From patchwork Wed Sep 17 06:33:11 2025
X-Patchwork-Submitter: Christoph Steiger
X-Patchwork-Id: 290
From: Christoph Steiger
To: isar-users@googlegroups.com
Cc: jan.kiszka@siemens.com, felix.moessbauer@siemens.com, gernot.hillier@siemens.com, cedric.hombourger@siemens.com, Christoph Steiger
Subject: [PATCH v2 0/4] Add SBOM generation with debsbom
Date: Wed, 17 Sep 2025 08:33:11 +0200
Message-Id: <20250917063314.44769-1-christoph.steiger@siemens.com>

This patchset adds proper SBOM generation in the two standard formats
SPDX and CycloneDX during the rootfs generation process. The generation
itself is handled by an SBOM generator `debsbom` [1] which is developed
as an open source project at Siemens. It is still early in development,
but it has enough features for what we require in isar. The required
dependencies which are not yet available as Debian packages were
minimally packaged directly in isar too.

This is a follow-up of the previous RFC [2]. Since then the series has
changed a lot. The SBOM generation was moved from a simple OE lib to
`debsbom`. This also meant the introduction of a separate chroot was
necessary. The SBOM generation process was also moved from the image
step to the rootfs step, along with a lot of minor changes and
improvements.

[1] https://github.com/siemens/debsbom
[2] https://groups.google.com/g/isar-users/c/8L-CF4BJY0I/m/p0N3o_zfAAAJ

Changes since v1:
- remove tarball
- refactor packaging (auto-derive python dependencies)
- only build missing packages (varies on bookworm, trixie, noble)
- add ubuntu support
- only generate sboms for supported distributions (bookworm/jammy and
  onwards)
- update debsbom (includes bug fixes and more information for source
  packages)

Christoph Steiger (3):
  meta: package python libraries for SBOM generation
  meta: package python3-debsbom
  meta: add SBOM generation with debsbom

Felix Moessbauer (1):
  override distro vendor in SBOM on Ubuntu

 meta-isar/conf/distro/ubuntu-common.inc       |  2 +
 meta/classes/image.bbclass                    |  8 ++-
 meta/classes/rootfs.bbclass                   |  7 ++-
 meta/classes/sbom.bbclass                     | 62 +++++++++++++++++++
 meta/classes/sdk.bbclass                      |  2 +-
 .../sbom-chroot/sbom-chroot.bb                | 30 +++++++++
 .../python3-beartype/files/rules              |  8 +++
 .../python3-beartype_0.19.0.bb                | 29 +++++++++
 .../files/pybuild.testfiles                   |  1 +
 .../python3-cyclonedx-lib/files/rules         |  8 +++
 .../python3-cyclonedx-lib_9.1.0.bb            | 48 ++++++++++++++
 ...icense-description-in-pyproject.toml.patch | 28 +++++++++
 .../python3-debsbom/files/rules               |  8 +++
 .../python3-debsbom/python3-debsbom_0.0.1.bb  | 44 +++++++++++++
 .../python3-packageurl/files/rules            |  8 +++
 .../python3-packageurl_0.16.0.bb              | 33 ++++++++++
 .../python3-py-serializable/files/rules       |  8 +++
 .../python3-py-serializable_2.0.0.bb          | 38 ++++++++++++
 .../python3-spdx-tools/files/rules            | 25 ++++++++
 .../python3-spdx-tools_0.8.3.bb               | 46 ++++++++++++++
 20 files changed, 440 insertions(+), 3 deletions(-)
 create mode 100644 meta/classes/sbom.bbclass
 create mode 100644 meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
 create mode 100644 meta/recipes-support/python3-beartype/files/rules
 create mode 100644 meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb
 create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/pybuild.testfiles
 create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/rules
 create mode 100644 meta/recipes-support/python3-cyclonedx-lib/python3-cyclonedx-lib_9.1.0.bb
 create mode 100644 meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch
 create mode 100644 meta/recipes-support/python3-debsbom/files/rules
 create mode 100644 meta/recipes-support/python3-debsbom/python3-debsbom_0.0.1.bb
 create mode 100644 meta/recipes-support/python3-packageurl/files/rules
 create mode 100644 meta/recipes-support/python3-packageurl/python3-packageurl_0.16.0.bb
 create mode 100644 meta/recipes-support/python3-py-serializable/files/rules
 create mode 100644 meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb
 create mode 100644 meta/recipes-support/python3-spdx-tools/files/rules
 create mode 100644 meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb