From patchwork Wed Oct 22 15:39:11 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "MOESSBAUER, Felix" X-Patchwork-Id: 301 Return-Path: Received: from shymkent.ilbers.de ([unix socket]) by shymkent (Cyrus 2.5.10-Debian-2.5.10-3+deb9u2) with LMTPA; Wed, 22 Oct 2025 17:39:46 +0200 X-Sieve: CMU Sieve 2.4 Received: from mail-qv1-f59.google.com (mail-qv1-f59.google.com [209.85.219.59]) by shymkent.ilbers.de (8.15.2/8.15.2/Debian-8+deb9u1) with ESMTPS id 59MFdjpY021171 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Wed, 22 Oct 2025 17:39:46 +0200 Received: by mail-qv1-f59.google.com with SMTP id 6a1803df08f44-87c0e0d12ddsf236628126d6.3 for ; Wed, 22 Oct 2025 08:39:46 -0700 (PDT) ARC-Seal: i=3; a=rsa-sha256; t=1761147580; cv=pass; d=google.com; s=arc-20240605; b=AV+4Nzf/kqEwvvGlNzx6KxDVlcJFvTXhzRzDDh6KLMfxJyEY3FUlEIaRlCW/zP132U sNq7wNcowcvOwpCYSxlnw6ZlZTHD+p4Kr7bHHlFAGF2PRHYMoqix+JKtk2yC24ckyfea MJ4eDgrotLeyN8vVaj91x/jbc1cY3/rmtkf9yyHBxrkpz0EsoTHzq+5P7N0uKhR8gE8o EhsdrmLkeuQRiwO8qsbtvXR8qsrxD4AMCzcUttHNaht88+bXe3Goj4pAlQC7/D9W6RcK 6IDXtaMO9sHOw+1HpwwiaNaJpEe8e83LCRZN8HOgBd0ZgQdCMTvdqiO7o5BisxorJCM4 O2ww== ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to:mime-version:message-id :date:subject:cc:to:from:dkim-signature; bh=hXLMGMleg1CtEx0FQgRzgD/9iF2Fkn/JnONZleSRhV4=; fh=fN4jIffkVo0J5Wxe/wGpTlH+QnNIHvLpft8QkPzOzvk=; b=gt0HwoxwdSOPlL+Nvup0wbrnr5Gl8cFRJ6z/gxvsW9ReuChPhExWCbDfvFCJ1Fe0eI vJ5fMxcyoWIkB6GssDFWA/s0aQxaX+YQA/lgcUmXaGy+h0D+FIHfU5zqmf9p89E9uHcK ZrWziNzPz7IZQ0AkPxLyYtGJgIOIw6QRxOiTvxXBVk2QRhNFpGV+h+SJO83TMnAJs31D LL6FDVpSwQOP2gG0E28L/if/8K8GQLmDT6DCwqPjKZmEZTapDmF7aZiNRDeAYHQWO7rb V+72VBJU/qwjYloWtRdm0qIA57wnWecuCL3ZDHNObYtxw2CSoc9SpFRBkXl1HIwT9nzf KaUg==; darn=isar-build.org ARC-Authentication-Results: i=3; gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=selector2 header.b="k/l21Fzo"; arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com); spf=pass (google.com: domain of felix.moessbauer@siemens.com designates 2a01:111:f403:c201::3 as permitted sender) smtp.mailfrom=felix.moessbauer@siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20230601; t=1761147580; x=1761752380; darn=isar-build.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:mime-version :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=hXLMGMleg1CtEx0FQgRzgD/9iF2Fkn/JnONZleSRhV4=; b=LK9lXpCXpZ3W966NHcSAHGc8X7LLu4Vp9kP/kZxdHufF2mvjK22O9HjRytvc4N1TE4 x4SIZ/YJFVKmkrQ+kcLUgsGBJ/hF24Iit5x6XSZZAjm0gnbok5tUf8AAr4bUs0kFnTlt 7zyBJpPM4GOZc/SpxOOCdpNwqGxEA2+0GauEXusVVm68QUvQVe6JdmXpSDaYBMw+evr+ At4DZa+rXEOz8d2+bP+s7d/RKhMRfEhCbtU3dIYpL7NbN/aAqlbRnV/1yJYmNvU+17LR yskhm6tmJ6es/Z+htFpcupUrwsmElYwZyBZYJvq8fVbvjpdqcVBhEWMkMAX6jlW8lzIU eEbA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1761147580; x=1761752380; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :x-spam-checked-in-group:list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:mime-version :message-id:date:subject:cc:to:from:x-beenthere:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=hXLMGMleg1CtEx0FQgRzgD/9iF2Fkn/JnONZleSRhV4=; b=gvoBfs38FK3QUmv3sZkkYu6eQm/2/kQPdsKFIGuuq5Dak+lmPGduJVeHmsuWV3WPnf IOvmbKKmqdIq0pcykIWOx+vx83S7Ski/PcKUJ9H2FbT8oZ1jZX38KoDckDcrIb+xM/n7 c03TyB9CxUhijmHx/pKre9YgBfQ7hxM2R2rQUyvFsjKSg/fQZwqMfZ0wUJ+TpnEiiGB+ FmwC8kHjfOFi62pyjicf7+7gXuteB4dydgNCNv3rZkAqe6SeucW+6jtVOZoYq5VZ/XdH 87FmPi3I/UdV+Iq25q6RjJhhKwTk/CZt3T0OKQlx6qmxbC6IvYJ7NcnSzq28sBA2bcor OvcQ== X-Forwarded-Encrypted: i=3; AJvYcCUpqdMvAirUzEXSFLpxjk64rl/xgsjYs2pp5v+TxqegOMj5qZrAlUVUSG32SGHhYhFA4/T0sR0=@isar-build.org X-Gm-Message-State: AOJu0Yzjz5pwhixOXP8cQa8NJQmKA5OewpdT2mZsGOdbWthnZDN+0wVC P8ZMwH4WoxJsrHux3+IFLXhiuombgiJeQMfaHp129VK6r3LUkUfZYPoh X-Google-Smtp-Source: AGHT+IGc2ENBMA8n+NtPHKbv7yEMu0sy7xBN94HOe3T5sXxnHw4UL6P3jliSZrWARt6v8zDqedE0Ig== X-Received: by 2002:a05:6214:248a:b0:87c:13b9:7b1f with SMTP id 6a1803df08f44-87c20578317mr286361256d6.23.1761147579537; Wed, 22 Oct 2025 08:39:39 -0700 (PDT) X-BeenThere: isar-users@googlegroups.com; h="ARHlJd7WV7+aUQxBS4qk2j0i9qpI84bxXPL01BRgJENlwy9jgw==" Received: by 2002:a05:6214:260e:b0:779:d180:7e3f with SMTP id 6a1803df08f44-87c15327cd2ls112643976d6.1.-pod-prod-01-us; Wed, 22 Oct 2025 08:39:37 -0700 (PDT) X-Received: by 2002:a05:6214:1c4b:b0:78f:62ef:5a50 with SMTP id 6a1803df08f44-87c2061005fmr259230826d6.42.1761147577336; Wed, 22 Oct 2025 08:39:37 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1761147577; cv=pass; d=google.com; s=arc-20240605; b=Z/9xsw+acOib6uZHxPdGOhkpC/tk8xaWXBlI65Z3i8v8jpt2cJOBBWcQ2opgdNbgd6 DA/Q+UbW3GrRdyngwnVAE4L2M2ZB1JTnVlXpu0ESo8UeSY4sgGSOr7D93HIJcgbK4dh1 oAGtcYPldQkopX4LuyyVAKY2UVtzLCE1jrMDBIk+pXH8TB+7ykeY/sOFGVs9QDZhaL+U BNGS5rOBi57ty0vDw1kFglAh74mlEWjmKfH5fzMKkdxYaYEI71H1l9nvGlPL3L4K7SRL FIF7CxHBvw4V/PKN6E1z8+TWvbuBaqVw3Od9fVFNr67IgxY4ZPCSfResNduwFsBje9Na vRsA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=mime-version:content-transfer-encoding:message-id:date:subject:cc :to:from:dkim-signature; bh=Y4EyHf6wrkkNfpTUmilv1CzquBNRgtfhA+UchXa8D5I=; fh=U8bm4dTYQmv4LpgB7HlcKSsNa947JBNKOeDeOLKSao8=; b=TKeadYJje8SBDFjmcXUBv8O7fUKKsLUneMsDRRkAr2QrBvdbHa1kCWe6rqSAX6LhPE nJUhCvu6uV4auzyB/pgYqkskJ4O/K9nX/nP+awxrTf0NYQkr/41WssQPiVfG4FpWs3Mv uGLH1hB9nPo/Kk7nIPaSjBzE8beesnNuUF3H+MK6qHr6Th850qrlXjd9gnwbIv+6VWjV 9QUbE1C029+yFOaPsUBreqv46S4VIZv8K4juFCUKjABmFDZx0BqQ1OGM32sxgGG6XF1c 6KMYvz3zdOapPdxubfS/2qyDPqVwYTMfsbkaBsEzpmu7Uyn9mAmRjqzJNsqkZ30DDGg1 BC1g==; dara=google.com ARC-Authentication-Results: i=2; gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=selector2 header.b="k/l21Fzo"; arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com); spf=pass (google.com: domain of felix.moessbauer@siemens.com designates 2a01:111:f403:c201::3 as permitted sender) smtp.mailfrom=felix.moessbauer@siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com Received: from AS8PR04CU009.outbound.protection.outlook.com (mail-westeuropeazlp170110003.outbound.protection.outlook.com. [2a01:111:f403:c201::3]) by gmr-mx.google.com with ESMTPS id 6a1803df08f44-87d02896656si3813466d6.6.2025.10.22.08.39.36 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 22 Oct 2025 08:39:37 -0700 (PDT) Received-SPF: pass (google.com: domain of felix.moessbauer@siemens.com designates 2a01:111:f403:c201::3 as permitted sender) client-ip=2a01:111:f403:c201::3; ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=SZuzfg4v92CIxnO5pljQ7YiryEfoS+PjkzzDRL9rhJBZeWnnp/AgebDVr9jbdKrpDgdStkBvneYCMdTaU7B34SI9qHUWFGxfSlUglHryDSFCVXP7g0cOTscr/+sr+UdKlnH079IHqPEW4NgAKh283RuJPIbofmS5Zx5jF5DdCqd5of6QWVc0PwGR4Je5QFI1D9IQJUVgB8MKcTn6ouhqJQFohAeTof61nyqFyIXDcOyCMbOil+6hoe42ut4tHtArASuK7P2yYqEExfv0b3TwOESy4Q6REaJeS+hR0LecghfAzkxNM9rELT8i8edxa+gn4jYu037pFQim1bRxOVsgnQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Y4EyHf6wrkkNfpTUmilv1CzquBNRgtfhA+UchXa8D5I=; b=m+u91aSIjhg2gyg1xDi7PVtiwvXLak1tLgmoSqMblD0LQUt+6Xn6799O+J+EKJqKuYlU7C7eIISXaSogOpwLA3945xOPCI0yeOcDGdMyFsNP0khsgcP5t5CVTH29nFMXM6MTBsgl6DpYsZ72TPkIHmV6wfVmxEyIDdYaNSrr170x5atgBEQNFK9mAhcftvgvZmcPu9XzNAgL9FJGv+8uHBZPluUBOf/5PZMivdzVUrk8crjuDjoJSPX/SZ5cRhnGig8vXZxUBlO8lFCy5Uhc48eikDUbL7917W6dMPcMxpBxdLkjcJpAHw95x8AgUTsyFl4OJlunfKbI6Y7mDp2enQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none Received: from DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:47f::13) by PRAPR10MB5178.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:102:27b::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9253.12; Wed, 22 Oct 2025 15:39:34 +0000 Received: from DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM ([fe80::8198:b4e0:8d12:3dfe]) by DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM ([fe80::8198:b4e0:8d12:3dfe%4]) with mapi id 15.20.9253.011; Wed, 22 Oct 2025 15:39:34 +0000 X-Patchwork-Original-From: "'Felix Moessbauer' via isar-users" From: "MOESSBAUER, Felix" To: isar-users@googlegroups.com Cc: christoph.steiger@siemens.com, cedric.hombourger@siemens.com, jan.kiszka@siemens.com, Felix Moessbauer Subject: [PATCH v3 00/10] Add SBOM generation with debsbom Date: Wed, 22 Oct 2025 17:39:11 +0200 Message-ID: <20251022153921.2494749-1-felix.moessbauer@siemens.com> X-Mailer: git-send-email 2.51.0 X-ClientProxiedBy: CH0PR03CA0035.namprd03.prod.outlook.com (2603:10b6:610:b3::10) To DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:47f::13) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: DU0PR10MB6828:EE_|PRAPR10MB5178:EE_ X-MS-Office365-Filtering-Correlation-Id: 50e2db65-01fd-4b92-9966-08de1181330f X-MS-Exchange-AtpMessageProperties: SA X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|366016|376014|1800799024; X-Microsoft-Antispam-Message-Info: IewVpjH6ba9JHUkW8wKmts7eDS+IyaGoNm9cIPgWMFpZNgeFXDahu5BbmkcDVpgcQsO7v1ZKIWZlIANaAEoh8A3Uw4GpQxhOOswQdEh42s+HI78GA36Rk5bpOp/eb2N7KeInEQEPhDPWdsm4fUDNvehoNs3pqjxd4xs6b9wTup89xxekLVmdRwGnH4tY3XREU6v5ClouaQFqrv13+ZEqPudPsRYC+OvwfiaDv4v9FvH9B8EaPpf1katnRwuQDecFslZG+EalTEEnFVSWTAPNBysdLpM1JQFSq0xLwmklU+WO+z2oGbOaPjEphEUb8YhlrqDXOho4sO+uizbcRL19AEx/x9k4TXIeuIXzxt/lYZO0Ro54hlQ1P1KlFeTlZWitcdy/h6CucUVukBV4jNySm5eQL4I/KDPkWSCFgY1yEQxPx70JlWyI6kGHvisgUT39GyrEe/9sm8PJbTif+11cIM5/0m8Oqb5qQIoxwVaKf1Xkl2+DJlbIyQcR4X4cm6ct83kI0dOJD8tXwfFZ9kfD6dhuEeR4UtXh35N+fhK4oJHyugms8tJWCa98R9Ik9276YN8xYswjMymWq8pgKHC3x+H5FJsV2z8PNfROJ/dRrxxy7yC5ijWZ78SIY9ct5oZMdgJH+mA78xjdb9ZSs/sFqvc1WcTh7BfnUi+CVmkAy9c4LeSl6A7YE/qP+UKnnxUrdQO7ggeAyPYMTtOZfsiBeW5e90VmfLwYI4azNLp6Qd0zaveFv9Css0Xu4IQ9b2nACW6O6EUCSnzH1Pt9ECmepKx+uuon4WKQDxwVhg4xd0Ke4xX0zGzbRUpzAlRXbnzi+dOVQsVeJ4NXclm6WANEm/S5ebQlz4aoDUzYR6SJ59jkQpdOOdxjEQnEMjI1iXKGb0WooA/hUfn6Ku0MsJmFkuxNAs/kgq7aPHRuxu+Z/0CDUSRgc1bEPXfKsMdkdjCWMcAYj2wgcp4c8yvuXrFpsOgRi6pmPFHbHgqH7YhLjtfYC+noEnOxyo8KYz1LpZcUJZQmt35EzRrtxXtmhruIfG9tz1bpWR4Yd4DbQ4sxtLcIJSC69t4qZxltEahUt+9VXs1TQo0R7Ih7H+UsEhoIDTt8zRacKjPrXYLJhu8UQc2jBwEOi/8kforqOwYjnL/lNl3mcLv2UhQi1x5CZyV/92uPRQyyb8eKNkee53AkYE9KjnUpkcRD6MiYghBN3XEL0BxLFS3HBAGy7XP7GNVUMDCncLlkfUYfE0I/NHIsye2kQcqImiORr6prUhGxWSuS35VscJVZbngyGP+ZBkheZpqD6xsAX5/uxu+hKWgq5KjTKirptgEGYsgVyw539sAQEPaJcusoTLmVYg6pcHBUa0G0A+04gEmXe9kdYarvz6ivPfmOhROlF3N6uWvmPOEdSLtYjPKBHn5lXeKwcOk9zho2xr7jjhwM7Me4RH/cdKM//vn4tGKFdU0rdg/djaPS X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(366016)(376014)(1800799024);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: bfaoyuCYtgWpSlxPXbRZg+j7lTPcH080/RjbGysj94xtbdJLQwnP0rh+2ucKene0oNJwfnpE/brwDYMHnscFrHGA7+sBzTHHNWPD42PRRF/eUq06s5ZC4NSogYWJQux7rak3XcQM4q5hPXfa55riSSlnJsZIwvvsb0c1WCJZBb9nRg/L9nCUFl7Q+wygrvnYFLtSkVe2C94HrZo+bR5JY1hHyDu0c8SGvv/bnOf6PXlpopHHtL1JHPIgLTFYln9dtIYefZkCf0Z1//FrqzLvgmA7Xvj7hPB3ypQVzEUQ0cEu2LK1wG0CkTUtOI+e/EfUAZj4J1FsPcddtfwg0sGs/l2B4wXIUNdYkhnYvNEygJQzV53EJmBwtt02e+1ge2Qvv3LxmHmLP5lHZvcPjqB4XqTX5udulqzjdnWr2kg7GmHOW9a++Ie1G04qKTpw3uvPsEqsQnZdrPcM/6YCIg5EbvhesELtn4HgzK9o2ZZ8y2GXQWqxkEcuU+TmATxxqBiKfAG/qMmdBa4JBOjOeGP0AbeEDUxCZDF+GaxbPJhfBwuXVEeX+GxF05UZEvlI1Tff25B+WmWO7gLULrQDMH+CiNabjrj8vksO6bHqP545H+XZk/TS/gpKEqM0XrywXMxlLAQIOx6ZFcYj9VaCZi6RHxnq7alzN85+9CI6+h7O8r13G6vTMdP+7hx7UQ59D32UbsjIhuPomEx+WDnwXi2XtNh++rYqLNv2YoaloC0RQWQwhg2fwdWJoofGtuRV8SFq5k0vNT3QgUdOdtg3KFtNvTwvyZ1M2w1gpudRegEHnNG3/5E7VSxJYSRkRrCFzueq+6SloWaEXFfzRrxssTOZh4KxRfQfMEayXmnCQ0NfxO51IXQUNKlBi+iCFDT6Ow7B2alCJu8xHObG98u0engnnJNK+cMoPzmWFp7fw9xpOEApw17b6dbrbJ3+RlFIvai5zvRMkSyv3FAyL8MW/BVJuvNa8K/Qcl23pN2pv7JNIJToQDO57Kj88hdceyaaOF/iqrk9CtjMv5u73X2EOVw8wk/PjEQm42O2FpH2YJTSZOayzh5M8Un64xzTJWeRV0fjbNcYsSUwUyAY3R0X1CYGjH3Z5V8z4ATNrBGCSKKAZvdBGFYSMgm9zRwesQHdpgGQ2fLk+8PHBTCEVQ02guASxAGPf26G0vrtB994IKmbLb5GgpksTYkv9bE2NYusFkpJXifqWGhDp/1VIWj0V/862ZwufhBprQ+xt0b44G8kcBcCoD2yOfdT+DW5uqBXnD7QcifS7P3G8ZWyvbyX0DXp1FJRVlN07zO1lP2OVE4/nRWev6bdLsL2YAyAQZb7Ikpb+u2vuMch0nCuml2nOb8e41peG9H8YJ01/7+T8Ud07qLUj9CymIGh8Hp055RyKdF58nNWxH++MUWPB6FH/bkgNxjneY/ro0mDgr11nTNHR87YWGOR0kjwkVfB3cwgFd01Xj4LIHFQ1M/IMxq4JDeFz4/wAOD5IsVT//AwARFhbDqvJCa3H6w1jm9L4SHQLbguxXXLr5pUbJKX2uQEI39ZQ0r1sM9EAs+mYdYyo8EkfQliP9adwTZLppRW2F5gY+obN93dD6okLFCix1N/R8pi8Q== X-OriginatorOrg: siemens.com X-MS-Exchange-CrossTenant-Network-Message-Id: 50e2db65-01fd-4b92-9966-08de1181330f X-MS-Exchange-CrossTenant-AuthSource: DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 22 Oct 2025 15:39:34.1441 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: 1pfFCeGtiamx6XkZHx41dJ4wfQRFS9Mzg9DxXmtdqDmR8PsCqPbdyzJ9xpflkF5osbTc4dYdbgNBXO3652jBmultMmRdXLfhIXdggJ/jEeI= X-MS-Exchange-Transport-CrossTenantHeadersStamped: PRAPR10MB5178 X-Original-Sender: felix.moessbauer@siemens.com X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=selector2 header.b="k/l21Fzo"; arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com); spf=pass (google.com: domain of felix.moessbauer@siemens.com designates 2a01:111:f403:c201::3 as permitted sender) smtp.mailfrom=felix.moessbauer@siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com X-Original-From: Felix Moessbauer Reply-To: Felix Moessbauer Precedence: list Mailing-list: list isar-users@googlegroups.com; contact isar-users+owners@googlegroups.com List-ID: X-Spam-Checked-In-Group: isar-users@googlegroups.com X-Google-Group-Id: 914930254986 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Status: No, score=-4.9 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI, RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H2,RCVD_IN_RP_CERTIFIED, RCVD_IN_RP_RNBL,RCVD_IN_RP_SAFE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on shymkent.ilbers.de X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= This patchset adds proper SBOM generation in the two standard formats SPDX and CycloneDX during the rootfs generation process. The generation is itself is handled by a SBOM generator `debsbom` [1] which is developed as an open source project at Siemens. It is still early in development, but it has enough features for what we require in isar. The required dependencies which are not yet available as Debian packages were minimally packaged directly in isar too. This is a followup of the previous RFC [2]. Since then the series has changed a lot. The SBOM generation was moved from a simple OE lib to `debsbom`. This also meant the introduction of a separate chroot was necessary. The SBOM generation process was also moved from the image step to the rootfs step, along with a lot of minor changes and improvements. [1] https://github.com/siemens/debsbom [2] https://groups.google.com/g/isar-users/c/8L-CF4BJY0I/m/p0N3o_zfAAAJ Changes since v2: - fix issues when HOST_ARCH != DISTRO_ARCH on derived distributions - update debsbom to v0.3.0, which fixes the Origin: bug reported in v2 - generate SBOM for imager as well and create merged sbom of .wic image - resend imager manifest + wic manifest patches to reduce conflicts Note, that the patches p1-p5 are most important as they add basic SBOM support. The remaining patches address the imager + .wic bom part, which also can be merged later on. Changes since v1: - remove tarball - refactor packaging (auto-derive python dependencies) - only build missing packages (varies on bookworm, trixie, noble) - add ubuntu support - only generate sboms for supported distributions (bookworm/jammy and onwards) - update debsbom (includes bug fixes and more information for source packages) Christoph Steiger (3): meta: package python libraries for SBOM generation meta: package python3-debsbom meta: add SBOM generation with debsbom Felix Moessbauer (7): refactor: move get_rootfs_distro from sdk into rootfs override distro vendor in SBOM on Ubuntu add support to add imager dependencies to BOM wic: create uniform manifest describing all image components qemuamd64: add IMAGER_BOM entries imager: create SBOM of IMAGER_BOM packages wic: create uniform SBOM describing all image components doc/user_manual.md | 1 + meta-isar/conf/distro/ubuntu-common.inc | 2 + meta-isar/conf/machine/qemuamd64.conf | 1 + meta/classes/image-tools-extension.bbclass | 29 +++++++++ meta/classes/image.bbclass | 14 +++- meta/classes/imagetypes_wic.bbclass | 30 +++++++++ meta/classes/initramfs.bbclass | 3 +- meta/classes/rootfs.bbclass | 16 ++++- meta/classes/sbom.bbclass | 64 +++++++++++++++++++ meta/classes/sdk.bbclass | 10 +-- .../sbom-chroot/sbom-chroot.bb | 30 +++++++++ .../python3-beartype/files/rules | 8 +++ .../python3-beartype_0.19.0.bb | 29 +++++++++ .../files/pybuild.testfiles | 1 + .../python3-cyclonedx-lib/files/rules | 8 +++ .../python3-cyclonedx-lib_9.1.0.bb | 48 ++++++++++++++ ...icense-description-in-pyproject.toml.patch | 28 ++++++++ .../python3-debsbom/files/rules | 8 +++ .../python3-debsbom/python3-debsbom_0.3.0.bb | 45 +++++++++++++ .../python3-packageurl/files/rules | 8 +++ .../python3-packageurl_0.16.0.bb | 33 ++++++++++ .../python3-py-serializable/files/rules | 8 +++ .../python3-py-serializable_2.0.0.bb | 38 +++++++++++ .../python3-spdx-tools/files/rules | 25 ++++++++ .../python3-spdx-tools_0.8.3.bb | 46 +++++++++++++ 25 files changed, 521 insertions(+), 12 deletions(-) create mode 100644 meta/classes/sbom.bbclass create mode 100644 meta/recipes-devtools/sbom-chroot/sbom-chroot.bb create mode 100644 meta/recipes-support/python3-beartype/files/rules create mode 100644 meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/pybuild.testfiles create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/rules create mode 100644 meta/recipes-support/python3-cyclonedx-lib/python3-cyclonedx-lib_9.1.0.bb create mode 100644 meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch create mode 100644 meta/recipes-support/python3-debsbom/files/rules create mode 100644 meta/recipes-support/python3-debsbom/python3-debsbom_0.3.0.bb create mode 100644 meta/recipes-support/python3-packageurl/files/rules create mode 100644 meta/recipes-support/python3-packageurl/python3-packageurl_0.16.0.bb create mode 100644 meta/recipes-support/python3-py-serializable/files/rules create mode 100644 meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb create mode 100644 meta/recipes-support/python3-spdx-tools/files/rules create mode 100644 meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb