[0/3] Add SBOM generation with debsbom

Message ID 20250909080528.95765-1-christoph.steiger@siemens.com

Christoph Steiger Sept. 9, 2025, 8:05 a.m. UTC
This patchset adds proper SBOM generation in the two standard formats
SPDX and CycloneDX during the rootfs generation process.

The generation itself is handled by an SBOM generator, `debsbom` [1],
which is developed as an open source project at Siemens. It is still
early in development, but it has enough features for what we require
in isar. The required dependencies which are not yet available as
Debian packages were minimally packaged directly in isar too.

This is a follow-up of the previous RFC [2]. Since then the series has
changed a lot. The SBOM generation was moved from a simple OE lib to
`debsbom`. This also meant the introduction of a separate chroot was
necessary. The SBOM generation process was also moved from the image
step to the rootfs step, along with a lot of minor changes and
improvements.

[1] https://github.com/siemens/debsbom
[2] https://groups.google.com/g/isar-users/c/8L-CF4BJY0I/m/p0N3o_zfAAAJ


Christoph Steiger (3):
  meta: package python libraries for SBOM generation
  meta: package python3-debsbom
  meta: add SBOM generation with debsbom

 meta/classes/image.bbclass                    |  2 +-
 meta/classes/rootfs.bbclass                   |  6 +-
 meta/classes/sbom.bbclass                     | 60 +++++++++++++++++++
 meta/classes/sdk.bbclass                      |  2 +-
 .../sbom-chroot/sbom-chroot.bb                | 31 ++++++++++
 .../python3-beartype/files/rules              |  8 +++
 .../python3-beartype_0.19.0.bb                | 29 +++++++++
 .../files/pybuild.testfiles                   |  1 +
 .../python3-cyclonedx-python-lib/files/rules  |  8 +++
 .../python3-cyclonedx-python-lib_9.1.0.bb     | 56 +++++++++++++++++
 ...icense-description-in-pyproject.toml.patch | 28 +++++++++
 .../python3-debsbom/files/rules               |  8 +++
 .../python3-debsbom/python3-debsbom_0.0.1.bb  | 54 +++++++++++++++++
 .../python3-packageurl-python/files/rules     |  8 +++
 .../python3-packageurl-python_0.16.0.bb       | 33 ++++++++++
 .../python3-py-serializable/files/rules       |  8 +++
 .../python3-py-serializable_2.0.0.bb          | 42 +++++++++++++
 .../python3-spdx-tools/files/rules            | 25 ++++++++
 .../python3-spdx-tools_0.8.3.bb               | 56 +++++++++++++++++
 19 files changed, 462 insertions(+), 3 deletions(-)
 create mode 100644 meta/classes/sbom.bbclass
 create mode 100644 meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
 create mode 100644 meta/recipes-support/python3-beartype/files/rules
 create mode 100644 meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb
 create mode 100644 meta/recipes-support/python3-cyclonedx-python-lib/files/pybuild.testfiles
 create mode 100644 meta/recipes-support/python3-cyclonedx-python-lib/files/rules
 create mode 100644 meta/recipes-support/python3-cyclonedx-python-lib/python3-cyclonedx-python-lib_9.1.0.bb
 create mode 100644 meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch
 create mode 100644 meta/recipes-support/python3-debsbom/files/rules
 create mode 100644 meta/recipes-support/python3-debsbom/python3-debsbom_0.0.1.bb
 create mode 100644 meta/recipes-support/python3-packageurl-python/files/rules
 create mode 100644 meta/recipes-support/python3-packageurl-python/python3-packageurl-python_0.16.0.bb
 create mode 100644 meta/recipes-support/python3-py-serializable/files/rules
 create mode 100644 meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb
 create mode 100644 meta/recipes-support/python3-spdx-tools/files/rules
 create mode 100644 meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb