From patchwork Fri Feb 6 11:40:47 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Felix Moessbauer X-Patchwork-Id: 338 Return-Path: Received: from shymkent.ilbers.de ([unix socket]) by shymkent (Cyrus 2.5.10-Debian-2.5.10-3+deb9u2) with LMTPA; Fri, 06 Feb 2026 12:41:16 +0100 X-Sieve: CMU Sieve 2.4 Received: from mail-pj1-f62.google.com (mail-pj1-f62.google.com [209.85.216.62]) by shymkent.ilbers.de (8.15.2/8.15.2/Debian-8+deb9u1) with ESMTPS id 616BfEHE023740 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Fri, 6 Feb 2026 12:41:15 +0100 Received: by mail-pj1-f62.google.com with SMTP id 98e67ed59e1d1-352f2dc26d5sf710510a91.3 for ; Fri, 06 Feb 2026 03:41:15 -0800 (PST) ARC-Seal: i=3; a=rsa-sha256; t=1770378069; cv=pass; d=google.com; s=arc-20240605; b=MEaEYSuW6b/mEoUVGsTE9sEaUUZ+15UvHkMq5GReZhwOB+w7AKMKErwpy/p0hlhm9x Zxorg1D40G8sKSKL9biprcasSt6/D9oh2pEWccMmsgP4jWCAJvXZWovKte2cUyYpTrnf o5JGooPZhNkv/C6ofG5OjzbNcuznjf4S5/lPUwaVBIqwZEmgzh/R6eXhoPXBl6y12+Hi 9v03n9JTT3VwYJZNDQWa8eu8OpyXfsmh4ffAyRKEW8GxNaRw4vNIqPNbRH++UPmb4UVf 2o9OvKJTBLpFyokpNHuatHnkiMcHVCUyXsdeRmpCbHM3HiEkquojnqOnz6hP/x8kPw/j k9bg== ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to:mime-version:message-id :date:subject:cc:to:from:dkim-signature; bh=y8FbQGb9houSZ0Bh1E/Sy96uki+tyLMu17p19HoZbTg=; fh=BNzj+Agq6TLZYshtgSOM42geGEYT3PGmk5dK+kYdoao=; b=lIihS+Bm3pl6rydNeHSJVh02NROOrDRE7+zGHWVZT8ys101fl6J/LjQy43ccJkx/AK 28myg3J7gAOJMVja/pSMaqxba5KkUUEdoPTrAKI7Pgu/VjQwt38KYBbJi/gtogpdhQsn Qr2XJPMkns1zC2Ym0s9BS89Ce8g9yxbUXEknEecc8Asbsg6t905/crSpXAME5zifCKJa 87QCHPutFFPRmdUq9wRXkttsJ0LDzc9eCIljE9IYvm07c+LHPTCVn7fCkKaPA05HBiUq TqzuNmm5mLssOYYn7dqDy9CW49PF7E9QZmrhC8qPrIfw76Hbh+ZZpvSaR2HsG2hlrd46 47lg==; darn=isar-build.org ARC-Authentication-Results: i=3; gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=selector2 header.b=q4Sh8xmL; arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com); spf=pass (google.com: domain of felix.moessbauer@siemens.com designates 2a01:111:f403:c20f::7 as permitted sender) smtp.mailfrom=felix.moessbauer@siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20230601; t=1770378069; x=1770982869; darn=isar-build.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:mime-version :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=y8FbQGb9houSZ0Bh1E/Sy96uki+tyLMu17p19HoZbTg=; b=HPUX+gRO0a5QxFr2Kr47ab1CNwp/dgUcjnb0NKU2OD1AyJUkUS2niwB/P5n97xZpHL KSBG74C3JhuG6LrGhglv4Gq8kFoURCxOm/eiJl0BUB9WoLoqPjMnYakLUbhb0VToNF8u l5+j1aT1TQrFVyI5USNCAuMl3sbxtFEYIOufSv2LKidvQpG1wW7IZ8LzOGF8QnDUNhKE XzyzniqQhhYZ9QZBvkinOXysxYdBGjiYBcopr0LskZs9zXikQMJtShSMw0Byiwuyh46T xozX6oo+LZ4Z6Pzz+YHvHTXdp/FXmUKAZLGTz/Egr6kCP2PmpPgC5R/3vq3l3DSJJnw8 eGsw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1770378069; x=1770982869; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :x-spam-checked-in-group:list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:mime-version :message-id:date:subject:cc:to:from:x-beenthere:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=y8FbQGb9houSZ0Bh1E/Sy96uki+tyLMu17p19HoZbTg=; b=aUj09FT3Fx/gUmEfWtau7A4jFwVhQJW6nkPHSYfGGt605cUwK9ZMyXvcXUbU/jjzbt mEQBO7JXVECGd0BybBVU+/9kLWmtbPsGOxccCooKej9HgE2bnRL533JNl/Q1IY560CVA Knt404YdbINm8uVfNB9I2YKlBI5/1EjcSg3+D7mGfIdFxgMnuN6zijxThgKgG8B7MKqR CWHjD623wj9GdD1/p3FQCQl8TCbI25m3CThWSrB9XD8LzwyhHRxlTI9/sBipjLIMOiyX GaIqEVFctXEylAIO025TnvUh7lkCc5R9rcfBxsAhsJ09LN5ffEBlPgJayNgbAL7+c2ek xxdA== X-Forwarded-Encrypted: i=3; AJvYcCXpBA/b+XL6cFjIpAcEWOWE/tJPl7fhZxbTcskiSr3KMgRaT55b0G1QsIW5ZpuMASwGzpc2+hc=@isar-build.org X-Gm-Message-State: AOJu0Yx9HkYZ+VaC56TnOS7+u/RFq6eZPPzhaxV0MSjeuUqktmfPKfQA irgFjE8q8DqBWoUPVMbP3yB/7abJ9Ano50CZuxxAiJV7sYF7VYHc9F9i X-Received: by 2002:a17:90b:514e:b0:354:a57c:65ef with SMTP id 98e67ed59e1d1-354b3e935d2mr1661536a91.6.1770378068535; Fri, 06 Feb 2026 03:41:08 -0800 (PST) X-BeenThere: isar-users@googlegroups.com; h="AV1CL+FVDDvR9qLHg6ZKG45fflfHtuyT711KZAaiTAQwTvXVJQ==" Received: by 2002:a17:90a:e98a:b0:352:c5b9:cbb4 with SMTP id 98e67ed59e1d1-3549ba91ed3ls1443945a91.0.-pod-prod-05-us; Fri, 06 Feb 2026 03:41:07 -0800 (PST) X-Received: by 2002:a05:6a21:3991:b0:38e:9973:43f0 with SMTP id adf61e73a8af0-393ad39dc31mr2509664637.72.1770378066700; Fri, 06 Feb 2026 03:41:06 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1770378066; cv=pass; d=google.com; s=arc-20240605; b=E1ZAtv/74HBIHipp/628cLAgPOs3QRKCYLjglQVULK9cwS7Iw7+RyI/LVdQagHX3Mr Lk/wLoFHBwAplVNlo28tuMIzg9dzvDQD7Ie20jPfu2WdPkjL7r7uw4J4mVCLdxnHiJFA Lg5Mns0PPh+bPqcTudiIib+NlwPNGEbHHhGwZVfc39gsaruBoziZTCQSUFDNAotFpi1F FAGPryhnsVjn+xk/8GatlsjgYfxBD0B9x5fbvQQtvCwJoWysPskRb7lkDwAYA1ZvBbW9 rQDdsJPMPASlZLlzotXDqNv3tIkJpV1GvNaEHzGXtvK6XGQRT+dOdwyG5T12zAXRX7g0 uwdA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=mime-version:content-transfer-encoding:message-id:date:subject:cc :to:from:dkim-signature; bh=5a8CNuAMwD3UolsphlpuyN6wZa9Y2uKVz1VBjJA+YYA=; fh=3TZ2kfKzTV0uAG2uKD8NJHxpu4kGHzyonq8tLR1Voro=; b=Gjic0sBPljQ/II9K093hywTz6MY0rSlRYs8fAXzqyopHa35/smNSYpRcBs3BfKGmO0 PBTQRdLqpoAjaTobcGlGNtlAgyDlk0yA/CMDiroLKD6P/jbmDG4jndnsM58TrOJKJK36 un4/sloTenxsWmsklnon3R+9fMeUjJxO+zHTu7JPlNCWdyFVVcEboi8DdK3foteHIIOv ylggvzpJ2p/FhTQtDRHpTX1iK9YRbbPfh+1SYtEiI77ZPM5hGqNb5dgk3R8Pp7Y+rL5y uTYJQGk+Px+5NyvvV9rfHTvlXuJ2HcpKbuvx0HRcm+IPXSUTbx7z9aCjJm3TdIqC0sXl 7RJA==; dara=google.com ARC-Authentication-Results: i=2; gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=selector2 header.b=q4Sh8xmL; arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com); spf=pass (google.com: domain of felix.moessbauer@siemens.com designates 2a01:111:f403:c20f::7 as permitted sender) smtp.mailfrom=felix.moessbauer@siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com Received: from OSPPR02CU001.outbound.protection.outlook.com (mail-norwayeastazlp170130007.outbound.protection.outlook.com. [2a01:111:f403:c20f::7]) by gmr-mx.google.com with ESMTPS id 41be03b00d2f7-c6dcb3a5ed9si96392a12.0.2026.02.06.03.41.06 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 06 Feb 2026 03:41:06 -0800 (PST) Received-SPF: pass (google.com: domain of felix.moessbauer@siemens.com designates 2a01:111:f403:c20f::7 as permitted sender) client-ip=2a01:111:f403:c20f::7; ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=UzkD1+KDFiVpTjCvHnZHrPCCbOuF7GQ7kCyzVb9rV0mE8NG8k8su+VFMiiFrXp5sdZVRjsEzCRiYYgBWZ+VafbfjP3vZg4hjhq2Bw2tGHSCmUvM3L6MjtzqU8lV9MyaE6UqAGf5JOA3bg4uRT9Sw6+j6HuF6dOYbTERnl16LlVqCgmbu4SAOBcoDRGJbt7YxnZO4Lp/Hxwj6ZmOfmKFAo8msbO+pp2rKWmFlQ7VcfLqQIqmzUlmGGYM+JZDKIVAHy6sAzMypTVDRj/YKdk+psjHjTjmk65GkeDs/OW4jCjuT6p3Mhn+GFtz4+En99EYxfZoBdhmUCIASwP79v6uJGg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=5a8CNuAMwD3UolsphlpuyN6wZa9Y2uKVz1VBjJA+YYA=; b=iSX2H8A/dqzRcxzq55DeTvjDQ9NecCj/0xchK+vQEUksBfBt0gpDlTZTAXE3xZ382H3YTGhxOKrpIttqoN9gzCnzRO15TGrbXZ8iO2udf9mmwFI7YKA15kJY1YZGCIiphM+c8uKHTUXstjiKmKYcawBwx/ABCeazBJPcPRKmc7X97+ylViJwqkLB0uoGE5h6BK8cqTnZDnLK2Jm6m0eRBuMCORcgSqbd1UPjZN/GLpq7iDYH5srXDt+lkt8hW85APgIvN6WjvPWqnij3jXCmuIQbyevrkhfegXiwVrsKFng24QBeodge+iax/yanUAb/CIjB8pCAAkeFplXHPqtsIQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none Received: from DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:47f::13) by DB4PR10MB7039.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:3f1::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9587.14; Fri, 6 Feb 2026 11:41:04 +0000 Received: from DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM ([fe80::9412:cd7f:3f72:92ab]) by DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM ([fe80::9412:cd7f:3f72:92ab%3]) with mapi id 15.20.9587.010; Fri, 6 Feb 2026 11:41:04 +0000 X-Patchwork-Original-From: "'Felix Moessbauer' via isar-users" From: Felix Moessbauer To: isar-users@googlegroups.com Cc: christoph.steiger@siemens.com, cedric.hombourger@siemens.com, jan.kiszka@siemens.com, quirin.gylstorff@siemens.com, stefan-koch@siemens.com, Felix Moessbauer Subject: [PATCH v8 0/7] Add SBOM generation with debsbom Date: Fri, 6 Feb 2026 12:40:47 +0100 Message-ID: <20260206114054.3010883-1-felix.moessbauer@siemens.com> X-Mailer: git-send-email 2.51.0 X-ClientProxiedBy: FR0P281CA0252.DEUP281.PROD.OUTLOOK.COM (2603:10a6:d10:af::14) To DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:47f::13) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: DU0PR10MB6828:EE_|DB4PR10MB7039:EE_ X-MS-Office365-Filtering-Correlation-Id: efd43376-7d29-4209-158b-08de65749bc3 X-MS-Exchange-AtpMessageProperties: SA X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|1800799024|366016|10070799003|376014; X-Microsoft-Antispam-Message-Info: gr5gnlXOK6Yi6MsXJ4AIH6GhPV/fVJBkMc7paCp5JX3+E0ZeGmtNKbV9tPb2VaHqacpLYc+btKqe2wt0oAedMC0GMCb6GaHuZuJ3cuyQAelxyetgXMnXj6HuJ+uHmRbq++smcbZD4WSYktGQCB9S2QuiIUHYS76XE3snN1iAYNTrKI4mZtpflcAixyoRIwY3zIvc8a1G/4JXufKBmbTQ31R2sNOOJw+4XcDu1bC3eUwqQIPBHH1SHEMSHjHzaLYWaOJII6dQViwlComjUhIdjAyAWNIOsQP9xTwp6+RZfG2zMRWH8KhuS0KrcSj735B+zSwGnshHEbRiqawNLUXxDWmIoOBeYEtkhO3O6uVkEhBrNAn33krdtKEnnyyhzYGZkBBkK1BQzB6W5gNFT/G1LF41IgiQYJ1OZCAJe3CnEFyMLS4DiiDPSCmKaJwqmRN6w82DO0KrEXc/Thb2c1IFEUVM01AzZYh16bnVOAHMQOatkwQj0uQiq9YLDtr6VrmLpUloMck4vHML93xlItc5sShavWkoxaChava22oCpdf+Yi/84415PQY0ph9CE9KCbKb9w2TrXeCYJnwaSEPv/RPFyrDpXY+UNS3iK/0Ug2vHOHMpSz4i7ZhAFLLFyjGZEZOnlr1/gDO5bOP8l6d8X+7jgRbdZ561eKVFZJxotVrhYfYgUlhCjHNl0vMkRYwMOHcG8jWkrMOVKVmrE7gaARbUkhgjRaA+LXkonLnsrHsmCpSGs8glwwm5Vz1YEOngZUVpjEyWWeJssNrh0qCpje2QvwqX7MNXs7I2EjU9xa8ETBCuZr3XqLludCJQBlKSoFgWmvxzVjpymEx7q3iqOyVQR8x/M87nkv+K9AX4vcjeJByATL8y9YeGT14ZDvoQalhyR4xH2c4rVZ7S8WOH8p2xlaHcuE5X4hKdwnkzEPQoo2tAjkmK3Uq43Bxbp9asavxKLOkd4QfopCNkOmX1W1jiL0jse7QS5GPrNU1zl2KAUG1acosaf5QeBdxNvR52iYBXj9ypHfvymOd1uicypQLFMFaaCLWCfs8Q13pys+hxGYtWKskPPfD0FXs2k7jznwBNhpxr2oVSL/tezoHQzgSDsfO34h8Tw4bL8HIjGMnkB8TiAW5VrGTAdnlLPd5nU2UQPriATb6ie0nTvuxU83hyHnV+4byRLdF+fPW4tbCL2G5ibBMJqyMb3eeE9UTN/6cdNBcZcSZqpsAJp6UaZehNpKuDBAeqYAfXRIDwToQuMf8QCBkROgMZ7tNNceRhzY4ZKPJT3YlH4fdS71oJR5dwEOHWeJlHBAXvo4fZFqoFSL11DOkWVcTGb802XQQvFxjPFwgx/ETN9NTAHjoO9ZbkIk5teT7D0leEhX7jAPBv0wCFyFWL2pA5X2XeErM0h2bgHTE/8fG4JzgWMX3on45tVAhFFjVL9Z1Z9SXQtdzYflyHpAxp0o1qXjxS3g5w6rG6Oz3VZOHSjQZ4EqnN2QVQdl6vgb71KOkNX7UFb+LwafV4MIkyiV2M/PRpbq76vbZ2/XiA2LUJbtkb4eCYylIU8Qqz9O6IR2HFPcqqa+PeMKrT4IlHBschcgpfiubEE X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(1800799024)(366016)(10070799003)(376014);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 2 X-MS-Exchange-AntiSpam-MessageData-0: iVnC3gQiJsIMvOyWAOWu/eNQmwDnvM7Tpq7jIpXH3iq8g+hlfWY5u8hSQW/K1y8i22LDLDtIlTjhKV1JwmP0/6ZAHvEAwht39dtwO2TUcr+dhUGJpaZWU5nji6i9UUFgVC7Eh7LeYUY0FI5f4YZlO0aUO1QPlyOjHZuOJr6KqsmdcQecyqSRlzm8PKV6pem5zkLvT0r/zTWXGBsDm2dfykhp7GYE9du4nO4kUlcmlKw20Xe9jcEII4n7e5AO8zM33B5kFsPmrXBNS+TGQ09Q/qy/4YxoTPzaZY90NsWpNpkqjA3AiYmdUX683eRYEa4h1UC0HWPGd7J53xbKdxvvEx9rkB5Kdl8GeQ6nbNnX+4OzwV9NltDpArNub7EfMoIbJ7yoSbyYGNJS8iYkbnfif+TiLrQUsTV5Cp43o5KRNfEEydjhtwkOExa3v70HtO4aGjl8qq2Lj78RU5Qi7Cf8jV5g04dgK5taR8etYGuDqKSrRW1Hr9oRptaGDNsppJrOfenhidL+egwhsPxcKCBP8UnVGOiEdjAvHSm+Fi1tLYYqdgLWZ5pmx8AwTvy1T7a5G31Fu7ZNJy+JPCtt2D3S/ra4qnXEtBlrspJa8nH43OFOkxilsk9wXeZfAn485qzPpP2+J87SwCKuDZGEeNqy0VO68XrDhw4/wTnCmO9N+0raOSgiGSepdzi6hRHHR/i8dtfzshEJgcxfbEbBoNFg9NnTQzxj/tMFezSwlcEWvEl9Nkwwc1Yiz0ihhzvnZ4UowoeRyhggu/md0DqzYefDASOcvXjxvcHonxn08/C/lUxGxk3aJYYANEqMI/QS2qcZRF/+phbqvEje/oGWAaWje6S9J15KW9QrxsW3S0NcgC5NO4VwJoPiqVOiK4YADo73GEsUnNw/1eyOWCOdwRl5oWVXJhX5SqrUTjHjcNEIdfLjbcqUK26qXJRhZpXfB/7Chyl0qGc1Rnd9L1X1IBOlICa3FpTr8RRALZsIM+KIUIuVVzsV9AXV1bcE9E5lnkCIl9v+i6RXg9asUBVZrj98iRQKWn6A+8X1ZweVe9jaSK2GZiC7TYkk4UijMceGA56UixhB0uTL8MVsLMOWvDkiKaWpS4YqQ97eZml2wutRTuD6I8++vUMmPQzTlWlxlkmaPkRPt5BPti11LBH3P+Kkkf1niRWr/eQiihQOrS5olbYHlpLKE0rMQ2JgzP/47641zrn+Epy6xmFBZgjFJfiiMdRKgRa+1Geyw6xGtzKYHldyh0rwqkC564IC71ubk46qlNpty/Nms8YTk6zGEQ4nIn/bzbWMuXQG6myDFX1/MxMYQ9LyvhURJpX4nVKjqfSFTOqNmCNSV38Zwr+QJwkMK6wH/SZYlidfuOHSx5ozSJy4+Eby0X9JjHVyGJq/b4OKWYoNAt3nARHEVZU06TfNl/QKzWJt8nNMUWq1f5VpvvX2fmMlJj32c6GGJoyqJTaNnXaerJOsjMyKzu4NE2gjQzkjfnlhNYCMcChPiiAjHmchcAv5lEnZKxBT98xFlWf2QThXLTeTC89ZKjLwRCmANR9KXmzZGZ5tslqWrd+i+4Nitm1gO34R0G8w2pdeA460dheKsWV/OnGNVqUUQQ6JFBbHTGIL4LpT+kiZfiUrKvERqFaeQrrSp2leMZIMf7iWXzcc6a+RqbSUuh4ukbT48YzrqOeQ0yfyraV2vsP22O+Thlvgpsa0uIqiOqz4bd3XTR6UBB2XOV/FVnO9ZEk9G0IHCYivUYGoyrQBPiuKxU91n2SIH0UzSzCTlsJ5x8MEYBDFmO5k X-MS-Exchange-AntiSpam-MessageData-1: QS+T7RebMdxV591U5XLEHgukpC/25Br8jb8= X-OriginatorOrg: siemens.com X-MS-Exchange-CrossTenant-Network-Message-Id: efd43376-7d29-4209-158b-08de65749bc3 X-MS-Exchange-CrossTenant-AuthSource: DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 06 Feb 2026 11:41:04.0185 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: CgQqZiAEOcxZBArIMYUATt+d1dnbwq4PiWy56B8ocUM/HHRNwWzSj4Df1EoF+zYUIJGfMjNCcVsprSZKvhM6J3g7eMTS5YifQppW8KGRDoY= X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB4PR10MB7039 X-Original-Sender: felix.moessbauer@siemens.com X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=selector2 header.b=q4Sh8xmL; arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com); spf=pass (google.com: domain of felix.moessbauer@siemens.com designates 2a01:111:f403:c20f::7 as permitted sender) smtp.mailfrom=felix.moessbauer@siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com X-Original-From: Felix Moessbauer Reply-To: Felix Moessbauer Precedence: list Mailing-list: list isar-users@googlegroups.com; contact isar-users+owners@googlegroups.com List-ID: X-Spam-Checked-In-Group: isar-users@googlegroups.com X-Google-Group-Id: 914930254986 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Status: No, score=-4.9 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI, RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL, RCVD_IN_RP_CERTIFIED,RCVD_IN_RP_RNBL,RCVD_IN_RP_SAFE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on shymkent.ilbers.de X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= This patchset adds proper SBOM generation in the two standard formats SPDX and CycloneDX during the rootfs generation process. The generation is itself is handled by a SBOM generator `debsbom` [1] which is developed as an open source project at Siemens. It is still early in development, but it has enough features for what we require in isar. The required dependencies which are not yet available as Debian packages were minimally packaged directly in isar too. This is a followup of the previous RFC [2]. Since then the series has changed a lot. The SBOM generation was moved from a simple OE lib to `debsbom`. This also meant the introduction of a separate chroot was necessary. The SBOM generation process was also moved from the image step to the rootfs step, along with a lot of minor changes and improvements. [1] https://github.com/siemens/debsbom [2] https://groups.google.com/g/isar-users/c/8L-CF4BJY0I/m/p0N3o_zfAAAJ Changes since v7: - update debsbom to 0.6.1 - fix various errors on merging rootfs + initrd + imager sboms (as I'm now able to execute the testsuite, I was able to test this on DevTest and CrossTest) - move testsuite adoption to p3 to make change atomic - only merge sboms if sbom generation is enabled for image rootfs Changes since v6: - fixed imager bom failure on transitive image types (detected in isar-cip, wic -> squashfs). - updated debsbom to 0.6.0+git - add support for license information - rebased onto next Note: I'm still not able to run the full testsuite. The related patches to cleanup the testsuite are pending on the list for quite some time. I did some extensive local testing with isar-cip core and product layers, but any additional testing is highly welcome. Changes since v5: - fix isar-image-ci on qemuamd64-bullseye (set IMAGER_BOM according to machine changes made in image file) - rebased onto next Changes since v4: - rebased onto next - fix race condition on creation of ${DEPLOY_DIR_SBOM} (aka ${DEPLOY_DIR_IMAGE}) Changes since v3: - fix issue on external bullseye initramfs (we now disable sbom generation on all unsupported distros rootfs instances) - update debsbom to v0.4.0 - rebased onto next Changes since v2: - fix issues when HOST_ARCH != DISTRO_ARCH on derived distributions - update debsbom to v0.3.0, which fixes the Origin: bug reported in v2 - generate SBOM for imager as well and create merged sbom of .wic image - resend imager manifest + wic manifest patches to reduce conflicts Note, that the patches p1-p5 are most important as they add basic SBOM support. The remaining patches address the imager + .wic bom part, which also can be merged later on. Changes since v1: - remove tarball - refactor packaging (auto-derive python dependencies) - only build missing packages (varies on bookworm, trixie, noble) - add ubuntu support - only generate sboms for supported distributions (bookworm/jammy and onwards) - update debsbom (includes bug fixes and more information for source packages) Felix Moessbauer (7): debsbom: update to version 0.6.1 feat: add license information to SBOM as well add support to add imager dependencies to BOM wic: create uniform manifest describing all image components qemuamd64: add IMAGER_BOM entries imager: create SBOM of IMAGER_BOM packages wic: create uniform SBOM describing all image components doc/user_manual.md | 1 + meta-isar/conf/machine/qemuamd64.conf | 1 + .../recipes-core/images/isar-image-ci.bb | 1 + .../image-tools-extension.bbclass | 29 +++++++++++++++++ meta/classes-recipe/image.bbclass | 9 ++++++ meta/classes-recipe/imagetypes_wic.bbclass | 32 +++++++++++++++++++ meta/classes/sbom.bbclass | 3 +- ...sbom_0.5.1.bb => python3-debsbom_0.6.1.bb} | 3 +- 8 files changed, 77 insertions(+), 2 deletions(-) rename meta/recipes-support/python3-debsbom/{python3-debsbom_0.5.1.bb => python3-debsbom_0.6.1.bb} (91%)