From patchwork Mon Dec 1 08:58:03 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "MOESSBAUER, Felix" X-Patchwork-Id: 327 Return-Path: Received: from shymkent.ilbers.de ([unix socket]) by shymkent (Cyrus 2.5.10-Debian-2.5.10-3+deb9u2) with LMTPA; Mon, 01 Dec 2025 09:58:43 +0100 X-Sieve: CMU Sieve 2.4 Received: from mail-il1-f190.google.com (mail-il1-f190.google.com [209.85.166.190]) by shymkent.ilbers.de (8.15.2/8.15.2/Debian-8+deb9u1) with ESMTPS id 5B18wfr1012585 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 1 Dec 2025 09:58:42 +0100 Received: by mail-il1-f190.google.com with SMTP id e9e14a558f8ab-435a4ea3e62sf34023275ab.1 for ; Mon, 01 Dec 2025 00:58:42 -0800 (PST) ARC-Seal: i=3; a=rsa-sha256; t=1764579516; cv=pass; d=google.com; s=arc-20240605; b=YBLW4SDl+tb+ZGlug0dy2wb/Q0SvSBn6Jfpo+lvRxWkxEujpgmxx6KN0utm6KOHz2b EYdhfB44irlSkkOMuxgDj5VU+NbYjXwgkYKUjLf/kTWSFn/NCkh4LwIhcYROuffH1Ptw aDympmy/ZzWnTdAiUfQkAmqE8mMTSPjCUsH8ethoDlfX7eS/GKMFJX2YUwyCuNaINVdp DpuPwR5qzfkmwB2jFihR3UJMXF0WySaNQl04cdoqgfUgj5timcaY/1WdFk2Ih20AJlcY E+Hha6733mFOYCKvri5Jbj/hFdbvQNV72wzTu1YLsqrpjOGgFfFeSmU0b2xI/sH2j7Gh CLfQ== ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to:mime-version:message-id :date:subject:cc:to:from:dkim-signature; bh=WrRZFLz2J85N16cAuYb6TjM4Ag4zW7cfUk+qQz19nAg=; fh=xc1Wrgmmq5VvVp4V0AAwfWb5avTEyz45aW3+DBcyzmA=; b=KxEtHBcWRH/RfAMFVpkfvC8VS1OIiclt4jDp4hyGH3qIAcp3lsmwjCUhxctA/x0OrY nr2lt/qQnY/iAtbORQI2ZjMHwnCJ6OOkgCrKRkVwgz/2GGMeDslcD7xmwwrNnzC6GZ9j O40Cc9YGQEEGW7HCLzAcRc/NFPnXDr9GnwfMYRZcQH2soLfrwc7YadVi2EmFkY4xqMvu zMI7K7Ca0D2SzA0kYedQ9GZhbDeGI+ySJ3r3M+Wz1pDOHEQ7Pv68dpV0rsC64yafhc8o d4vSVOE2+ZFz9GSmBVBdbr3uC86a9pJEQHg8aArcbplq+ZnK2ExzfMHT8L44wgYCt3yv /39g==; darn=isar-build.org ARC-Authentication-Results: i=3; gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=selector2 header.b=uxHzkln+; arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com); spf=pass (google.com: domain of felix.moessbauer@siemens.com designates 2a01:111:f403:c200::3 as permitted sender) smtp.mailfrom=felix.moessbauer@siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20230601; t=1764579516; x=1765184316; darn=isar-build.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:mime-version :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=WrRZFLz2J85N16cAuYb6TjM4Ag4zW7cfUk+qQz19nAg=; b=KV3ehSxsKsQexEs5fkGb/N0Se2bXeJQlj61tMPv1hn3tmdzHyNa6dPkbMqWmzUHtET QKQFQ1owzL1oBbO1PVkGKGyMo5CiEIk3fycbD6278J4LUlZ0Yu2f599YoT+4nzHiVyqa gIDpLgm5aPTF/8ERBTLCiMmb6h4jqFOiM9pIPQAHxFnbghPW70a6G2K+bu++7U9H40Ji i4cGaRmLTfftd9oIpyX6nUfXWtuJwSRQ5AX82z1Uc5aPPPAO97S/rNVBBaKxvNPU/u87 v3LsJtstzhU4OZt8/AOBlsc2AppuQwJz90jhSDDUp3NJ6XnJuy7h45b2WIisLdbRbe+i GR9A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1764579516; x=1765184316; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :x-spam-checked-in-group:list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:mime-version :message-id:date:subject:cc:to:from:x-beenthere:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=WrRZFLz2J85N16cAuYb6TjM4Ag4zW7cfUk+qQz19nAg=; b=USntWcccPAbj2lPu4Yo8NimE0poBSKZuAGXmTbEogJSUY7HinSctShA/0824haqyWE v+0wb+UnjdTj4FUM5q/38H1gsvcMghhXFRXMmu+NJ1LwdEmsWgRsPoa/SN9VfL75r8GO 6nXXgFyJW/WL3bpOfbV/ImSN/IH3rKL/j1XpnS7mceWKhKxEzGkc5TAIPd4dWmwAYnnB rUWUFreT0ETj3xN1IAGqxEwJVnkpSxff4TcKp2PB8B4kC39/UN9OA4bObyqZL6zP4QHS b8JAvWGx1J8GgvGrOp/s5FElY5Hc+mH/VK+wBW17ppOeaiBUDyYwDydOyEaBPZ4QNntK m8Lw== X-Forwarded-Encrypted: i=3; AJvYcCXjQGZQM2schsQ5aCGX+RXvDAhgejmz9Vmd36Pf2TiS8a4PrZHndYnIPXZe+FU1KsuByxWbfaU=@isar-build.org X-Gm-Message-State: AOJu0YyKd2hzaVIGcRYMK/vMRETtZ7D5SxQN1CVecy6SDTWC25tIXk+x TNree2hIlWrW7H+8z3qgHui8IMvOSPX2s2QNYaKRUKPYEM3n+3FYBorO X-Google-Smtp-Source: AGHT+IGYVM+k64ESyK9Vew7xo8H0gpHLzR+FdgNuAQ5j9GhvkhLEeTtvaQv4bDfsdTzfMXvSJ6o0Tg== X-Received: by 2002:a05:6e02:2385:b0:434:7a8a:3e0 with SMTP id e9e14a558f8ab-435dd043c3fmr201912325ab.1.1764579515866; Mon, 01 Dec 2025 00:58:35 -0800 (PST) X-BeenThere: isar-users@googlegroups.com; h="Ae8XA+b6k6ntm5acR0G8VAfySB/YCSZyaLXEh4sfTH4fxxOACQ==" Received: by 2002:a05:6e02:1fe8:b0:42f:8b38:c20d with SMTP id e9e14a558f8ab-435ed40d634ls18563985ab.0.-pod-prod-08-us; Mon, 01 Dec 2025 00:58:35 -0800 (PST) X-Received: by 2002:a05:6602:3fd2:b0:948:a37f:6eb6 with SMTP id ca18e2360f4ac-949777ad6a8mr2125510739f.4.1764579514812; Mon, 01 Dec 2025 00:58:34 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1764579514; cv=pass; d=google.com; s=arc-20240605; b=VKrQNWvuF0TXu92X0E2+zQTHNYvgCfgUoOPgJ9Q+eABH24uLF3mZKEgjlSWEE8CKDi mdMl8ucE54vDLLWBD6Twabzx7wG3GKR4nPxl/efNbQ3Rh09S7znwEXGJwJ3jC1ZFdZ7o g77p1rNQbGFzpHMhMtY6bDiyAmFVoy/Ifi59fMoAP285F6QoWGewAOcDyFV3z/MtopPy GkoRttN62ZRGdUIueuB41zbe4gm+MOKai6nq9WpoxihoFrvSnmyoxrlISOX0xiHiX1ki dImKK3QWlKpVsPELSOrt8PLVZHGKHzIlgdrslWswqG2iHahfOZNuI6UW5rEt6ni2vgLl jtAg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=mime-version:content-transfer-encoding:message-id:date:subject:cc :to:from:dkim-signature; bh=CuFpg7Fy3O4inPy8MIR55mTB8MX0w4c4Ld6zv/UQx54=; fh=YgHcU2amhotomeH1Rv2VyUlgPjm8wpulXwrBvcHF4rI=; b=S4+D7vuCkKi/EbuhI0oZsjBuIr5T8kh2Qp2gtbeu3lTjGbPq8jxq8Wi/eZ86ndlBcc pheYmXja0Y3QfVy3NgLWIyKcKmlNGerlOfyafnwfDF8oANgK266kylAl/HHdkfG0+r97 LycCCoFmDqzhO75D+EmdxQQr8DwY7mHFPK4xNXZwpLIQog4I22tWgoM7ACHLtgRFTeoE AF/qDaBH9H4Zd5qfskGrFs48Lwotu/YyPcwW/h31iKtV1Yr+9E0V3Z143Txbo+Kloaxz gzEbT18Xj4YfFQ/01iSFTR6wccf7Y4XabY2x4vfTFSLwGA8mu5nPq5qauLkHdESeOaV8 O50A==; dara=google.com ARC-Authentication-Results: i=2; gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=selector2 header.b=uxHzkln+; arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com); spf=pass (google.com: domain of felix.moessbauer@siemens.com designates 2a01:111:f403:c200::3 as permitted sender) smtp.mailfrom=felix.moessbauer@siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com Received: from DU2PR03CU002.outbound.protection.outlook.com (mail-northeuropeazlp170110003.outbound.protection.outlook.com. [2a01:111:f403:c200::3]) by gmr-mx.google.com with ESMTPS id ca18e2360f4ac-949900023a4si26823239f.3.2025.12.01.00.58.34 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 01 Dec 2025 00:58:34 -0800 (PST) Received-SPF: pass (google.com: domain of felix.moessbauer@siemens.com designates 2a01:111:f403:c200::3 as permitted sender) client-ip=2a01:111:f403:c200::3; ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=rBpZ7viRdP+ETGkb5yhhLa5OdGBkEAyB+QF9FEix2NE4JHh0LyQb6X0f+QHwnnnUZ1QeNbrmFYq0MZxnc6iJF35xaRULHpxLJnfHEHydp5Fa4Zt78C5aaH34U0mmiT4u2hDr70eg7ko0FP6OWBNzFhJ464/V4JvJ41e9sGyXNjnqB6SOQWlX1kjEcdcNYbsZbgsDfVBxiTl/FcT2h7s6G1ZJdSViuKsbgUhj1Jy1rrP7aY0r9uluLOJQf4VmFy1Q9ssBWIHBrx637z0s3hgsMfw8AJXulREwa+2BAI2v5B6D9LcMB/p7LG8N/3ylAHOl4bFs1sxKUFOwr7CCBu/LaA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=CuFpg7Fy3O4inPy8MIR55mTB8MX0w4c4Ld6zv/UQx54=; b=qjAKPuGKoHmCN54qotuQ4MEgVJ49skK2jeLQQvUNCv8yFS8B+peSDyXfszZEIL3G4u1mDu+StRcsBZplZQtLt836ycmichfdcdwFc/vEF10rGVnEi+IOY3ho9EXlkQ7ALsKropq3JcGjvfQ6yMd50o6m7ceJQsNPu0WOMIy6tNuc3l1VPHkLpSBLWMj4A7EB5ETPSiQ3oYZ/AWoVeQp1pNuamvuLLA/jJLHEm3CwvXPi0xmjZ71DZEtzTFfhBKN6vuOO7SLOXzB3jzOHJVhAvlQ5l+9JbG2P7WYuQhsCmQlv8W8jtWVrUnqbbb90y0cdrBs5OnULf/bq3tAFNREPxA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none Received: from DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:47f::13) by GVXPR10MB8489.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:150:1e1::6) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9366.17; Mon, 1 Dec 2025 08:58:30 +0000 Received: from DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM ([fe80::8198:b4e0:8d12:3dfe]) by DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM ([fe80::8198:b4e0:8d12:3dfe%4]) with mapi id 15.20.9366.012; Mon, 1 Dec 2025 08:58:30 +0000 X-Patchwork-Original-From: "'Felix Moessbauer' via isar-users" From: "MOESSBAUER, Felix" To: isar-users@googlegroups.com Cc: christoph.steiger@siemens.com, cedric.hombourger@siemens.com, jan.kiszka@siemens.com, quirin.gylstorff@siemens.com, Felix Moessbauer Subject: [PATCH v6 00/10] Add SBOM generation with debsbom Date: Mon, 1 Dec 2025 09:58:03 +0100 Message-ID: <20251201085813.1616095-1-felix.moessbauer@siemens.com> X-Mailer: git-send-email 2.51.0 X-ClientProxiedBy: FR5P281CA0016.DEUP281.PROD.OUTLOOK.COM (2603:10a6:d10:f1::14) To DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:47f::13) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: DU0PR10MB6828:EE_|GVXPR10MB8489:EE_ X-MS-Office365-Filtering-Correlation-Id: 012c5b22-2a49-4df0-2d67-08de30b7ccb1 X-MS-Exchange-AtpMessageProperties: SA X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|376014|366016|1800799024; X-Microsoft-Antispam-Message-Info: CKm83PrRmLrmwGGjRgW81g69XUc3WQ7mtq32PT7aoL2IGe+fnLWJktQvjpuCYonrV2vM2/hAWGKZUbLuFM/n4zlVialHQ2CxlSTg34RHSOK4C6wauFrswZjhoI4aQbhEm3+dPCZM6lt0pPZadjcebA5gDC10qNEJmxIJ3EzTfIBtW7JvSrXWe6qP0GWQ0XmFCdy1H/0LsvjsKgR8THSe52biqGfAwNadoQpXQqeyxk3GMuNaydO+XA7+XM1385MWYXBdY63sWNA10U+BEaGzE/DXROt8qkG57tYjUQKAdcN3Rn5GljjUCCCgJPnEXKBjiK14I+WxREnynJPAojZ0fzkwqRD7FHPxLg3vYcVLcVBgf8E0zv8AdTXEkU91HfjCrZxiINzdey3g4f8z0jq0pCb/d4xC019fRzcW5QuVQwzq3g/CsC7M7uHZqpGNoIK3W2MxsAtHlVqMgoK04N6EgvEc6m4GGnMflJ/dh2P1uPEJqpfy8Ic7zNR42RmHI7z2rE2fwnTYGd7toyTmbZhNmAOq19IHZmONVz2IBCcFOMrs6F1yTgVxTbZkVqK4Ngkq+bI2qHjLLkAjzcIUjORqAgnkPxtAj3Lm37faXhIWJyBEWNj+r144dFKRznTYytVrTDDlzNTzjx+h7j28vZFFpZ1US3QVRo9yfTk+WkHbvN13J73dCBR69pKBhfJsPngEewr3/NjUxVz8EC8t06V4tcAwMdM8m72wVM2rXTP2jSHrCpVk9BNTlOwyli6KwtjeuJz+TzT0yp9tpBKJfU1yRVIMvK3g/E7Iznd/x7bDL4px7KXS0Os43GlXqPKFaRHN9LbYgW1NPfTL23rb+9CKJ7OUQSObWQ+bFXVENk2JsArRthmZXe+xBdesbGKlAbbdU3RzjMM1MaZVTnREAZ9lyQqve1RlzOZYGveyAnzYTxalhnHsoFNu1Umxz6y4FSSag/cf9/32ZbI4XmO1qHPBnSIqQnfjXfEXOEU7aq8uoxWmaJjdOmum6WTEmECl6qjp9lbtgXFnAEo7WZiQUHPeR7JacqmKvLoaPbDYjMOMLuGcuBpiDdO8IvZe2l/5QoU+oZrU3tuJDYN7QpEgD4v8btdEqiOzNxJzSFkt0q3J/PuCMoAyJiXXxyQ6cKk0ssTVtI2PFN7vJ8hGmZ+YwUct4/rqwWsOpjQi6AOIe1hXiWagie/NO9A84EBTmhWYJ2RdtYzVbxQ61rsmr3X0sXMw5rAGtN6fSyF3xuxVFQbTNO+Hl6tyXaQ0A8MxW7N8kycPek7uOd3hVFVgy1smaXnVpSmAvFEHTRbr9QGNr2mpq8QqOWY0ibLNL/Enu7qC9y+5txWz/AQzSNcArJvEsnM5q0n2iz1ntvrVpnkgXZpbeu6ucW/61VnOSxDC7FFZseQ5DrSr64yRR9GYFKNFJVGKWDVIpHwiTwNKwBpGD/WOqf0PdDVpN6+4NYuKfIRwbskG X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(376014)(366016)(1800799024);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: h9TS0yNN/ixY92pSQKHpfwzlAmwg9bLCJGYAyZnKxb3Ko11oAARb/yoOzWfBenOEs6T0sc6Cgjl/fjOTDc5Y63yjaiDQhzBNmZ/X+zTtjwerUf88qJd+olQE3hlG+UJeOIrjhBPCHieWbNYnORtoBrv8YeMfKYcG4u9PkHE6fgTS+eZDBZ1aw5mUJiDoE8+9WKGHMuKmfzGEAhdKCipNXXWdLxM3TfJ4nRL9+tIdKjHQJDmViffyXSXMcC1gjLtFVZaPfKIY5f/c9tdrJQvkW4PM3Df0SDp9K6TraA7SM7gyYYGCvy7zr7NkfIDkQNO5AINPKSAnbesl/krAFPUQCehUcKBWmw21AXRKRz5UghnNh9YMq5pxM4sOF/Nfjzj8LWWyB+Xsu+CEngDPgIDmSUpiziv286nKFcAE4/t2GuPZt2X+RVkY9hGq8kb3Th+SbIOzLuI/OqbUZB7OjIBeD8H3ZuthYTVRuQnEYMNSsZmCr5pIhy3IMMAxDIW8Yp3PqOCKc3aKN5MrbcqoKh0BrngXoQbmxdQiiIzSI7RWTwScFMBUTFsN9Kgvt9G6YBHRa6AsJXwv6XZBHaFpV9i+hLXekdPz6WSSsaUy8z56bo4HZSPp4H/6gPo8s8SICPJviHQrhNT/l5IrfyTKRGaicxCs0tzrvDBsKcgJVhuOlhygaW+1Nd0Jpj5Cv3Rlhw+xztPURVfmU1BFI9PkqhZwDfTpyDcITfL2B0ZZZgib5kh0GKvmocp15CqIOZ6aIpMCRGucMdj7eIgwnv1z76QU40eMP7KHNjoLb6UykPa4LEl2LhXr/FvDq+MA5+8jSdLPcKUQ9KSkeNl400WXEH/jTrnLhBJvLiWNp1gqmAeF9YC6ecMtxjxbWMPTvzH7unGKRFbjtKVmYybx9AilZXHI7p+IQhMhz7OFRKvIZpphp36D32Uy7Kf7CKMJH46gQaJUfzoO6z8K14XdBMjr8/BEB7evGp163IEjfwtQ8D8Kr94O7mNrs+waqqiTJtdTl4bL1kc7aJiiYZ4YYR/aTC6YfjG0ni66xcU11pt9orXNeVlZR5ZBDHplqgm4DxM7FsJZJRTSGkD8OJr48bKilF1zlgYLAexv3HVofI3EMeNcF87PnmIcD2oA5Q1JvQMe1v9jHaFcEishM8kkhKMRIF0tAnWUvf+cKODuZg3W6VUhFvrjB66KBqcUK/x7TY9uEHu9Fknxllj0zyVKBhrnzC+VI+qlvODAu24h4n2qXk8qzemFU+GL9RDjUnsV0KJ47Bnzxl2rBgt5nRbZ1hzDwWkMYSzyh9Gul9Gi0GZ67S9dtFftpZ4n75ElUacTCfhaDqsdHWGPVdcYEZQ4XAFjvE7oOyoePSB3DcFy5u/OXLPOKRZB2Lyy9QsVl12pS6wbUOrHBHXOazhMQa5ZfwWt2QujPEBdJs3o/+ykvJehbN85PpIa2v4yRB0azGYucLyuSlNN8Vd3pRY4iFld1MJNcrHU3QUzBKTOQU9SfAWNTUuWIWcRwEFpPE2ZzL+uYR+pHJd9SgbHJa+ZI5ETUtyryYfqniN7cgXP2HwolgXW+QvJCtr/pHYL/XnIYbyRez7CMq5qohlqrg05ctISzsKdkADB5w== X-OriginatorOrg: siemens.com X-MS-Exchange-CrossTenant-Network-Message-Id: 012c5b22-2a49-4df0-2d67-08de30b7ccb1 X-MS-Exchange-CrossTenant-AuthSource: DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 01 Dec 2025 08:58:30.6450 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: oDIF0B5L+qBENUqjzNsqIslKeqRt8hMkUK4ePMQ+eSp6ykTkpDe9LSSI1fbNQ9HQYWx9Vk716RnyOwdeJia4v2gEfqDPiNT4akc1qO1PwS0= X-MS-Exchange-Transport-CrossTenantHeadersStamped: GVXPR10MB8489 X-Original-Sender: felix.moessbauer@siemens.com X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=selector2 header.b=uxHzkln+; arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com); spf=pass (google.com: domain of felix.moessbauer@siemens.com designates 2a01:111:f403:c200::3 as permitted sender) smtp.mailfrom=felix.moessbauer@siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com X-Original-From: Felix Moessbauer Reply-To: Felix Moessbauer Precedence: list Mailing-list: list isar-users@googlegroups.com; contact isar-users+owners@googlegroups.com List-ID: X-Spam-Checked-In-Group: isar-users@googlegroups.com X-Google-Group-Id: 914930254986 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Status: No, score=-4.9 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI, RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H2,RCVD_IN_RP_CERTIFIED, RCVD_IN_RP_RNBL,RCVD_IN_RP_SAFE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on shymkent.ilbers.de X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= This patchset adds proper SBOM generation in the two standard formats SPDX and CycloneDX during the rootfs generation process. The generation is itself is handled by a SBOM generator `debsbom` [1] which is developed as an open source project at Siemens. It is still early in development, but it has enough features for what we require in isar. The required dependencies which are not yet available as Debian packages were minimally packaged directly in isar too. This is a followup of the previous RFC [2]. Since then the series has changed a lot. The SBOM generation was moved from a simple OE lib to `debsbom`. This also meant the introduction of a separate chroot was necessary. The SBOM generation process was also moved from the image step to the rootfs step, along with a lot of minor changes and improvements. [1] https://github.com/siemens/debsbom [2] https://groups.google.com/g/isar-users/c/8L-CF4BJY0I/m/p0N3o_zfAAAJ Changes since v5: - fix isar-image-ci on qemuamd64-bullseye (set IMAGER_BOM according to machine changes made in image file) - rebased onto next Changes since v4: - rebased onto next - fix race condition on creation of ${DEPLOY_DIR_SBOM} (aka ${DEPLOY_DIR_IMAGE}) Changes since v3: - fix issue on external bullseye initramfs (we now disable sbom generation on all unsupported distros rootfs instances) - update debsbom to v0.4.0 - rebased onto next Changes since v2: - fix issues when HOST_ARCH != DISTRO_ARCH on derived distributions - update debsbom to v0.3.0, which fixes the Origin: bug reported in v2 - generate SBOM for imager as well and create merged sbom of .wic image - resend imager manifest + wic manifest patches to reduce conflicts Note, that the patches p1-p5 are most important as they add basic SBOM support. The remaining patches address the imager + .wic bom part, which also can be merged later on. Changes since v1: - remove tarball - refactor packaging (auto-derive python dependencies) - only build missing packages (varies on bookworm, trixie, noble) - add ubuntu support - only generate sboms for supported distributions (bookworm/jammy and onwards) - update debsbom (includes bug fixes and more information for source packages) Christoph Steiger (3): meta: package python libraries for SBOM generation meta: package python3-debsbom meta: add SBOM generation with debsbom Felix Moessbauer (7): refactor: move get_rootfs_distro from sdk into rootfs override distro vendor in SBOM on Ubuntu add support to add imager dependencies to BOM wic: create uniform manifest describing all image components qemuamd64: add IMAGER_BOM entries imager: create SBOM of IMAGER_BOM packages wic: create uniform SBOM describing all image components doc/user_manual.md | 1 + meta-isar/conf/distro/ubuntu-common.inc | 2 + meta-isar/conf/machine/qemuamd64.conf | 1 + .../recipes-core/images/isar-image-ci.bb | 1 + meta/classes/image-tools-extension.bbclass | 29 +++++++++ meta/classes/image.bbclass | 7 ++ meta/classes/imagetypes_wic.bbclass | 30 +++++++++ meta/classes/initramfs.bbclass | 3 +- meta/classes/rootfs.bbclass | 23 ++++++- meta/classes/sbom.bbclass | 65 +++++++++++++++++++ meta/classes/sdk.bbclass | 10 +-- .../sbom-chroot/sbom-chroot.bb | 30 +++++++++ .../python3-beartype/files/rules | 8 +++ .../python3-beartype_0.19.0.bb | 29 +++++++++ .../files/pybuild.testfiles | 1 + .../python3-cyclonedx-lib/files/rules | 8 +++ .../python3-cyclonedx-lib_9.1.0.bb | 48 ++++++++++++++ ...icense-description-in-pyproject.toml.patch | 28 ++++++++ .../python3-debsbom/files/rules | 8 +++ .../python3-debsbom/python3-debsbom_0.4.0.bb | 45 +++++++++++++ .../python3-packageurl/files/rules | 8 +++ .../python3-packageurl_0.16.0.bb | 33 ++++++++++ .../python3-py-serializable/files/rules | 8 +++ .../python3-py-serializable_2.0.0.bb | 38 +++++++++++ .../python3-spdx-tools/files/rules | 25 +++++++ .../python3-spdx-tools_0.8.3.bb | 46 +++++++++++++ 26 files changed, 524 insertions(+), 11 deletions(-) create mode 100644 meta/classes/sbom.bbclass create mode 100644 meta/recipes-devtools/sbom-chroot/sbom-chroot.bb create mode 100644 meta/recipes-support/python3-beartype/files/rules create mode 100644 meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/pybuild.testfiles create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/rules create mode 100644 meta/recipes-support/python3-cyclonedx-lib/python3-cyclonedx-lib_9.1.0.bb create mode 100644 meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch create mode 100644 meta/recipes-support/python3-debsbom/files/rules create mode 100644 meta/recipes-support/python3-debsbom/python3-debsbom_0.4.0.bb create mode 100644 meta/recipes-support/python3-packageurl/files/rules create mode 100644 meta/recipes-support/python3-packageurl/python3-packageurl_0.16.0.bb create mode 100644 meta/recipes-support/python3-py-serializable/files/rules create mode 100644 meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb create mode 100644 meta/recipes-support/python3-spdx-tools/files/rules create mode 100644 meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb