[PATCH v2 0/2] Make SBOM naming more robust against downstream changes

[PATCH v2 0/2] Make SBOM naming more robust against downstream changes

['Felix Moessbauer' via isar-users]

The related inconsistencies have been found on isar-cip-core tests
(kas-cip.yml:kas/board/x86-uefi.yml:kas/opt/rt.yml:kas/opt/test.yml:kas/opt/trixie.yml)
where the IMAGE_FULLNAME variable is changed and no longer equal to
ROOTFS_PACKAGE_SUFFIX. Without the patches, the respective CIP variant cannot be built.

This patch should go into the v1.0 release, as it is critical for isar-cip-core
(rc-1 fails on CIP).

Changes since v1:

- rebased onto next
- adjusted test case to new (consistent) naming
- no code changes

Best regards,
Felix

Felix Moessbauer (2):
  sbom: derive rootfs sbom name from ROOTFS_PACKAGE_SUFFIX
  sbom: use ROOTFS_PACKAGE_SUFFIX on merging

 meta/classes-recipe/imagetypes_wic.bbclass | 2 +-
 meta/classes/sbom.bbclass                  | 2 +-
 testsuite/cibase.py                        | 6 +++---
 3 files changed, 5 insertions(+), 5 deletions(-)

-- 
2.53.0

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20260331073856.1281781-1-felix.moessbauer%40siemens.com.

[PATCH v2 1/2] sbom: derive rootfs sbom name from ROOTFS_PACKAGE_SUFFIX

['Felix Moessbauer' via isar-users]

Previously we open coded the name of the rootfs image, however this
breaks in case the name is changed in a downstream layer. We now
directly use the ROOTFS_PACKAGE_SUFFIX variable.

By that, we also adjust the sbom test, as SBOMs generated for non image
rootfs have a different ROOTFS_PACKAGE_SUFFIX.

Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
 meta/classes/sbom.bbclass | 2 +-
 testsuite/cibase.py       | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/meta/classes/sbom.bbclass b/meta/classes/sbom.bbclass
index caab3f24..10a99f37 100644
--- a/meta/classes/sbom.bbclass
+++ b/meta/classes/sbom.bbclass
@@ -50,7 +50,7 @@ generate_sbom() {
         --bind ${SBOM_CHROOT} / \
         --bind ${ROOTFSDIR} /mnt/rootfs \
         --bind ${DEPLOY_DIR_SBOM} /mnt/deploy-dir \
-        -- debsbom -v generate ${SBOM_DEBSBOM_TYPE_ARGS} -r /mnt/rootfs -o /mnt/deploy-dir/'${PN}-${DISTRO}-${MACHINE}' \
+        -- debsbom -v generate ${SBOM_DEBSBOM_TYPE_ARGS} -r /mnt/rootfs -o /mnt/deploy-dir/'${ROOTFS_PACKAGE_SUFFIX}' \
             --distro-name '${SBOM_DISTRO_NAME}' --distro-supplier '${SBOM_DISTRO_SUPPLIER}' \
             --distro-version '${SBOM_DISTRO_VERSION}' --distro-arch '${DISTRO_ARCH}' \
             --base-distro-vendor '${SBOM_BASE_DISTRO_VENDOR}' \
diff --git a/testsuite/cibase.py b/testsuite/cibase.py
index fd6a3df9..3205b4be 100755
--- a/testsuite/cibase.py
+++ b/testsuite/cibase.py
@@ -154,11 +154,11 @@ class CIBaseTest(CIBuilder):
         )
 
         for t in targets:
-            ds, pn, distro, machine = \
-                CIUtils.getVars('DEPLOY_DIR_SBOM', 'PN', 'DISTRO', 'MACHINE',
+            ds, rootfs_name = \
+                CIUtils.getVars('DEPLOY_DIR_SBOM', 'ROOTFS_PACKAGE_SUFFIX',
                                 target=t)
             for t in ["cdx", "spdx"]:
-                sbom_path = os.path.join(ds, f'{pn}-{distro}-{machine}.{t}.json')
+                sbom_path = os.path.join(ds, f'{rootfs_name}.{t}.json')
                 self.log.info(f"Check {t} SBOM in {sbom_path}")
                 with open(sbom_path) as f:
                     sbom = json.load(f)
-- 
2.53.0

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20260331073856.1281781-2-felix.moessbauer%40siemens.com.

[PATCH v2 2/2] sbom: use ROOTFS_PACKAGE_SUFFIX on merging

['Felix Moessbauer' via isar-users]

Previously we used the IMAGE_FULLNAME, which is normally identical with
the ROOTFS_PACKAGE_SUFFIX. However some downstream layers like cip
append to the IMAGE_FULLNAME variable while keeping the
ROOTFS_PACKAGE_SUFFIX as is. This breaks the sbom merging, as rootfs
SBOM is created under the ROOTFS_PACKAGE_SUFFIX name.

Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
 meta/classes-recipe/imagetypes_wic.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes-recipe/imagetypes_wic.bbclass b/meta/classes-recipe/imagetypes_wic.bbclass
index f31ea61f..daa6f867 100644
--- a/meta/classes-recipe/imagetypes_wic.bbclass
+++ b/meta/classes-recipe/imagetypes_wic.bbclass
@@ -219,7 +219,7 @@ merge_wic_sbom() {
     INITRAMFS_FULLNAME="${@ d.getVar('INITRD_DEPLOY_FILE').removesuffix('-initrd.img') }"
     sbom_document_uuid="${@d.getVar('SBOM_DOCUMENT_UUID') or generate_document_uuid(d, False)}"
 
-    cat ${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.$BOMTYPE.json \
+    cat ${DEPLOY_DIR_IMAGE}/${ROOTFS_PACKAGE_SUFFIX}.$BOMTYPE.json \
         ${@ '${DEPLOY_DIR_IMAGE}/$INITRAMFS_FULLNAME.$BOMTYPE.json' if d.getVar('IMAGE_INITRD') else '' } \
         ${WORKDIR}/imager.$BOMTYPE.json 2>/dev/null | \
     bwrap \
-- 
2.53.0

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20260331073856.1281781-3-felix.moessbauer%40siemens.com.

Re: [PATCH v2 0/2] Make SBOM naming more robust against downstream changes

[Zhihang Wei]

On 3/31/26 09:38, Felix Moessbauer wrote:
> The related inconsistencies have been found on isar-cip-core tests
> (kas-cip.yml:kas/board/x86-uefi.yml:kas/opt/rt.yml:kas/opt/test.yml:kas/opt/trixie.yml)
> where the IMAGE_FULLNAME variable is changed and no longer equal to
> ROOTFS_PACKAGE_SUFFIX. Without the patches, the respective CIP variant cannot be built.
>
> This patch should go into the v1.0 release, as it is critical for isar-cip-core
> (rc-1 fails on CIP).
Noted. On CI now.

Zhihang
> Changes since v1:
>
> - rebased onto next
> - adjusted test case to new (consistent) naming
> - no code changes
>
> Best regards,
> Felix
>
> Felix Moessbauer (2):
>    sbom: derive rootfs sbom name from ROOTFS_PACKAGE_SUFFIX
>    sbom: use ROOTFS_PACKAGE_SUFFIX on merging
>
>   meta/classes-recipe/imagetypes_wic.bbclass | 2 +-
>   meta/classes/sbom.bbclass                  | 2 +-
>   testsuite/cibase.py                        | 6 +++---
>   3 files changed, 5 insertions(+), 5 deletions(-)
>

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/ea63e775-081c-4be6-843c-d93999e5d7e7%40ilbers.de.

Re: [PATCH v2 0/2] Make SBOM naming more robust against downstream changes

[Zhihang Wei]

On 3/31/26 09:40, Zhihang Wei wrote:
>
>
> On 3/31/26 09:38, Felix Moessbauer wrote:
>> The related inconsistencies have been found on isar-cip-core tests
>> (kas-cip.yml:kas/board/x86-uefi.yml:kas/opt/rt.yml:kas/opt/test.yml:kas/opt/trixie.yml) 
>>
>> where the IMAGE_FULLNAME variable is changed and no longer equal to
>> ROOTFS_PACKAGE_SUFFIX. Without the patches, the respective CIP 
>> variant cannot be built.
>>
>> This patch should go into the v1.0 release, as it is critical for 
>> isar-cip-core
>> (rc-1 fails on CIP).
> Noted. On CI now.
>
> Zhihang
Passed with CI, will be merged soon.

Zhihang
>> Changes since v1:
>>
>> - rebased onto next
>> - adjusted test case to new (consistent) naming
>> - no code changes
>>
>> Best regards,
>> Felix
>>
>> Felix Moessbauer (2):
>>    sbom: derive rootfs sbom name from ROOTFS_PACKAGE_SUFFIX
>>    sbom: use ROOTFS_PACKAGE_SUFFIX on merging
>>
>>   meta/classes-recipe/imagetypes_wic.bbclass | 2 +-
>>   meta/classes/sbom.bbclass                  | 2 +-
>>   testsuite/cibase.py                        | 6 +++---
>>   3 files changed, 5 insertions(+), 5 deletions(-)
>>
>

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/9ce4debc-0826-40cd-aab3-520f7399d25c%40ilbers.de.

Re: [PATCH v2 0/2] Make SBOM naming more robust against downstream changes

[Zhihang Wei]

Applied to next, thanks.

Zhihang

On 3/31/26 09:38, Felix Moessbauer wrote:
> The related inconsistencies have been found on isar-cip-core tests
> (kas-cip.yml:kas/board/x86-uefi.yml:kas/opt/rt.yml:kas/opt/test.yml:kas/opt/trixie.yml)
> where the IMAGE_FULLNAME variable is changed and no longer equal to
> ROOTFS_PACKAGE_SUFFIX. Without the patches, the respective CIP variant cannot be built.
>
> This patch should go into the v1.0 release, as it is critical for isar-cip-core
> (rc-1 fails on CIP).
>
> Changes since v1:
>
> - rebased onto next
> - adjusted test case to new (consistent) naming
> - no code changes
>
> Best regards,
> Felix
>
> Felix Moessbauer (2):
>    sbom: derive rootfs sbom name from ROOTFS_PACKAGE_SUFFIX
>    sbom: use ROOTFS_PACKAGE_SUFFIX on merging
>
>   meta/classes-recipe/imagetypes_wic.bbclass | 2 +-
>   meta/classes/sbom.bbclass                  | 2 +-
>   testsuite/cibase.py                        | 6 +++---
>   3 files changed, 5 insertions(+), 5 deletions(-)
>

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/d3d2429f-bdf6-4f21-94e9-2be90b2988ca%40ilbers.de.