From patchwork Mon Nov 24 11:46:38 2025
X-Patchwork-Submitter: "MOESSBAUER, Felix"
X-Patchwork-Id: 4636
From: "MOESSBAUER, Felix"
To: isar-users@googlegroups.com
Cc: christoph.steiger@siemens.com, cedric.hombourger@siemens.com, jan.kiszka@siemens.com, quirin.gylstorff@siemens.com, Felix Moessbauer
Subject: [PATCH v5 10/10] wic: create uniform SBOM describing all image components
Date: Mon, 24 Nov 2025 12:46:38 +0100
Message-ID: <20251124114638.2238090-11-felix.moessbauer@siemens.com>
X-Mailer: git-send-email 2.51.0
In-Reply-To: <20251124114638.2238090-1-felix.moessbauer@siemens.com>
References: <20251124114638.2238090-1-felix.moessbauer@siemens.com>

A wic image consists of potentially many different components. All these should be covered by a single SBOM. After creating the wic image, we collect the individual SBOM files (rootfs, initrd, imaging) and semantically merge them with the debsbom tool. The merged SBOM is then deployed as .wic.(spdx|cdx).json next to the wic image.

Signed-off-by: Felix Moessbauer --- meta/classes/imagetypes_wic.bbclass | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/meta/classes/imagetypes_wic.bbclass b/meta/classes/imagetypes_wic.bbclass index c75d481d..fe31e4e6 100644 --- a/meta/classes/imagetypes_wic.bbclass +++ b/meta/classes/imagetypes_wic.bbclass @@ -201,4 +201,29 @@ EOIMAGER ${DEPLOY_DIR_IMAGE}/${INITRD_DEPLOY_FILE}.manifest \ ${WORKDIR}/imager.manifest 2>/dev/null \ | sort | uniq > "${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.wic.manifest" + + for bomtype in ${SBOM_TYPES}; do + merge_wic_sbom $bomtype + done +} + +merge_wic_sbom() { + BOMTYPE="$1" + TIMESTAMP=$(date --iso-8601=s -d @${SOURCE_DATE_EPOCH}) + sbom_document_uuid="${@d.getVar('SBOM_DOCUMENT_UUID') or generate_document_uuid(d, False)}" + + cat ${IMAGE_FULLNAME}.${bomtype}.json \ + ${INITRD_DEPLOY_FILE}.${bomtype}.json \ + ${WORKDIR}/imager.${bomtype}.json 2>/dev/null | \ + bwrap \ + --unshare-user \ + --unshare-pid \ + --bind ${SBOM_CHROOT} / \ + -- debsbom -v merge -t $BOMTYPE \ + --distro-name '${SBOM_DISTRO_NAME}-Image' --distro-supplier '${SBOM_DISTRO_SUPPLIER}' \ + --distro-version '${SBOM_DISTRO_VERSION}' --base-distro-vendor '${SBOM_BASE_DISTRO_VENDOR}' \ + --cdx-serialnumber $sbom_document_uuid \ + --spdx-namespace '${SBOM_SPDX_NAMESPACE_PREFIX}'-$sbom_document_uuid \ + --timestamp $TIMESTAMP - -o - \ + > ${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.wic.$bomtype.json }
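
Review bot: In merge_wic_sbom the `cat` of the three input SBOMs ends in `2>/dev/null`, so a missing rootfs, initrd or imager SBOM is dropped silently and the merged `.wic.$bomtype.json` can be deployed without covering that component. The first two inputs are also given without `${DEPLOY_DIR_IMAGE}/`, unlike the manifest inputs in the context lines just above, so whether they are found depends on the working directory. Consider using absolute paths and failing, or at least warning, when an expected input is absent, keeping the tolerance only for inputs that are genuinely optional. Separately, the function assigns `BOMTYPE="$1"` but builds the input and output file names from `${bomtype}` and `$bomtype`, which is the caller's loop variable; using the function's own argument throughout would keep it correct if it is ever called from elsewhere. The unquoted `$sbom_document_uuid` and `$TIMESTAMP` arguments would also be safer quoted.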