* [PATCH v2 1/4] meta: package python libraries for SBOM generation
2025-09-17 6:33 [PATCH v2 0/4] Add SBOM generation with debsbom 'Christoph Steiger' via isar-users
@ 2025-09-17 6:33 ` 'Christoph Steiger' via isar-users
2025-09-17 6:33 ` [PATCH v2 3/4] meta: add SBOM generation with debsbom 'Christoph Steiger' via isar-users
` (3 subsequent siblings)
4 siblings, 0 replies; 7+ messages in thread
From: 'Christoph Steiger' via isar-users @ 2025-09-17 6:33 UTC (permalink / raw)
To: isar-users
Cc: jan.kiszka, felix.moessbauer, gernot.hillier, cedric.hombourger,
Christoph Steiger
Package python libraries for SBOM generation in isar. The packages are
unfortunately not (yet) packaged in Debian, that's why we need to do it
here. With these libraries it is now possible to easily create CDX and
SPDX SBOMs in different file formats.
Signed-off-by: Christoph Steiger <christoph.steiger@siemens.com>
---
.../python3-beartype/files/rules | 8 ++++
.../python3-beartype_0.19.0.bb | 29 +++++++++++
.../files/pybuild.testfiles | 1 +
.../python3-cyclonedx-lib/files/rules | 8 ++++
.../python3-cyclonedx-lib_9.1.0.bb | 48 +++++++++++++++++++
.../python3-packageurl/files/rules | 8 ++++
.../python3-packageurl_0.16.0.bb | 33 +++++++++++++
.../python3-py-serializable/files/rules | 8 ++++
.../python3-py-serializable_2.0.0.bb | 38 +++++++++++++++
.../python3-spdx-tools/files/rules | 25 ++++++++++
.../python3-spdx-tools_0.8.3.bb | 46 ++++++++++++++++++
11 files changed, 252 insertions(+)
create mode 100644 meta/recipes-support/python3-beartype/files/rules
create mode 100644 meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb
create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/pybuild.testfiles
create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/rules
create mode 100644 meta/recipes-support/python3-cyclonedx-lib/python3-cyclonedx-lib_9.1.0.bb
create mode 100644 meta/recipes-support/python3-packageurl/files/rules
create mode 100644 meta/recipes-support/python3-packageurl/python3-packageurl_0.16.0.bb
create mode 100644 meta/recipes-support/python3-py-serializable/files/rules
create mode 100644 meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb
create mode 100644 meta/recipes-support/python3-spdx-tools/files/rules
create mode 100644 meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb
diff --git a/meta/recipes-support/python3-beartype/files/rules b/meta/recipes-support/python3-beartype/files/rules
new file mode 100644
index 00000000..0ca517a1
--- /dev/null
+++ b/meta/recipes-support/python3-beartype/files/rules
@@ -0,0 +1,8 @@
+#!/usr/bin/make -f
+
+#export DH_VERBOSE = 1
+export PYBUILD_NAME = beartype
+export PYBUILD_SYSTEM = pyproject
+
+%:
+ dh $@ --with python3 --buildsystem=pybuild
diff --git a/meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb b/meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb
new file mode 100644
index 00000000..b8bc2708
--- /dev/null
+++ b/meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb
@@ -0,0 +1,29 @@
+# This software is a part of ISAR.
+# Copyright (c) Siemens, 2025
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+S = "${WORKDIR}/beartype-${PV}"
+
+MAINTAINER = "Christoph Steiger <christoph.steiger@siemens.com>"
+DPKG_ARCH = "all"
+DEBIAN_BUILD_DEPENDS = "debhelper (>= 11~), dh-python, python3-all, python3-setuptools, pybuild-plugin-pyproject, python3-hatchling"
+DEBIAN_DEPENDS = "\${python3:Depends}, \${misc:Depends}"
+# this is 01/01/1980, any earlier and zip in the wheel building process will not accept it
+DEBIAN_CHANGELOG_TIMESTAMP = "315532800"
+DESCRIPTION = "Unbearably fast near-real-time hybrid runtime-static type-checking in pure Python."
+
+SRC_URI = "\
+ https://github.com/beartype/beartype/archive/refs/tags/v0.19.0.tar.gz \
+ file://rules \
+ "
+SRC_URI[sha256sum] = "e7ad00eebf527d60f30e0b391209b561dabd2074b608c50e26c94c2d8250a6cd"
+
+do_prepare_build[cleandirs] += "${S}/debian"
+do_prepare_build() {
+ deb_debianize
+}
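Review bot: SRC_URI fetches GitHub's auto-generated archive tarball (archive/refs/tags/v0.19.0.tar.gz) instead of a published release asset or sdist; these archives are not guaranteed to stay byte-identical, so the pinned SRC_URI[sha256sum] can start failing without any upstream change. Prefer a release asset as the cyclonedx and packageurl recipes in this series do (releases/download/...), and write the DEBIAN_CHANGELOG_TIMESTAMP comment as an ISO date (1980-01-01, which 315532800 is) so the day/month order is unambiguous.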
diff --git a/meta/recipes-support/python3-cyclonedx-lib/files/pybuild.testfiles b/meta/recipes-support/python3-cyclonedx-lib/files/pybuild.testfiles
new file mode 100644
index 00000000..cc736a36
--- /dev/null
+++ b/meta/recipes-support/python3-cyclonedx-lib/files/pybuild.testfiles
@@ -0,0 +1 @@
+pyproject.toml
diff --git a/meta/recipes-support/python3-cyclonedx-lib/files/rules b/meta/recipes-support/python3-cyclonedx-lib/files/rules
new file mode 100644
index 00000000..fe72dd1a
--- /dev/null
+++ b/meta/recipes-support/python3-cyclonedx-lib/files/rules
@@ -0,0 +1,8 @@
+#!/usr/bin/make -f
+
+#export DH_VERBOSE = 1
+export PYBUILD_NAME = cyclonedx-python-lib
+export PYBUILD_SYSTEM = pyproject
+
+%:
+ dh $@ --with python3 --buildsystem=pybuild
diff --git a/meta/recipes-support/python3-cyclonedx-lib/python3-cyclonedx-lib_9.1.0.bb b/meta/recipes-support/python3-cyclonedx-lib/python3-cyclonedx-lib_9.1.0.bb
new file mode 100644
index 00000000..738ed1b3
--- /dev/null
+++ b/meta/recipes-support/python3-cyclonedx-lib/python3-cyclonedx-lib_9.1.0.bb
@@ -0,0 +1,48 @@
+# This software is a part of ISAR.
+# Copyright (c) Siemens, 2025
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+DEPENDS:append:bookworm = " python3-packageurl python3-py-serializable"
+DEPENDS:append:noble = " python3-packageurl python3-py-serializable"
+
+S = "${WORKDIR}/cyclonedx_python_lib-${PV}"
+
+MAINTAINER = "Christoph Steiger <christoph.steiger@siemens.com>"
+DPKG_ARCH = "all"
+DEBIAN_BUILD_DEPENDS = "debhelper (>= 11~), \
+ dh-python, \
+ python3-all, \
+ python3-setuptools, \
+ pybuild-plugin-pyproject, \
+ python3-poetry, \
+ python3-py-serializable, \
+ python3-packageurl, \
+ python3-sortedcontainers, \
+ python3-ddt, \
+ python3-defusedxml, \
+ python3-license-expression, \
+ python3-jsonschema, \
+ python3-lxml, \
+ "
+
+DEBIAN_DEPENDS = "\${python3:Depends}, \${misc:Depends}"
+
+DESCRIPTION = "Library for serializing and deserializing Python Objects to and from JSON and XML."
+
+SRC_URI = "\
+ https://github.com/CycloneDX/cyclonedx-python-lib/releases/download/v9.1.0/cyclonedx_python_lib-9.1.0.tar.gz \
+ file://rules \
+ file://pybuild.testfiles \
+ "
+SRC_URI[sha256sum] = "86935f2c88a7b47a529b93c724dbd3e903bc573f6f8bd977628a7ca1b5dadea1"
+
+do_prepare_build[cleandirs] += "${S}/debian"
+do_prepare_build() {
+ cp "${WORKDIR}"/pybuild.testfiles "${S}"/debian
+ deb_debianize
+}
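Review bot: DESCRIPTION is wrong for this package: "Library for serializing and deserializing Python Objects to and from JSON and XML." is the py-serializable description (it appears verbatim in python3-py-serializable_2.0.0.bb) and should describe cyclonedx-python-lib instead. The DEPENDS:append:bookworm / DEPENDS:append:noble lines would also benefit from a one-line comment stating why only these two releases need the in-tree python3-packageurl and python3-py-serializable, since the spdx-tools recipe applies a similar append to bookworm only and a reader cannot tell whether that difference is intended.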
diff --git a/meta/recipes-support/python3-packageurl/files/rules b/meta/recipes-support/python3-packageurl/files/rules
new file mode 100644
index 00000000..50e1b74c
--- /dev/null
+++ b/meta/recipes-support/python3-packageurl/files/rules
@@ -0,0 +1,8 @@
+#!/usr/bin/make -f
+
+#export DH_VERBOSE = 1
+export PYBUILD_NAME = packageurl-python
+export PYBUILD_SYSTEM = distutils
+
+%:
+ dh $@ --with python3 --buildsystem=pybuild
diff --git a/meta/recipes-support/python3-packageurl/python3-packageurl_0.16.0.bb b/meta/recipes-support/python3-packageurl/python3-packageurl_0.16.0.bb
new file mode 100644
index 00000000..27209429
--- /dev/null
+++ b/meta/recipes-support/python3-packageurl/python3-packageurl_0.16.0.bb
@@ -0,0 +1,33 @@
+# This software is a part of ISAR.
+# Copyright (c) Siemens, 2025
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+S = "${WORKDIR}/packageurl_python-${PV}"
+
+MAINTAINER = "Christoph Steiger <christoph.steiger@siemens.com>"
+DPKG_ARCH = "all"
+DEBIAN_BUILD_DEPENDS = "debhelper (>= 11~), \
+ dh-python, \
+ python3-all, \
+ python3-setuptools, \
+ "
+
+DEBIAN_DEPENDS = "\${python3:Depends}, \${misc:Depends}"
+
+DESCRIPTION = "A purl aka. Package URL parser and builder"
+
+SRC_URI = "\
+ https://github.com/package-url/packageurl-python/releases/download/v0.16.0/packageurl_python-0.16.0.tar.gz \
+ file://rules \
+ "
+SRC_URI[sha256sum] = "69e3bf8a3932fe9c2400f56aaeb9f86911ecee2f9398dbe1b58ec34340be365d"
+
+do_prepare_build[cleandirs] += "${S}/debian"
+do_prepare_build() {
+ deb_debianize
+}
diff --git a/meta/recipes-support/python3-py-serializable/files/rules b/meta/recipes-support/python3-py-serializable/files/rules
new file mode 100644
index 00000000..0cf845dd
--- /dev/null
+++ b/meta/recipes-support/python3-py-serializable/files/rules
@@ -0,0 +1,8 @@
+#!/usr/bin/make -f
+
+#export DH_VERBOSE = 1
+export PYBUILD_NAME = py-serializable
+export PYBUILD_SYSTEM = pyproject
+
+%:
+ dh $@ --with python3 --buildsystem=pybuild
diff --git a/meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb b/meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb
new file mode 100644
index 00000000..5bc48c0f
--- /dev/null
+++ b/meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb
@@ -0,0 +1,38 @@
+# This software is a part of ISAR.
+# Copyright (c) Siemens, 2025
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+S = "${WORKDIR}/py_serializable-${PV}"
+
+MAINTAINER = "Christoph Steiger <christoph.steiger@siemens.com>"
+DPKG_ARCH = "all"
+DEBIAN_BUILD_DEPENDS = " \
+ dh-sequence-python3, \
+ pybuild-plugin-pyproject, \
+ python3-all, \
+ python3-defusedxml, \
+ python3-lxml, \
+ python3-poetry-core, \
+ python3-setuptools, \
+ xmldiff, \
+"
+
+DEBIAN_DEPENDS = "\${python3:Depends}, \${misc:Depends}"
+
+DESCRIPTION = "Library for serializing and deserializing Python Objects to and from JSON and XML."
+
+SRC_URI = "\
+ https://github.com/madpah/serializable/releases/download/v2.0.0/py_serializable-2.0.0.tar.gz \
+ file://rules \
+ "
+SRC_URI[sha256sum] = "e9e6491dd7d29c31daf1050232b57f9657f9e8a43b867cca1ff204752cf420a5"
+
+do_prepare_build[cleandirs] += "${S}/debian"
+do_prepare_build() {
+ deb_debianize
+}
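Review bot: DEBIAN_BUILD_DEPENDS mixes conventions with the other recipes in this patch: it uses dh-sequence-python3 while the accompanying rules file also passes `--with python3` (one of the two is redundant), it drops the explicit debhelper/dh-python entries the sibling recipes carry, and it lists test-only dependencies (python3-defusedxml, python3-lxml, xmldiff) without a `<!nocheck>` restriction, so they are pulled into the buildchroot even when tests are disabled. Align with the beartype/cyclonedx recipes and mark the test dependencies `<!nocheck>` as the spdx-tools recipe does for python3-pytest.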
diff --git a/meta/recipes-support/python3-spdx-tools/files/rules b/meta/recipes-support/python3-spdx-tools/files/rules
new file mode 100644
index 00000000..ac87528a
--- /dev/null
+++ b/meta/recipes-support/python3-spdx-tools/files/rules
@@ -0,0 +1,25 @@
+#!/usr/bin/make -f
+
+#export DH_VERBOSE = 1
+export PYBUILD_NAME = spdx-tools
+export PYBUILD_SYSTEM = distutils
+
+# skip tests that require hard-to-package dependencies and tests that rely on relative file paths
+# TODO: figure out a way to make these tests work
+export PYBUILD_TEST_ARGS=--ignore tests/spdx3/validation/json_ld/test_shacl_validation.py \
+ -k 'not test_examples \
+ and not test_parse_from_file \
+ and not test_annotation_parser \
+ and not test_snippet_parser \
+ and not test_creation_info_parser \
+ and not test_json_ld_writer \
+ and not test_extracted_licensing_info_parser \
+ and not test_parse_file \
+ and not test_package_parser \
+ and not test_relationship_parser \
+ and not test_graph_parsing_function \
+ and not test_license_expression_parser \
+ '
+
+%:
+ dh $@ --with python3 --buildsystem=pybuild
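Review bot: the PYBUILD_TEST_ARGS filter is dead configuration as submitted, because python3-spdx-tools_0.8.3.bb sets both DEB_BUILD_PROFILES += "nocheck" and DEB_BUILD_OPTIONS += "nocheck", which skips the test run entirely. Either drop the nocheck settings so this curated selection of tests actually runs, or drop the filter and keep only the TODO comment explaining why tests are off; keeping both suggests part of the suite is exercised when nothing is.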
diff --git a/meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb b/meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb
new file mode 100644
index 00000000..30d090a9
--- /dev/null
+++ b/meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb
@@ -0,0 +1,46 @@
+# This software is a part of ISAR.
+# Copyright (c) Siemens, 2025
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+S = "${WORKDIR}/tools-python-${PV}"
+
+DEPENDS:append:bookworm = " python3-beartype"
+
+MAINTAINER = "Christoph Steiger <christoph.steiger@siemens.com>"
+DPKG_ARCH = "all"
+DEBIAN_BUILD_DEPENDS = "dh-python, \
+ python3-all, \
+ python3-setuptools, \
+ python3-beartype, \
+ python3-semantic-version, \
+ python3-license-expression, \
+ python3-pytest <!nocheck>, \
+ python3-rdflib, \
+ python3-uritools, \
+ python3-ply, \
+ python3-click, \
+ python3-xmltodict, \
+ python3-yaml, \
+ "
+
+DEBIAN_DEPENDS = "\${python3:Depends}, \${misc:Depends}"
+DEB_BUILD_PROFILES += "nocheck"
+DEB_BUILD_OPTIONS += "nocheck"
+
+DESCRIPTION = "SPDX parser and tools."
+
+SRC_URI = "\
+ https://github.com/spdx/tools-python/archive/refs/tags/v0.8.3.tar.gz \
+ file://rules \
+ "
+SRC_URI[sha256sum] = "17cb0140adbaefb58819c9d5d56060dc6a70c673a854fa9bd882ecfa4e062a7f"
+
+do_prepare_build[cleandirs] += "${S}/debian"
+do_prepare_build() {
+ deb_debianize
+}
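Review bot: `DEPENDS:append:bookworm = " python3-beartype"` adds the in-tree beartype only for bookworm, while the cyclonedx and debsbom recipes in this series append their in-tree dependencies for noble as well; if noble ships a python3-beartype that satisfies spdx-tools 0.8.3 a comment should say so, otherwise noble builds will fail to resolve this build dependency. SRC_URI also fetches GitHub's auto-generated archive tarball (archive/refs/tags/v0.8.3.tar.gz) rather than a release asset, with the same checksum-stability caveat as the beartype recipe.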
--
2.39.5
--
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20250917063314.44769-2-christoph.steiger%40siemens.com.
* [PATCH v2 3/4] meta: add SBOM generation with debsbom
From: 'Christoph Steiger' via isar-users @ 2025-09-17 6:33 UTC (permalink / raw)
To: isar-users
Cc: jan.kiszka, felix.moessbauer, gernot.hillier, cedric.hombourger,
Christoph Steiger
Generate SBOMs for every rootfs that is created. These SBOMs are placed
in the image deploy directory.
For the generation a small chroot with debsbom installed is created and
from that the rootfs of the image is scanned.
The sbom generation is bound to the rootfs feature `generate-sbom`
which is activated per default now.
Signed-off-by: Christoph Steiger <christoph.steiger@siemens.com>
Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
meta/classes/image.bbclass | 8 ++-
meta/classes/rootfs.bbclass | 7 ++-
meta/classes/sbom.bbclass | 62 +++++++++++++++++++
meta/classes/sdk.bbclass | 2 +-
.../sbom-chroot/sbom-chroot.bb | 30 +++++++++
5 files changed, 106 insertions(+), 3 deletions(-)
create mode 100644 meta/classes/sbom.bbclass
create mode 100644 meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
index bd1b8552..220f5aa3 100644
--- a/meta/classes/image.bbclass
+++ b/meta/classes/image.bbclass
@@ -66,7 +66,13 @@ inherit multiarch
inherit essential
ROOTFSDIR = "${IMAGE_ROOTFS}"
-ROOTFS_FEATURES += "clean-package-cache clean-pycache generate-manifest export-dpkg-status clean-log-files clean-debconf-cache"
+ROOTFS_FEATURES += "clean-package-cache clean-pycache generate-manifest export-dpkg-status clean-log-files clean-debconf-cache generate-sbom"
+# only supported from bookworm / jammy on
+ROOTFS_FEATURES:remove:buster = "generate-sbom"
+ROOTFS_FEATURES:remove:bullseye = "generate-sbom"
+ROOTFS_FEATURES:remove:jammy = "generate-sbom"
+ROOTFS_FEATURES:remove:focal = "generate-sbom"
+
# when using a custom initrd, do not generate one as part of the image rootfs
ROOTFS_FEATURES += "${@ '' if d.getVar('INITRD_IMAGE') == '' else 'no-generate-initrd'}"
ROOTFS_PACKAGES += "${IMAGE_PREINSTALL} ${@isar_multiarch_packages('IMAGE_INSTALL', d)}"
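Review bot: the comment `# only supported from bookworm / jammy on` contradicts the line `ROOTFS_FEATURES:remove:jammy = "generate-sbom"` directly below it, which removes the feature on jammy. Either the comment should read `bookworm / noble` or the jammy remove is a mistake; please make the two agree so the supported-distro boundary is documented correctly.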
diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass
index 7b7859b9..98f5b24c 100644
--- a/meta/classes/rootfs.bbclass
+++ b/meta/classes/rootfs.bbclass
@@ -3,6 +3,8 @@
inherit deb-dl-dir
+inherit sbom
+
ROOTFS_ARCH ?= "${DISTRO_ARCH}"
ROOTFS_DISTRO ?= "${DISTRO}"
ROOTFS_PACKAGES ?= ""
@@ -350,6 +352,9 @@ cache_dbg_pkgs() {
fi
}
+# The sbom generator needs the apt-cache, hence run before cleaning it
+ROOTFS_POSTPROCESS_COMMAND += "${@bb.utils.contains('ROOTFS_FEATURES', 'generate-sbom', 'do_generate_sbom', '', d)}"
+
ROOTFS_POSTPROCESS_COMMAND += "${@bb.utils.contains('ROOTFS_FEATURES', 'clean-package-cache', 'rootfs_postprocess_clean_package_cache', '', d)}"
rootfs_postprocess_clean_package_cache() {
sudo -E chroot '${ROOTFSDIR}' \
@@ -512,7 +517,7 @@ python do_rootfs() {
}
addtask rootfs before do_build
-do_rootfs_postprocess[depends] = "base-apt:do_cache isar-apt:do_cache_config"
+do_rootfs_postprocess[depends] = "base-apt:do_cache isar-apt:do_cache_config ${@bb.utils.contains('ROOTFS_FEATURES', 'generate-sbom', 'sbom-chroot:do_sbomchroot_deploy', '', d)}"
SSTATETASKS += "do_rootfs_install"
SSTATECREATEFUNCS += "rootfs_install_sstate_prepare"
diff --git a/meta/classes/sbom.bbclass b/meta/classes/sbom.bbclass
new file mode 100644
index 00000000..60c89877
--- /dev/null
+++ b/meta/classes/sbom.bbclass
@@ -0,0 +1,62 @@
+# This software is a part of ISAR.
+# Copyright (C) 2025 Siemens
+#
+# SPDX-License-Identifier: MIT
+
+# sbom type to generate, accepted are "cdx" or "spdx"
+SBOM_TYPES ?= "spdx cdx"
+
+SBOM_DEBSBOM_TYPE_ARGS = "${@"-t " + " -t ".join(d.getVar("SBOM_TYPES").split())}"
+
+# general user variables
+SBOM_DISTRO_SUPPLIER ?= "ISAR"
+SBOM_DISTRO_NAME ?= "ISAR-Debian-GNU-Linux"
+SBOM_DISTRO_VERSION ?= "1"
+SBOM_DISTRO_SUMMARY ?= "Linux distribution built with ISAR"
+SBOM_BASE_DISTRO_VENDOR ??= "debian"
+SBOM_DOCUMENT_UUID ?= ""
+
+# SPDX specific user variables
+SBOM_SPDX_NAMESPACE_PREFIX ?= "https://spdx.org/spdxdocs"
+
+DEPLOY_DIR_SBOM = "${DEPLOY_DIR_IMAGE}"
+
+SBOM_DIR = "${DEPLOY_DIR}/sbom"
+SBOM_CHROOT = "${SBOM_DIR}/sbom-chroot"
+
+# adapted from the isar-cip-core image_uuid.bbclass
+def generate_document_uuid(d):
+ import uuid
+
+ base_hash = d.getVar("BB_TASKHASH")
+ if base_hash is None:
+ bb.warn("no BB_TASKHASH available, SBOM UUID is not reproducible")
+ return uuid.uuid4()
+ return str(uuid.UUID(base_hash[:32], version=4))
+
+def sbom_doc_uuid(d):
+ if not d.getVar("SBOM_DOCUMENT_UUID"):
+ d.setVar("SBOM_DOCUMENT_UUID", generate_document_uuid(d))
+
+generate_sbom() {
+ sudo mkdir -p ${SBOM_CHROOT}/mnt/rootfs ${SBOM_CHROOT}/mnt/deploy-dir
+
+ TIMESTAMP=$(date --iso-8601=s -d @${SOURCE_DATE_EPOCH})
+ bwrap \
+ --unshare-user \
+ --unshare-pid \
+ --bind ${SBOM_CHROOT} / \
+ --bind ${ROOTFSDIR} /mnt/rootfs \
+ --bind ${DEPLOY_DIR_SBOM} /mnt/deploy-dir \
+ -- debsbom generate ${SBOM_DEBSBOM_TYPE_ARGS} -r /mnt/rootfs -o /mnt/deploy-dir/'${PN}-${DISTRO}-${MACHINE}' \
+ --distro-name '${SBOM_DISTRO_NAME}' --distro-supplier '${SBOM_DISTRO_SUPPLIER}' \
+ --distro-version '${SBOM_DISTRO_VERSION}' --base-distro-vendor '${SBOM_BASE_DISTRO_VENDOR}' \
+ --cdx-serialnumber '${SBOM_DOCUMENT_UUID}' \
+ --spdx-namespace '${SBOM_SPDX_NAMESPACE_PREFIX}'-'${SBOM_DOCUMENT_UUID}' \
+ --timestamp $TIMESTAMP
+}
+
+python do_generate_sbom() {
+ sbom_doc_uuid(d)
+ bb.build.exec_func("generate_sbom", d)
+}
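Review bot: generate_document_uuid() returns a uuid.UUID object on the fallback path (`return uuid.uuid4()`) but a str on the normal path (`return str(uuid.UUID(...))`), and sbom_doc_uuid() stores the result with d.setVar() for later expansion as `${SBOM_DOCUMENT_UUID}` inside the generate_sbom shell body, so the fallback should be `return str(uuid.uuid4())`. Two smaller points: TIMESTAMP is derived from `${SOURCE_DATE_EPOCH}` without checking that it is set (`date -d @` fails on an empty value), and naming a plain ROOTFS_POSTPROCESS_COMMAND function `do_generate_sbom` suggests an addtask'ed task that does not exist; a name in the style of the neighbouring `rootfs_postprocess_*` functions would be clearer.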
diff --git a/meta/classes/sdk.bbclass b/meta/classes/sdk.bbclass
index 46436d97..644b0623 100644
--- a/meta/classes/sdk.bbclass
+++ b/meta/classes/sdk.bbclass
@@ -55,7 +55,7 @@ def get_rootfs_distro(d):
ROOTFS_ARCH:class-sdk = "${HOST_ARCH}"
ROOTFS_DISTRO:class-sdk = "${@get_rootfs_distro(d)}"
ROOTFS_PACKAGES:class-sdk = "sdk-files ${SDK_TOOLCHAIN} ${SDK_PREINSTALL} ${@isar_multiarch_packages('SDK_INSTALL', d)}"
-ROOTFS_FEATURES:append:class-sdk = " clean-package-cache generate-manifest export-dpkg-status"
+ROOTFS_FEATURES:append:class-sdk = " clean-package-cache generate-manifest export-dpkg-status generate-sbom"
ROOTFS_MANIFEST_DEPLOY_DIR:class-sdk = "${DEPLOY_DIR_SDKCHROOT}"
ROOTFS_DPKGSTATUS_DEPLOY_DIR:class-sdk = "${DEPLOY_DIR_SDKCHROOT}"
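Review bot: ROOTFS_FEATURES:append:class-sdk now enables generate-sbom for the SDK, but sbom.bbclass sets DEPLOY_DIR_SBOM = "${DEPLOY_DIR_IMAGE}" unconditionally and names the output `${PN}-${DISTRO}-${MACHINE}`, so the SDK SBOM is written into the image deploy directory under the same name pattern as the image SBOM, whereas the manifest and dpkg-status lines directly below redirect the SDK artefacts to ${DEPLOY_DIR_SDKCHROOT}. Add a `DEPLOY_DIR_SBOM:class-sdk = "${DEPLOY_DIR_SDKCHROOT}"` override (or a distinct output name) so the SDK SBOM lands with the other SDK outputs and cannot overwrite the image one.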
diff --git a/meta/recipes-devtools/sbom-chroot/sbom-chroot.bb b/meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
new file mode 100644
index 00000000..a9afcbbe
--- /dev/null
+++ b/meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
@@ -0,0 +1,30 @@
+# This software is a part of ISAR.
+#
+# Copyright (C) 2025 Siemens
+
+LICENSE = "gpl-2.0"
+LIC_FILES_CHKSUM = "file://${LAYERDIR_core}/licenses/COPYING.GPLv2;md5=751419260aa954499f7abaabaa882bbe"
+
+PV = "1.0"
+
+inherit rootfs
+
+ROOTFS_ARCH = "${HOST_ARCH}"
+ROOTFS_DISTRO = "${HOST_DISTRO}"
+ROOTFS_BASE_DISTRO = "${HOST_BASE_DISTRO}"
+
+ROOTFS_FEATURES = "no-generate-initrd"
+
+# additional packages for the SBOM chroot
+SBOM_IMAGE_INSTALL = "python3-debsbom"
+
+DEPENDS = "python3-debsbom"
+
+ROOTFSDIR = "${WORKDIR}/rootfs"
+ROOTFS_PACKAGES = "${SBOM_IMAGE_INSTALL}"
+
+do_sbomchroot_deploy[dirs] = "${SBOM_DIR}"
+do_sbomchroot_deploy() {
+ ln -Tfsr "${ROOTFSDIR}" "${SBOM_CHROOT}"
+}
+addtask do_sbomchroot_deploy before do_build after do_rootfs
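Review bot: do_sbomchroot_deploy publishes a single symlink at ${SBOM_CHROOT} = ${DEPLOY_DIR}/sbom/sbom-chroot, a path that carries neither HOST_DISTRO nor HOST_ARCH, so multiconfig builds with different host distros overwrite each other's link, and the link dangles as soon as this recipe's WORKDIR rootfs is cleaned. Include the host distro/arch in SBOM_CHROOT and consider deploying the chroot through sstate (rootfs.bbclass already handles do_rootfs_install that way) instead of a symlink into WORKDIR; a short comment on why ROOTFS_FEATURES is hard-set to "no-generate-initrd" (it keeps generate-sbom out of the chroot's own build and so avoids a dependency loop through rootfs.bbclass) would also help.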
--
2.39.5
* [PATCH v2 4/4] override distro vendor in SBOM on Ubuntu
From: 'Christoph Steiger' via isar-users @ 2025-09-17 6:33 UTC (permalink / raw)
To: isar-users
Cc: jan.kiszka, felix.moessbauer, gernot.hillier, cedric.hombourger
From: Felix Moessbauer <felix.moessbauer@siemens.com>
When generating an SBOM for Ubuntu, the vendor component of the PURL
needs to be ubuntu (instead of debian). We now set it accordingly.
Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
meta-isar/conf/distro/ubuntu-common.inc | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta-isar/conf/distro/ubuntu-common.inc b/meta-isar/conf/distro/ubuntu-common.inc
index 88a3b4f0..3e930c14 100644
--- a/meta-isar/conf/distro/ubuntu-common.inc
+++ b/meta-isar/conf/distro/ubuntu-common.inc
@@ -45,3 +45,5 @@ SYSTEMD_BOOTLOADER_INSTALL:jammy = "systemd:${DISTRO_ARCH}"
# snapshot mirror for reproducible builds
DISTRO_APT_SNAPSHOT_PREMIRROR ??= "(http|https)://archive.ubuntu.com/(.*) https://snapshot.ubuntu.com/\2/${ISAR_APT_SNAPSHOT_DATE}\n"
+
+SBOM_BASE_DISTRO_VENDOR ?= "ubuntu"
--
2.39.5
* [PATCH v2 2/4] meta: package python3-debsbom
From: 'Christoph Steiger' via isar-users @ 2025-09-17 7:33 UTC (permalink / raw)
To: isar-users
Cc: jan.kiszka, felix.moessbauer, gernot.hillier, cedric.hombourger,
Christoph Steiger
Package the python tool debsbom for SBOM generation for Debian based
distributions.
Signed-off-by: Christoph Steiger <christoph.steiger@siemens.com>
---
...icense-description-in-pyproject.toml.patch | 28 ++++++++++++
.../python3-debsbom/files/rules | 8 ++++
.../python3-debsbom/python3-debsbom_0.0.1.bb | 44 +++++++++++++++++++
3 files changed, 80 insertions(+)
create mode 100644 meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch
create mode 100644 meta/recipes-support/python3-debsbom/files/rules
create mode 100644 meta/recipes-support/python3-debsbom/python3-debsbom_0.0.1.bb
diff --git a/meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch b/meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch
new file mode 100644
index 00000000..c9137e25
--- /dev/null
+++ b/meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch
@@ -0,0 +1,28 @@
+From 8f926ab0ed1585656ba7de80a82cc802c3ccbdbf Mon Sep 17 00:00:00 2001
+From: Christoph Steiger <christoph.steiger@siemens.com>
+Date: Mon, 8 Sep 2025 17:17:49 +0200
+Subject: [PATCH 1/1] Use old license description in pyproject.toml
+
+Older setuptools versions may require a different license field.
+
+Signed-off-by: Christoph Steiger <christoph.steiger@siemens.com>
+---
+ pyproject.toml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pyproject.toml b/pyproject.toml
+index cc34bdb..701da4a 100644
+--- a/pyproject.toml
++++ b/pyproject.toml
+@@ -22,7 +22,7 @@ maintainers = [
+ ]
+ description = "Generate SBOMs for Debian-based distributions."
+ readme = "README.md"
+-license = "MIT"
++license = {text = "MIT"}
+ classifiers = [
+ "Intended Audience :: Developers",
+ "Operating System :: POSIX :: Linux",
+--
+2.39.5
+
diff --git a/meta/recipes-support/python3-debsbom/files/rules b/meta/recipes-support/python3-debsbom/files/rules
new file mode 100644
index 00000000..a414114d
--- /dev/null
+++ b/meta/recipes-support/python3-debsbom/files/rules
@@ -0,0 +1,8 @@
+#!/usr/bin/make -f
+
+#export DH_VERBOSE = 1
+export PYBUILD_NAME = debsbom
+export PYBUILD_SYSTEM = pyproject
+
+%:
+ dh $@ --with python3 --buildsystem=pybuild
diff --git a/meta/recipes-support/python3-debsbom/python3-debsbom_0.0.1.bb b/meta/recipes-support/python3-debsbom/python3-debsbom_0.0.1.bb
new file mode 100644
index 00000000..6f88c185
--- /dev/null
+++ b/meta/recipes-support/python3-debsbom/python3-debsbom_0.0.1.bb
@@ -0,0 +1,44 @@
+# This software is a part of ISAR.
+# Copyright (c) Siemens, 2025
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+S = "${WORKDIR}/git"
+
+DEPENDS = "python3-spdx-tools"
+DEPENDS:append:bookworm = " python3-packageurl python3-cyclonedx-lib"
+DEPENDS:append:noble = " python3-packageurl python3-cyclonedx-lib"
+
+S = "${WORKDIR}/git"
+
+MAINTAINER = "Christoph Steiger <christoph.steiger@siemens.com>"
+DPKG_ARCH = "all"
+DEBIAN_BUILD_DEPENDS = "dh-python, \
+ python3-all, \
+ python3-setuptools, \
+ pybuild-plugin-pyproject, \
+ python3-packageurl, \
+ python3-cyclonedx-lib, \
+ python3-spdx-tools, \
+ python3-debian, \
+ python3-requests, \
+ "
+
+DEBIAN_DEPENDS = "\${python3:Depends}, \${misc:Depends}"
+
+DESCRIPTION = "debsbom generates SBOMs for Debian based distributions."
+
+SRC_URI = "git://github.com/siemens/debsbom.git;protocol=https;branch=main; \
+ file://rules \
+ file://0001-Use-old-license-description-in-pyproject.toml.patch \
+ "
+SRCREV = "c9f0a028fec9c11ab6978ad27d5bed8c12bb8e53"
+
+do_prepare_build[cleandirs] += "${S}/debian"
+do_prepare_build() {
+ deb_debianize
+}
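Review bot: `S = "${WORKDIR}/git"` is assigned twice (once before the DEPENDS block and again after it); drop one. The git SRC_URI also carries a stray trailing semicolon after `branch=main` that should be removed, and the reply from Zhihang Wei later in this thread reports that SRCREV c9f0a028fec9c11ab6978ad27d5bed8c12bb8e53 predates the debsbom fix for packages without an `Origin` field, so bumping SRCREV here is what addresses that CI failure.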
--
2.39.5
* Re: [PATCH v2 0/4] Add SBOM generation with debsbom
From: Zhihang Wei @ 2025-10-20 8:44 UTC (permalink / raw)
To: Christoph Steiger, isar-users
Cc: jan.kiszka, felix.moessbauer, gernot.hillier, cedric.hombourger
Hello,
When testing this patch set on full CI, the following test failed:
- citest.py:ReproTest.test_repro_signed
Error log follows:
[stdlog] 2025-10-07 12:02:43,784 avocado.app cibuilder L0322 ERROR|
ERROR: mc:qemuarm64-bookworm:isar-image-base-1.0-r0
do_rootfs_postprocess:
ExecutionError('/build/isar_wzh_devel_2/8/build/tmp/work/debian-bookworm-arm64/isar-image-base-qemuarm64/1.0-r0/temp/run.generate_sbom.2562126',
255, None, None)
[stdlog] 2025-10-07 12:02:43,788 avocado.app cibuilder L0322 ERROR|
ERROR: Logfile of failure stored in:
/build/isar_wzh_devel_2/8/build/tmp/work/debian-bookworm-arm64/isar-image-base-qemuarm64/1.0-r0/temp/log.do_rootfs_postprocess.2562126
[stdlog] 2025-10-07 12:02:43,788 avocado.test cibuilder L0320 INFO | Log
data follows:
[stdlog] 2025-10-07 12:02:43,789 avocado.app cibuilder L0322 ERROR|
ERROR: Task
(mc:qemuarm64-bookworm:/build/isar_wzh_devel_2/8/meta-isar/recipes-core/images/isar-image-base.bb:do_rootfs_postprocess)
failed with exit code '1'
[stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | |
DEBUG: Executing python function do_rootfs_postprocess
[stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | |
DEBUG: Executing shell function rootfs_do_mounts
[stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | |
DEBUG: Shell function rootfs_do_mounts finished
[stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | |
DEBUG: Executing shell function rootfs_do_qemu
[stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | |
DEBUG: Shell function rootfs_do_qemu finished
[stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | |
DEBUG: Executing shell function image_posprocess_disable_systemd_firstboot
[stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | | Created symlink /etc/systemd/system/systemd-firstboot.service -> /dev/null.
[stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | | DEBUG: Shell function image_posprocess_disable_systemd_firstboot finished
[stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | | DEBUG: Executing shell function image_postprocess_sshd_key_regen
[stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | | find: '/build/isar_wzh_devel_2/8/build/tmp/work/debian-bookworm-arm64/isar-image-base-qemuarm64/1.0-r0/rootfs/etc/ssh/': No such file or directory
[stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | | DEBUG: Shell function image_postprocess_sshd_key_regen finished
[stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | | DEBUG: Executing shell function image_postprocess_machine_id
[stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | | uninitialized
[stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | | DEBUG: Shell function image_postprocess_machine_id finished
[stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | | DEBUG: Executing shell function image_postprocess_mark
[stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | | WARNING: You are using external layers that will not be considered in the build_id. Consider changing ISAR_RELEASE_CMD.
[stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | | BUILD_ID="v0.11-79-g7dcbb204"
[stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | | VARIANT="Isar target filesystem"
[stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | | VARIANT_VERSION="1.0"
[stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | | DEBUG: Shell function image_postprocess_mark finished
[stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | | DEBUG: Executing shell function image_postprocess_configure
[stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | | DEBUG: Shell function image_postprocess_configure finished
[stdlog] 2025-10-07 12:02:43,812 avocado.test cibuilder L0320 INFO | | DEBUG: Executing python function do_generate_sbom
[stdlog] 2025-10-07 12:02:43,812 avocado.test cibuilder L0320 INFO | | DEBUG: Executing shell function generate_sbom
[stdlog] 2025-10-07 12:02:43,812 avocado.test cibuilder L0320 INFO | | ERROR:debsbom.cli:'Origin'
[stdlog] 2025-10-07 12:02:43,812 avocado.test cibuilder L0320 INFO | | debsbom: error: 'Origin'
[stdlog] 2025-10-07 12:02:43,812 avocado.test cibuilder L0320 INFO | | WARNING: exit code 255 from a shell command.
[stdlog] 2025-10-07 12:02:43,812 avocado.test cibuilder L0320 INFO | | DEBUG: Python function do_generate_sbom finished
[stdlog] 2025-10-07 12:02:43,812 avocado.test cibuilder L0320 INFO | | DEBUG: Executing shell function rootfs_do_umounts
[stdlog] 2025-10-07 12:02:43,812 avocado.test cibuilder L0320 INFO | | DEBUG: Shell function rootfs_do_umounts finished
[stdlog] 2025-10-07 12:02:43,812 avocado.test cibuilder L0320 INFO | | DEBUG: Python function do_rootfs_postprocess finished
[stdlog] 2025-10-07 12:02:43,812 avocado.test cibuilder L0320 INFO | NOTE: recipe isar-image-base-1.0-r0: task do_rootfs_postprocess: Failed
I think it is complaining about some packages that do not have the optional
"Origin" field. This has been fixed in the debsbom repo with
034fc6af775a796cd67f5e4bfca013e99f7b8a5f, but your python-sbom recipe
pulls an earlier version which does not contain this patch.
You can redo the test on your machine using avocado:
1. Have a clean clone of isar, checkout to branch next and apply your
patches:
$ git clone -b next https://github.com/ilbers/isar.git
$ cd isar
$ git am /path-to/0001-my-contribution-to-isar.patch
2. Run kas shell, set up CI prerequisites (avocado, qemu) and clean up:
$ ./kas/kas-container shell kas/isar.yaml --command \
"rm -rf /work/build/conf && /work/scripts/ci_setup.sh"
3. Run the failed test:
$ cd /work/testsuite
$ avocado run citest.py:ReproTest.test_repro_signed
Best regards,
Zhihang
On 9/17/25 08:33, 'Christoph Steiger' via isar-users wrote:
> This patchset adds proper SBOM generation in the two standard formats
> SPDX and CycloneDX during the rootfs generation process.
>
> The generation itself is handled by an SBOM generator `debsbom` [1]
> which is developed as an open source project at Siemens. It is still
> early in development, but it has enough features for what we require
> in isar. The required dependencies which are not yet available as
> Debian packages were minimally packaged directly in isar too.
>
> This is a followup of the previous RFC [2]. Since then the series has
> changed a lot. The SBOM generation was moved from a simple OE lib to
> `debsbom`. This also meant the introduction of a separate chroot was
> necessary. The SBOM generation process was also moved from the image
> step to the rootfs step, along with a lot of minor changes and
> improvements.
>
> [1] https://github.com/siemens/debsbom
> [2] https://groups.google.com/g/isar-users/c/8L-CF4BJY0I/m/p0N3o_zfAAAJ
>
> Changes since v1:
>
> - remove tarball
> - refactor packaging (auto-derive python dependencies)
> - only build missing packages (varies on bookworm, trixie, noble)
> - add ubuntu support
> - only generate sboms for supported distributions (bookworm/jammy and
> onwards)
> - update debsbom (includes bug fixes and more information for source
> packages)
>
> Christoph Steiger (3):
> meta: package python libraries for SBOM generation
> meta: package python3-debsbom
> meta: add SBOM generation with debsbom
>
> Felix Moessbauer (1):
> override distro vendor in SBOM on Ubuntu
>
> meta-isar/conf/distro/ubuntu-common.inc | 2 +
> meta/classes/image.bbclass | 8 ++-
> meta/classes/rootfs.bbclass | 7 ++-
> meta/classes/sbom.bbclass | 62 +++++++++++++++++++
> meta/classes/sdk.bbclass | 2 +-
> .../sbom-chroot/sbom-chroot.bb | 30 +++++++++
> .../python3-beartype/files/rules | 8 +++
> .../python3-beartype_0.19.0.bb | 29 +++++++++
> .../files/pybuild.testfiles | 1 +
> .../python3-cyclonedx-lib/files/rules | 8 +++
> .../python3-cyclonedx-lib_9.1.0.bb | 48 ++++++++++++++
> ...icense-description-in-pyproject.toml.patch | 28 +++++++++
> .../python3-debsbom/files/rules | 8 +++
> .../python3-debsbom/python3-debsbom_0.0.1.bb | 44 +++++++++++++
> .../python3-packageurl/files/rules | 8 +++
> .../python3-packageurl_0.16.0.bb | 33 ++++++++++
> .../python3-py-serializable/files/rules | 8 +++
> .../python3-py-serializable_2.0.0.bb | 38 ++++++++++++
> .../python3-spdx-tools/files/rules | 25 ++++++++
> .../python3-spdx-tools_0.8.3.bb | 46 ++++++++++++++
> 20 files changed, 440 insertions(+), 3 deletions(-)
> create mode 100644 meta/classes/sbom.bbclass
> create mode 100644 meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
> create mode 100644 meta/recipes-support/python3-beartype/files/rules
> create mode 100644 meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb
> create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/pybuild.testfiles
> create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/rules
> create mode 100644 meta/recipes-support/python3-cyclonedx-lib/python3-cyclonedx-lib_9.1.0.bb
> create mode 100644 meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch
> create mode 100644 meta/recipes-support/python3-debsbom/files/rules
> create mode 100644 meta/recipes-support/python3-debsbom/python3-debsbom_0.0.1.bb
> create mode 100644 meta/recipes-support/python3-packageurl/files/rules
> create mode 100644 meta/recipes-support/python3-packageurl/python3-packageurl_0.16.0.bb
> create mode 100644 meta/recipes-support/python3-py-serializable/files/rules
> create mode 100644 meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb
> create mode 100644 meta/recipes-support/python3-spdx-tools/files/rules
> create mode 100644 meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb
>
--
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/e8579e77-f714-4611-89cd-d67fb68dc5cd%40ilbers.de.
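Zhihang's diagnosis above (a crash on the optional "Origin" field of a package stanza) is the classic SBOM generator failure mode: one missing optional control field aborts the whole run, and an image ships without any SBOM. The block below is an added illustration, not debsbom's code and not a claim about where debsbom looked the field up. It parses a constructed dpkg status excerpt in deb822 form and contrasts a strict lookup, which fails with the same `KeyError('Origin')` shape seen in the CI log, with a tolerant one that records an explicit placeholder so the gap stays visible in the output. The package names, versions and maintainer strings are made up for the example.

```python
"""Tolerant parsing of deb822 stanzas when the optional Origin field is absent.

Added illustration for the 'Origin' failure diagnosed in the thread; this is
not debsbom's code. The dpkg status excerpt below is constructed for this
example.
"""
from typing import Dict, Iterator, List

# Constructed sample: the first stanza carries Origin, the second (a locally
# built package) does not, which is allowed because Origin is optional.
SAMPLE_STATUS = """\
Package: libc6
Status: install ok installed
Priority: required
Section: libs
Maintainer: GNU Libc Maintainers <debian-glibc@lists.debian.org>
Architecture: arm64
Source: glibc
Version: 2.36-9+deb12u10
Origin: Debian
Description: GNU C Library: Shared libraries
 Contains the standard libraries that are used by nearly all programs.

Package: my-vendor-tool
Status: install ok installed
Priority: optional
Section: misc
Maintainer: Example Vendor <noreply@example.invalid>
Architecture: arm64
Version: 1.0-1
Description: Locally built package that ships without an Origin field
"""


def parse_deb822(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per blank-line separated stanza.

    Continuation lines (leading space or tab) are folded into the value of
    the preceding field; the first ':' separates field name from value, so
    colons inside values (as in the Description above) are preserved.
    """
    stanza: Dict[str, str] = {}
    last_key = None
    for line in text.splitlines():
        if not line.strip():
            if stanza:
                yield stanza
            stanza, last_key = {}, None
            continue
        if line[0] in " \t" and last_key is not None:
            stanza[last_key] += "\n" + line.strip()
            continue
        key, _, value = line.partition(":")
        last_key = key.strip()
        stanza[last_key] = value.strip()
    if stanza:
        yield stanza


def origins_strict(text: str) -> List[str]:
    """Mandatory-field lookup: raises KeyError('Origin') on the second stanza,
    the same shape as the "debsbom: error: 'Origin'" line in the CI log."""
    return [pkg["Origin"] for pkg in parse_deb822(text)]


def origins_tolerant(text: str, placeholder: str = "unknown") -> List[str]:
    """Treat Origin as optional and record an explicit placeholder, so the gap
    stays visible in the SBOM instead of aborting the whole generation."""
    return [pkg.get("Origin", placeholder) for pkg in parse_deb822(text)]


def missing_field(text: str) -> str:
    """Run the strict lookup and report the field it trips over ('' if none)."""
    try:
        origins_strict(text)
    except KeyError as exc:
        return str(exc.args[0])
    return ""


if __name__ == "__main__":
    for pkg, origin in zip(parse_deb822(SAMPLE_STATUS), origins_tolerant(SAMPLE_STATUS)):
        print(f"{pkg['Package']:<16} origin={origin}")
```

The placeholder is deliberate: silently dropping the field would hide that provenance is unknown for that package, while aborting hides every other package too. A reviewer of the generated SBOM can grep for the placeholder and decide whether "unknown" origin is acceptable for that image.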
* Re: [PATCH v2 0/4] Add SBOM generation with debsbom
2025-10-20 8:44 ` [PATCH v2 0/4] Add SBOM generation with debsbom Zhihang Wei
@ 2025-10-20 10:16 ` 'MOESSBAUER, Felix' via isar-users
0 siblings, 0 replies; 7+ messages in thread
From: 'MOESSBAUER, Felix' via isar-users @ 2025-10-20 10:16 UTC (permalink / raw)
To: Steiger, Christoph, isar-users, wzh
Cc: Kiszka, Jan, cedric.hombourger, Hillier, Gernot
On Mon, 2025-10-20 at 10:44 +0200, Zhihang Wei wrote:
> Hello,
>
> When testing this patch set on full CI, the following test failed:
> - citest.py:ReproTest.test_repro_signed
>
> Error log follows:
> [stdlog] 2025-10-07 12:02:43,784 avocado.app cibuilder L0322 ERROR| ERROR: mc:qemuarm64-bookworm:isar-image-base-1.0-r0 do_rootfs_postprocess: ExecutionError('/build/isar_wzh_devel_2/8/build/tmp/work/debian-bookworm-arm64/isar-image-base-qemuarm64/1.0-r0/temp/run.generate_sbom.2562126', 255, None, None)
> [stdlog] 2025-10-07 12:02:43,788 avocado.app cibuilder L0322 ERROR| ERROR: Logfile of failure stored in: /build/isar_wzh_devel_2/8/build/tmp/work/debian-bookworm-arm64/isar-image-base-qemuarm64/1.0-r0/temp/log.do_rootfs_postprocess.2562126
>
> [stdlog] 2025-10-07 12:02:43,788 avocado.test cibuilder L0320 INFO | Log data follows:
> [stdlog] 2025-10-07 12:02:43,789 avocado.app cibuilder L0322 ERROR| ERROR: Task (mc:qemuarm64-bookworm:/build/isar_wzh_devel_2/8/meta-isar/recipes-core/images/isar-image-base.bb:do_rootfs_postprocess) failed with exit code '1'
> [stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | | DEBUG: Executing python function do_rootfs_postprocess
> [stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | | DEBUG: Executing shell function rootfs_do_mounts
> [stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | | DEBUG: Shell function rootfs_do_mounts finished
> [stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | | DEBUG: Executing shell function rootfs_do_qemu
> [stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | | DEBUG: Shell function rootfs_do_qemu finished
> [stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | | DEBUG: Executing shell function image_posprocess_disable_systemd_firstboot
> [stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | | Created symlink /etc/systemd/system/systemd-firstboot.service -> /dev/null.
> [stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | | DEBUG: Shell function image_posprocess_disable_systemd_firstboot finished
> [stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | | DEBUG: Executing shell function image_postprocess_sshd_key_regen
> [stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | | find: '/build/isar_wzh_devel_2/8/build/tmp/work/debian-bookworm-arm64/isar-image-base-qemuarm64/1.0-r0/rootfs/etc/ssh/': No such file or directory
> [stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | | DEBUG: Shell function image_postprocess_sshd_key_regen finished
> [stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | | DEBUG: Executing shell function image_postprocess_machine_id
> [stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | | uninitialized
> [stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | | DEBUG: Shell function image_postprocess_machine_id finished
> [stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | | DEBUG: Executing shell function image_postprocess_mark
> [stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | | WARNING: You are using external layers that will not be considered in the build_id. Consider changing ISAR_RELEASE_CMD.
> [stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | | BUILD_ID="v0.11-79-g7dcbb204"
> [stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | | VARIANT="Isar target filesystem"
> [stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | | VARIANT_VERSION="1.0"
> [stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | | DEBUG: Shell function image_postprocess_mark finished
> [stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | | DEBUG: Executing shell function image_postprocess_configure
> [stdlog] 2025-10-07 12:02:43,811 avocado.test cibuilder L0320 INFO | | DEBUG: Shell function image_postprocess_configure finished
> [stdlog] 2025-10-07 12:02:43,812 avocado.test cibuilder L0320 INFO | | DEBUG: Executing python function do_generate_sbom
> [stdlog] 2025-10-07 12:02:43,812 avocado.test cibuilder L0320 INFO | | DEBUG: Executing shell function generate_sbom
> [stdlog] 2025-10-07 12:02:43,812 avocado.test cibuilder L0320 INFO | | ERROR:debsbom.cli:'Origin'
> [stdlog] 2025-10-07 12:02:43,812 avocado.test cibuilder L0320 INFO | | debsbom: error: 'Origin'
> [stdlog] 2025-10-07 12:02:43,812 avocado.test cibuilder L0320 INFO | | WARNING: exit code 255 from a shell command.
> [stdlog] 2025-10-07 12:02:43,812 avocado.test cibuilder L0320 INFO | | DEBUG: Python function do_generate_sbom finished
> [stdlog] 2025-10-07 12:02:43,812 avocado.test cibuilder L0320 INFO | | DEBUG: Executing shell function rootfs_do_umounts
> [stdlog] 2025-10-07 12:02:43,812 avocado.test cibuilder L0320 INFO | | DEBUG: Shell function rootfs_do_umounts finished
> [stdlog] 2025-10-07 12:02:43,812 avocado.test cibuilder L0320 INFO | | DEBUG: Python function do_rootfs_postprocess finished
> [stdlog] 2025-10-07 12:02:43,812 avocado.test cibuilder L0320 INFO | NOTE: recipe isar-image-base-1.0-r0: task do_rootfs_postprocess: Failed
>
> I think it is complaining about some packages that do not have the optional
> "Origin" field. This has been fixed in the debsbom repo with
> 034fc6af775a796cd67f5e4bfca013e99f7b8a5f, but your python-sbom recipe
> pulls an earlier version which does not contain this patch.
Hi, thanks for testing this. I noticed another bug on HOST_ARCH !=
DISTRO_ARCH when creating a derived distro (e.g. in isar-cip-core). All
these will be fixed in a v3. We plan to cut a v0.3 release this week
and then send out a patch series with the fixes.
By then, we will also have "merging" support in the sbom tooling to
merge the SBOMs of the initrd, imaging and rootfs into a uniform
document. This should finally solve the issue of missing dependencies
in the BOM.
>
> You can redo the test on your machine using avocado:
> 1. Have a clean clone of isar, checkout to branch next and apply your
> patches:
> $ git clone -b next https://github.com/ilbers/isar.git
> $ cd isar
> $ git am /path-to/0001-my-contribution-to-isar.patch
> 2. Run kas shell, set up CI prerequisites (avocado, qemu) and clean up:
>
> $ ./kas/kas-container shell kas/isar.yaml --command \
> "rm -rf /work/build/conf && /work/scripts/ci_setup.sh"
> 3. Run the failed test:
> $ cd /work/testsuite
> $ avocado run citest.py:ReproTest.test_repro_signed
Many thanks, that helps a lot. Maybe this could also be added to the
contributing guide (if not already) as some of these steps were not
obvious for me.
Best regards,
Felix
>
> Best regards,
> Zhihang
--
Siemens AG
Linux Expert Center
Friedrich-Ludwig-Bauer-Str. 3
85748 Garching, Germany
--
To view this discussion visit https://groups.google.com/d/msgid/isar-users/ad7c6e06fc9b6524768a23c2e3d4c4c1df1615eb.camel%40siemens.com.
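Felix's reply above describes planned "merging" support that folds the initrd, imaging and rootfs SBOMs into one document so that dependencies recorded in one step are not missing from the final BOM. The block below is an added illustration of that idea in plain Python over CycloneDX 1.5 JSON dicts; it is not debsbom's implementation and makes no claim about debsbom's merge semantics. It deduplicates components by package URL (purl), takes the union of dependency edges, and rejects two conflicting entries for one purl or an edge pointing at a component nobody declared, since a merge that quietly drops or mislabels a package defeats the point of the SBOM. The three input documents, package names and versions are constructed for the example.

```python
"""Merge several CycloneDX JSON SBOMs (initrd, imaging, rootfs) into one.

Added illustration of the merging idea from the thread; it is not debsbom's
implementation. Works on plain CycloneDX 1.5 JSON dicts keyed by purl. All
input documents below are constructed, with made-up versions.
"""
import json
from typing import Dict, List, Set


def _deb(name: str, version: str, arch: str = "arm64") -> Dict:
    """Minimal CycloneDX component for a Debian binary package (constructed)."""
    purl = f"pkg:deb/debian/{name}@{version}?arch={arch}"
    return {"type": "library", "name": name, "version": version,
            "purl": purl, "bom-ref": purl}


def _bom(name: str, components: List[Dict], deps: Dict[str, List[str]]) -> Dict:
    """Minimal CycloneDX 1.5 JSON document describing one build artefact."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {"type": "operating-system",
                                   "name": name, "bom-ref": name}},
        "components": components,
        "dependencies": [{"ref": r, "dependsOn": d} for r, d in deps.items()],
    }


LIBC = _deb("libc6", "2.36-9")
LIBSSL = _deb("libssl3", "3.0.17-1")
OPENSSH = _deb("openssh-server", "9.2p1-2")
BUSYBOX = _deb("busybox", "1.35.0-4")
UBOOT = _deb("u-boot-tools", "2023.01-2")

# Constructed per-step SBOMs: libc6 appears in all three, libssl3 in two.
ROOTFS_BOM = _bom("rootfs", [LIBC, LIBSSL, OPENSSH],
                  {OPENSSH["purl"]: [LIBC["purl"], LIBSSL["purl"]],
                   LIBSSL["purl"]: [LIBC["purl"]]})
INITRD_BOM = _bom("initrd", [LIBC, BUSYBOX],
                  {BUSYBOX["purl"]: [LIBC["purl"]]})
IMAGING_BOM = _bom("imaging", [LIBC, LIBSSL, UBOOT],
                   {UBOOT["purl"]: [LIBC["purl"], LIBSSL["purl"]]})


def merge_cyclonedx(boms: List[Dict], name: str) -> Dict:
    """Union of components (keyed by purl) and of dependency edges.

    Two different entries for the same purl, or a dependency ref that resolves
    to no component, raise instead of silently yielding an incomplete SBOM.
    """
    comps: Dict[str, Dict] = {}
    edges: Dict[str, Set[str]] = {}
    for bom in boms:
        if bom.get("bomFormat") != "CycloneDX":
            raise ValueError("not a CycloneDX document")
        for comp in bom.get("components", []):
            key = comp["purl"]
            if key in comps and comps[key] != comp:
                raise ValueError(f"conflicting entries for {key}")
            comps[key] = comp
        for dep in bom.get("dependencies", []):
            edges.setdefault(dep["ref"], set()).update(dep.get("dependsOn", []))
    referenced = set(edges) | {d for ds in edges.values() for d in ds}
    dangling = referenced - set(comps)
    if dangling:
        raise ValueError(f"dependency refs without a component: {sorted(dangling)}")
    return _bom(name, [comps[k] for k in sorted(comps)],
                {ref: sorted(edges[ref]) for ref in sorted(edges)})


def merged_image_bom() -> Dict:
    """The three constructed step SBOMs merged into one image-level document."""
    return merge_cyclonedx([ROOTFS_BOM, INITRD_BOM, IMAGING_BOM], "isar-image-base")


def component_purls(bom: Dict) -> List[str]:
    return [c["purl"] for c in bom["components"]]


def depends_on(bom: Dict, ref: str) -> List[str]:
    return next((d["dependsOn"] for d in bom["dependencies"] if d["ref"] == ref), [])


def merge_rejects_conflict() -> bool:
    """Same purl but different content (here an added hash) must be rejected."""
    altered = dict(LIBC, hashes=[{"alg": "SHA-256", "content": "00" * 32}])
    try:
        merge_cyclonedx([ROOTFS_BOM, _bom("other", [altered], {})], "x")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(merged_image_bom(), indent=2))
```

Keying on the purl rather than on the package name is what makes the dedup safe: the same source package can be present at two versions across initrd and rootfs, and those must stay as two components. The conflict check is strict on purpose; if two steps describe the same purl differently, a human should look rather than the merge picking one.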