From patchwork Mon Nov 17 13:24:36 2025
X-Patchwork-Submitter: Felix Moessbauer
X-Patchwork-Id: 4606
From: Felix Moessbauer
To: isar-users@googlegroups.com
Cc: christoph.steiger@siemens.com, cedric.hombourger@siemens.com, jan.kiszka@siemens.com, Felix Moessbauer
Subject: [PATCH v4 10/10] wic: create uniform SBOM describing all image components
Date: Mon, 17 Nov 2025 14:24:36 +0100
Message-ID: <20251117132436.511686-11-felix.moessbauer@siemens.com>
In-Reply-To: <20251117132436.511686-1-felix.moessbauer@siemens.com>
References: <20251117132436.511686-1-felix.moessbauer@siemens.com>

A wic image consists of potentially many different components. All these should be covered by a single SBOM. After creating the wic image, we collect the individual SBOM files (rootfs, initrd, imaging) and semantically merge them with the debsbom tool. The merged SBOM is then deployed as .wic.(spdx|cdx).json next to the wic image.

Signed-off-by: Felix Moessbauer --- meta/classes/imagetypes_wic.bbclass | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/meta/classes/imagetypes_wic.bbclass b/meta/classes/imagetypes_wic.bbclass index c75d481d..fe31e4e6 100644 --- a/meta/classes/imagetypes_wic.bbclass +++ b/meta/classes/imagetypes_wic.bbclass @@ -201,4 +201,29 @@ EOIMAGER ${DEPLOY_DIR_IMAGE}/${INITRD_DEPLOY_FILE}.manifest \ ${WORKDIR}/imager.manifest 2>/dev/null \ | sort | uniq > "${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.wic.manifest" + + for bomtype in ${SBOM_TYPES}; do + merge_wic_sbom $bomtype + done +} + +merge_wic_sbom() { + BOMTYPE="$1" + TIMESTAMP=$(date --iso-8601=s -d @${SOURCE_DATE_EPOCH}) + sbom_document_uuid="${@d.getVar('SBOM_DOCUMENT_UUID') or generate_document_uuid(d, False)}" + + cat ${IMAGE_FULLNAME}.${bomtype}.json \ + ${INITRD_DEPLOY_FILE}.${bomtype}.json \ + ${WORKDIR}/imager.${bomtype}.json 2>/dev/null | \ + bwrap \ + --unshare-user \ + --unshare-pid \ + --bind ${SBOM_CHROOT} / \ + -- debsbom -v merge -t $BOMTYPE \ + --distro-name '${SBOM_DISTRO_NAME}-Image' --distro-supplier '${SBOM_DISTRO_SUPPLIER}' \ + --distro-version '${SBOM_DISTRO_VERSION}' --base-distro-vendor '${SBOM_BASE_DISTRO_VENDOR}' \ + --cdx-serialnumber $sbom_document_uuid \ + --spdx-namespace '${SBOM_SPDX_NAMESPACE_PREFIX}'-$sbom_document_uuid \ + --timestamp $TIMESTAMP - -o - \ + > ${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.wic.$bomtype.json }
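
Review bot: In merge_wic_sbom(), the `cat` that feeds debsbom discards its errors with `2>/dev/null`, and its first two inputs (`${IMAGE_FULLNAME}.${bomtype}.json` and `${INITRD_DEPLOY_FILE}.${bomtype}.json`) carry no directory prefix, whereas the manifest lines just above read from `${DEPLOY_DIR_IMAGE}/...`. If those relative paths do not resolve, nothing in the visible lines stops the merge from proceeding on partial input and deploying a .wic SBOM that lacks the rootfs or initrd components, with no message in the log. Suggest prefixing both paths with `${DEPLOY_DIR_IMAGE}/` if that is where the files live, and failing the task (or at least warning) when an expected input is missing instead of suppressing stderr. Separately, the function assigns `BOMTYPE="$1"` but builds the input and output file names from `$bomtype`, which only works because the caller's loop variable is still in scope; use one name throughout.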