From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from shymkent.ilbers.de ([unix socket]) by shymkent (Cyrus 2.5.10-Debian-2.5.10-3+deb9u2) with LMTPA; Mon, 15 Dec 2025 08:36:00 +0100 X-Sieve: CMU Sieve 2.4 Received: from mail-pf1-f188.google.com (mail-pf1-f188.google.com [209.85.210.188]) by shymkent.ilbers.de (8.15.2/8.15.2/Debian-8+deb9u1) with ESMTPS id 5BF7Zxpm016106 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 15 Dec 2025 08:36:00 +0100 Received: by mail-pf1-f188.google.com with SMTP id d2e1a72fcca58-7b8a12f0cb4sf3873740b3a.3 for ; Sun, 14 Dec 2025 23:36:00 -0800 (PST) ARC-Seal: i=3; a=rsa-sha256; t=1765784153; cv=pass; d=google.com; s=arc-20240605; b=QeJei2zuqvYazE6Wk+UG/DML4YzwsbcxyNMPM4Od89xi+JIv5XcXVltIWMg1tNJBoP qCaKwLnFgcbcdCBXByY8Tq9DEGx7QBvsVnNXgslE6eTYG1qqN6meJRyj1WOos3psj6iL vZ7J43eW+wGYUbIQ80209+Kl9wQafmIjNEOJBsFkbi3ImmBgLdTtZb/9BrBbGR533mzP KRlEHp9hIbWEZ1fdcO2fZdYnBd9Je7ziLidbAjBvn6XCuesFD50KVjBCSYBk1lxPGegk gHNBeqLWDw2AC2qyH4ngLOKnmy7nxRgK/7tufxIPoQ0XtjH1RGrEekZwF6wEzy6tY2hU eRIQ== ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to:mime-version:content-id :user-agent:content-language:accept-language:in-reply-to:references :message-id:date:thread-index:thread-topic:subject:cc:to:from :dkim-signature; bh=TtQFi90m/Lyy0XO6vJZHUX3+1rRmpFgaicjKgGu3qA0=; fh=hWdoXoRs6eVlZYiqJelJh1w5MVRbLGqP4DDgz+3zEf0=; b=bnAH5fQQlsnZXG9wYOEyU6hgBVaQXmb0aIVIPjTUDID8UK1FN5I+vNFeuj6E0dhdxB oxmegguyRQYsRxPpSm4/SRA9E6rBNCM6dhxvAaTpL6+3rS3l+wYzWBtv8o54gzAF8vuX LSjEKzbLQ0QHfim8tUzq56NjuYHeVpPPTAXiDEkTSAC8ApocCWUSzc/Ie1k49Lx1P+st yGa3ZxslodL+Oufmrz8fVHUfKJ0AHe6q71qTDtIk9blxK1irNAhH5SZW4e+BvyFWA9ud B8Mlv2yeoif0PkWYUGJlyKZ6a3kkmY1ZK3l3XwwN1zfOL19Szr+TS8CpaQTI5HS/Ilzt XeYg==; darn=ilbers.de ARC-Authentication-Results: i=3; gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=selector2 header.b=jjQ6Zsru; arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com); spf=pass (google.com: domain of felix.moessbauer@siemens.com designates 2a01:111:f403:c201::1 as permitted sender) smtp.mailfrom=felix.moessbauer@siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20230601; t=1765784153; x=1766388953; darn=ilbers.de; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:mime-version :content-id:user-agent:content-language:accept-language:in-reply-to :references:message-id:date:thread-index:thread-topic:subject:cc:to :from:from:to:cc:subject:date:message-id:reply-to; bh=TtQFi90m/Lyy0XO6vJZHUX3+1rRmpFgaicjKgGu3qA0=; b=tPKt51Ey6dls5JdUjEPbYvu4iRioq3CPRDHGNvFL2MaO1iL7PQ3c6/JQir4xwPBAxv RLahZkCyiXI5yp3TWF9eUUeGIWN+m5T2INPaXaWVDsduzVDMM9QuFnvwaAJ+elpZi9Dp 6mvVAMgueCxOyrNFOtZ7jPam1YTNOs+e2HK784S5aJrwG6DLM5RSY86NhMye54AHv73k 29mSHLN8CX/KwLZnCYbJ2vdqY3gS7CHW6YjmJ+AHhW0s9LJBuxxBiQGFe/Seg/Rb9gf4 wHrKDHOTXehZVhuvMGFDcnf89FQepqp4b1VCZcrKYEkxEBwR7sXhv0zdAATeNZ2epLZD UArw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1765784153; x=1766388953; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :x-spam-checked-in-group:list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:mime-version :content-id:user-agent:content-language:accept-language:in-reply-to :references:message-id:date:thread-index:thread-topic:subject:cc:to :from:x-beenthere:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=TtQFi90m/Lyy0XO6vJZHUX3+1rRmpFgaicjKgGu3qA0=; b=Xz5XZo0wOddvFhUQphNQxJZsxsuFhQjE6tOj1PQ9gqNkQ7K3zbnv+J0xO95PbAgZCW ti3WH4h4ZjQ1XreL1WeH19xYkGRYWSpF2lzy+1dmX+hVNjf8CnkEJOR08Umz38mz8orN NPepAE7w7hqEIJ1P7XX+UDNcsM/kOavf/ui7q5NecyuATdpZA8ef+KGkHtCS58wQrFmP UenL/60c4Hx7lcTag03JcvNIwbPx2JqrFQxYTHizv2rduHs1XAobSQrKhYDV5PF0Gqth o5nAFPVKkcZFgAIliIJrJtP4TnPNqK/MOA4PkLH4el6hiPAxzooq5qhkMCUohBEi9T3M TsnA== X-Forwarded-Encrypted: i=3; AJvYcCUjLWt4SNy45ruzFvmT5S8SkSYQ0cUlDJEzFETywZP+lnE/Z1cpC/f1czy08pk7i2BMDA3C@ilbers.de X-Gm-Message-State: AOJu0YwHDoag7/PAcVyilMYGOBkgTuWT5fL7c+8sKDgDr9wVL6fzt+aB SYOvyZ1EIV4753G+aq0dxhLhcDKzRS1lsQczIBbet67MxevOoNj53yqi X-Google-Smtp-Source: AGHT+IFh3Z/qpYADebltglUVIgJmZtv7o7laszIzZPKBmUud0RItvdmDB0GVhcmSHh8Z1C8v81Deiw== X-Received: by 2002:a05:6a21:50a:b0:35e:bfe5:ee7a with SMTP id adf61e73a8af0-369adbc9f7emr9567768637.32.1765784153302; Sun, 14 Dec 2025 23:35:53 -0800 (PST) X-BeenThere: isar-users@googlegroups.com; h="AWVwgWah6U0S/YYaIoVBTsSO8pjnr3OMCw0LMUof4BQlUCBTPw==" Received: by 2002:a17:90b:3d4:b0:340:be45:629a with SMTP id 98e67ed59e1d1-34abccd2f54ls2327163a91.2.-pod-prod-09-us; Sun, 14 Dec 2025 23:35:51 -0800 (PST) X-Received: by 2002:a05:6a21:9986:b0:35f:6e12:184c with SMTP id adf61e73a8af0-369afc00340mr9613841637.60.1765784151393; Sun, 14 Dec 2025 23:35:51 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1765784151; cv=pass; d=google.com; s=arc-20240605; b=YYp+Prmu5y5E9Zts67EqBzQFgQ52FiCIGOPTpO9jBcBIxL5uIYvPLque762IvySLiY BAGKJFkWFtc99Kx4U+C4xQy8jkg8e4Os/MASwDmy61Y/nRfG5Z/A7jG0YhZpibWAs93n 3k66tIZPzG+FL/qzPN3v6WPL/EPddLfIfLEKpXD50FwQVCfP8TUNB8Jz4ynZ/FF8KDG3 0H1rpWeRjLUHKoIYJlc4AWN+R5oeMpT9j6bvf0l9jUnMvy2v4LRsZpGy+gSNxXBTB9f8 dp3fkxrhnZlo5aTgBhke5pIw+LqU8CRmelBOPb42fNaCN0BV9I0nvqzuh4uj9Pmov+5F oyzw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=mime-version:content-transfer-encoding:content-id:user-agent :content-language:accept-language:in-reply-to:references:message-id :date:thread-index:thread-topic:subject:cc:to:from:dkim-signature; bh=wSym0JT8/ywBDQBFPDj8O3i4patYNq3uSjBlbZyNaeU=; fh=5/fZ3i12yKj3KdF39xI9eXILQiv171Y9B6KWYyc6mkM=; b=I2IwxYDDlZ05tjIER8NNfFHa3Hh/BpIEad4Vuu/vLsv6fiaBd/M7ZZmkxZb4f94YSl NE2KlS2VoEndx+A0s8Z9R9PruxeZZNrO8iMj5wbCEziomN1MYQGOp5bo4kP0oyZVdj+M 8SkAI3ZvSBg2IbtcoOkOVQmp3aqe8aUsU0tt4zMfnblCaTu/DEfUU294EJ3I9II6xZxU 1gOwYc5uSTHmIXT+LQCdWEMqWmJ971vWxXmQrc6KdrGiRNea+g+HyaFv0L/fiZ20Pgsv bqC++1ApVyIk0If1NEGRRn+oG0m/vFm/b9P0yZwgYdkgozv0tsvLWKeXaEOQz9yzX3YD Fozg==; dara=google.com ARC-Authentication-Results: i=2; gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=selector2 header.b=jjQ6Zsru; arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com); spf=pass (google.com: domain of felix.moessbauer@siemens.com designates 2a01:111:f403:c201::1 as permitted sender) smtp.mailfrom=felix.moessbauer@siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com Received: from AM0PR83CU005.outbound.protection.outlook.com (mail-westeuropeazlp170100001.outbound.protection.outlook.com. [2a01:111:f403:c201::1]) by gmr-mx.google.com with ESMTPS id 98e67ed59e1d1-34abe2a2916si93839a91.3.2025.12.14.23.35.50 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 14 Dec 2025 23:35:51 -0800 (PST) Received-SPF: pass (google.com: domain of felix.moessbauer@siemens.com designates 2a01:111:f403:c201::1 as permitted sender) client-ip=2a01:111:f403:c201::1; ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=PjPASnHR51rdHYDkLyIViCGmL+CxSJrIgafK/feyW/Inw2Tz182GTBAq/BAZ+qiq2njJPOtdFFXz1cSKg6jOwnCtNmtHJq/qJKmJk7qmtKqbXVEBNyHMM4o3yWURfLEJbd1S7kiGqgoYWv0MV5SwCUO9nLaEqO5z3oGSSHQlzdprWRYDeeMM3WpjUNew4UDeraAoNh/e+aJ4waIMRmebTptYjcTUBsCMEMQa8FO5uiT0zVxNo2EPk1wBWAR5EuSgLU9y+lZ7jfQLVedX9Qa+uLp1H3MHGplUomAew0VZFzQkBCuxSJXQnpH1fcEmApmRu1gJ3Z6HgvPE/U/9yBPxyQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=wSym0JT8/ywBDQBFPDj8O3i4patYNq3uSjBlbZyNaeU=; b=Oj+k4aTIc+YigTbm8oHza7ITFi3L705U37cypwZIB8oTE39gnwSKYqYjA/4KhrlVZFMcgyGC5XW3tU9J4Zx1ZIl4nQGdHfvRcaf3WccZoiI7giwIeM1EbcCsPdmDHJpxZoI937rMeNoUpsByyqsFRVTHEkGrcaVUrtfLEi1yXcXDS077jHvyxyBpQdtCPUlRC9S7/kZUkpigtNvGovDSoCFkA2MJyB8FOwJ5IjBSuQufPh/dxScF2lhUCBVh/uUSv4Ip8mW6H8RD78GyCXHWPOkDam9/e5JV4rvszmodwBBY/2lthZsJSd0Ax+jOi62l8OV/UFJtSsLqmLf00+K2Lg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none Received: from DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:47f::13) by PA1PR10MB9385.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:102:4fb::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9412.13; Mon, 15 Dec 2025 07:35:48 +0000 Received: from DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM ([fe80::8198:b4e0:8d12:3dfe]) by DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM ([fe80::8198:b4e0:8d12:3dfe%4]) with mapi id 15.20.9412.011; Mon, 15 Dec 2025 07:35:48 +0000 From: "'MOESSBAUER, Felix' via isar-users" To: "isar-users@googlegroups.com" , "Kiszka, Jan" CC: "Steiger, Christoph" , "Gylstorff, Quirin" , "Hombourger, Cedric" Subject: Re: [PATCH v6 00/10] Add SBOM generation with debsbom Thread-Topic: [PATCH v6 00/10] Add SBOM generation with debsbom Thread-Index: AQHcYqCqMJoYNW/wIUSbsBb048Q1krUd3baAgASH44A= Date: Mon, 15 Dec 2025 07:35:48 +0000 Message-ID: References: <20251201085813.1616095-1-felix.moessbauer@siemens.com> <7b9b5669-fb6f-4dfe-b146-25a6f35b2583@siemens.com> In-Reply-To: <7b9b5669-fb6f-4dfe-b146-25a6f35b2583@siemens.com> Accept-Language: de-DE, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: user-agent: Evolution 3.56.2-8 x-ms-publictraffictype: Email x-ms-traffictypediagnostic: DU0PR10MB6828:EE_|PA1PR10MB9385:EE_ x-ms-office365-filtering-correlation-id: 6944f846-df5d-4e06-ad14-08de3bac90af x-ms-exchange-atpmessageproperties: SA x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0;ARA:13230040|1800799024|10070799003|376014|366016|38070700021; x-microsoft-antispam-message-info: =?utf-8?B?MDFxaDFETXBaRkFIdnpZZTc1WEZoSlptVGhDNUNkMGFDRVFUcXhueDJjRWk1?= =?utf-8?B?R0ozN0FmNGQxRFRVU1htUGdXeWJUZU5Ebk80S2pNOUlKUG5rRDhad09XS3d5?= =?utf-8?B?SGovR0doOTJUTCtJQmhnbWZOQUI3Z1dPNjdKa3YxNVJZN0JwZzFEdnhHM2dM?= =?utf-8?B?N3JmUGdaUld2U3VFY1Z1NXcwT09MOTczNGlkRDE4Ym9Xd3d6WEY1NHQ2TjlU?= =?utf-8?B?bUFLc29EblNiMjMrbElzcCtrSStjRXlmRkxiSlNycHhsVWdUemtwVW5FWCt0?= =?utf-8?B?eVR4Q1lKT2t3L0phdlJoY3I1Qk5QVHozNEhXN3RqSGUya1N6TU0ydUtocTRS?= =?utf-8?B?YzcwSlZ0cVY3VnhNV1BkRDNUMk1lNllIblZoZFpuaEREMUh1TmszblhKRkVL?= =?utf-8?B?eUI2azd4WFJSUHU5a0QwcFRNcTY3OXNNcUVPRzJ2WnhGZWI1UUFXWFg3QlMw?= =?utf-8?B?c2NwbC9RaU1Sak9nS0RETkFCNHR0SUlMRld2SUxRcFNCQVpQK0hQOU4zRDJr?= =?utf-8?B?Uk0xS1ZhQ21kNFd3SGw0MTZ0NndoR2w0bG1JMWRvL1BSNFdUQ2RwenJRbUlz?= =?utf-8?B?MEVDSEVGWGRoOEduOGJPdWsvdFhGc25lWFNvOG9pSFIxbzJxTHpzdm9QRG5H?= =?utf-8?B?VkVNaFJDN1BzbEdkTGo1ZnZwZGhGQ0RoMkZnV0tLYUZ0ZUhGZXRCOGc3TW9j?= =?utf-8?B?Y08zWE9DTkZyK29IbzBzdkY5WnhDcVJuTEQ3K2pLNnFOYVZDcnM4OGMyakkv?= =?utf-8?B?emxCNFRrbTB0ZDdka1QxbGRobmxqVDJqZmVxQmlnSjNrdnJVa01iRHozK2tj?= =?utf-8?B?OFhZcW1YRkhGYXZmYngzVmVaaHlTTGhxUnA1a2ZmSVlXaHY2VW93RElzelZi?= =?utf-8?B?enluNEZ6K2xBRmphYiszbmk0T2Z5OERPaVZpRnVYZFI5UDQ0ZndVelRKdVBH?= =?utf-8?B?VTg2NnJ2OVo3NnNEU3JIYzdwajFUWSs3aWtzRWJGUEJjVFptOFp0MmJQMjkx?= =?utf-8?B?ZlBFek8zeWI2dm9KbjdFWk9WaVhRcVpaZWpkaDlCQlhWdGE5R1VaTnZUakQr?= =?utf-8?B?emVQV2VLUzhZTDVQQ2J2RjlhSVBpSFJ6OHlvcklZK1Fid1VXZ2dkNDZIVFhE?= =?utf-8?B?WmxpcTQ3bkVSUUZjb3gvSHNMNTVDTGJRaUlTT0xMUTlSazhQOUxwRVMwYThU?= =?utf-8?B?WWpyVXNNWm1GWkFOUmdHN0txTXo4TnRKV2dxY3ZqZlNmbHRQM1hRMmQwNTJF?= =?utf-8?B?V3JzbXozQWtEVmJBL1dDNWh2MHU1WUtSQlptbERtZG9GTzJZY1dJT0lyRFZI?= =?utf-8?B?WDM3eWZuNzhmb1JYOXAycUVzdUxrQUFsR3k4RFlpZGNYRnpjZFVLUDQ2UEFF?= =?utf-8?B?UlJyeE8zNjlwVFR6Y0FGcDJmOFE0c2ZSdnVIZUV5SGpoR0xJVjJHbmNuREJh?= =?utf-8?B?cHJ6NVdSR1ZmaGJMb0lUc1lqL1JMSEo5UEdQaG02RlcxOGNuUklOdnlDRi9i?= =?utf-8?B?V2R4c1o5aFVOZ3JuTXBYVSttOEdFV1FYZFpVQlpOT05tS3hCbnFDM3RGek54?= =?utf-8?B?V0ZQOU5tRk5ocGtrRWl3Rzl5ZFR5VGJ1bGV6SjNDY1F3VHdTTTdqMXp2NVhC?= =?utf-8?B?RHg4ZGl1WGsyU3dkckRZRlh2U0ZUdENEcFFna2ltZUZhS0xrUHNhRHRoT1E5?= =?utf-8?B?K2QzaEIwcndnK3g3UUYzN2t6WGsrczlwYXRHdXZPakpmTWxjVW1ham14UEFr?= =?utf-8?B?QTlHSS9McWRBb3pVZHpncjlYb1NVcmwxMDQ2MTJVcTZZd3hLSjgvRzhVU3Nn?= =?utf-8?B?T2RDRDExMTFGQ3FiSUtHL2d4NjMvSkdzVmdBNk5pRXUyNlI4dVdrZU0vbVJE?= =?utf-8?B?eW54UTh5VnBoOXdaQmhlenhlT3p6MG5JODRzNnMvQ1Yxbmx2Qlpkekw2VEJ6?= =?utf-8?B?RFU4VWU2MTRkQVBVNTBHSk9SMFZ6ZGhkN29mYmxwTlB3ZTBLQnNDR0VMOXhU?= =?utf-8?B?dy9zUitZa01Gdk1RQmdmQVJHcnRBYmdxL1A4bEsrbmJFSnRZU0cwRkl2NlZw?= =?utf-8?Q?BY0zdn?= x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(1800799024)(10070799003)(376014)(366016)(38070700021);DIR:OUT;SFP:1101; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?utf-8?B?UXprRUxFNm8yLzZHaFU3bGRkcjBtYjZNUi82TzZ6azdmTTBWQUk2cFdSMGlP?= =?utf-8?B?Q0k4cXNnSVNiYWk4dy94SDYzbmFaUDRXNWUrck5XTmNmWXU0a3dybDBMZUhp?= =?utf-8?B?UnpoZE1keXBZZVlGYlViK3JhV1dMcU9wSm02WC9kNGFYUDdIOGRrcHpIZHZ3?= =?utf-8?B?dzhOd01ZbkV4d3h5VldLc2pqWEJHZ3Yrdzl4bkRGWEdJNE5lNjlBSDBLaEU2?= =?utf-8?B?NEVrdHc4ZnhCM1BkckVUeXpNNzdmMW5ZRFh5SmZjejJNK0FuYlJ4ZDdiSkow?= =?utf-8?B?djUwVmgzR0w1d1ltaXMxZk94R1YxV0doeEY2UUVFQ2Q5T21EdzBqVEN0bTRt?= =?utf-8?B?a0RCR0FLalRBM1RjOXlqelI1YWl1TDZZSVZ4c2ZyRlRJSllES25RbFAzQVRC?= =?utf-8?B?bkk5MU11MTE0TEJXT2xBRTlSYXpuWC9pNnBzdWloaC8rcmdaQVg0NUd6aUF3?= =?utf-8?B?L2VRWnRFVEdJMEV5bEQraFZiR3RPdEVpRlZCamJCWFdHU0dTRFhzVWNVcktI?= =?utf-8?B?emU2c1hSakMwdHYwUVlmdE4yZGgzcElhSDQ0Lzc4TjFxZ2tiYXpURFJYRklE?= =?utf-8?B?eENpNzBpVTJ2cCtvNnlKbGwwaUJxUU12bzUxbW9OWm5iZFU5a3lHT3pFaXNR?= =?utf-8?B?L0hWdGp4d05hTzl6NXdOWGdraWNtZklabzZkdytVa2I5YXNoZ045eEJXUTZJ?= =?utf-8?B?NzJ2K1VucnQ1N3B6OW1MSDI0Y2VSRXVVQ3dBWUEwWGtIeUQ2SE1Ta3l3RW4x?= =?utf-8?B?TFZvYzJqVW1TLy9PUVRLS3lBdkx4Yk4xQ0YvekkrK0lSOG9ST08vVXhzRFgz?= =?utf-8?B?Z3dtWktnZ2paL21qbjcwbWdZcmE3V0lkc0d0eW4rbU5DY1laMkRmVTVvcXFH?= =?utf-8?B?aGoxcFNWVmtGUVQ5YkVIQWhtNVV3MWZLY2lvRHJCbE50ajhsdHhqVkZQelpa?= =?utf-8?B?ODJHeTRQSVJwM202cm1BR1NVSWpxQlpUcWFuWkpDMnd0OW83bHMwVzdsNklq?= =?utf-8?B?ekVLSktlQU5ZUW50NzVWOEh6OTBSaksxNU56TWtvd1BQVkMvRGtaV2FjL3Na?= =?utf-8?B?dFRxaEczOTBCcWIyNDBNZTlOMUY0allqRDIveXFzdVhPWTFvWE5sZHZ2dHlN?= =?utf-8?B?MWJrUkxkWU01VGpiWkxTbmIzc0hmWWJpa3hwREdjSTA4STNaTHRWa1VmREpP?= =?utf-8?B?MGVxV0h3YXpOUmlQNyt6R0YyWEx3Q0dFVHJ4eHVJaCtoblRFMGtuZG1pRGtm?= =?utf-8?B?dkVRd2FCeDFZRGU5a05xSFg1eGpZTCsySy9la3NRT3lZWkN5Uk1UOEJGSGJB?= =?utf-8?B?VnNGaDczTCtTYnhXancxb3UzVU9hZ0lPeFVTc3hKeWpVUHUrZTVibWYrZlFn?= =?utf-8?B?L1JYSnNLaDJyVHJuTnNYZXNjbVBwVlVlQ01oUkYzcUNmMlFoMk80VzkxdDNk?= =?utf-8?B?SHhrMzd5eW85WlRDN3BIcTVRU2hMSkpJdWpMT0RJTFVlOUsvNVpLYnhaNWY4?= =?utf-8?B?RUMrVWxBNnhtcUtXdTFhUzRIY2hqNTFiTGNicmJJK3NxQ0pUVUVKY0RIaG8x?= =?utf-8?B?L3NwZ29BNDVrVkFyTGExeGZYWnlaazJMTkdrbVBXUFd4NG5hRUYwemRaeGc1?= =?utf-8?B?bmN4RzVQRXdtN0xKMytPN2hmaS9uR3pqYWdhZmxIcHZSQ1U0eDRyYVBZLzk3?= =?utf-8?B?T2ZaZmFmSXZqeVBQemVPdUdhYUduOVZSTG1PMTZ2YnA0clhLWXB4Zzl2ZTBI?= =?utf-8?B?SDVvcmxLZ0VYV0FYazc1RHVoRE0rRTcxbGF1STAzRXl2U2phRG1HMnFvL0VP?= =?utf-8?B?NXFJUFlNQVprMS9UY0R0MFJSWjJhdzhneU05Lzcwd2U5N1JKNnJBZlpJM3ZD?= =?utf-8?B?cHl2OXJ4VUtzT1lzSEVBOC81aGVUYkR4dERhd2ZLQzVWQTNuZnNCMk5PeHMr?= =?utf-8?B?eGpMNS9xK29mUGdtbFM0V0w1RmRTUlFUYXJBaVkrc0hXWURRZlYrMmJsSW9Q?= =?utf-8?B?UDJZdG9BTXNic2w3WEVDdGVjalNDMHBYZ2lTMGxWRHdEVXhGMjVxUkVjTVlU?= =?utf-8?B?SG9sS0xiVUZvY2Q4UW9CWVo1cFMrZjBGY3B1Y0FvQi8wWnphU2RQa1ZJcHRl?= =?utf-8?B?akRDSHRoQ2JyVDBwWXNSbzBPTS9aWkw5UDZSbjZ6d0pjVElIRnFqOVAzVVFw?= =?utf-8?B?QlpEZ0pZUmJVVlJYNmJuV3pqVEpIU2FkVkN4WnpkVXJWVWlJbURQcE1xYmZV?= =?utf-8?B?SVlZcFN1TG9XTmZFUFhZWDByaFR3PT0=?= Content-Type: text/plain; charset="UTF-8" Content-ID: <6EE39BEAE9EF07409E8171A1355B5A44@EURPRD10.PROD.OUTLOOK.COM> MIME-Version: 1.0 X-OriginatorOrg: siemens.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-Network-Message-Id: 6944f846-df5d-4e06-ad14-08de3bac90af X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Dec 2025 07:35:48.0825 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: iJ9zAIBroU7giAA6YwavDn3vDYKE4knAebIYWsABzICLMg7l+hYG29k3iwvr3O1RHycApxwsipU0LZc6n3ZFEFvswg/HkiRQCQ4JzyNhmHA= X-MS-Exchange-Transport-CrossTenantHeadersStamped: PA1PR10MB9385 X-Original-Sender: felix.moessbauer@siemens.com X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=selector2 header.b=jjQ6Zsru; arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com); spf=pass (google.com: domain of felix.moessbauer@siemens.com designates 2a01:111:f403:c201::1 as permitted sender) smtp.mailfrom=felix.moessbauer@siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com X-Original-From: "MOESSBAUER, Felix" Reply-To: "MOESSBAUER, Felix" Precedence: list Mailing-list: list isar-users@googlegroups.com; contact isar-users+owners@googlegroups.com List-ID: X-Spam-Checked-In-Group: isar-users@googlegroups.com X-Google-Group-Id: 914930254986 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Status: No, score=-4.9 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI, RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL, RCVD_IN_RP_CERTIFIED,RCVD_IN_RP_RNBL,RCVD_IN_RP_SAFE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on shymkent.ilbers.de X-TUID: 1z33zbMokGzc On Fri, 2025-12-12 at 11:24 +0100, Jan Kiszka wrote: > On 01.12.25 09:58, Felix Moessbauer wrote: > > This patchset adds proper SBOM generation in the two standard formats > > SPDX and CycloneDX during the rootfs generation process. > > > > The generation is itself is handled by a SBOM generator `debsbom` [1] > > which is developed as an open source project at Siemens. It is still > > early in development, but it has enough features for what we require > > in isar. The required dependencies which are not yet available as > > Debian packages were minimally packaged directly in isar too. > > > > This is a followup of the previous RFC [2]. Since then the series has > > changed a lot. The SBOM generation was moved from a simple OE lib to > > `debsbom`. This also meant the introduction of a separate chroot was > > necessary. The SBOM generation process was also moved from the image > > step to the rootfs step, along with a lot of minor changes and > > improvements. > > > > [1] https://github.com/siemens/debsbom > > [2] https://groups.google.com/g/isar-users/c/8L-CF4BJY0I/m/p0N3o_zfAAAJ > > > > Changes since v5: > > > > - fix isar-image-ci on qemuamd64-bullseye (set IMAGER_BOM according to > > machine changes made in image file) > > - rebased onto next > > > > Changes since v4: > > > > - rebased onto next > > - fix race condition on creation of ${DEPLOY_DIR_SBOM} (aka ${DEPLOY_DIR_IMAGE}) > > > > Changes since v3: > > > > - fix issue on external bullseye initramfs (we now disable sbom generation > > on all unsupported distros rootfs instances) > > - update debsbom to v0.4.0 > > - rebased onto next > > > > Changes since v2: > > > > - fix issues when HOST_ARCH != DISTRO_ARCH on derived distributions > > - update debsbom to v0.3.0, which fixes the Origin: bug reported in v2 > > - generate SBOM for imager as well and create merged sbom of .wic image > > - resend imager manifest + wic manifest patches to reduce conflicts > > > > Note, that the patches p1-p5 are most important as they add basic SBOM > > support. The remaining patches address the imager + .wic bom part, > > which also can be merged later on. > > > > Changes since v1: > > > > - remove tarball > > - refactor packaging (auto-derive python dependencies) > > - only build missing packages (varies on bookworm, trixie, noble) > > - add ubuntu support > > - only generate sboms for supported distributions (bookworm/jammy and > > onwards) > > - update debsbom (includes bug fixes and more information for source > > packages) > > > > > > Christoph Steiger (3): > > meta: package python libraries for SBOM generation > > meta: package python3-debsbom > > meta: add SBOM generation with debsbom > > > > Felix Moessbauer (7): > > refactor: move get_rootfs_distro from sdk into rootfs > > override distro vendor in SBOM on Ubuntu > > add support to add imager dependencies to BOM > > wic: create uniform manifest describing all image components > > qemuamd64: add IMAGER_BOM entries > > imager: create SBOM of IMAGER_BOM packages > > wic: create uniform SBOM describing all image components > > > > doc/user_manual.md | 1 + > > meta-isar/conf/distro/ubuntu-common.inc | 2 + > > meta-isar/conf/machine/qemuamd64.conf | 1 + > > .../recipes-core/images/isar-image-ci.bb | 1 + > > meta/classes/image-tools-extension.bbclass | 29 +++++++++ > > meta/classes/image.bbclass | 7 ++ > > meta/classes/imagetypes_wic.bbclass | 30 +++++++++ > > meta/classes/initramfs.bbclass | 3 +- > > meta/classes/rootfs.bbclass | 23 ++++++- > > meta/classes/sbom.bbclass | 65 +++++++++++++++++++ > > meta/classes/sdk.bbclass | 10 +-- > > .../sbom-chroot/sbom-chroot.bb | 30 +++++++++ > > .../python3-beartype/files/rules | 8 +++ > > .../python3-beartype_0.19.0.bb | 29 +++++++++ > > .../files/pybuild.testfiles | 1 + > > .../python3-cyclonedx-lib/files/rules | 8 +++ > > .../python3-cyclonedx-lib_9.1.0.bb | 48 ++++++++++++++ > > ...icense-description-in-pyproject.toml.patch | 28 ++++++++ > > .../python3-debsbom/files/rules | 8 +++ > > .../python3-debsbom/python3-debsbom_0.4.0.bb | 45 +++++++++++++ > > .../python3-packageurl/files/rules | 8 +++ > > .../python3-packageurl_0.16.0.bb | 33 ++++++++++ > > .../python3-py-serializable/files/rules | 8 +++ > > .../python3-py-serializable_2.0.0.bb | 38 +++++++++++ > > .../python3-spdx-tools/files/rules | 25 +++++++ > > .../python3-spdx-tools_0.8.3.bb | 46 +++++++++++++ > > 26 files changed, 524 insertions(+), 11 deletions(-) > > create mode 100644 meta/classes/sbom.bbclass > > create mode 100644 meta/recipes-devtools/sbom-chroot/sbom-chroot.bb > > create mode 100644 meta/recipes-support/python3-beartype/files/rules > > create mode 100644 meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb > > create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/pybuild.testfiles > > create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/rules > > create mode 100644 meta/recipes-support/python3-cyclonedx-lib/python3-cyclonedx-lib_9.1.0.bb > > create mode 100644 meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch > > create mode 100644 meta/recipes-support/python3-debsbom/files/rules > > create mode 100644 meta/recipes-support/python3-debsbom/python3-debsbom_0.4.0.bb > > create mode 100644 meta/recipes-support/python3-packageurl/files/rules > > create mode 100644 meta/recipes-support/python3-packageurl/python3-packageurl_0.16.0.bb > > create mode 100644 meta/recipes-support/python3-py-serializable/files/rules > > create mode 100644 meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb > > create mode 100644 meta/recipes-support/python3-spdx-tools/files/rules > > create mode 100644 meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb > > > > Can we please make sbom generation opt-in for distros that require > building the tool with all its dependencies manually? It's those extra > package targets that are only interesting if you plan to ship, not so > much while you are developing. I'm not against making this opt-in in general. It also significantly slows down the CI. Opinions? However, currently all SBOM related changes are blocked behind the testsuite refactoring, so it might take a while to continue here. Felix > > Jan > > -- > Siemens AG, Foundational Technologies > Linux Expert Center -- Siemens AG Linux Expert Center Friedrich-Ludwig-Bauer-Str. 3 85748 Garching, Germany -- You received this message because you are subscribed to the Google Groups "isar-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/isar-users/d050b4824cc7d99f908e70bbe1df86c92f99acb2.camel%40siemens.com.