From patchwork Wed Oct 22 15:39:21 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "MOESSBAUER, Felix" X-Patchwork-Id: 4441 Return-Path: Received: from shymkent.ilbers.de ([unix socket]) by shymkent (Cyrus 2.5.10-Debian-2.5.10-3+deb9u2) with LMTPA; Wed, 22 Oct 2025 17:40:05 +0200 X-Sieve: CMU Sieve 2.4 Received: from mail-pg1-f186.google.com (mail-pg1-f186.google.com [209.85.215.186]) by shymkent.ilbers.de (8.15.2/8.15.2/Debian-8+deb9u1) with ESMTPS id 59MFe4Ut021703 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Wed, 22 Oct 2025 17:40:05 +0200 Received: by mail-pg1-f186.google.com with SMTP id 41be03b00d2f7-b630753cc38sf12335371a12.1 for ; Wed, 22 Oct 2025 08:40:04 -0700 (PDT) ARC-Seal: i=3; a=rsa-sha256; t=1761147598; cv=pass; d=google.com; s=arc-20240605; b=bqyFnO5fLwcSQffXhpEw9HbOcPKV9WW4u/q6A/WiQMuapJm1ULZZMZ+0mMAAo38Och TvHzxhJpb32KRRBCVH2832hmnEh1qFFy8or95wum9z350RkKtJTiU2aFS9iS0PvUWKkg qn5cgvLhKscXI8oS3+J9GHSn5eym/B7kjHB0Tw2WgLCzmNF6ifhKHw8w8M+i3XCtMU3p RsmDsPFCHDuOEufIKX0Bp0dAPC2kNmTd0yOFUlAUr3JtBqACDlh8J7jtlo04ZbNW4jvF y2fdUg3dVwvktQ4x07zIspG6cuZzkZj0d6KfuAX2VnTgp2oU97H9xv4lTd8z/s5GIzV8 s5Aw== ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to:mime-version:references :in-reply-to:message-id:date:subject:cc:to:from:dkim-signature; bh=vA9dVDbl2bLzwlhEjA9ub0KckztuHRrkSseY3CxHQ8A=; fh=ScQKPjth1iW/nXHbP+ohG0Thhtgdtj0nVu7H0/zHUso=; b=hoq8TsBzb1xdZVJ8kdhMZvvsBjSGkCKXNot/xWHf1rWENZqZOP7NmLL9hGcQt1Rve1 1ikjSwgF83OervDDx+0ZNWQq6zeYOmHnMM5pQxkfPEXrOqfOK44OqfgHK62yYscqwZna 3ew8uS9oFpPHLdkgOyTr+u0Dd1A+0WBp7tMoGomiSE8o9qYO1jeN/SUp/4pmqREyRIAW 9MeBlo34nkWEs3/WNwdDDWpHGOJK4YuvluTVhJY3O8lMFZDNBzuy4BE6snpPLXfU3hyS Xrde8d6afTeJnf09XylJGNRgzczzn1hAf5+H8BWwX//WifvFGcS1dNx5h5q/yHBNd+/g WSWQ==; darn=isar-build.org ARC-Authentication-Results: i=3; gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=selector2 header.b=xpxx1tGq; arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com); spf=pass (google.com: domain of felix.moessbauer@siemens.com designates 2a01:111:f403:c207::3 as permitted sender) smtp.mailfrom=felix.moessbauer@siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20230601; t=1761147598; x=1761752398; darn=isar-build.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from:from:to :cc:subject:date:message-id:reply-to; bh=vA9dVDbl2bLzwlhEjA9ub0KckztuHRrkSseY3CxHQ8A=; b=eCqlKAj9eMEsc/HjAc0QfNEvFEJhvTDbjXVqE83xIQroBzAzrM8+xC+PlpDz2Fe8tT BKMs16+X15CpTU3Y97B5VE69+9y4R+/lnJPiDshipM/Ad+lD8eG4GCNjNzg+LVvyeDeI +fW+LJCDTR48T2CloB2fn3hEMjyzScNVz289Niy55tbcxaWlAxYFWLWoiBeBE8hDljr4 PAEsg5SgVELvbNhvxZxTcMVjo8Se0p90fEpD7VrtakngZDMLsxf5iwwmfaWmz60jy1Gr ql+01PYKlx/n8p2VJatmDdlgyZhTCWUpPB8MCQJdtFL/s1NX0Yx9yC4RmDRSEJyDxpv8 ds8w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1761147598; x=1761752398; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :x-spam-checked-in-group:list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :x-beenthere:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=vA9dVDbl2bLzwlhEjA9ub0KckztuHRrkSseY3CxHQ8A=; b=AsR1LXIdclevKNHVtmbiBYMS8uDAMF4miE5Q7aNQOwzsljTzaAzDUzRGlbEQEmp7mO fE5FSdJwjQ9MOTIeb40wY7x4OGE365ZLthcYKSenF+3eYCqHrI+1KFqsoD62eF2JAUvR w5leAqE8uri9xMoHBoA6lt3Yz0M68YCymWv5WeK9lEIeEYerecj56QUUChAzEo6x05qk CUinVC8+cXSoYtyUBFrmLHYfOBEALWwequjW10NocjIWSCs96T0g/q91R1BhkAYmEZmY s31aanvBsyE9p4jkLY41AUolTBAtBx+JXf/vW+Xroa/CwFss2K6YpNLHIPYdeKSu7fvZ QQ2g== X-Forwarded-Encrypted: i=3; AJvYcCWirZnDOCYx4CnbEfyr9vZ2kqaLcxk9/QFy66Y8NYPkBt0PM+iSPy2yMQEXLu2Z58bIPLjfcCo=@isar-build.org X-Gm-Message-State: AOJu0YyriR/fjEXvxb8eQM76EWH632lXe4fpjBIiElIthQr1Hq5YGii3 phyqJ3VSczo+u15GVKDB+lUxvJyAHuBPLSXjl50uC3dRZP4x0+0FwBKq X-Google-Smtp-Source: AGHT+IG8KHBWcCQXiLcnJ7/eZEcxy0nHL7WqinbGABmj0cvVd5IbkUYMchq5VtZdPaOUFpOP28jZ9A== X-Received: by 2002:a17:903:b4f:b0:25b:a5fc:8664 with SMTP id d9443c01a7336-290cbe2c382mr206138575ad.51.1761147598356; Wed, 22 Oct 2025 08:39:58 -0700 (PDT) X-BeenThere: isar-users@googlegroups.com; h="ARHlJd4f6Fw89U8A6aoizcZfWNeFhs6iJM5LfR49FU9l542Fjg==" Received: by 2002:a17:902:f7d6:b0:263:df8b:ff32 with SMTP id d9443c01a7336-290a8de3de6ls60943095ad.0.-pod-prod-03-us; Wed, 22 Oct 2025 08:39:56 -0700 (PDT) X-Received: by 2002:a17:903:1c3:b0:274:777b:ca6d with SMTP id d9443c01a7336-290cbb49f9cmr296019695ad.43.1761147596125; Wed, 22 Oct 2025 08:39:56 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1761147596; cv=pass; d=google.com; s=arc-20240605; b=KmA86EDH+eANyImISXOQ7ZbR5GJlJmFnYu9d9GfwBideT/EkDIwrosseeo+uZ+859d AUgg0lqAiBvv/nM8N+Em1X6wvHklc3tOEvxCRCgSlYY83bJ4meDgCoChPWfdAPcT8rLl pWeMXJHGhgzOz9pl10lGCwgZB1jnR757VVpqAV2BsjVc+YXJRnNzMDGX/Lc3nQuDMLkq 7jKI1ZS//w+BWDct8cJhQqovGieAg5Fgukrcy665T+vPDKCag0pl14SLmvUJQ0qW9TEL cSLc9rFlpMjlHLnOKhdQITkpxF+YVlhWlAJs1J0mWJA1a6NIeGnSbxtrjKPIZPvYMOcb XDTA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=mime-version:content-transfer-encoding:references:in-reply-to :message-id:date:subject:cc:to:from:dkim-signature; bh=SmU/8gC5EUv1uyFYD1v8Hu71ZaXjyH3m2mqru/SUfuI=; fh=U8bm4dTYQmv4LpgB7HlcKSsNa947JBNKOeDeOLKSao8=; b=IlujmlN2jkfzH2qH6N3h83xUSONVsgo//L4H1TnHKz1r2M7xapMH9h1/OmDvAIa2IZ RfcyccZHDGMYvBExeLSSy7IuP8sqwYCzZmokpXY6EuRxSFx0JQRx3/ECU3NeFFW/OKkm k/yXi2AfcFn46N6zT5z4oz2DL5bVws/5Mwb+Ggj2nlo/XlFcXCxOCeYSRpaItZkawUbo RQj1OsutgN9F+yevtXRVO6QVsItgMTM1ysiiJyZEQG4FGXKBNNHYm868WkzHr32UkxHF odOWF66/Ou/OWxOflo7BDb+k+D4kFvYOLJ8yUkbStNNhcCPEQck53MBwl4Hlr90t8OJT 56Hg==; dara=google.com ARC-Authentication-Results: i=2; gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=selector2 header.b=xpxx1tGq; arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com); spf=pass (google.com: domain of felix.moessbauer@siemens.com designates 2a01:111:f403:c207::3 as permitted sender) smtp.mailfrom=felix.moessbauer@siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com Received: from MRWPR03CU001.outbound.protection.outlook.com (mail-francesouthazlp170110003.outbound.protection.outlook.com. [2a01:111:f403:c207::3]) by gmr-mx.google.com with ESMTPS id 41be03b00d2f7-b6cb341a8c7si801522a12.1.2025.10.22.08.39.55 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 22 Oct 2025 08:39:56 -0700 (PDT) Received-SPF: pass (google.com: domain of felix.moessbauer@siemens.com designates 2a01:111:f403:c207::3 as permitted sender) client-ip=2a01:111:f403:c207::3; ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=n6MERXzow5zXdwWCzTE+tHrMxmOkRUlnECVRQQyYjiTW62AMwf04P4yPOuEjj5yFyeFUD22dngvQfq8HS5ey/1Aur6inCq1vQIMYWcD8O4ii8yuUCcc6TSvp6sMizn7HIiRre3vwyghVSXveZwRZkO/HOY63qyOJ88muz3Gt0fElBIC9nWDMz+AKd/tmFm65cgxg+9CQDRGE63gypHOU/Sw4JnOH5JNpqlnqlq8NIqFL8VglYOVS07us24JzL7m1ETB9XKxsNiz94TMvtkj7rzxLT7sjyDBR9HTEv/3MvSni5Grv5cMAhRwJY+2HTYLe4rBHiYd8HMXP89/mjn9DXw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=SmU/8gC5EUv1uyFYD1v8Hu71ZaXjyH3m2mqru/SUfuI=; b=vlhvr87YcUEXhrY2uR2p5ofajW0o3iRU1H6u9dvtQTIxNyOjb1uyJMthEwLPmtrtcYHZWkj1sucjYv/Ec8kTMWtFlCsEGrVQGBuzYI8fnTbetvaS8EV/3dQTb7rX1rr1EsEtVleaHeEtixwCxjQgNqOdxBGH8irVVFoECxh0/3dm6WNL0xnBN/AeUe+wXttlQHbp9qB85sVmDNs9VHfcUGpu0LzI66KdvD5+57gXUv0W5/ZAPV9oqSgwD10kJa10vByKM4UGBdG8nS/O68AXJsI+sCjk29Q+9B09OVz/XY/oYqX9Y9HJwuCF08BbgBBNssXq6YW4y7McCv+oZhNTww== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none Received: from DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:47f::13) by DBAPR10MB4027.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:1b4::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9253.12; Wed, 22 Oct 2025 15:39:53 +0000 Received: from DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM ([fe80::8198:b4e0:8d12:3dfe]) by DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM ([fe80::8198:b4e0:8d12:3dfe%4]) with mapi id 15.20.9253.011; Wed, 22 Oct 2025 15:39:53 +0000 X-Patchwork-Original-From: "'Felix Moessbauer' via isar-users" From: "MOESSBAUER, Felix" To: isar-users@googlegroups.com Cc: christoph.steiger@siemens.com, cedric.hombourger@siemens.com, jan.kiszka@siemens.com, Felix Moessbauer Subject: [PATCH v3 10/10] wic: create uniform SBOM describing all image components Date: Wed, 22 Oct 2025 17:39:21 +0200 Message-ID: <20251022153921.2494749-11-felix.moessbauer@siemens.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: <20251022153921.2494749-1-felix.moessbauer@siemens.com> References: <20251022153921.2494749-1-felix.moessbauer@siemens.com> X-ClientProxiedBy: CH0PR03CA0035.namprd03.prod.outlook.com (2603:10b6:610:b3::10) To DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:47f::13) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: DU0PR10MB6828:EE_|DBAPR10MB4027:EE_ X-MS-Office365-Filtering-Correlation-Id: a48ab687-7851-4187-acc5-08de11813eb5 X-MS-Exchange-AtpMessageProperties: SA X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|1800799024|366016|376014; X-Microsoft-Antispam-Message-Info: 0qXWWOCLDemrTYDW7U8e0Dw5z1gJXh3bGEq/RimUxsehXHftDZv+gvOjT+LeKe9wzQAw6xYBoSsqTn5X7OE/cbnacJGUqxFWLewyJoOJmtO1p6EHbYTqXNtYagpWmYYVpFezv/r+by5wvI9Vfgdc3NBcX7zIAVa+m01FHFgCLetY4S4wXHxbJEHzniKuZeWp6UBnDxwfFtoRp3nAAV7AVvi3QaXoFqzgl9wJtK1PrC2MVO+b0SA+Mr3c+ikrgZtLZF4l6SuuDewHB5xN3Ng+40BwHZ7HpVVgENMyDGuJiXslKlbzOOVTqU8CRFubqyOZ6qcjroSILjMwwtmmS5FYvbICn+wj69CLGLgo7JrCBJSQEukbE+dK7SlMX8hYW24bm9ENUul02FZ6PqdhYJQ7rDcr5lFEMdTUsEK10g0GDlP3AU37DlOjAJEbSRJCAEEGWJ7qFGqHa8RvPxA1zVYlBw7fgKvAJZk8hH652W3pNbu71PhD4MpUA3WUeU5OUg1nq4t5Ualr4OwYk3rg7isWOi5wjkMWy3BWkm14KlM8wIyzJcOzMHdmVfaWgC1UxpSZi+tdUCkHoPB9KPFsoPYJeBc9TLuAKn1BxxMuW0CW1EKQMTtAv1pw4B/WclYAOtkB3CAPt5hyO63srU3W6lyWocz6cuz1FcIEmCZ+83oOhROXNy1UVIRub+xLZEzafoGESk4yBbvnNSd8ukeSVMTKYkLfhrAkLSkxASo9c7YyB/1eXW27OiG2uANFtjIQ1bBr39SpDP0VOsElpIZuXaHszY4SbzxzDtczC+ArzXh+uPtAQYLZncPs6mSDfbrXd8m79kvJsqJQWUQ9OOWx9drM8MdlQ33w3kJyXEQXauyLuZYQ8OXBrE/C7NieqW17lTzJ+846Il5xnVqjRmwlQ/6ZkzDAT1uALbfmTZn7OFBjJuFQ1ygcpYViWCKAtNUUU6PBHeXwa1xF7es6OhBQrH90XRD/IGOKWL1/npK/6kskauorPgBTHkGp46K3YVBkJWj4xsIPUK+IdTfPk3GkYwKvUYwKw5MEq7szI/qydNLrfY8lwilEVsnfdtgrp7kbv/C+bL+kJp9iLoztc7ry5vqQJtMti0h7otMHuY796tkBK6IHK5ibR0+2NUndy+XhhN2BpcLMeCUoBXzLXSyg0bBI6wk8k/En2w6ISC1FdJAXoUK1FoHHtlX5QiDHenDBcTf2BARJryHE686jZy1HvUE7unT1jWY58dpTUj/mDXwwXEF7r4X7QadvKj33ZJHkqHuw8mSv7sLJu7LOVkbKqnCbRlGFVPKfV+5yzdig+0fd9I6xHVKMk5r9OL2zrZMBswvQqhNn75lbM1v2Eeh1m2wVxeV2ySLQhip77QYSGWW0gukzmSqng8Aw4YIuBUAoBHE9y3FKskHQ/pHR+hUy0NdRZ23Iz1+JiUwzqgV9bBZBiZ4Yd6k3txawTiuEw46Znoo1 X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(1800799024)(366016)(376014);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: s055bCCxoLpUdFhueD/pcpVAZWjB81pmdvTVE9T1ESJU+xIk+KxiIgDHLZ7r/0jPS4d3dOx4By/k7WVzZhsCU3j9prCmsIGrve7VPuE/SLgsk+nJ5oBfN0SGIOhmODrxoaRMex5i/QKGJg4li9BKnNEZlsJOc/cBHaenjGi3fj7kKCULGqaAJLBYZ3+Gnuvjn5XRqpuTC40c5DNm/Y7HZshdFd99zrx3f9R6aA3Y5tYe38kZV/DEpBBV24TgDMpneXCy2IWdzQ4pB8bLMKMyIMg+awbra5IUNS95RKgjKR4pipt53lbGimMYGlId69kBGlNBHDFseo6HlgOv5X68GjJscRU7+wzlVrveaauHqrHIkSjCtNWLpNfH1RnYqfUyDXBvzM7S42Uj21+YjO6TWdY6Vpx/JZktTLkpHdSw5q2QthTUbrEY+iPU5kmpoJlCnPY7eIsfgRsODbrlYMr54Q10vvg2UFuQWYM5j4Nez+r4HPnxYTzwnfC5h1Pl5QVVY2TyTFgPmDTOjR0gN9qhjH8hbB+eY+u3RV+1b8EvJVGC0l/Xs8s4WmFwch0rdAENvRQGuzRFVt/l7WjsTcnFy3FeXUo5dDxmeADWomsaC5In4GMu39vs09uDOdpvFyEw9eOqf9ezuviQsJqwHxaZZPN0bcHtkYMz764hnlDMjE86kZCOzFlMdsI0ZlJER61JnXqlNXOVn4OgPMOf7NpwHxpcfOhxaWt1vP6o5rSBvblkAH2wip69t61RQJqbYag+702RthJ6QQd5CA//6BoUi7yZ9KwQVNj7NeNr70LQA237OYOBSRYPL+2ho7KrQO1WNydQKLXD9YuxVM8Ys6DdK9dYeYGmimVTRarQv9L8rMyadHGStq3nhCiFSmR3mjM7FA/AgFDj7o7HFQAkgZ1Il9EwANW63tLaP6CcXl4y8GlmQ0u7mGHZ4tHWZ7OZ2dMMW7jD84SP/4aLdY2QZufum5mnhtCTvAOJiNQzf20DmeuibBNuJFuCxlVj98CcM2sVtZJg9uUp8zK5cI+qKZkkbUXT4xrcLWogqCpjLFveUdoWnwbGLcYpHrpCkprXWXpDsdPGSEaVqABHALgmstBzl/lHUE+wE0TufuWjwPmZ+FceWIaN5ZhkK9KLnhCwVlW/ihG7oJ1FnQKYJvOAZFFuCg+kjqdtmp07FR3yq7CZjT6vdA10qhWjfMu87l0w3ck/bB7CLb8cNFwaYcGTZKgibFq6wOkhBpn/+vHU962GBuLXVxl0DekPlck0zRAmfZH6kSOoJFfZB9OjHOm8TUvS/16eyCgFMSfSiziLOZmzELbtVbmmhOupS8OgeGAAFXiuWvYKQ6tb+mQbhKVykwhD714bJTDyn0d3pPXo9ytFdyad181vyyteQg+VnxuMJ1ADH4hVu3qt9V+Yn9MY7eaBgD9H/BLPpwhRsom1OUXDcS+7gnRiXa6O/dF+lIJDY3oSJesni1h8fpu9KrpIU+/k1xfh5bCZUQid6MJ2k5ceFIx9wQUIhZh0G2FsLjy9O3RT5b2JUzIDz9tJlEROqRFkjf5rn6Q/wUtgRTdSqW1U3FyKBPzMKbwEX/R4thy19aBsfCCarsjLfuWbV86DWvy0Nw== X-OriginatorOrg: siemens.com X-MS-Exchange-CrossTenant-Network-Message-Id: a48ab687-7851-4187-acc5-08de11813eb5 X-MS-Exchange-CrossTenant-AuthSource: DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 22 Oct 2025 15:39:53.6268 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: QvwqSup3vCs5yDPJyg43/Ax+lgYxdG/YYfSZLb903o1ZoU2qIv/huCYIfpid79tbjkdC3c/X4gRMWtfFa6rlzPwSnSS+85+Zw5RgH/lTBhE= X-MS-Exchange-Transport-CrossTenantHeadersStamped: DBAPR10MB4027 X-Original-Sender: felix.moessbauer@siemens.com X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=selector2 header.b=xpxx1tGq; arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com); spf=pass (google.com: domain of felix.moessbauer@siemens.com designates 2a01:111:f403:c207::3 as permitted sender) smtp.mailfrom=felix.moessbauer@siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com X-Original-From: Felix Moessbauer Reply-To: Felix Moessbauer Precedence: list Mailing-list: list isar-users@googlegroups.com; contact isar-users+owners@googlegroups.com List-ID: X-Spam-Checked-In-Group: isar-users@googlegroups.com X-Google-Group-Id: 914930254986 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Status: No, score=-4.9 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI, RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL, RCVD_IN_RP_CERTIFIED,RCVD_IN_RP_RNBL,RCVD_IN_RP_SAFE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on shymkent.ilbers.de X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= A wic image consists of potentially many different components. All these should be covered by a single SBOM. After creating the wic image, we collect the individual sbom files (rootfs, initrd, imaging) and semantically merge it with the debsbom tool. The merge SBOM is then deployed as .wic.(spdx|cdx).json next to the wic image. Signed-off-by: Felix Moessbauer --- meta/classes/imagetypes_wic.bbclass | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/meta/classes/imagetypes_wic.bbclass b/meta/classes/imagetypes_wic.bbclass index c75d481d..fe31e4e6 100644 --- a/meta/classes/imagetypes_wic.bbclass +++ b/meta/classes/imagetypes_wic.bbclass @@ -201,4 +201,29 @@ EOIMAGER ${DEPLOY_DIR_IMAGE}/${INITRD_DEPLOY_FILE}.manifest \ ${WORKDIR}/imager.manifest 2>/dev/null \ | sort | uniq > "${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.wic.manifest" + + for bomtype in ${SBOM_TYPES}; do + merge_wic_sbom $bomtype + done +} + +merge_wic_sbom() { + BOMTYPE="$1" + TIMESTAMP=$(date --iso-8601=s -d @${SOURCE_DATE_EPOCH}) + sbom_document_uuid="${@d.getVar('SBOM_DOCUMENT_UUID') or generate_document_uuid(d, False)}" + + cat ${IMAGE_FULLNAME}.${bomtype}.json \ + ${INITRD_DEPLOY_FILE}.${bomtype}.json \ + ${WORKDIR}/imager.${bomtype}.json 2>/dev/null | \ + bwrap \ + --unshare-user \ + --unshare-pid \ + --bind ${SBOM_CHROOT} / \ + -- debsbom -v merge -t $BOMTYPE \ + --distro-name '${SBOM_DISTRO_NAME}-Image' --distro-supplier '${SBOM_DISTRO_SUPPLIER}' \ + --distro-version '${SBOM_DISTRO_VERSION}' --base-distro-vendor '${SBOM_BASE_DISTRO_VENDOR}' \ + --cdx-serialnumber $sbom_document_uuid \ + --spdx-namespace '${SBOM_SPDX_NAMESPACE_PREFIX}'-$sbom_document_uuid \ + --timestamp $TIMESTAMP - -o - \ + > ${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.wic.$bomtype.json }