From patchwork Tue Sep 9 08:05:25 2025
X-Patchwork-Submitter: Christoph Steiger
X-Patchwork-Id: 286
From: Christoph Steiger
To: isar-users@googlegroups.com
Cc: jan.kiszka@siemens.com, felix.moessbauer@siemens.com, gernot.hillier@siemens.com, cedric.hombourger@siemens.com, Christoph Steiger
Subject: [PATCH 0/3] Add SBOM generation with debsbom
Date: Tue, 9 Sep 2025 10:05:25 +0200
Message-Id: <20250909080528.95765-1-christoph.steiger@siemens.com>

This patchset adds proper SBOM generation in the two standard formats
SPDX and CycloneDX during the rootfs generation process. The generation
itself is handled by an SBOM generator `debsbom` [1] which is developed as
an open source project at Siemens. It is still early in development, but
it has enough features for what we require in isar. The required
dependencies which are not yet available as Debian packages were
minimally packaged directly in isar too.

This is a follow-up of the previous RFC [2]. Since then the series has
changed a lot. The SBOM generation was moved from a simple OE lib to
`debsbom`. This also meant the introduction of a separate chroot was
necessary. The SBOM generation process was also moved from the image
step to the rootfs step, along with a lot of minor changes and
improvements.

[1] https://github.com/siemens/debsbom
[2] https://groups.google.com/g/isar-users/c/8L-CF4BJY0I/m/p0N3o_zfAAAJ

Christoph Steiger (3):
  meta: package python libraries for SBOM generation
  meta: package python3-debsbom
  meta: add SBOM generation with debsbom

 meta/classes/image.bbclass                    |  2 +-
 meta/classes/rootfs.bbclass                   |  6 +-
 meta/classes/sbom.bbclass                     | 60 +++++++++++++++++++
 meta/classes/sdk.bbclass                      |  2 +-
 .../sbom-chroot/sbom-chroot.bb                | 31 ++++++++++
 .../python3-beartype/files/rules              |  8 +++
 .../python3-beartype_0.19.0.bb                | 29 +++++++++
 .../files/pybuild.testfiles                   |  1 +
 .../python3-cyclonedx-python-lib/files/rules  |  8 +++
 .../python3-cyclonedx-python-lib_9.1.0.bb     | 56 +++++++++++++++++
 ...icense-description-in-pyproject.toml.patch | 28 +++++++++
 .../python3-debsbom/files/rules               |  8 +++
 .../python3-debsbom/python3-debsbom_0.0.1.bb  | 54 +++++++++++++++++
 .../python3-packageurl-python/files/rules     |  8 +++
 .../python3-packageurl-python_0.16.0.bb       | 33 ++++++++++
 .../python3-py-serializable/files/rules       |  8 +++
 .../python3-py-serializable_2.0.0.bb          | 42 +++++++++++++
 .../python3-spdx-tools/files/rules            | 25 ++++++++
 .../python3-spdx-tools_0.8.3.bb               | 56 +++++++++++++++++
 19 files changed, 462 insertions(+), 3 deletions(-)
 create mode 100644 meta/classes/sbom.bbclass
 create mode 100644 meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
 create mode 100644 meta/recipes-support/python3-beartype/files/rules
 create mode 100644 meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb
 create mode 100644 meta/recipes-support/python3-cyclonedx-python-lib/files/pybuild.testfiles
 create mode 100644 meta/recipes-support/python3-cyclonedx-python-lib/files/rules
 create mode 100644 meta/recipes-support/python3-cyclonedx-python-lib/python3-cyclonedx-python-lib_9.1.0.bb
 create mode 100644 meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch
 create mode 100644 meta/recipes-support/python3-debsbom/files/rules
 create mode 100644 meta/recipes-support/python3-debsbom/python3-debsbom_0.0.1.bb
 create mode 100644 meta/recipes-support/python3-packageurl-python/files/rules
 create mode 100644 meta/recipes-support/python3-packageurl-python/python3-packageurl-python_0.16.0.bb
 create mode 100644 meta/recipes-support/python3-py-serializable/files/rules
 create mode 100644 meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb
 create mode 100644 meta/recipes-support/python3-spdx-tools/files/rules
 create mode 100644 meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb