From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from shymkent.ilbers.de ([unix socket]) by shymkent (Cyrus 2.5.10-Debian-2.5.10-3+deb9u2) with LMTPA; Mon, 09 Feb 2026 15:36:27 +0100 X-Sieve: CMU Sieve 2.4 Received: from mail-lf1-f60.google.com (mail-lf1-f60.google.com [209.85.167.60]) by shymkent.ilbers.de (8.15.2/8.15.2/Debian-8+deb9u1) with ESMTPS id 619EaQm8007646 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 9 Feb 2026 15:36:27 +0100 Received: by mail-lf1-f60.google.com with SMTP id 2adb3069b0e04-59de4460e35sf1434255e87.3 for ; Mon, 09 Feb 2026 06:36:27 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1770647781; cv=pass; d=google.com; s=arc-20240605; b=bNIzOzQ+K/VIDDWTVy7f7VX8x6dFHuphd7sM7KSJww++A6QXPu1Vl1+XhVtfKtFCZ/ dtBL00A/Ulh78MM+7P/QDGZZdO5tqDRNsUQegnfgeDRkJtuMaRy1M/ExtRoY69AwZ5dr 1hKq85emQ6ZJWl+oCN7o6kgGHv/wWcL/ROgO9tHwyiH45aM7237hd5XR6nt9X21Exa+l nE8OEPRecdz3I8JqIbGOK8OrCNZbmb7Gxnbi4GWEerJ2A+JGmx1oKdAHINVFaJL/jAHe OS1+T+1fOFKI6mjh4U5283yaor9o4V3qCG+sObtCC/XXh32ibBhPHtVFcrim2FB9qQ0F jnVA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id :sender:dkim-signature; bh=Yl7rjXl+I1rMp2NPi586hiYTGP7/9MrESyseFMt8lmw=; fh=KPHVrsKR4/bzHijta8zkK3IL/RMFbijC4b11A/k2iQE=; b=FUi9D1krOvw5Kq4GGwMCXdCHZ3cZtrYfU8HKx1Cc6WdUkuHl9y3SJteKn5wzNhPpt8 /YD0PGfS0s9E+C/CX0w6fVTxDbua0SsBcJ0oYYRdNESllQmv6fh+KbGfZfDldg4I8Zeu RDXbcwblL1N2vPYI2MtwIslcm4FoI84XCA27ft/dLG44q+DexoajPCe734L95eEW1aW/ Q0Tfx4m3IISZY2CZby0b0QFuxA50OFh3p64vlMfk6lCM51mImVnALObx+3fT76o4UJz5 DnMyek4+he7NhWnaN+vqnu0uLOO4EWWtaDFL1cDo2zSiJnGiBZcENC/0vbkuuSBtqVG0 9FTg==; darn=ilbers.de ARC-Authentication-Results: i=2; gmr-mx.google.com; spf=pass (google.com: domain of wzh@ilbers.de designates 85.214.156.166 as permitted sender) smtp.mailfrom=wzh@ilbers.de DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20230601; t=1770647781; x=1771252581; darn=ilbers.de; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:in-reply-to:from:content-language:references:cc :to:subject:user-agent:mime-version:date:message-id:sender:from:to :cc:subject:date:message-id:reply-to; bh=Yl7rjXl+I1rMp2NPi586hiYTGP7/9MrESyseFMt8lmw=; b=kufVtRHIk70Uv7+ETEMN3VlS1ZZx0Mw0SsAC5Kawp7YW0WF2BGNXeCSOs2OCmpNuQR CGoS46AUvyYR0c1b6wbeBZWWglKi72uhRiB6icVKUrELdiZ2NPhNpZKqO357mqocQRJN 2cQMkLNj2+CD697ZQQGtG/sQkZYo2SSqEfNXEpzBJsgoLVQLHZ778rrIzCdes802cWe+ C/dPtJdf+U9opVwi+1NSxtzAVdGtwrzI84u4Ec20xFwSdQF1J+mvmpqJSA11rZlNQo3V x7dmOUgudPeSm7u3+8bUW7CnFDa1rTXrVszb6NoEMo/Io2Wh6dQ5X4unW2Oa8+T5Cl37 ROBg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1770647781; x=1771252581; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :x-spam-checked-in-group:list-id:mailing-list:precedence :x-original-authentication-results:x-original-sender:in-reply-to :from:content-language:references:cc:to:subject:user-agent :mime-version:date:message-id:x-beenthere:x-gm-message-state:sender :from:to:cc:subject:date:message-id:reply-to; bh=Yl7rjXl+I1rMp2NPi586hiYTGP7/9MrESyseFMt8lmw=; b=TT44ELYJ0/QcqLKR2Rg+VmZ2dWisimpeXbzg3D5wxCECfuFscfGxBD3U6TVray1TJs K9onHn6zuEYsJt4Gq2AxPEg/Va2Dnqz0iAvE8Mr1xnq6DImhdmmCpAkNo0cQIDy5/os4 bMWx8xlEu00E575dQYiZhaz8nX+CrlToOTljkEpabmqohGl4C0L+qU+qfF5BU9Ijgczi WoazwXNdmNX2RQCUXyVJPO1YMraFfoKGZdhJ23RXU18KjoWQ+sapD2wUFXhXMvkgtzq+ +bZSyPd26eBprEWhT/z1XG5GVp7bYuZL9r7V9BnpJhLH/xh02NYx9GQndmD5pSMD5F8l Y+KA== Sender: isar-users@googlegroups.com X-Forwarded-Encrypted: i=2; AJvYcCU2pzbufOUwynZIjiwZkNgtHk63+rfafyr2rbwOSSzvpEJ9/spkHzEqmaDqK1AybiRuPPlK@ilbers.de X-Gm-Message-State: AOJu0YxKE8EAc6m9PXPC9MEMKaCfLM3UnkoqQ3idBqrK8Vogf+LwNw7k EukhwbUCGfcw4qXtqcTxZRvadJlJ12wU23XfZnXaofKNK0CSl5W/FNjB X-Received: by 2002:a05:6512:2388:b0:59e:16c8:98ed with SMTP id 2adb3069b0e04-59e4504e4f5mr3972781e87.17.1770647780896; Mon, 09 Feb 2026 06:36:20 -0800 (PST) X-BeenThere: isar-users@googlegroups.com; h="AV1CL+GUVYYRi0XngVM6VMDWr68+4GKBA7UojW1B8jc7HBZv9g==" Received: by 2002:a05:6512:2215:b0:59b:6a98:7132 with SMTP id 2adb3069b0e04-59e3c47e656ls539227e87.2.-pod-prod-05-eu; Mon, 09 Feb 2026 06:36:18 -0800 (PST) X-Forwarded-Encrypted: i=2; AJvYcCUmNlxFm3B8fbRjgf9Jbpv/0J/N7Iohu04ZphUBk7l0PT9VQdRqxVfhMjOMX55B+80TduuAqpSBnyPS@googlegroups.com X-Received: by 2002:a05:6512:3044:b0:59d:f473:aa8e with SMTP id 2adb3069b0e04-59e451582cfmr4034823e87.27.1770647778125; Mon, 09 Feb 2026 06:36:18 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1770647778; cv=none; d=google.com; s=arc-20240605; b=DUS2xiJJ2oKTTsD114+q08jkYFimeFNiiDLWD0WkQ2qrBvtUD7Ts3/Cv96gfV8X9rV HGOFiPFIn2fVwbcoAfMk++4L6o0ZkuU46IvlEpv+SVzqEV+gGFOuuvM96gWomG5Yr8Y2 j3Cddmqcum68zX/6wNoSZDSqQlukeGzOgtn7p08wo4EntM/HEOn/uo2opP634sFlQvTy MNdZu3+okKZueF8pF8ZM1bM1m5FmKcDdjRjLJOh+w2BUJDVmJvu1jyfVLH07KDn8SwBS Smx6lMnL174/aAc8+bj0Cks70Qii91qPYGj5ecWV62iEichl1kGW5CiZV6XGSlJI5koO ATJg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id; bh=rKWV8Ts2JGUjajpVwGEmQpOrqH+iTDDpHtk41rawlnA=; fh=Soc8cThCfbwUm5MQWM0KoS2YCC47Di1J40Bg94tdTXo=; b=V39Dkr20qn+1LKUDkVihulIQCIsOnML2V+aPDBHA+zX/hTm0LeTOSPNR1q3obCflWf lPaqD7+Xtv2ZbqJOs/rylUL8rhf8TC7oM7u/X9fU5SjaGYf+fsYwMA3lcQiPlsf6H/rN DQdwTs75pg7OKfa9+TSbuT/ry4RflYY6vuKM1qyLzzm4lW2zyqisl38iwGcym5GGQ2Mf dDQwrqBtAhFKG/kvZP1de0xGdLohkeI68jQPmkMTo8vOcbGOrljTEfenkBQrDptdC8f+ E2s2na+upNk++Pssc4ThAvAwqUzw89xuBAk1KCBDjXObRKsnGtDWtPIcZtxZqDMJCCHe HIEg==; dara=google.com ARC-Authentication-Results: i=1; gmr-mx.google.com; spf=pass (google.com: domain of wzh@ilbers.de designates 85.214.156.166 as permitted sender) smtp.mailfrom=wzh@ilbers.de Received: from shymkent.ilbers.de (shymkent.ilbers.de. [85.214.156.166]) by gmr-mx.google.com with ESMTPS id 2adb3069b0e04-59e44d1b6e4si224019e87.8.2026.02.09.06.36.17 for (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256); Mon, 09 Feb 2026 06:36:18 -0800 (PST) Received-SPF: pass (google.com: domain of wzh@ilbers.de designates 85.214.156.166 as permitted sender) client-ip=85.214.156.166; Received: from [192.168.178.117] ([88.130.203.42]) (authenticated bits=0) by shymkent.ilbers.de (8.15.2/8.15.2/Debian-8+deb9u1) with ESMTPSA id 619EaB79007634 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 9 Feb 2026 15:36:16 +0100 Message-ID: Date: Mon, 9 Feb 2026 15:36:11 +0100 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH v8 0/7] Add SBOM generation with debsbom To: Felix Moessbauer , isar-users@googlegroups.com Cc: christoph.steiger@siemens.com, cedric.hombourger@siemens.com, jan.kiszka@siemens.com, quirin.gylstorff@siemens.com, stefan-koch@siemens.com References: <20260206114054.3010883-1-felix.moessbauer@siemens.com> Content-Language: en-US From: Zhihang Wei In-Reply-To: <20260206114054.3010883-1-felix.moessbauer@siemens.com> Content-Type: text/plain; charset="UTF-8"; format=flowed X-Spam-Status: No, score=-4.6 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_EF,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H2, RCVD_IN_RP_CERTIFIED,RCVD_IN_RP_RNBL,RCVD_IN_RP_SAFE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on shymkent.ilbers.de X-Original-Sender: wzh@ilbers.de X-Original-Authentication-Results: gmr-mx.google.com; spf=pass (google.com: domain of wzh@ilbers.de designates 85.214.156.166 as permitted sender) smtp.mailfrom=wzh@ilbers.de Precedence: list Mailing-list: list isar-users@googlegroups.com; contact isar-users+owners@googlegroups.com List-ID: X-Spam-Checked-In-Group: isar-users@googlegroups.com X-Google-Group-Id: 914930254986 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-TUID: 58RTizj0QEOH On 2/6/26 12:40, 'Felix Moessbauer' via isar-users wrote: > This patchset adds proper SBOM generation in the two standard formats > SPDX and CycloneDX during the rootfs generation process. > > The generation is itself is handled by a SBOM generator `debsbom` [1] > which is developed as an open source project at Siemens. It is still > early in development, but it has enough features for what we require > in isar. The required dependencies which are not yet available as > Debian packages were minimally packaged directly in isar too. > > This is a followup of the previous RFC [2]. Since then the series has > changed a lot. The SBOM generation was moved from a simple OE lib to > `debsbom`. This also meant the introduction of a separate chroot was > necessary. The SBOM generation process was also moved from the image > step to the rootfs step, along with a lot of minor changes and > improvements. > > [1] https://github.com/siemens/debsbom > [2] https://groups.google.com/g/isar-users/c/8L-CF4BJY0I/m/p0N3o_zfAAAJ > > Changes since v7: > > - update debsbom to 0.6.1 > - fix various errors on merging rootfs + initrd + imager sboms > (as I'm now able to execute the testsuite, I was able to test this on > DevTest and CrossTest) > - move testsuite adoption to p3 to make change atomic > - only merge sboms if sbom generation is enabled for image rootfs > > Changes since v6: > > - fixed imager bom failure on transitive image types (detected in isar-cip, > wic -> squashfs). > - updated debsbom to 0.6.0+git > - add support for license information > - rebased onto next > > Note: I'm still not able to run the full testsuite. The related patches > to cleanup the testsuite are pending on the list for quite some time. I > did some extensive local testing with isar-cip core and product layers, > but any additional testing is highly welcome. > > Changes since v5: > > - fix isar-image-ci on qemuamd64-bullseye (set IMAGER_BOM according to > machine changes made in image file) > - rebased onto next > > Changes since v4: > > - rebased onto next > - fix race condition on creation of ${DEPLOY_DIR_SBOM} (aka ${DEPLOY_DIR_IMAGE}) > > Changes since v3: > > - fix issue on external bullseye initramfs (we now disable sbom generation > on all unsupported distros rootfs instances) > - update debsbom to v0.4.0 > - rebased onto next > > Changes since v2: > > - fix issues when HOST_ARCH != DISTRO_ARCH on derived distributions > - update debsbom to v0.3.0, which fixes the Origin: bug reported in v2 > - generate SBOM for imager as well and create merged sbom of .wic image > - resend imager manifest + wic manifest patches to reduce conflicts > > Note, that the patches p1-p5 are most important as they add basic SBOM > support. The remaining patches address the imager + .wic bom part, > which also can be merged later on. > > Changes since v1: > > - remove tarball > - refactor packaging (auto-derive python dependencies) > - only build missing packages (varies on bookworm, trixie, noble) > - add ubuntu support > - only generate sboms for supported distributions (bookworm/jammy and > onwards) > - update debsbom (includes bug fixes and more information for source > packages) > > Felix Moessbauer (7): > debsbom: update to version 0.6.1 > feat: add license information to SBOM as well > add support to add imager dependencies to BOM > wic: create uniform manifest describing all image components > qemuamd64: add IMAGER_BOM entries > imager: create SBOM of IMAGER_BOM packages > wic: create uniform SBOM describing all image components > > doc/user_manual.md | 1 + > meta-isar/conf/machine/qemuamd64.conf | 1 + > .../recipes-core/images/isar-image-ci.bb | 1 + > .../image-tools-extension.bbclass | 29 +++++++++++++++++ > meta/classes-recipe/image.bbclass | 9 ++++++ > meta/classes-recipe/imagetypes_wic.bbclass | 32 +++++++++++++++++++ > meta/classes/sbom.bbclass | 3 +- > ...sbom_0.5.1.bb => python3-debsbom_0.6.1.bb} | 3 +- > 8 files changed, 77 insertions(+), 2 deletions(-) > rename meta/recipes-support/python3-debsbom/{python3-debsbom_0.5.1.bb => python3-debsbom_0.6.1.bb} (91%) > v8 has passed CI. I'll wait until tomorrow morning to apply it, just in case of more comments. Zhihang -- You received this message because you are subscribed to the Google Groups "isar-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/isar-users/ceaa3275-421f-4171-9aec-9a181739d1b9%40ilbers.de.