[v2,0/4] Add SBOM generation with debsbom

Message ID	20250917063314.44769-1-christoph.steiger@siemens.com
Headers	show Return-Path: <isar-users+bncBD5JFAGZXEJBBS5MVHDAMGQESKQZLXY@googlegroups.com> Received-SPF: pass (google.com: domain of fm-1328957-2025091706334438955e5254000207a6-rzpeox@rts-flowmailer.siemens.com designates 185.136.65.225 as permitted sender) client-ip=185.136.65.225; From: "'Christoph Steiger' via isar-users" <isar-users@googlegroups.com> To: isar-users@googlegroups.com Cc: jan.kiszka@siemens.com, felix.moessbauer@siemens.com, gernot.hillier@siemens.com, cedric.hombourger@siemens.com, Christoph Steiger <christoph.steiger@siemens.com> Subject: [PATCH v2 0/4] Add SBOM generation with debsbom Date: Wed, 17 Sep 2025 08:33:11 +0200 Message-Id: <20250917063314.44769-1-christoph.steiger@siemens.com> MIME-Version: 1.0 Feedback-ID: 519:519-1328957:519-21489:flowmailer Reply-To: Christoph Steiger <christoph.steiger@siemens.com> Content-Type: text/plain; charset="UTF-8" Precedence: list Mailing-list: list isar-users@googlegroups.com; contact isar-users+owners@googlegroups.com
Series	Add SBOM generation with debsbom \| expand [v2,0/4] Add SBOM generation with debsbom [v2,1/4] meta: package python libraries for SBOM generation [v2,3/4] meta: add SBOM generation with debsbom [v2,4/4] override distro vendor in SBOM on Ubuntu [v2,2/4] meta: package python3-debsbom

Message ID

20250917063314.44769-1-christoph.steiger@siemens.com

Headers

Received-SPF: pass (google.com: domain of
 fm-1328957-2025091706334438955e5254000207a6-rzpeox@rts-flowmailer.siemens.com
 designates 185.136.65.225 as permitted sender) client-ip=185.136.65.225;
From: "'Christoph Steiger' via isar-users" <isar-users@googlegroups.com>
To: isar-users@googlegroups.com
Cc: jan.kiszka@siemens.com, felix.moessbauer@siemens.com,
        gernot.hillier@siemens.com, cedric.hombourger@siemens.com,
        Christoph Steiger <christoph.steiger@siemens.com>
Subject: [PATCH v2 0/4] Add SBOM generation with debsbom
Date: Wed, 17 Sep 2025 08:33:11 +0200
Message-Id: <20250917063314.44769-1-christoph.steiger@siemens.com>
MIME-Version: 1.0
Feedback-ID: 519:519-1328957:519-21489:flowmailer
Reply-To: Christoph Steiger <christoph.steiger@siemens.com>
Content-Type: text/plain; charset="UTF-8"
Precedence: list
Mailing-list: list isar-users@googlegroups.com;
 contact isar-users+owners@googlegroups.com

Series

Add SBOM generation with debsbom | expand

Message

Christoph Steiger Sept. 17, 2025, 6:33 a.m. UTC

This patchset adds proper SBOM generation in the two standard formats
SPDX and CycloneDX during the rootfs generation process.

The generation is itself is handled by a SBOM generator  `debsbom` [1]
which is developed as an open source project at Siemens. It is still
early in development, but it has enough features for what we require
in isar. The required dependencies which are not yet available as
Debian packages were minimally packaged directly in isar too.

This is a followup of the previous RFC [2]. Since then the series has
changed a lot. The SBOM generation was moved from a simple OE lib to
`debsbom`. This also meant the introduction of a separate chroot was
necessary. The SBOM generation process was also moved from the image
step to the rootfs step, along with a lot of minor changes and
improvements.

[1] https://github.com/siemens/debsbom
[2] https://groups.google.com/g/isar-users/c/8L-CF4BJY0I/m/p0N3o_zfAAAJ

Changes since v1:

- remove tarball
- refactor packaging (auto-derive python dependencies)
- only build missing packages (varies on bookworm, trixie, noble)
- add ubuntu support
- only generate sboms for supported distributions (bookworm/jammy and
  onwards)
- update debsbom (includes bug fixes and more information for source
  packages)

Christoph Steiger (3):
  meta: package python libraries for SBOM generation
  meta: package python3-debsbom
  meta: add SBOM generation with debsbom

Felix Moessbauer (1):
  override distro vendor in SBOM on Ubuntu

 meta-isar/conf/distro/ubuntu-common.inc       |  2 +
 meta/classes/image.bbclass                    |  8 ++-
 meta/classes/rootfs.bbclass                   |  7 ++-
 meta/classes/sbom.bbclass                     | 62 +++++++++++++++++++
 meta/classes/sdk.bbclass                      |  2 +-
 .../sbom-chroot/sbom-chroot.bb                | 30 +++++++++
 .../python3-beartype/files/rules              |  8 +++
 .../python3-beartype_0.19.0.bb                | 29 +++++++++
 .../files/pybuild.testfiles                   |  1 +
 .../python3-cyclonedx-lib/files/rules         |  8 +++
 .../python3-cyclonedx-lib_9.1.0.bb            | 48 ++++++++++++++
 ...icense-description-in-pyproject.toml.patch | 28 +++++++++
 .../python3-debsbom/files/rules               |  8 +++
 .../python3-debsbom/python3-debsbom_0.0.1.bb  | 44 +++++++++++++
 .../python3-packageurl/files/rules            |  8 +++
 .../python3-packageurl_0.16.0.bb              | 33 ++++++++++
 .../python3-py-serializable/files/rules       |  8 +++
 .../python3-py-serializable_2.0.0.bb          | 38 ++++++++++++
 .../python3-spdx-tools/files/rules            | 25 ++++++++
 .../python3-spdx-tools_0.8.3.bb               | 46 ++++++++++++++
 20 files changed, 440 insertions(+), 3 deletions(-)
 create mode 100644 meta/classes/sbom.bbclass
 create mode 100644 meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
 create mode 100644 meta/recipes-support/python3-beartype/files/rules
 create mode 100644 meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb
 create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/pybuild.testfiles
 create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/rules
 create mode 100644 meta/recipes-support/python3-cyclonedx-lib/python3-cyclonedx-lib_9.1.0.bb
 create mode 100644 meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch
 create mode 100644 meta/recipes-support/python3-debsbom/files/rules
 create mode 100644 meta/recipes-support/python3-debsbom/python3-debsbom_0.0.1.bb
 create mode 100644 meta/recipes-support/python3-packageurl/files/rules
 create mode 100644 meta/recipes-support/python3-packageurl/python3-packageurl_0.16.0.bb
 create mode 100644 meta/recipes-support/python3-py-serializable/files/rules
 create mode 100644 meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb
 create mode 100644 meta/recipes-support/python3-spdx-tools/files/rules
 create mode 100644 meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb