH on derived distributions
- update debsbom to v0.3.0, which fixes the Origin: bug reported in v2
- generate SBOM for imager as well and create merged sbom of .wic image
- resend imager manifest + wic manifest patches to reduce conflicts

Note, that the patches p1-p5 are most important as they add basic SBOM
support. The remaining patches address the imager + .wic bom part,
which also can be merged later on.

Changes since v1:

- remove tarball
- refactor packaging (auto-derive python dependencies)
- only build missing packages (varies on bookworm, trixie, noble)
- add ubuntu support
- only generate sboms for supported distributions (bookworm/jammy and
  onwards)
- update debsbom (includes bug fixes and more information for source
  packages)

Christoph Steiger (3):
  meta: package python libraries for SBOM generation
  meta: package python3-debsbom
  meta: add SBOM generation with debsbom

Felix Moessbauer (7):
  refactor: move get_rootfs_distro from sdk into rootfs
  override distro vendor in SBOM on Ubuntu
  add support to add imager dependencies to BOM
  wic: create uniform manifest describing all image components
  qemuamd64: add IMAGER_BOM entries
  imager: create SBOM of IMAGER_BOM packages
  wic: create uniform SBOM describing all image components

 doc/user_manual.md                            |  1 +
 meta-isar/conf/distro/ubuntu-common.inc       |  2 +
 meta-isar/conf/machine/qemuamd64.conf         |  1 +
 meta/classes/image-tools-extension.bbclass    | 29 +++++++++
 meta/classes/image.bbclass                    | 14 +++-
 meta/classes/imagetypes_wic.bbclass           | 30 +++++++++
 meta/classes/initramfs.bbclass                |  3 +-
 meta/classes/rootfs.bbclass                   | 16 ++++-
 meta/classes/sbom.bbclass                     | 64 +++++++++++++++++++
 meta/classes/sdk.bbclass                      | 10 +--
 .../sbom-chroot/sbom-chroot.bb                | 30 +++++++++
 .../python3-beartype/files/rules              |  8 +++
 .../python3-beartype_0.19.0.bb                | 29 +++++++++
 .../files/pybuild.testfiles                   |  1 +
 .../python3-cyclonedx-lib/files/rules         |  8 +++
 .../python3-cyclonedx-lib_9.1.0.bb            | 48 ++++++++++++++
 ...icense-description-in-pyproject.toml.patch | 28 ++++++++
 .../python3-debsbom/files/rules               |  8 +++
 .../python3-debsbom/python3-debsbom_0.3.0.bb  | 45 +++++++++++++
 .../python3-packageurl/files/rules            |  8 +++
 .../python3-packageurl_0.16.0.bb              | 33 ++++++++++
 .../python3-py-serializable/files/rules       |  8 +++
 .../python3-py-serializable_2.0.0.bb          | 38 +++++++++++
 .../python3-spdx-tools/files/rules            | 25 ++++++++
 .../python3-spdx-tools_0.8.3.bb               | 46 +++++++++++++
 25 files changed, 521 insertions(+), 12 deletions(-)
 create mode 100644 meta/classes/sbom.bbclass
 create mode 100644 meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
 create mode 100644 meta/recipes-support/python3-beartype/files/rules
 create mode 100644 meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb
 create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/pybuild.testfiles
 create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/rules
 create mode 100644 meta/recipes-support/python3-cyclonedx-lib/python3-cyclonedx-lib_9.1.0.bb
 create mode 100644 meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch
 create mode 100644 meta/recipes-support/python3-debsbom/files/rules
 create mode 100644 meta/recipes-support/python3-debsbom/python3-debsbom_0.3.0.bb
 create mode 100644 meta/recipes-support/python3-packageurl/files/rules
 create mode 100644 meta/recipes-support/python3-packageurl/python3-packageurl_0.16.0.bb
 create mode 100644 meta/recipes-support/python3-py-serializable/files/rules
 create mode 100644 meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb
 create mode 100644 meta/recipes-support/python3-spdx-tools/files/rules
 create mode 100644 meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb

-- 
2.51.0

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20251022153921.2494749-1-felix.moessbauer%40siemens.com.

[PATCH v3 01/10] refactor: move get_rootfs_distro from sdk into rootfs

['Felix Moessbauer' via isar-users]

This helper is rootfs (not sdk) specific and can be re-used to reliably
compute the distro of a rootfs (also transient ones like the ones used
by sbuild). As the SDK always is included into a rootfs, we just move it
there and make it reusable.

Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
 meta/classes/rootfs.bbclass | 9 +++++++++
 meta/classes/sdk.bbclass    | 8 --------
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass
index 4d73bfec..6413c057 100644
--- a/meta/classes/rootfs.bbclass
+++ b/meta/classes/rootfs.bbclass
@@ -26,6 +26,15 @@ ROOTFS_PACKAGE_SUFFIX ?= "${PN}-${DISTRO}-${DISTRO_ARCH}"
 # path to deploy stubbed versions of initrd update scripts during do_rootfs_install
 ROOTFS_STUBS_DIR = "/usr/local/isar-sbin"
 
+# helper to compute the rootfs distro also under cross building
+def get_rootfs_distro(d):
+    host_arch = d.getVar('HOST_ARCH')
+    distro_arch = d.getVar('DISTRO_ARCH')
+    if host_arch == distro_arch:
+        return d.getVar('DISTRO')
+    else:
+        return d.getVar('HOST_DISTRO')
+
 # Useful environment variables:
 export E = "${@ isar_export_proxies(d)}"
 export DEBIAN_FRONTEND = "noninteractive"
diff --git a/meta/classes/sdk.bbclass b/meta/classes/sdk.bbclass
index 46436d97..00cae0da 100644
--- a/meta/classes/sdk.bbclass
+++ b/meta/classes/sdk.bbclass
@@ -43,14 +43,6 @@ SDK_PREINSTALL += " \
     devscripts \
     equivs"
 
-def get_rootfs_distro(d):
-    host_arch = d.getVar('HOST_ARCH')
-    distro_arch = d.getVar('DISTRO_ARCH')
-    if host_arch == distro_arch:
-        return d.getVar('DISTRO')
-    else:
-        return d.getVar('HOST_DISTRO')
-
 # rootfs/image overrides for the SDK
 ROOTFS_ARCH:class-sdk = "${HOST_ARCH}"
 ROOTFS_DISTRO:class-sdk = "${@get_rootfs_distro(d)}"
-- 
2.51.0

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20251022153921.2494749-2-felix.moessbauer%40siemens.com.

[PATCH v3 02/10] meta: package python libraries for SBOM generation

['Felix Moessbauer' via isar-users]

From: Christoph Steiger <christoph.steiger@siemens.com>

Package python libraries for SBOM generation in isar. The packages are
unfortunately not (yet) packaged in Debian, thats why we need to do it
here. With these libraries it is now possible to easily create CDX and
SPDX SBOMs in different file formats.

Signed-off-by: Christoph Steiger <christoph.steiger@siemens.com>
---
 .../python3-beartype/files/rules              |  8 ++++
 .../python3-beartype_0.19.0.bb                | 29 +++++++++++
 .../files/pybuild.testfiles                   |  1 +
 .../python3-cyclonedx-lib/files/rules         |  8 ++++
 .../python3-cyclonedx-lib_9.1.0.bb            | 48 +++++++++++++++++++
 .../python3-packageurl/files/rules            |  8 ++++
 .../python3-packageurl_0.16.0.bb              | 33 +++++++++++++
 .../python3-py-serializable/files/rules       |  8 ++++
 .../python3-py-serializable_2.0.0.bb          | 38 +++++++++++++++
 .../python3-spdx-tools/files/rules            | 25 ++++++++++
 .../python3-spdx-tools_0.8.3.bb               | 46 ++++++++++++++++++
 11 files changed, 252 insertions(+)
 create mode 100644 meta/recipes-support/python3-beartype/files/rules
 create mode 100644 meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb
 create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/pybuild.testfiles
 create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/rules
 create mode 100644 meta/recipes-support/python3-cyclonedx-lib/python3-cyclonedx-lib_9.1.0.bb
 create mode 100644 meta/recipes-support/python3-packageurl/files/rules
 create mode 100644 meta/recipes-support/python3-packageurl/python3-packageurl_0.16.0.bb
 create mode 100644 meta/recipes-support/python3-py-serializable/files/rules
 create mode 100644 meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb
 create mode 100644 meta/recipes-support/python3-spdx-tools/files/rules
 create mode 100644 meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb

diff --git a/meta/recipes-support/python3-beartype/files/rules b/meta/recipes-support/python3-beartype/files/rules
new file mode 100644
index 00000000..0ca517a1
--- /dev/null
+++ b/meta/recipes-support/python3-beartype/files/rules
@@ -0,0 +1,8 @@
+#!/usr/bin/make -f
+
+#export DH_VERBOSE = 1
+export PYBUILD_NAME = beartype
+export PYBUILD_SYSTEM = pyproject
+
+%:
+	dh $@ --with python3 --buildsystem=pybuild
diff --git a/meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb b/meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb
new file mode 100644
index 00000000..b8bc2708
--- /dev/null
+++ b/meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb
@@ -0,0 +1,29 @@
+# This software is a part of ISAR.
+# Copyright (c) Siemens, 2025
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+S = "${WORKDIR}/beartype-${PV}"
+
+MAINTAINER = "Christoph Steiger <christoph.steiger@siemens.com>"
+DPKG_ARCH = "all"
+DEBIAN_BUILD_DEPENDS = "debhelper (>= 11~), dh-python, python3-all, python3-setuptools, pybuild-plugin-pyproject, python3-hatchling"
+DEBIAN_DEPENDS = "\${python3:Depends}, \${misc:Depends}"
+# this is 01/01/1980, any earlier and zip in the wheel building process will not accept it
+DEBIAN_CHANGELOG_TIMESTAMP = "315532800"
+DESCRIPTION = "Unbearably fast near-real-time hybrid runtime-static type-checking in pure Python."
+
+SRC_URI = "\
+    https://github.com/beartype/beartype/archive/refs/tags/v0.19.0.tar.gz \
+    file://rules \
+    "
+SRC_URI[sha256sum] = "e7ad00eebf527d60f30e0b391209b561dabd2074b608c50e26c94c2d8250a6cd"
+
+do_prepare_build[cleandirs] += "${S}/debian"
+do_prepare_build() {
+    deb_debianize
+}
diff --git a/meta/recipes-support/python3-cyclonedx-lib/files/pybuild.testfiles b/meta/recipes-support/python3-cyclonedx-lib/files/pybuild.testfiles
new file mode 100644
index 00000000..cc736a36
--- /dev/null
+++ b/meta/recipes-support/python3-cyclonedx-lib/files/pybuild.testfiles
@@ -0,0 +1 @@
+pyproject.toml
diff --git a/meta/recipes-support/python3-cyclonedx-lib/files/rules b/meta/recipes-support/python3-cyclonedx-lib/files/rules
new file mode 100644
index 00000000..fe72dd1a
--- /dev/null
+++ b/meta/recipes-support/python3-cyclonedx-lib/files/rules
@@ -0,0 +1,8 @@
+#!/usr/bin/make -f
+
+#export DH_VERBOSE = 1
+export PYBUILD_NAME = cyclonedx-python-lib
+export PYBUILD_SYSTEM = pyproject
+
+%:
+	dh $@ --with python3 --buildsystem=pybuild
diff --git a/meta/recipes-support/python3-cyclonedx-lib/python3-cyclonedx-lib_9.1.0.bb b/meta/recipes-support/python3-cyclonedx-lib/python3-cyclonedx-lib_9.1.0.bb
new file mode 100644
index 00000000..738ed1b3
--- /dev/null
+++ b/meta/recipes-support/python3-cyclonedx-lib/python3-cyclonedx-lib_9.1.0.bb
@@ -0,0 +1,48 @@
+# This software is a part of ISAR.
+# Copyright (c) Siemens, 2025
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+DEPENDS:append:bookworm = " python3-packageurl python3-py-serializable"
+DEPENDS:append:noble = " python3-packageurl python3-py-serializable"
+
+S = "${WORKDIR}/cyclonedx_python_lib-${PV}"
+
+MAINTAINER = "Christoph Steiger <christoph.steiger@siemens.com>"
+DPKG_ARCH = "all"
+DEBIAN_BUILD_DEPENDS = "debhelper (>= 11~), \
+                        dh-python, \
+                        python3-all, \
+                        python3-setuptools, \
+                        pybuild-plugin-pyproject, \
+                        python3-poetry, \
+                        python3-py-serializable, \
+                        python3-packageurl, \
+                        python3-sortedcontainers, \
+                        python3-ddt, \
+                        python3-defusedxml, \
+                        python3-license-expression, \
+                        python3-jsonschema, \
+                        python3-lxml, \
+                        "
+
+DEBIAN_DEPENDS = "\${python3:Depends}, \${misc:Depends}"
+
+DESCRIPTION = "Library for serializing and deserializing Python Objects to and from JSON and XML."
+
+SRC_URI = "\
+    https://github.com/CycloneDX/cyclonedx-python-lib/releases/download/v9.1.0/cyclonedx_python_lib-9.1.0.tar.gz \
+    file://rules \
+    file://pybuild.testfiles \
+    "
+SRC_URI[sha256sum] = "86935f2c88a7b47a529b93c724dbd3e903bc573f6f8bd977628a7ca1b5dadea1"
+
+do_prepare_build[cleandirs] += "${S}/debian"
+do_prepare_build() {
+    cp "${WORKDIR}"/pybuild.testfiles "${S}"/debian
+    deb_debianize
+}
diff --git a/meta/recipes-support/python3-packageurl/files/rules b/meta/recipes-support/python3-packageurl/files/rules
new file mode 100644
index 00000000..50e1b74c
--- /dev/null
+++ b/meta/recipes-support/python3-packageurl/files/rules
@@ -0,0 +1,8 @@
+#!/usr/bin/make -f
+
+#export DH_VERBOSE = 1
+export PYBUILD_NAME = packageurl-python
+export PYBUILD_SYSTEM = distutils
+
+%:
+	dh $@ --with python3 --buildsystem=pybuild
diff --git a/meta/recipes-support/python3-packageurl/python3-packageurl_0.16.0.bb b/meta/recipes-support/python3-packageurl/python3-packageurl_0.16.0.bb
new file mode 100644
index 00000000..27209429
--- /dev/null
+++ b/meta/recipes-support/python3-packageurl/python3-packageurl_0.16.0.bb
@@ -0,0 +1,33 @@
+# This software is a part of ISAR.
+# Copyright (c) Siemens, 2025
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+S = "${WORKDIR}/packageurl_python-${PV}"
+
+MAINTAINER = "Christoph Steiger <christoph.steiger@siemens.com>"
+DPKG_ARCH = "all"
+DEBIAN_BUILD_DEPENDS = "debhelper (>= 11~), \
+                        dh-python, \
+                        python3-all, \
+                        python3-setuptools, \
+                        "
+
+DEBIAN_DEPENDS = "\${python3:Depends}, \${misc:Depends}"
+
+DESCRIPTION = "A purl aka. Package URL parser and builder"
+
+SRC_URI = "\
+    https://github.com/package-url/packageurl-python/releases/download/v0.16.0/packageurl_python-0.16.0.tar.gz \
+    file://rules \
+    "
+SRC_URI[sha256sum] = "69e3bf8a3932fe9c2400f56aaeb9f86911ecee2f9398dbe1b58ec34340be365d"
+
+do_prepare_build[cleandirs] += "${S}/debian"
+do_prepare_build() {
+    deb_debianize
+}
diff --git a/meta/recipes-support/python3-py-serializable/files/rules b/meta/recipes-support/python3-py-serializable/files/rules
new file mode 100644
index 00000000..0cf845dd
--- /dev/null
+++ b/meta/recipes-support/python3-py-serializable/files/rules
@@ -0,0 +1,8 @@
+#!/usr/bin/make -f
+
+#export DH_VERBOSE = 1
+export PYBUILD_NAME = py-serializable
+export PYBUILD_SYSTEM = pyproject
+
+%:
+	dh $@ --with python3 --buildsystem=pybuild
diff --git a/meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb b/meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb
new file mode 100644
index 00000000..5bc48c0f
--- /dev/null
+++ b/meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb
@@ -0,0 +1,38 @@
+# This software is a part of ISAR.
+# Copyright (c) Siemens, 2025
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+S = "${WORKDIR}/py_serializable-${PV}"
+
+MAINTAINER = "Christoph Steiger <christoph.steiger@siemens.com>"
+DPKG_ARCH = "all"
+DEBIAN_BUILD_DEPENDS = " \
+    dh-sequence-python3, \
+    pybuild-plugin-pyproject, \
+    python3-all, \
+    python3-defusedxml, \
+    python3-lxml, \
+    python3-poetry-core, \
+    python3-setuptools, \
+    xmldiff, \
+"
+
+DEBIAN_DEPENDS = "\${python3:Depends}, \${misc:Depends}"
+
+DESCRIPTION = "Library for serializing and deserializing Python Objects to and from JSON and XML."
+
+SRC_URI = "\
+    https://github.com/madpah/serializable/releases/download/v2.0.0/py_serializable-2.0.0.tar.gz \
+    file://rules \
+    "
+SRC_URI[sha256sum] = "e9e6491dd7d29c31daf1050232b57f9657f9e8a43b867cca1ff204752cf420a5"
+
+do_prepare_build[cleandirs] += "${S}/debian"
+do_prepare_build() {
+    deb_debianize
+}
diff --git a/meta/recipes-support/python3-spdx-tools/files/rules b/meta/recipes-support/python3-spdx-tools/files/rules
new file mode 100644
index 00000000..ac87528a
--- /dev/null
+++ b/meta/recipes-support/python3-spdx-tools/files/rules
@@ -0,0 +1,25 @@
+#!/usr/bin/make -f
+
+#export DH_VERBOSE = 1
+export PYBUILD_NAME = spdx-tools
+export PYBUILD_SYSTEM = distutils
+
+# skip tests that require hard-to-package dependencies and tests that rely on relative file paths
+# TODO: figure out a way to make these tests work
+export PYBUILD_TEST_ARGS=--ignore tests/spdx3/validation/json_ld/test_shacl_validation.py \
+	-k 'not test_examples \
+	and not test_parse_from_file \
+	and not test_annotation_parser \
+	and not test_snippet_parser \
+	and not test_creation_info_parser \
+	and not test_json_ld_writer \
+	and not test_extracted_licensing_info_parser \
+	and not test_parse_file \
+	and not test_package_parser \
+	and not test_relationship_parser \
+	and not test_graph_parsing_function \
+	and not test_license_expression_parser \
+	'
+
+%:
+	dh $@ --with python3 --buildsystem=pybuild
diff --git a/meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb b/meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb
new file mode 100644
index 00000000..30d090a9
--- /dev/null
+++ b/meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb
@@ -0,0 +1,46 @@
+# This software is a part of ISAR.
+# Copyright (c) Siemens, 2025
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+S = "${WORKDIR}/tools-python-${PV}"
+
+DEPENDS:append:bookworm = " python3-beartype"
+
+MAINTAINER = "Christoph Steiger <christoph.steiger@siemens.com>"
+DPKG_ARCH = "all"
+DEBIAN_BUILD_DEPENDS = "dh-python, \
+                        python3-all, \
+                        python3-setuptools, \
+                        python3-beartype, \
+                        python3-semantic-version, \
+                        python3-license-expression, \
+                        python3-pytest <!nocheck>, \
+                        python3-rdflib, \
+                        python3-uritools, \
+                        python3-ply, \
+                        python3-click, \
+                        python3-xmltodict, \
+                        python3-yaml, \
+                        "
+
+DEBIAN_DEPENDS = "\${python3:Depends}, \${misc:Depends}"
+DEB_BUILD_PROFILES += "nocheck"
+DEB_BUILD_OPTIONS += "nocheck"
+
+DESCRIPTION = "SPDX parser and tools."
+
+SRC_URI = "\
+    https://github.com/spdx/tools-python/archive/refs/tags/v0.8.3.tar.gz \
+    file://rules \
+    "
+SRC_URI[sha256sum] = "17cb0140adbaefb58819c9d5d56060dc6a70c673a854fa9bd882ecfa4e062a7f"
+
+do_prepare_build[cleandirs] += "${S}/debian"
+do_prepare_build() {
+    deb_debianize
+}
-- 
2.51.0

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20251022153921.2494749-3-felix.moessbauer%40siemens.com.

[PATCH v3 03/10] meta: package python3-debsbom

['Felix Moessbauer' via isar-users]

From: Christoph Steiger <christoph.steiger@siemens.com>

Package the python tool debsbom for SBOM generation for Debian based
distributions.

Signed-off-by: Christoph Steiger <christoph.steiger@siemens.com>
---
 ...icense-description-in-pyproject.toml.patch | 28 ++++++++++++
 .../python3-debsbom/files/rules               |  8 ++++
 .../python3-debsbom/python3-debsbom_0.3.0.bb  | 45 +++++++++++++++++++
 3 files changed, 81 insertions(+)
 create mode 100644 meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch
 create mode 100644 meta/recipes-support/python3-debsbom/files/rules
 create mode 100644 meta/recipes-support/python3-debsbom/python3-debsbom_0.3.0.bb

diff --git a/meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch b/meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch
new file mode 100644
index 00000000..c9137e25
--- /dev/null
+++ b/meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch
@@ -0,0 +1,28 @@
+From 8f926ab0ed1585656ba7de80a82cc802c3ccbdbf Mon Sep 17 00:00:00 2001
+From: Christoph Steiger <christoph.steiger@siemens.com>
+Date: Mon, 8 Sep 2025 17:17:49 +0200
+Subject: [PATCH 1/1] Use old license description in pyproject.toml
+
+Older setuptools versions may require a different license field.
+
+Signed-off-by: Christoph Steiger <christoph.steiger@siemens.com>
+---
+ pyproject.toml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pyproject.toml b/pyproject.toml
+index cc34bdb..701da4a 100644
+--- a/pyproject.toml
++++ b/pyproject.toml
+@@ -22,7 +22,7 @@ maintainers = [
+ ]
+ description = "Generate SBOMs for Debian-based distributions."
+ readme = "README.md"
+-license = "MIT"
++license = {text = "MIT"}
+ classifiers = [
+   "Intended Audience :: Developers",
+   "Operating System :: POSIX :: Linux",
+-- 
+2.39.5
+
diff --git a/meta/recipes-support/python3-debsbom/files/rules b/meta/recipes-support/python3-debsbom/files/rules
new file mode 100644
index 00000000..a414114d
--- /dev/null
+++ b/meta/recipes-support/python3-debsbom/files/rules
@@ -0,0 +1,8 @@
+#!/usr/bin/make -f
+
+#export DH_VERBOSE = 1
+export PYBUILD_NAME = debsbom
+export PYBUILD_SYSTEM = pyproject
+
+%:
+	dh $@ --with python3 --buildsystem=pybuild
diff --git a/meta/recipes-support/python3-debsbom/python3-debsbom_0.3.0.bb b/meta/recipes-support/python3-debsbom/python3-debsbom_0.3.0.bb
new file mode 100644
index 00000000..6aec2429
--- /dev/null
+++ b/meta/recipes-support/python3-debsbom/python3-debsbom_0.3.0.bb
@@ -0,0 +1,45 @@
+# This software is a part of ISAR.
+# Copyright (c) Siemens, 2025
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+S = "${WORKDIR}/git"
+
+DEPENDS = "python3-spdx-tools"
+DEPENDS:append:bookworm = " python3-packageurl python3-cyclonedx-lib"
+DEPENDS:append:noble = " python3-packageurl python3-cyclonedx-lib"
+
+S = "${WORKDIR}/git"
+
+MAINTAINER = "Christoph Steiger <christoph.steiger@siemens.com>"
+DPKG_ARCH = "all"
+DEBIAN_BUILD_DEPENDS = "dh-python, \
+                        python3-all, \
+                        python3-setuptools, \
+                        pybuild-plugin-pyproject, \
+                        python3-packageurl, \
+                        python3-cyclonedx-lib, \
+                        python3-spdx-tools, \
+                        python3-debian, \
+                        python3-requests, \
+                        python3-zstandard, \
+                        "
+
+DEBIAN_DEPENDS = "python3-apt, \${python3:Depends}, \${misc:Depends}"
+
+DESCRIPTION = "debsbom generates SBOMs for Debian based distributions."
+
+SRC_URI = "git://github.com/siemens/debsbom.git;protocol=https;branch=main; \
+           file://rules \
+           file://0001-Use-old-license-description-in-pyproject.toml.patch \
+           "
+SRCREV = "477381cc46e9921cab6a0fd8e875fd409e9edafe"
+
+do_prepare_build[cleandirs] += "${S}/debian"
+do_prepare_build() {
+    deb_debianize
+}
-- 
2.51.0

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20251022153921.2494749-4-felix.moessbauer%40siemens.com.

[PATCH v3 04/10] meta: add SBOM generation with debsbom

['Felix Moessbauer' via isar-users]

From: Christoph Steiger <christoph.steiger@siemens.com>

Generate SBOMs for every rootfs that is created. These SBOMs are placed
in the image deploy directory.

For the generation a small chroot with debsbom installed is created and
from that the rootfs of the image is scanned.

The sbom generation is bound to the rootfs feature `generate-sbom`
which is activated per default now.

Signed-off-by: Christoph Steiger <christoph.steiger@siemens.com>
Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
 meta/classes/image.bbclass                    |  8 ++-
 meta/classes/initramfs.bbclass                |  3 +-
 meta/classes/rootfs.bbclass                   |  7 +-
 meta/classes/sbom.bbclass                     | 64 +++++++++++++++++++
 meta/classes/sdk.bbclass                      |  2 +-
 .../sbom-chroot/sbom-chroot.bb                | 30 +++++++++
 6 files changed, 110 insertions(+), 4 deletions(-)
 create mode 100644 meta/classes/sbom.bbclass
 create mode 100644 meta/recipes-devtools/sbom-chroot/sbom-chroot.bb

diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
index bd1b8552..220f5aa3 100644
--- a/meta/classes/image.bbclass
+++ b/meta/classes/image.bbclass
@@ -66,7 +66,13 @@ inherit multiarch
 inherit essential
 
 ROOTFSDIR = "${IMAGE_ROOTFS}"
-ROOTFS_FEATURES += "clean-package-cache clean-pycache generate-manifest export-dpkg-status clean-log-files clean-debconf-cache"
+ROOTFS_FEATURES += "clean-package-cache clean-pycache generate-manifest export-dpkg-status clean-log-files clean-debconf-cache generate-sbom"
+# only supported from bookworm / jammy on
+ROOTFS_FEATURES:remove:buster = "generate-sbom"
+ROOTFS_FEATURES:remove:bullseye = "generate-sbom"
+ROOTFS_FEATURES:remove:jammy = "generate-sbom"
+ROOTFS_FEATURES:remove:focal = "generate-sbom"
+
 # when using a custom initrd, do not generate one as part of the image rootfs
 ROOTFS_FEATURES += "${@ '' if d.getVar('INITRD_IMAGE') == '' else 'no-generate-initrd'}"
 ROOTFS_PACKAGES += "${IMAGE_PREINSTALL} ${@isar_multiarch_packages('IMAGE_INSTALL', d)}"
diff --git a/meta/classes/initramfs.bbclass b/meta/classes/initramfs.bbclass
index 658ef0ac..e9b66646 100644
--- a/meta/classes/initramfs.bbclass
+++ b/meta/classes/initramfs.bbclass
@@ -21,11 +21,12 @@ INITRAMFS_FULLNAME = "${PN}-${DISTRO}-${MACHINE}"
 # Bill-of-material
 ROOTFS_MANIFEST_DEPLOY_DIR = "${DEPLOY_DIR_IMAGE}"
 ROOTFS_PACKAGE_SUFFIX = "${INITRAMFS_FULLNAME}"
+SBOM_DISTRO_NAME:append = "-initramfs"
 
 DEPENDS += "${INITRAMFS_INSTALL}"
 
 ROOTFSDIR = "${INITRAMFS_ROOTFS}"
-ROOTFS_FEATURES = "generate-manifest"
+ROOTFS_FEATURES = "generate-manifest generate-sbom"
 ROOTFS_PACKAGES = "initramfs-tools ${INITRAMFS_PREINSTALL} ${INITRAMFS_INSTALL}"
 
 inherit rootfs
diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass
index 6413c057..13b04a8c 100644
--- a/meta/classes/rootfs.bbclass
+++ b/meta/classes/rootfs.bbclass
@@ -3,6 +3,8 @@
 
 inherit deb-dl-dir
 
+inherit sbom
+
 ROOTFS_ARCH ?= "${DISTRO_ARCH}"
 ROOTFS_DISTRO ?= "${DISTRO}"
 ROOTFS_PACKAGES ?= ""
@@ -450,6 +452,9 @@ cache_dbg_pkgs() {
     fi
 }
 
+# The sbom generator needs the apt-cache, hence run before cleaning it
+ROOTFS_POSTPROCESS_COMMAND += "${@bb.utils.contains('ROOTFS_FEATURES', 'generate-sbom', 'do_generate_sbom', '', d)}"
+
 ROOTFS_POSTPROCESS_COMMAND += "${@bb.utils.contains('ROOTFS_FEATURES', 'clean-package-cache', 'rootfs_postprocess_clean_package_cache', '', d)}"
 rootfs_postprocess_clean_package_cache() {
     sudo -E chroot '${ROOTFSDIR}' \
@@ -614,7 +619,7 @@ python do_rootfs() {
 }
 addtask rootfs before do_build
 
-do_rootfs_postprocess[depends] = "base-apt:do_cache isar-apt:do_cache_config"
+do_rootfs_postprocess[depends] = "base-apt:do_cache isar-apt:do_cache_config ${@bb.utils.contains('ROOTFS_FEATURES', 'generate-sbom', 'sbom-chroot:do_sbomchroot_deploy', '', d)}"
 
 SSTATETASKS += "do_rootfs_install"
 SSTATECREATEFUNCS += "rootfs_install_sstate_prepare"
diff --git a/meta/classes/sbom.bbclass b/meta/classes/sbom.bbclass
new file mode 100644
index 00000000..fd41296c
--- /dev/null
+++ b/meta/classes/sbom.bbclass
@@ -0,0 +1,64 @@
+# This software is a part of ISAR.
+# Copyright (C) 2025 Siemens
+#
+# SPDX-License-Identifier: MIT
+
+# sbom type to generate, accepted are "cdx" or "spdx"
+SBOM_TYPES ?= "spdx cdx"
+
+SBOM_DEBSBOM_TYPE_ARGS = "${@"-t " + " -t ".join(d.getVar("SBOM_TYPES").split())}"
+
+# general user variables
+SBOM_DISTRO_SUPPLIER ?= "ISAR"
+SBOM_DISTRO_NAME ?= "ISAR-Debian-GNU-Linux"
+SBOM_DISTRO_VERSION ?= "1"
+SBOM_DISTRO_SUMMARY ?= "Linux distribution built with ISAR"
+SBOM_BASE_DISTRO_VENDOR ??= "debian"
+SBOM_DOCUMENT_UUID ?= ""
+
+# SPDX specific user variables
+SBOM_SPDX_NAMESPACE_PREFIX ?= "https://spdx.org/spdxdocs"
+
+DEPLOY_DIR_SBOM = "${DEPLOY_DIR_IMAGE}"
+
+SBOM_DIR = "${DEPLOY_DIR}/sbom"
+SBOM_CHROOT = "${SBOM_DIR}/sbom-chroot"
+
+# adapted from the isar-cip-core image_uuid.bbclass
+def generate_document_uuid(d, warn_not_repr=True):
+    import uuid
+
+    base_hash = d.getVar("BB_TASKHASH")
+    if base_hash is None:
+        if warn_not_repr:
+            bb.warn("no BB_TASKHASH available, SBOM UUID is not reproducible")
+        return uuid.uuid4()
+    return str(uuid.UUID(base_hash[:32], version=4))
+
+def sbom_doc_uuid(d):
+    if not d.getVar("SBOM_DOCUMENT_UUID"):
+        d.setVar("SBOM_DOCUMENT_UUID", generate_document_uuid(d))
+
+generate_sbom() {
+    sudo mkdir -p ${SBOM_CHROOT}/mnt/rootfs ${SBOM_CHROOT}/mnt/deploy-dir
+
+    TIMESTAMP=$(date --iso-8601=s -d @${SOURCE_DATE_EPOCH})
+    bwrap \
+        --unshare-user \
+        --unshare-pid \
+        --bind ${SBOM_CHROOT} / \
+        --bind ${ROOTFSDIR} /mnt/rootfs \
+        --bind ${DEPLOY_DIR_SBOM} /mnt/deploy-dir \
+        -- debsbom -v generate ${SBOM_DEBSBOM_TYPE_ARGS} -r /mnt/rootfs -o /mnt/deploy-dir/'${PN}-${DISTRO}-${MACHINE}' \
+            --distro-name '${SBOM_DISTRO_NAME}' --distro-supplier '${SBOM_DISTRO_SUPPLIER}' \
+            --distro-version '${SBOM_DISTRO_VERSION}' --distro-arch '${DISTRO_ARCH}' \
+            --base-distro-vendor '${SBOM_BASE_DISTRO_VENDOR}' \
+            --cdx-serialnumber '${SBOM_DOCUMENT_UUID}' \
+            --spdx-namespace '${SBOM_SPDX_NAMESPACE_PREFIX}'-'${SBOM_DOCUMENT_UUID}' \
+            --timestamp $TIMESTAMP
+}
+
+python do_generate_sbom() {
+    sbom_doc_uuid(d)
+    bb.build.exec_func("generate_sbom", d)
+}
diff --git a/meta/classes/sdk.bbclass b/meta/classes/sdk.bbclass
index 00cae0da..d57269e5 100644
--- a/meta/classes/sdk.bbclass
+++ b/meta/classes/sdk.bbclass
@@ -47,7 +47,7 @@ SDK_PREINSTALL += " \
 ROOTFS_ARCH:class-sdk = "${HOST_ARCH}"
 ROOTFS_DISTRO:class-sdk = "${@get_rootfs_distro(d)}"
 ROOTFS_PACKAGES:class-sdk = "sdk-files ${SDK_TOOLCHAIN} ${SDK_PREINSTALL} ${@isar_multiarch_packages('SDK_INSTALL', d)}"
-ROOTFS_FEATURES:append:class-sdk = " clean-package-cache generate-manifest export-dpkg-status"
+ROOTFS_FEATURES:append:class-sdk = " clean-package-cache generate-manifest export-dpkg-status generate-sbom"
 ROOTFS_MANIFEST_DEPLOY_DIR:class-sdk = "${DEPLOY_DIR_SDKCHROOT}"
 ROOTFS_DPKGSTATUS_DEPLOY_DIR:class-sdk = "${DEPLOY_DIR_SDKCHROOT}"
 
diff --git a/meta/recipes-devtools/sbom-chroot/sbom-chroot.bb b/meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
new file mode 100644
index 00000000..58200382
--- /dev/null
+++ b/meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
@@ -0,0 +1,30 @@
+# This software is a part of ISAR.
+#
+# Copyright (C) 2025 Siemens
+
+LICENSE = "gpl-2.0"
+LIC_FILES_CHKSUM = "file://${LAYERDIR_core}/licenses/COPYING.GPLv2;md5=751419260aa954499f7abaabaa882bbe"
+
+PV = "1.0"
+
+inherit rootfs
+
+ROOTFS_ARCH = "${HOST_ARCH}"
+ROOTFS_DISTRO = "${@get_rootfs_distro(d)}"
+ROOTFS_BASE_DISTRO = "${HOST_BASE_DISTRO}"
+
+ROOTFS_FEATURES = "no-generate-initrd"
+ROOTFS_INSTALL_COMMAND:remove = "rootfs_restore_initrd_tooling"
+
+# additional packages for the SBOM chroot
+SBOM_IMAGE_INSTALL = "python3-debsbom"
+DEPENDS += "python3-debsbom"
+
+ROOTFSDIR = "${WORKDIR}/rootfs"
+ROOTFS_PACKAGES = "${SBOM_IMAGE_INSTALL}"
+
+do_sbomchroot_deploy[dirs] = "${SBOM_DIR}"
+do_sbomchroot_deploy() {
+    ln -Tfsr "${ROOTFSDIR}" "${SBOM_CHROOT}"
+}
+addtask do_sbomchroot_deploy before do_build after do_rootfs
-- 
2.51.0

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20251022153921.2494749-5-felix.moessbauer%40siemens.com.

[PATCH v3 05/10] override distro vendor in SBOM on Ubuntu

['Felix Moessbauer' via isar-users]

When generating an SBOM for Ubuntu, the vendor component of the PURL
needs to be ubuntu (instead of debian). We now set it accordingly.

Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
 meta-isar/conf/distro/ubuntu-common.inc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta-isar/conf/distro/ubuntu-common.inc b/meta-isar/conf/distro/ubuntu-common.inc
index f1e8a1d6..ffc41afe 100644
--- a/meta-isar/conf/distro/ubuntu-common.inc
+++ b/meta-isar/conf/distro/ubuntu-common.inc
@@ -45,3 +45,5 @@ SYSTEMD_BOOTLOADER_INSTALL:jammy = "systemd:${DISTRO_ARCH}"
 
 # snapshot mirror for reproducible builds
 DISTRO_APT_SNAPSHOT_PREMIRROR ??= "(http|https)://archive.ubuntu.com/(.*) https://snapshot.ubuntu.com/\2/${ISAR_APT_SNAPSHOT_DATE_INTERNAL}\n"
+
+SBOM_BASE_DISTRO_VENDOR ?= "ubuntu"
-- 
2.51.0

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20251022153921.2494749-6-felix.moessbauer%40siemens.com.

[PATCH v3 06/10] add support to add imager dependencies to BOM

['Felix Moessbauer' via isar-users]

Currently the imager dependencies which end up in the image are not
tracked in any BOM (e.g. the manifest file). As these cannot be
automatically derived from the IMAGER_INSTALL packages, we add a new
variable IMAGER_BOM that takes a list of binary packages which are
looked-up using dpkg-query during imaging and added to a local manifest.

Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
 doc/user_manual.md                         | 1 +
 meta/classes/image-tools-extension.bbclass | 7 +++++++
 meta/classes/image.bbclass                 | 6 ++++++
 3 files changed, 14 insertions(+)

diff --git a/doc/user_manual.md b/doc/user_manual.md
index 30d60d4c..2dd80101 100644
--- a/doc/user_manual.md
+++ b/doc/user_manual.md
@@ -455,6 +455,7 @@ Some other variables include:
  - `FILESEXTRAPATHS` - The default directories BitBake uses when it processes recipes are initially defined by the FILESPATH variable. You can extend FILESPATH variable by using FILESEXTRAPATHS.
  - `FILESOVERRIDES` - A subset of OVERRIDES used by the build system for creating FILESPATH. The FILESOVERRIDES variable uses overrides to automatically extend the FILESPATH variable.
  - `IMAGER_INSTALL` -  The list of package dependencies for an imager like wic.
+ - `IMAGER_BOM` - The list of packages that should be added to the image BOM (e.g. the bootloader). These packages must also be available in the imager rootfs.
 
 ---
 
diff --git a/meta/classes/image-tools-extension.bbclass b/meta/classes/image-tools-extension.bbclass
index 5e248f2e..65258a5a 100644
--- a/meta/classes/image-tools-extension.bbclass
+++ b/meta/classes/image-tools-extension.bbclass
@@ -20,6 +20,7 @@ SCHROOT_MOUNTS += "${REPO_ISAR_DIR}/${DISTRO}:/isar-apt"
 
 imager_run() {
     local_install="${@(d.getVar("INSTALL_%s" % d.getVar("BB_CURRENTTASK")) or '').strip()}"
+    local_bom="${@(d.getVar("BOM_%s" % d.getVar("BB_CURRENTTASK")) or '').strip()}"
 
     schroot_create_configs
     insert_mounts
@@ -70,6 +71,12 @@ EOAPT
 
     schroot -r -c ${session_id} "$@"
 
+    if [ -n "${local_bom}" ]; then
+        schroot -r -c ${session_id} -d / -- \
+            dpkg-query -W -f='${source:Package}|${source:Version}|${Package}:${Architecture}|${Version}\n' ${local_bom} > \
+        ${WORKDIR}/imager.manifest
+    fi
+
     schroot -e -c ${session_id}
 
     remove_mounts
diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
index 220f5aa3..cbedd787 100644
--- a/meta/classes/image.bbclass
+++ b/meta/classes/image.bbclass
@@ -190,6 +190,7 @@ python() {
 
     imager_install = set()
     imager_build_deps = set()
+    imager_bom = set()
     conversion_install = set()
     for bt in basetypes:
         local_imager_install = set()
@@ -220,6 +221,8 @@ python() {
             local_imager_install.add(dep)
         for dep in (d.getVar('IMAGER_BUILD_DEPS:' + bt_clean) or '').split():
             imager_build_deps.add(dep)
+        for dep in (d.getVar('IMAGER_BOM:' + bt_clean) or '').split():
+            imager_bom.add(dep)
 
         # construct image command
         image_cmd = localdata.getVar('IMAGE_CMD:' + bt_clean)
@@ -294,11 +297,14 @@ python() {
         bb.build.addtask(task, 'do_image', after, d)
 
         # set per type imager dependencies
+        d.setVar('BOM_image_%s' % bt_clean, d.getVar('IMAGER_BOM'))
+        d.appendVar('BOM_image_%s' % bt_clean, ' ' + ' '.join(sorted(imager_bom)))
         d.setVar('INSTALL_image_%s' % bt_clean, d.getVar('IMAGER_INSTALL'))
         d.appendVar('INSTALL_image_%s' % bt_clean, ' ' + ' '.join(sorted(local_imager_install | local_conversion_install)))
         d.appendVarFlag(task, 'vardeps', ' INSTALL_image_%s' % bt_clean)
 
     d.appendVar('IMAGER_INSTALL', ' ' + ' '.join(sorted(imager_install | conversion_install)))
+    d.appendVar('IMAGER_BOM', ' ' + ' '.join(sorted(imager_bom)))
     d.appendVar('IMAGER_BUILD_DEPS', ' ' + ' '.join(sorted(imager_build_deps)))
 }
 
-- 
2.51.0

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20251022153921.2494749-7-felix.moessbauer%40siemens.com.

[PATCH v3 07/10] wic: create uniform manifest describing all image components

['Felix Moessbauer' via isar-users]

A wic image consists of potentially many different components. All these
should be covered by a single BOM.

After creating the wic image, we collect the individual manifest files
(rootfs, initrd, imaging), deduplicate it and deploy it into the image
deploy dir (as .wic.manifest).

Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
 meta/classes/imagetypes_wic.bbclass | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/meta/classes/imagetypes_wic.bbclass b/meta/classes/imagetypes_wic.bbclass
index fb0b81a9..c75d481d 100644
--- a/meta/classes/imagetypes_wic.bbclass
+++ b/meta/classes/imagetypes_wic.bbclass
@@ -196,4 +196,9 @@ EOIMAGER
     sudo chown -R $(stat -c "%U" ${LAYERDIR_core}) ${LAYERDIR_core} ${LAYERDIR_isar} ${SCRIPTSDIR} || true
     sudo chown -R $(id -u):$(id -g) "${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.wic"*
     rm -rf ${IMAGE_ROOTFS}/../pseudo
+
+    cat ${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.manifest \
+        ${DEPLOY_DIR_IMAGE}/${INITRD_DEPLOY_FILE}.manifest \
+        ${WORKDIR}/imager.manifest 2>/dev/null \
+        | sort | uniq > "${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.wic.manifest"
 }
-- 
2.51.0

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20251022153921.2494749-8-felix.moessbauer%40siemens.com.

[PATCH v3 08/10] qemuamd64: add IMAGER_BOM entries

['Felix Moessbauer' via isar-users]

To give an example how to add components to the imager BOM, we set the
corresponding variable for the qemuamd64 target.

Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
 meta-isar/conf/machine/qemuamd64.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta-isar/conf/machine/qemuamd64.conf b/meta-isar/conf/machine/qemuamd64.conf
index 7d5987c6..8d0753a8 100644
--- a/meta-isar/conf/machine/qemuamd64.conf
+++ b/meta-isar/conf/machine/qemuamd64.conf
@@ -7,6 +7,7 @@ KERNEL_NAME ?= "amd64"
 
 IMAGE_FSTYPES ?= "wic"
 WKS_FILE ?= "sdimage-efi"
+IMAGER_BOM:wic += "${GRUB_BOOTLOADER_INSTALL}"
 IMAGER_INSTALL:wic += "${GRUB_BOOTLOADER_INSTALL}"
 
 QEMU_ARCH ?= "x86_64"
-- 
2.51.0

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20251022153921.2494749-9-felix.moessbauer%40siemens.com.

[PATCH v3 09/10] imager: create SBOM of IMAGER_BOM packages

['Felix Moessbauer' via isar-users]

This uses the same interface as the .manifest file, but adds the
packagse to an SBOM.

Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
 meta/classes/image-tools-extension.bbclass | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/meta/classes/image-tools-extension.bbclass b/meta/classes/image-tools-extension.bbclass
index 65258a5a..2576c5ef 100644
--- a/meta/classes/image-tools-extension.bbclass
+++ b/meta/classes/image-tools-extension.bbclass
@@ -75,6 +75,8 @@ EOAPT
         schroot -r -c ${session_id} -d / -- \
             dpkg-query -W -f='${source:Package}|${source:Version}|${Package}:${Architecture}|${Version}\n' ${local_bom} > \
         ${WORKDIR}/imager.manifest
+
+        ${@bb.utils.contains('ROOTFS_FEATURES', 'generate-sbom', 'generate_imager_sbom', '', d)}
     fi
 
     schroot -e -c ${session_id}
@@ -82,3 +84,23 @@ EOAPT
     remove_mounts
     schroot_delete_configs
 }
+
+generate_imager_sbom() {
+    TIMESTAMP=$(date --iso-8601=s -d @${SOURCE_DATE_EPOCH})
+    sbom_document_uuid="${@d.getVar('SBOM_DOCUMENT_UUID') or generate_document_uuid(d, False)}"
+    bwrap \
+        --unshare-user \
+        --unshare-pid \
+        --bind ${SBOM_CHROOT} / \
+        --bind $schroot_dir /mnt/rootfs \
+        --bind ${WORKDIR} /mnt/deploy-dir \
+        -- debsbom -vv generate ${SBOM_DEBSBOM_TYPE_ARGS} \
+            --from-pkglist -r /mnt/rootfs -o /mnt/deploy-dir/'${PN}-${DISTRO}-${MACHINE}-imager' \
+            --distro-name '${SBOM_DISTRO_NAME}-Imager' --distro-supplier '${SBOM_DISTRO_SUPPLIER}' \
+            --distro-version '${SBOM_DISTRO_VERSION}' --distro-arch '${DISTRO_ARCH}' \
+            --base-distro-vendor '${SBOM_BASE_DISTRO_VENDOR}' \
+            --cdx-serialnumber $sbom_document_uuid \
+            --spdx-namespace '${SBOM_SPDX_NAMESPACE_PREFIX}'-$sbom_document_uuid \
+            --timestamp $TIMESTAMP \
+    < ${WORKDIR}/imager.manifest
+}
-- 
2.51.0

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20251022153921.2494749-10-felix.moessbauer%40siemens.com.

[PATCH v3 10/10] wic: create uniform SBOM describing all image components

['Felix Moessbauer' via isar-users]

A wic image consists of potentially many different components. All these
should be covered by a single SBOM.

After creating the wic image, we collect the individual sbom files
(rootfs, initrd, imaging) and semantically merge it with the debsbom
tool. The merge SBOM is then deployed as .wic.(spdx|cdx).json next to
the wic image.

Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
 meta/classes/imagetypes_wic.bbclass | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/meta/classes/imagetypes_wic.bbclass b/meta/classes/imagetypes_wic.bbclass
index c75d481d..fe31e4e6 100644
--- a/meta/classes/imagetypes_wic.bbclass
+++ b/meta/classes/imagetypes_wic.bbclass
@@ -201,4 +201,29 @@ EOIMAGER
         ${DEPLOY_DIR_IMAGE}/${INITRD_DEPLOY_FILE}.manifest \
         ${WORKDIR}/imager.manifest 2>/dev/null \
         | sort | uniq > "${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.wic.manifest"
+
+    for bomtype in ${SBOM_TYPES}; do
+        merge_wic_sbom $bomtype
+    done
+}
+
+merge_wic_sbom() {
+    BOMTYPE="$1"
+    TIMESTAMP=$(date --iso-8601=s -d @${SOURCE_DATE_EPOCH})
+    sbom_document_uuid="${@d.getVar('SBOM_DOCUMENT_UUID') or generate_document_uuid(d, False)}"
+
+    cat ${IMAGE_FULLNAME}.${bomtype}.json \
+        ${INITRD_DEPLOY_FILE}.${bomtype}.json \
+        ${WORKDIR}/imager.${bomtype}.json 2>/dev/null | \
+    bwrap \
+        --unshare-user \
+        --unshare-pid \
+        --bind ${SBOM_CHROOT} / \
+        -- debsbom -v merge -t $BOMTYPE \
+            --distro-name '${SBOM_DISTRO_NAME}-Image' --distro-supplier '${SBOM_DISTRO_SUPPLIER}' \
+            --distro-version '${SBOM_DISTRO_VERSION}' --base-distro-vendor '${SBOM_BASE_DISTRO_VENDOR}' \
+            --cdx-serialnumber $sbom_document_uuid \
+            --spdx-namespace '${SBOM_SPDX_NAMESPACE_PREFIX}'-$sbom_document_uuid \
+            --timestamp $TIMESTAMP - -o - \
+     > ${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.wic.$bomtype.json
 }
-- 
2.51.0

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20251022153921.2494749-11-felix.moessbauer%40siemens.com.

RE: [PATCH v3 00/10] Add SBOM generation with debsbom

['Bouska, Zdenek' via isar-users]

Felix Moessbauer wrote on Sent: Wednesday, October 22, 2025 5:39 PM
> This patchset adds proper SBOM generation in the two standard formats
> SPDX and CycloneDX during the rootfs generation process.

I have two warnings when downloading based on generated sbom by
debsbom --progress download --outdir downloads --sources isar-image-base-debian-trixie-qemuamd64.wic.cdx.json

"WARNING:debsbom.download.resolver:no sha256 digest for linux-mainline@6.17.2+r0. Lookup will be imprecise"
I guess mainline kernel and other packages built from source are not yet fully supported. 
But SHA256 for sources with my patches could be computed in the future if I am not missing something. Right?
I understand, that I can't then look them up in Debian, but at least the SBOM
would represent the sources with the patches in the SHA256 and it would be possible to verify if I have correct sources.

"WARNING:debsbom.download.resolver:no sha256 digest for openssl@3.5.1-1+deb13u1. Lookup will be imprecise"
Not sure why SHA256 is missing in sbom for openssl. I use it without any change from trixie.

Thank you, I like it!
Zdenek Bouska

-- 
Siemens, s.r.o
Foundational Technologies

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/AS1PR10MB5675C516B1595B00485841F6EBF1A%40AS1PR10MB5675.EURPRD10.PROD.OUTLOOK.COM.

Re: [PATCH v3 00/10] Add SBOM generation with debsbom

['MOESSBAUER, Felix' via isar-users]

On Fri, 2025-10-24 at 08:33 +0000, Bouška, Zdeněk (FT D EU CZ PDS1 ICC
1) wrote:
> Felix Moessbauer wrote on Sent: Wednesday, October 22, 2025 5:39 PM
> > This patchset adds proper SBOM generation in the two standard formats
> > SPDX and CycloneDX during the rootfs generation process.
> 
> I have two warnings when downloading based on generated sbom by
> debsbom --progress download --outdir downloads --sources isar-image-base-debian-trixie-qemuamd64.wic.cdx.json
> 
> "WARNING:debsbom.download.resolver:no sha256 digest for linux-mainline@6.17.2+r0. Lookup will be imprecise"
> I guess mainline kernel and other packages built from source are not yet fully supported. 

Hi, this means that the package was not found in the apt-cache. Did you
try this series with a fresh build-dir (sstate cache is ok)?

Unfortunately our rootfs_postprocess_commands are not idempotent and by
that a partial rebuild of only the sbom infrastructure runs the debsbom
tool in an rootfs where the apt cache was already dropped.

Anyways, the debsbom tool also supports the custom / rebuilt packages,
but these will simply not be found on the snapshot mirror. The error
above indicates, that precise information in the SBOM is missing -
indicating that the apt cache was missing at time of creating the sbom.

> But SHA256 for sources with my patches could be computed in the future if I am not missing something. Right?
> I understand, that I can't then look them up in Debian, but at least the SBOM
> would represent the sources with the patches in the SHA256 and it would be possible to verify if I have correct sources.
> 
> "WARNING:debsbom.download.resolver:no sha256 digest for openssl@3.5.1-1+deb13u1. Lookup will be imprecise"
> Not sure why SHA256 is missing in sbom for openssl. I use it without any change from trixie.

This time, the warning comes from a package created from a built_using
relation which is not in the apt-cache. I observed the same in a
bookworm container (where I ran an apt-update before). Unfortunately,
the built-using relation does not encode any checksums, but we also
have no easy way to annotate that a package was created from a
built_using relation.

This topic is currently also discussed in [1]. Citing:

 Source packages referenced in built_using only have name and version
 information, but no checksum (and they often cannot be found in  the 
 apt cache)

 Yeah, that feels bad in the abstract. A lot of .buildinfo and
 built-using information (and the signature!) is only valid at the
 point in time of building/ingestion. 

[1] https://lists.debian.org/debian-snapshot/2025/10/msg00004.html

Best regards,
Felix

> 
> Thank you, I like it!
> Zdenek Bouska
> 
> -- 
> Siemens, s.r.o
> Foundational Technologies

-- 
Siemens AG
Linux Expert Center
Friedrich-Ludwig-Bauer-Str. 3
85748 Garching, Germany

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/5762df73039c652fd3a0d82b012361d76e1b104c.camel%40siemens.com.

RE: [PATCH v3 00/10] Add SBOM generation with debsbom

['Bouska, Zdenek' via isar-users]

> This patchset adds proper SBOM generation in the two standard formats
> SPDX and CycloneDX during the rootfs generation process.

I compared wic.manifest and wic.cdx and here are the differences:

$ grep arch=source isar-image-base-debian-trixie-qemuamd64.wic.cdx.json \
| tr -d ' ' |  sed 's/"[a-z]*":'// | sort -u | cut -d '/' -f 3 | cut -d '?' -f 1 | tr '@' '|' \
| sed 's/%2B/+/' | sort -u > list_from_cdx.txt
$ cat isar-image-base-debian-trixie-qemuamd64.wic.manifest | cut -d '|' -f 1,2 | sort -u > list_from_manifest.txt
$ diff list_from_manifest.txt list_from_cdx.txt
34d33
< grub2|2.12-9
71a71,76
> rust-buffered-reader|1.3.1-2
> rustc|1.85.0+dfsg3-1
> rust-nettle|7.3.0-1
> rust-nettle-sys|2.3.1-1
> rust-sequoia-openpgp|2.0.0-2
> rust-sequoia-policy-config|0.8.0-1
80a86
> unicode-data|15.1.0-1

At least grub should be in wic.cdx.

I am not sure about components which are not in manifest but are in wic.cdx. 

Zdenek Bouska

-- 
Siemens, s.r.o
Foundational Technologies

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/AS1PR10MB5675AB0DA90554B46AC129C2EBF1A%40AS1PR10MB5675.EURPRD10.PROD.OUTLOOK.COM.

Re: [PATCH v3 00/10] Add SBOM generation with debsbom

['MOESSBAUER, Felix' via isar-users]

On Fri, 2025-10-24 at 09:37 +0000, Bouška, Zdeněk (FT D EU CZ PDS1 ICC
1) wrote:
> > This patchset adds proper SBOM generation in the two standard formats
> > SPDX and CycloneDX during the rootfs generation process.
> 
> I compared wic.manifest and wic.cdx and here are the differences:
> 
> $ grep arch=source isar-image-base-debian-trixie-qemuamd64.wic.cdx.json \
> | tr -d ' ' |  sed 's/"[a-z]*":'// | sort -u | cut -d '/' -f 3 | cut -d '?' -f 1 | tr '@' '|' \
> | sed 's/%2B/+/' | sort -u > list_from_cdx.txt
> $ cat isar-image-base-debian-trixie-qemuamd64.wic.manifest | cut -d '|' -f 1,2 | sort -u > list_from_manifest.txt
> $ diff list_from_manifest.txt list_from_cdx.txt
> 34d33
> < grub2|2.12-9
> 71a71,76
> > rust-buffered-reader|1.3.1-2
> > rustc|1.85.0+dfsg3-1
> > rust-nettle|7.3.0-1
> > rust-nettle-sys|2.3.1-1
> > rust-sequoia-openpgp|2.0.0-2
> > rust-sequoia-policy-config|0.8.0-1
> 80a86
> > unicode-data|15.1.0-1
> 
> At least grub should be in wic.cdx.

Yes, definitely. At least in my SPDX SBOM this is listed (need to
create a CDX one). Are you sure your bash magic is right? The purl is
likely:
pkg:deb/debian/grub2@2.12-9?arch=source

> 
> I am not sure about components which are not in manifest but are in wic.cdx. 

These are components created from the built-using relation. They are
not tracked in the manifest.

Felix

> 
> Zdenek Bouska
> 
> -- 
> Siemens, s.r.o
> Foundational Technologies

-- 
Siemens AG
Linux Expert Center
Friedrich-Ludwig-Bauer-Str. 3
85748 Garching, Germany

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/94f9f4ed78522343bcc4d999d84d3894f3086e31.camel%40siemens.com.

RE: [PATCH v3 00/10] Add SBOM generation with debsbom

['Bouska, Zdenek' via isar-users]

> Yes, definitely. At least in my SPDX SBOM this is listed (need to
> create a CDX one). Are you sure your bash magic is right?

Grub is not in SBOMs even if I look for it by text search.

Reproduce:

$ cat trixie_amd64.yml
header:
  version: 14

build_system: isar

machine: qemuamd64
distro: debian-trixie

target: mc:qemuamd64-trixie:isar-image-base

repos:
  isar:
    path: isar
    layers:
      meta:
      meta-isar:

sudo rm -rf tmp/trixie_amd64_wic
mkdir -p tmp/trixie_amd64_wic
cd tmp/trixie_amd64_wic
git clone https://github.com/ilbers/isar.git
cd isar
git checkout next
git am ../../../isar-v3-Add-SBOM-generation-with-debsbom.patch
cd ..
isar/kas/kas-container --runtime-args --net=host build ../../trixie_amd64.yml
grep grub build/tmp/deploy/images/qemuamd64/isar-image-base-debian-trixie-qemuamd64.wic.cdx.json
grep grub build/tmp/deploy/images/qemuamd64/isar-image-base-debian-trixie-qemuamd64.wic.spdx.json
grep grub build/tmp/deploy/images/qemuamd64/isar-image-base-debian-trixie-qemuamd64.wic.manifest


I still got these SHA256 warnings, same as with custom kernel:

$ debsbom download --outdir downloads --sources tmp/trixie_amd64_wic/build/tmp/deploy/images/qemuamd64/isar-image-base-debian-trixie-qemuamd64.wic.cdx.json
WARNING:debsbom.download.resolver:no sha256 digest for linux@6.12.48-1. Lookup will be imprecise
WARNING:debsbom.download.resolver:no sha256 digest for linux-signed-amd64@6.12.48+1. Lookup will be imprecise
WARNING:debsbom.download.resolver:no sha256 digest for openssl@3.5.1-1+deb13u1. Lookup will be imprecise
downloading 232 files, 545 MiB (cached: 0, 0 KiB)

> Hi, this means that the package was not found in the apt-cache. Did you
> try this series with a fresh build-dir (sstate cache is ok)?
>
Warnings with custom patched kernel are these. Now I made sure, that I deleted build dir:
WARNING:debsbom.download.resolver:no sha256 digest for linux-mainline@6.17.2+r0. Lookup will be imprecise
WARNING:debsbom.commands.download:not found upstream: linux-mainline@6.17.2+r0  <- this is expected 
WARNING:debsbom.download.resolver:no sha256 digest for openssl@3.5.1-1+deb13u1. Lookup will be imprecise

Zdenek Bouska

-- 
Siemens, s.r.o
Foundational Technologies

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/AS1PR10MB5675F15271BD5D53AF21125FEBFCA%40AS1PR10MB5675.EURPRD10.PROD.OUTLOOK.COM.

Re: [PATCH v3 00/10] Add SBOM generation with debsbom

['MOESSBAUER, Felix' via isar-users]

On Mon, 2025-10-27 at 07:54 +0000, Bouška, Zdeněk (FT D EU CZ PDS1 ICC
1) wrote:
> > Yes, definitely. At least in my SPDX SBOM this is listed (need to
> > create a CDX one). Are you sure your bash magic is right?
> 
> Grub is not in SBOMs even if I look for it by text search.
> 
> Reproduce:
> 
> $ cat trixie_amd64.yml
> header:
>   version: 14
> 
> build_system: isar
> 
> machine: qemuamd64
> distro: debian-trixie
> 
> target: mc:qemuamd64-trixie:isar-image-base
> 
> repos:
>   isar:
>     path: isar
>     layers:
>       meta:
>       meta-isar:
> 
> 

Thanks for insisting on this. I found the bug. It was a simple glitch
in the naming of the imager SBOM which apparently slipped in while
refactoring. The following patch fixes it (will be fixed in the v4 as
well):

diff --git a/meta/classes/image-tools-extension.bbclass
b/meta/classes/image-tools-extension.bbclass
index bfdb8a35..95f003d0 100644
--- a/meta/classes/image-tools-extension.bbclass
+++ b/meta/classes/image-tools-extension.bbclass
@@ -93,7 +93,7 @@ generate_imager_sbom() {
         --bind $schroot_dir /mnt/rootfs \
         --bind ${WORKDIR} /mnt/deploy-dir \
         -- debsbom -vv generate ${SBOM_DEBSBOM_TYPE_ARGS} \
-            --from-pkglist -r /mnt/rootfs -o /mnt/deploy-dir/'${PN}-
${DISTRO}-${MACHINE}-imager' \
+            --from-pkglist -r /mnt/rootfs -o /mnt/deploy-dir/imager \
             --distro-name '${SBOM_DISTRO_NAME}-Imager' --distro-
supplier '${SBOM_DISTRO_SUPPLIER}' \
             --distro-version '${SBOM_DISTRO_VERSION}' --distro-arch
'${DISTRO_ARCH}' \
             --base-distro-vendor '${SBOM_BASE_DISTRO_VENDOR}' \


> 
> 
> I still got these SHA256 warnings, same as with custom kernel:
> 
> $ debsbom download --outdir downloads --sources tmp/trixie_amd64_wic/build/tmp/deploy/images/qemuamd64/isar-image-base-debian-trixie-qemuamd64.wic.cdx.json
> WARNING:debsbom.download.resolver:no sha256 digest for linux@6.12.48-1. Lookup will be imprecise
> WARNING:debsbom.download.resolver:no sha256 digest for linux-signed-amd64@6.12.48+1. Lookup will be imprecise
> WARNING:debsbom.download.resolver:no sha256 digest for openssl@3.5.1-1+deb13u1. Lookup will be imprecise
> downloading 232 files, 545 MiB (cached: 0, 0 KiB)
> 
> > Hi, this means that the package was not found in the apt-cache. Did you
> > try this series with a fresh build-dir (sstate cache is ok)?
> > 
> Warnings with custom patched kernel are these. Now I made sure, that I deleted build dir:
> WARNING:debsbom.download.resolver:no sha256 digest for linux-mainline@6.17.2+r0. Lookup will be imprecise
> WARNING:debsbom.commands.download:not found upstream: linux-mainline@6.17.2+r0  <- this is expected 
> WARNING:debsbom.download.resolver:no sha256 digest for openssl@3.5.1-1+deb13u1. Lookup will be imprecise

All these warnings are from built-using (except maybe for
linux-mainline@6.17.2+r0). We discussed the topic upstream with the
reproducible builds people [1] and finally came to the conclusion, that
a name+version tuple is sufficient to identify a package (at least for
the content of the package, the signature still needs clarification).
By that, we will downgrade that warning to a info message (and add some
explantaion to the documentation) [2].

[1] https://github.com/siemens/debsbom/pull/112
[2] https://lists.debian.org/debian-devel/2025/10/msg00236.html

Best regards,
Felix

> 
> Zdenek Bouska
> 
> -- 
> Siemens, s.r.o
> Foundational Technologies

-- 
Siemens AG
Linux Expert Center
Friedrich-Ludwig-Bauer-Str. 3
85748 Garching, Germany

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/bc0005f268b05309fb135f037c010d316f1ad08d.camel%40siemens.com.