[v4,10/10] wic: create uniform SBOM describing all image components

Message ID 20251117132436.511686-11-felix.moessbauer@siemens.com


Felix Moessbauer Nov. 17, 2025, 1:24 p.m. UTC
A wic image consists of potentially many different components. All these
should be covered by a single SBOM.

After creating the wic image, we collect the individual SBOM files
(rootfs, initrd, imaging) and semantically merge them with the debsbom
tool. The merged SBOM is then deployed as .wic.(spdx|cdx).json next to
the wic image.

Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
 meta/classes/imagetypes_wic.bbclass | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)


diff --git a/meta/classes/imagetypes_wic.bbclass b/meta/classes/imagetypes_wic.bbclass
index c75d481d..fe31e4e6 100644
--- a/meta/classes/imagetypes_wic.bbclass
+++ b/meta/classes/imagetypes_wic.bbclass
@@ -201,4 +201,29 @@  EOIMAGER
         ${DEPLOY_DIR_IMAGE}/${INITRD_DEPLOY_FILE}.manifest \
         ${WORKDIR}/imager.manifest 2>/dev/null \
         | sort | uniq > "${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.wic.manifest"
+
+    for bomtype in ${SBOM_TYPES}; do
+        merge_wic_sbom $bomtype
+    done
+}
+
+merge_wic_sbom() {
+    BOMTYPE="$1"
+    TIMESTAMP=$(date --iso-8601=s -d @${SOURCE_DATE_EPOCH})
+    sbom_document_uuid="${@d.getVar('SBOM_DOCUMENT_UUID') or generate_document_uuid(d, False)}"
+
+    cat ${IMAGE_FULLNAME}.${bomtype}.json \
+        ${INITRD_DEPLOY_FILE}.${bomtype}.json \
+        ${WORKDIR}/imager.${bomtype}.json 2>/dev/null | \
+    bwrap \
+        --unshare-user \
+        --unshare-pid \
+        --bind ${SBOM_CHROOT} / \
+        -- debsbom -v merge -t $BOMTYPE \
+            --distro-name '${SBOM_DISTRO_NAME}-Image' --distro-supplier '${SBOM_DISTRO_SUPPLIER}' \
+            --distro-version '${SBOM_DISTRO_VERSION}' --base-distro-vendor '${SBOM_BASE_DISTRO_VENDOR}' \
+            --cdx-serialnumber $sbom_document_uuid \
+            --spdx-namespace '${SBOM_SPDX_NAMESPACE_PREFIX}'-$sbom_document_uuid \
+            --timestamp $TIMESTAMP - -o - \
+     > ${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.wic.$bomtype.json
 }
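Review bot: merge_wic_sbom assigns its argument to `BOMTYPE` but then reads `$bomtype` on the three `cat` input lines and on the output redirect, so the inputs and the output file name depend on the caller's loop variable leaking into the function rather than on `$1`; called with a different argument, or from anywhere other than that loop, the SBOM type passed would be ignored. Use `$BOMTYPE` on those four lines, e.g. `cat ${IMAGE_FULLNAME}.${BOMTYPE}.json \` and `> ${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.wic.$BOMTYPE.json`. Separately, the `2>/dev/null` on the `cat` means a missing initrd or imager SBOM is silently dropped from the merge, which mirrors the manifest merge above but leaves the deployed SBOM incomplete without any warning; consider at least a `bbwarn` when an expected input file is absent. The rootfs and initrd inputs are also given as relative paths while the manifest lines in the same task prefix `${DEPLOY_DIR_IMAGE}/`, so unless the task's working directory is the deploy dir these inputs are likely not found — worth confirming. The function whose body the first part of this hunk extends starts outside the hunk.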