Message-ID: <20250220095944.114203-1-felix.moessbauer@siemens.com>
From: Felix Moessbauer <felix.moessbauer@siemens.com> (via isar-users@googlegroups.com)
To: isar-users@googlegroups.com
Cc: jan.kiszka@siemens.com, gernot.hillier@siemens.com, Christoph Steiger <christoph.steiger@siemens.com>
Subject: [RFC PATCH 0/1] SBOM Generation for isar
Date: Thu, 20 Feb 2025 10:59:43 +0100
Series: SBOM Generation for isar
From: Christoph Steiger <christoph.steiger@siemens.com>

This patch would add SBOM generation support for isar. We already generate a manifest as part of the do_rootfs task which is used by some people internally at Siemens to create SBOMs, but it has a proprietary format and is not documented. It also has become apparent that more information than in the manifest is required.

To create the SBOMs we parse the dpkg status file in a given image and have some Python scripts to build a valid SBOM for the two standard formats (CycloneDX and SPDX).

The Python scripts are a very minimal implementation to generate SBOMs, as all other tools have heavier dependencies that are not packaged in Debian. As we also require only a small subset of these libraries (we only generate a specific version and format, using also only a small part of the data structures) I chose to quickly implement this myself.

The current implementation also emits source package information in the SPDX format. Unfortunately the CDX standard does not allow mapping the relationship between a Debian source and binary package in a satisfactory way, so I omitted it for now. There are talks internally about how to represent this relationship, but it is probably a good idea to leave it empty for now.

TODOs/next steps:
- license/copyright parsing: Debian has no machine-readable format for these, but they are very valuable for clearing purposes
- tighter bitbake integration: if we hook into each recipe we could add more information and correctly represent vendor packages

Please tell me what you think and how we could land SBOM generation here :-)

Christoph Steiger (1):
  meta: add CycloneDX/SPDX SBOM generation

 meta/classes/create-sbom.bbclass |  49 ++++
 meta/classes/image.bbclass       |   2 +
 meta/lib/sbom.py                 | 446 +++++++++++++++++++++++++++++++
 meta/lib/sbom_cdx_types.py       |  82 ++++++
 meta/lib/sbom_spdx_types.py      |  95 +++++++
 5 files changed, 674 insertions(+)
 create mode 100644 meta/classes/create-sbom.bbclass
 create mode 100644 meta/lib/sbom.py
 create mode 100644 meta/lib/sbom_cdx_types.py
 create mode 100644 meta/lib/sbom_spdx_types.py
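The following is an added example and not code from this patch series or from the isar project. It sketches the approach the cover letter describes: parse a dpkg status file, keep only packages whose dpkg status is "installed" (a `config-files` stanza is a removed package and must not be listed), and emit both a minimal CycloneDX 1.5 and a minimal SPDX 2.3 document. As in the letter, the binary-to-source relationship is expressed only in SPDX (as GENERATED_FROM) and omitted from CycloneDX. The status excerpt is constructed, and the function names, the `debian` purl namespace and the SPDX `documentNamespace` URI are my assumptions.

```python
import json
import re
from urllib.parse import quote

# Constructed excerpt of /var/lib/dpkg/status (deb-control(5) layout); not from a real image.
SAMPLE_STATUS = """\
Package: libssl3
Status: install ok installed
Architecture: amd64
Source: openssl
Version: 3.0.15-1~deb12u1
Description: Secure Sockets Layer toolkit - shared libraries
 continuation line of the long description

Package: libgcc-s1
Status: install ok installed
Architecture: amd64
Source: gcc-12 (12.2.0-14)
Version: 12.2.0-14
Description: GCC support library

Package: old-tool
Status: deinstall ok config-files
Architecture: amd64
Version: 1.0-1
Description: removed; only conffiles left behind, must not appear in the SBOM
"""

_SOURCE_RE = re.compile(r"^(?P<name>\S+)(?:\s+\((?P<version>[^)]+)\))?$")


def parse_dpkg_status(text):
    """Parse the RFC822-style stanzas and keep only packages whose status is 'installed'."""
    pkgs = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") and key:  # continuation of a multi-line field
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        # Status is "<want> <flag> <status>"; config-files, half-installed etc. are not in the image
        status = fields.get("Status", "").split()
        if "Package" in fields and len(status) == 3 and status[2] == "installed":
            pkgs.append(fields)
    return pkgs


def source_of(pkg):
    """(source name, source version); dpkg omits the version when it equals the binary version."""
    m = _SOURCE_RE.match(pkg.get("Source", pkg["Package"]))
    if not m:
        return pkg["Package"], pkg["Version"]
    return m.group("name"), m.group("version") or pkg["Version"]


def deb_purl(pkg, distro="debian"):
    # Package URL of type "deb"; the arch qualifier keeps co-installed Multi-Arch siblings distinct
    return f"pkg:deb/{distro}/{pkg['Package']}@{quote(pkg['Version'], safe='')}?arch={pkg['Architecture']}"


def to_cyclonedx(pkgs, image_name):
    """Minimal CycloneDX 1.5 JSON: one library component per installed binary package."""
    components = [{"type": "library", "bom-ref": deb_purl(p), "name": p["Package"],
                   "version": p["Version"], "purl": deb_purl(p)} for p in pkgs]
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "metadata": {"component": {"type": "operating-system", "name": image_name}},
            "components": components}


def _spdx_id(*parts):
    # SPDX identifiers may only contain letters, digits, '.' and '-' (so '~', '+', ':' are mapped)
    return "SPDXRef-" + re.sub(r"[^A-Za-z0-9.-]", "-", "-".join(parts))


def to_spdx(pkgs, image_name):
    """Minimal SPDX 2.3 JSON with a GENERATED_FROM relationship from each binary to its source."""
    packages, relationships, sources = [], [], {}
    for p in pkgs:
        bin_id = _spdx_id("bin", p["Package"], p["Architecture"])
        packages.append({"SPDXID": bin_id, "name": p["Package"], "versionInfo": p["Version"],
                         "downloadLocation": "NOASSERTION", "filesAnalyzed": False,
                         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                                           "referenceType": "purl",
                                           "referenceLocator": deb_purl(p)}]})
        relationships.append({"spdxElementId": "SPDXRef-DOCUMENT",
                              "relationshipType": "DESCRIBES", "relatedSpdxElement": bin_id})
        src_name, src_ver = source_of(p)
        src_id = _spdx_id("src", src_name, src_ver)
        if src_id not in sources:  # several binaries usually share one source package
            sources[src_id] = {"SPDXID": src_id, "name": src_name, "versionInfo": src_ver,
                               "downloadLocation": "NOASSERTION", "filesAnalyzed": False}
        relationships.append({"spdxElementId": bin_id, "relationshipType": "GENERATED_FROM",
                              "relatedSpdxElement": src_id})
    return {"spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
            "name": image_name,
            # assumed namespace; a real generator must make this URI unique per document
            "documentNamespace": f"https://sbom.example.invalid/{image_name}",
            "packages": packages + list(sources.values()),
            "relationships": relationships}


if __name__ == "__main__":
    installed = parse_dpkg_status(SAMPLE_STATUS)
    print(json.dumps(to_cyclonedx(installed, "isar-image-base"), indent=2))
    print(json.dumps(to_spdx(installed, "isar-image-base"), indent=2))
```

Two caveats worth keeping in mind with this approach: the dpkg status file only knows about dpkg-managed content, so anything placed into the rootfs by other means (vendor files, language package managers) is invisible to the SBOM, which is exactly the "vendor packages" gap the tighter bitbake integration in the TODO list is meant to close; and an SBOM is only as trustworthy as the image it was read from, so it should be generated from the final rootfs and bound to the image artifact (for example by recording the image digest in the document metadata) rather than from an intermediate build stage.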