[v3,00/10] Add SBOM generation with debsbom

Message ID	20251022153921.2494749-1-felix.moessbauer@siemens.com
Headers	show Return-Path: <isar-users+bncBCYIZ4M3XAKRBO7V4PDQMGQEGJOOXBQ@googlegroups.com> Received-SPF: pass (google.com: domain of felix.moessbauer@siemens.com designates 2a01:111:f403:c201::3 as permitted sender) client-ip=2a01:111:f403:c201::3; From: "'Felix Moessbauer' via isar-users" <isar-users@googlegroups.com> To: isar-users@googlegroups.com Cc: christoph.steiger@siemens.com, cedric.hombourger@siemens.com, jan.kiszka@siemens.com, Felix Moessbauer <felix.moessbauer@siemens.com> Subject: [PATCH v3 00/10] Add SBOM generation with debsbom Date: Wed, 22 Oct 2025 17:39:11 +0200 Message-ID: <20251022153921.2494749-1-felix.moessbauer@siemens.com> Content-Type: text/plain; charset="UTF-8" MIME-Version: 1.0 Reply-To: Felix Moessbauer <felix.moessbauer@siemens.com> Precedence: list Mailing-list: list isar-users@googlegroups.com; contact isar-users+owners@googlegroups.com
Series	Add SBOM generation with debsbom \| expand [v3,00/10] Add SBOM generation with debsbom [v3,01/10] refactor: move get_rootfs_distro from sdk into rootfs [v3,02/10] meta: package python libraries for SBOM generation [v3,03/10] meta: package python3-debsbom [v3,04/10] meta: add SBOM generation with debsbom [v3,05/10] override distro vendor in SBOM on Ubuntu [v3,06/10] add support to add imager dependencies to BOM [v3,07/10] wic: create uniform manifest describing all image components [v3,08/10] qemuamd64: add IMAGER_BOM entries [v3,09/10] imager: create SBOM of IMAGER_BOM packages [v3,10/10] wic: create uniform SBOM describing all image components

Message ID

20251022153921.2494749-1-felix.moessbauer@siemens.com

Headers

Received-SPF: pass (google.com: domain of felix.moessbauer@siemens.com
 designates 2a01:111:f403:c201::3 as permitted sender)
 client-ip=2a01:111:f403:c201::3;
From: "'Felix Moessbauer' via isar-users" <isar-users@googlegroups.com>
To: isar-users@googlegroups.com
Cc: christoph.steiger@siemens.com, cedric.hombourger@siemens.com,
        jan.kiszka@siemens.com,
        Felix Moessbauer <felix.moessbauer@siemens.com>
Subject: [PATCH v3 00/10] Add SBOM generation with debsbom
Date: Wed, 22 Oct 2025 17:39:11 +0200
Message-ID: <20251022153921.2494749-1-felix.moessbauer@siemens.com>
Content-Type: text/plain; charset="UTF-8"
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: 
 bfaoyuCYtgWpSlxPXbRZg+j7lTPcH080/RjbGysj94xtbdJLQwnP0rh+2ucKene0oNJwfnpE/brwDYMHnscFrHGA7+sBzTHHNWPD42PRRF/eUq06s5ZC4NSogYWJQux7rak3XcQM4q5hPXfa55riSSlnJsZIwvvsb0c1WCJZBb9nRg/L9nCUFl7Q+wygrvnYFLtSkVe2C94HrZo+bR5JY1hHyDu0c8SGvv/bnOf6PXlpopHHtL1JHPIgLTFYln9dtIYefZkCf0Z1//FrqzLvgmA7Xvj7hPB3ypQVzEUQ0cEu2LK1wG0CkTUtOI+e/EfUAZj4J1FsPcddtfwg0sGs/l2B4wXIUNdYkhnYvNEygJQzV53EJmBwtt02e+1ge2Qvv3LxmHmLP5lHZvcPjqB4XqTX5udulqzjdnWr2kg7GmHOW9a++Ie1G04qKTpw3uvPsEqsQnZdrPcM/6YCIg5EbvhesELtn4HgzK9o2ZZ8y2GXQWqxkEcuU+TmATxxqBiKfAG/qMmdBa4JBOjOeGP0AbeEDUxCZDF+GaxbPJhfBwuXVEeX+GxF05UZEvlI1Tff25B+WmWO7gLULrQDMH+CiNabjrj8vksO6bHqP545H+XZk/TS/gpKEqM0XrywXMxlLAQIOx6ZFcYj9VaCZi6RHxnq7alzN85+9CI6+h7O8r13G6vTMdP+7hx7UQ59D32UbsjIhuPomEx+WDnwXi2XtNh++rYqLNv2YoaloC0RQWQwhg2fwdWJoofGtuRV8SFq5k0vNT3QgUdOdtg3KFtNvTwvyZ1M2w1gpudRegEHnNG3/5E7VSxJYSRkRrCFzueq+6SloWaEXFfzRrxssTOZh4KxRfQfMEayXmnCQ0NfxO51IXQUNKlBi+iCFDT6Ow7B2alCJu8xHObG98u0engnnJNK+cMoPzmWFp7fw9xpOEApw17b6dbrbJ3+RlFIvai5zvRMkSyv3FAyL8MW/BVJuvNa8K/Qcl23pN2pv7JNIJToQDO57Kj88hdceyaaOF/iqrk9CtjMv5u73X2EOVw8wk/PjEQm42O2FpH2YJTSZOayzh5M8Un64xzTJWeRV0fjbNcYsSUwUyAY3R0X1CYGjH3Z5V8z4ATNrBGCSKKAZvdBGFYSMgm9zRwesQHdpgGQ2fLk+8PHBTCEVQ02guASxAGPf26G0vrtB994IKmbLb5GgpksTYkv9bE2NYusFkpJXifqWGhDp/1VIWj0V/862ZwufhBprQ+xt0b44G8kcBcCoD2yOfdT+DW5uqBXnD7QcifS7P3G8ZWyvbyX0DXp1FJRVlN07zO1lP2OVE4/nRWev6bdLsL2YAyAQZb7Ikpb+u2vuMch0nCuml2nOb8e41peG9H8YJ01/7+T8Ud07qLUj9CymIGh8Hp055RyKdF58nNWxH++MUWPB6FH/bkgNxjneY/ro0mDgr11nTNHR87YWGOR0kjwkVfB3cwgFd01Xj4LIHFQ1M/IMxq4JDeFz4/wAOD5IsVT//AwARFhbDqvJCa3H6w1jm9L4SHQLbguxXXLr5pUbJKX2uQEI39ZQ0r1sM9EAs+mYdYyo8EkfQliP9adwTZLppRW2F5gY+obN93dD6okLFCix1N/R8pi8Q==
X-OriginatorOrg: siemens.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 50e2db65-01fd-4b92-9966-08de1181330f
X-MS-Exchange-CrossTenant-AuthSource: DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 22 Oct 2025 15:39:34.1441
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 
 1pfFCeGtiamx6XkZHx41dJ4wfQRFS9Mzg9DxXmtdqDmR8PsCqPbdyzJ9xpflkF5osbTc4dYdbgNBXO3652jBmultMmRdXLfhIXdggJ/jEeI=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PRAPR10MB5178
X-Original-Sender: felix.moessbauer@siemens.com
X-Original-Authentication-Results: gmr-mx.google.com;       dkim=pass
 header.i=@siemens.com header.s=selector2 header.b="k/l21Fzo";       arc=pass
 (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass
 fromdomain=siemens.com);       spf=pass (google.com: domain of
 felix.moessbauer@siemens.com designates 2a01:111:f403:c201::3 as permitted
 sender) smtp.mailfrom=felix.moessbauer@siemens.com;       dmarc=pass
 (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com
X-Original-From: Felix Moessbauer <felix.moessbauer@siemens.com>
Reply-To: Felix Moessbauer <felix.moessbauer@siemens.com>
Precedence: list
Mailing-list: list isar-users@googlegroups.com;
 contact isar-users+owners@googlegroups.com
List-ID: <isar-users.googlegroups.com>
X-Spam-Checked-In-Group: isar-users@googlegroups.com
X-Google-Group-Id: 914930254986
List-Post: <https://groups.google.com/group/isar-users/post>,
 <mailto:isar-users@googlegroups.com>
List-Help: <https://groups.google.com/support/>,
 <mailto:isar-users+help@googlegroups.com>
List-Archive: <https://groups.google.com/group/isar-users
List-Subscribe: <https://groups.google.com/group/isar-users/subscribe>,
 <mailto:isar-users+subscribe@googlegroups.com>
List-Unsubscribe: 
 <mailto:googlegroups-manage+914930254986+unsubscribe@googlegroups.com>,
 <https://groups.google.com/group/isar-users/subscribe>
X-Spam-Status: No, score=-4.9 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI,
	RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H2,RCVD_IN_RP_CERTIFIED,
	RCVD_IN_RP_RNBL,RCVD_IN_RP_SAFE,SPF_PASS autolearn=unavailable
	autolearn_force=no version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on shymkent.ilbers.de
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=

Series

Add SBOM generation with debsbom | expand

Message

MOESSBAUER, Felix Oct. 22, 2025, 3:39 p.m. UTC

This patchset adds proper SBOM generation in the two standard formats
SPDX and CycloneDX during the rootfs generation process.

The generation is itself is handled by a SBOM generator  `debsbom` [1]
which is developed as an open source project at Siemens. It is still
early in development, but it has enough features for what we require
in isar. The required dependencies which are not yet available as
Debian packages were minimally packaged directly in isar too.

This is a followup of the previous RFC [2]. Since then the series has
changed a lot. The SBOM generation was moved from a simple OE lib to
`debsbom`. This also meant the introduction of a separate chroot was
necessary. The SBOM generation process was also moved from the image
step to the rootfs step, along with a lot of minor changes and
improvements.

[1] https://github.com/siemens/debsbom
[2] https://groups.google.com/g/isar-users/c/8L-CF4BJY0I/m/p0N3o_zfAAAJ

Changes since v2:

- fix issues when HOST_ARCH != DISTRO_ARCH on derived distributions
- update debsbom to v0.3.0, which fixes the Origin: bug reported in v2
- generate SBOM for imager as well and create merged sbom of .wic image
- resend imager manifest + wic manifest patches to reduce conflicts

Note, that the patches p1-p5 are most important as they add basic SBOM
support. The remaining patches address the imager + .wic bom part,
which also can be merged later on.

Changes since v1:

- remove tarball
- refactor packaging (auto-derive python dependencies)
- only build missing packages (varies on bookworm, trixie, noble)
- add ubuntu support
- only generate sboms for supported distributions (bookworm/jammy and
  onwards)
- update debsbom (includes bug fixes and more information for source
  packages)

Christoph Steiger (3):
  meta: package python libraries for SBOM generation
  meta: package python3-debsbom
  meta: add SBOM generation with debsbom

Felix Moessbauer (7):
  refactor: move get_rootfs_distro from sdk into rootfs
  override distro vendor in SBOM on Ubuntu
  add support to add imager dependencies to BOM
  wic: create uniform manifest describing all image components
  qemuamd64: add IMAGER_BOM entries
  imager: create SBOM of IMAGER_BOM packages
  wic: create uniform SBOM describing all image components

 doc/user_manual.md                            |  1 +
 meta-isar/conf/distro/ubuntu-common.inc       |  2 +
 meta-isar/conf/machine/qemuamd64.conf         |  1 +
 meta/classes/image-tools-extension.bbclass    | 29 +++++++++
 meta/classes/image.bbclass                    | 14 +++-
 meta/classes/imagetypes_wic.bbclass           | 30 +++++++++
 meta/classes/initramfs.bbclass                |  3 +-
 meta/classes/rootfs.bbclass                   | 16 ++++-
 meta/classes/sbom.bbclass                     | 64 +++++++++++++++++++
 meta/classes/sdk.bbclass                      | 10 +--
 .../sbom-chroot/sbom-chroot.bb                | 30 +++++++++
 .../python3-beartype/files/rules              |  8 +++
 .../python3-beartype_0.19.0.bb                | 29 +++++++++
 .../files/pybuild.testfiles                   |  1 +
 .../python3-cyclonedx-lib/files/rules         |  8 +++
 .../python3-cyclonedx-lib_9.1.0.bb            | 48 ++++++++++++++
 ...icense-description-in-pyproject.toml.patch | 28 ++++++++
 .../python3-debsbom/files/rules               |  8 +++
 .../python3-debsbom/python3-debsbom_0.3.0.bb  | 45 +++++++++++++
 .../python3-packageurl/files/rules            |  8 +++
 .../python3-packageurl_0.16.0.bb              | 33 ++++++++++
 .../python3-py-serializable/files/rules       |  8 +++
 .../python3-py-serializable_2.0.0.bb          | 38 +++++++++++
 .../python3-spdx-tools/files/rules            | 25 ++++++++
 .../python3-spdx-tools_0.8.3.bb               | 46 +++++++++++++
 25 files changed, 521 insertions(+), 12 deletions(-)
 create mode 100644 meta/classes/sbom.bbclass
 create mode 100644 meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
 create mode 100644 meta/recipes-support/python3-beartype/files/rules
 create mode 100644 meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb
 create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/pybuild.testfiles
 create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/rules
 create mode 100644 meta/recipes-support/python3-cyclonedx-lib/python3-cyclonedx-lib_9.1.0.bb
 create mode 100644 meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch
 create mode 100644 meta/recipes-support/python3-debsbom/files/rules
 create mode 100644 meta/recipes-support/python3-debsbom/python3-debsbom_0.3.0.bb
 create mode 100644 meta/recipes-support/python3-packageurl/files/rules
 create mode 100644 meta/recipes-support/python3-packageurl/python3-packageurl_0.16.0.bb
 create mode 100644 meta/recipes-support/python3-py-serializable/files/rules
 create mode 100644 meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb
 create mode 100644 meta/recipes-support/python3-spdx-tools/files/rules
 create mode 100644 meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb

Comments

Bouska, Zdenek Oct. 24, 2025, 8:33 a.m. UTC | #1

Felix Moessbauer wrote on Sent: Wednesday, October 22, 2025 5:39 PM
> This patchset adds proper SBOM generation in the two standard formats
> SPDX and CycloneDX during the rootfs generation process.

I have two warnings when downloading based on generated sbom by
debsbom --progress download --outdir downloads --sources isar-image-base-debian-trixie-qemuamd64.wic.cdx.json

"WARNING:debsbom.download.resolver:no sha256 digest for linux-mainline@6.17.2+r0. Lookup will be imprecise"
I guess mainline kernel and other packages built from source are not yet fully supported. 
But SHA256 for sources with my patches could be computed in the future if I am not missing something. Right?
I understand, that I can't then look them up in Debian, but at least the SBOM
would represent the sources with the patches in the SHA256 and it would be possible to verify if I have correct sources.

"WARNING:debsbom.download.resolver:no sha256 digest for openssl@3.5.1-1+deb13u1. Lookup will be imprecise"
Not sure why SHA256 is missing in sbom for openssl. I use it without any change from trixie.

Thank you, I like it!
Zdenek Bouska