From patchwork Mon Nov 24 11:46:32 2025
X-Patchwork-Submitter: "MOESSBAUER, Felix"
X-Patchwork-Id: 4630
From: "MOESSBAUER, Felix"
To: isar-users@googlegroups.com
Cc: christoph.steiger@siemens.com, cedric.hombourger@siemens.com, jan.kiszka@siemens.com, quirin.gylstorff@siemens.com, Felix Moessbauer
Subject: [PATCH v5 04/10] meta: add SBOM generation with debsbom
Date: Mon, 24 Nov 2025 12:46:32 +0100
Message-ID: <20251124114638.2238090-5-felix.moessbauer@siemens.com>
X-Mailer: git-send-email 2.51.0
In-Reply-To: <20251124114638.2238090-1-felix.moessbauer@siemens.com>
References: <20251124114638.2238090-1-felix.moessbauer@siemens.com>
Reply-To: Felix Moessbauer
Mailing-list: list isar-users@googlegroups.com; contact isar-users+owners@googlegroups.com

From: Christoph Steiger

Generate SBOMs for every rootfs that is created. These SBOMs are placed
in the image deploy directory. For the generation a small chroot with
debsbom installed is created and from that the rootfs of the image is
scanned. The sbom generation is bound to the rootfs feature
`generate-sbom` which is activated per default now.

Signed-off-by: Christoph Steiger
Signed-off-by: Felix Moessbauer --- meta/classes/image.bbclass | 1 + meta/classes/initramfs.bbclass | 3 +- meta/classes/rootfs.bbclass | 14 +++- meta/classes/sbom.bbclass | 65 +++++++++++++++++++ meta/classes/sdk.bbclass | 2 +- .../sbom-chroot/sbom-chroot.bb | 30 +++++++++ 6 files changed, 112 insertions(+), 3 deletions(-) create mode 100644 meta/classes/sbom.bbclass create mode 100644 meta/recipes-devtools/sbom-chroot/sbom-chroot.bb diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass index 1fa71c17..29324920 100644 --- a/meta/classes/image.bbclass +++ b/meta/classes/image.bbclass @@ -99,6 +99,7 @@ ROOTFS_FEATURES += "\ clean-log-files \ clean-debconf-cache \ populate-systemd-preset \ + generate-sbom \ " ROOTFS_PACKAGES += "${IMAGE_PREINSTALL} ${@isar_multiarch_packages('IMAGE_INSTALL', d)}" ROOTFS_MANIFEST_DEPLOY_DIR ?= "${DEPLOY_DIR_IMAGE}" diff --git a/meta/classes/initramfs.bbclass b/meta/classes/initramfs.bbclass index 862bd873..570780e1 100644 --- a/meta/classes/initramfs.bbclass +++ b/meta/classes/initramfs.bbclass @@ -22,11 +22,12 @@ INITRAMFS_FULLNAME = "${PN}-${DISTRO}-${MACHINE}" # Bill-of-material ROOTFS_MANIFEST_DEPLOY_DIR = "${DEPLOY_DIR_IMAGE}" ROOTFS_PACKAGE_SUFFIX = "${INITRAMFS_FULLNAME}" +SBOM_DISTRO_NAME:append = "-initramfs" DEPENDS += "${INITRAMFS_INSTALL}" ROOTFSDIR = "${INITRAMFS_ROOTFS}" -ROOTFS_FEATURES = "generate-manifest" +ROOTFS_FEATURES = "generate-manifest generate-sbom" ROOTFS_PACKAGES = "${INITRAMFS_GENERATOR_PKG} ${INITRAMFS_PREINSTALL} ${INITRAMFS_INSTALL}" # validate if have incompatible packages in the installation list diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass index c045bfc0..b3ca9e16 100644 --- a/meta/classes/rootfs.bbclass +++ b/meta/classes/rootfs.bbclass @@ -3,6 +3,8 @@ inherit deb-dl-dir +inherit sbom + ROOTFS_ARCH ?= "${DISTRO_ARCH}" ROOTFS_DISTRO ?= "${DISTRO}" 
@@ -28,11 +30,18 @@ INITRD_IMAGE ?= "" # available features are: # 'clean-package-cache' - delete package cache from rootfs # 'generate-manifest' - generate a package manifest of the rootfs into ${ROOTFS_MANIFEST_DEPLOY_DIR} +# 'generate-sbom' - generate a SBOM of the rootfs into ${DEPLOY_DIR_SBOM} # 'export-dpkg-status' - exports /var/lib/dpkg/status file to ${ROOTFS_DPKGSTATUS_DEPLOY_DIR} # 'clean-log-files' - delete log files that are not owned by packages # 'populate-systemd-preset' - enable systemd units according to systemd presets + # 'generate-initrd' - generate debian default initrd ROOTFS_FEATURES += "${@ 'generate-initrd' if d.getVar('INITRD_IMAGE') == '' else ''}" +# only supported from bookworm / jammy on +ROOTFS_FEATURES:remove:buster = "generate-sbom" +ROOTFS_FEATURES:remove:bullseye = "generate-sbom" +ROOTFS_FEATURES:remove:jammy = "generate-sbom" +ROOTFS_FEATURES:remove:focal = "generate-sbom" ROOTFS_APT_ARGS="install --yes -o Debug::pkgProblemResolver=yes" @@ -478,6 +487,9 @@ cache_dbg_pkgs() { fi } +# The sbom generator needs the apt-cache, hence run before cleaning it +ROOTFS_POSTPROCESS_COMMAND += "${@bb.utils.contains('ROOTFS_FEATURES', 'generate-sbom', 'do_generate_sbom', '', d)}" + ROOTFS_POSTPROCESS_COMMAND += "${@bb.utils.contains('ROOTFS_FEATURES', 'clean-package-cache', 'rootfs_postprocess_clean_package_cache', '', d)}" rootfs_postprocess_clean_package_cache() { sudo -E chroot '${ROOTFSDIR}' \ @@ -647,7 +659,7 @@ python do_rootfs() { } addtask rootfs before do_build -do_rootfs_postprocess[depends] = "base-apt:do_cache isar-apt:do_cache_config" +do_rootfs_postprocess[depends] = "base-apt:do_cache isar-apt:do_cache_config ${@bb.utils.contains('ROOTFS_FEATURES', 'generate-sbom', 'sbom-chroot:do_sbomchroot_deploy', '', d)}" SSTATETASKS += "do_rootfs_install" SSTATECREATEFUNCS += "rootfs_install_sstate_prepare" diff --git a/meta/classes/sbom.bbclass b/meta/classes/sbom.bbclass new file mode 100644 index 00000000..3ed755d9 --- /dev/null 
+++ b/meta/classes/sbom.bbclass 
@@ -0,0 +1,65 @@ +# This software is a part of ISAR. +# Copyright (C) 2025 Siemens +# +# SPDX-License-Identifier: MIT + +# sbom type to generate, accepted are "cdx" or "spdx" +SBOM_TYPES ?= "spdx cdx" + +SBOM_DEBSBOM_TYPE_ARGS = "${@"-t " + " -t ".join(d.getVar("SBOM_TYPES").split())}" + +# general user variables +SBOM_DISTRO_SUPPLIER ?= "ISAR" +SBOM_DISTRO_NAME ?= "ISAR-Debian-GNU-Linux" +SBOM_DISTRO_VERSION ?= "1" +SBOM_DISTRO_SUMMARY ?= "Linux distribution built with ISAR" +SBOM_BASE_DISTRO_VENDOR ??= "debian" +SBOM_DOCUMENT_UUID ?= "" + +# SPDX specific user variables +SBOM_SPDX_NAMESPACE_PREFIX ?= "https://spdx.org/spdxdocs" + +DEPLOY_DIR_SBOM = "${DEPLOY_DIR_IMAGE}" + +SBOM_DIR = "${DEPLOY_DIR}/sbom" +SBOM_CHROOT = "${SBOM_DIR}/sbom-chroot" + +# adapted from the isar-cip-core image_uuid.bbclass +def generate_document_uuid(d, warn_not_repr=True): + import uuid + + base_hash = d.getVar("BB_TASKHASH") + if base_hash is None: + if warn_not_repr: + bb.warn("no BB_TASKHASH available, SBOM UUID is not reproducible") + return uuid.uuid4() + return str(uuid.UUID(base_hash[:32], version=4)) + +def sbom_doc_uuid(d): + if not d.getVar("SBOM_DOCUMENT_UUID"): + d.setVar("SBOM_DOCUMENT_UUID", generate_document_uuid(d)) + +generate_sbom() { + sudo mkdir -p ${SBOM_CHROOT}/mnt/rootfs ${SBOM_CHROOT}/mnt/deploy-dir + + TIMESTAMP=$(date --iso-8601=s -d @${SOURCE_DATE_EPOCH}) + bwrap \ + --unshare-user \ + --unshare-pid \ + --bind ${SBOM_CHROOT} / \ + --bind ${ROOTFSDIR} /mnt/rootfs \ + --bind ${DEPLOY_DIR_SBOM} /mnt/deploy-dir \ + -- debsbom -v generate ${SBOM_DEBSBOM_TYPE_ARGS} -r /mnt/rootfs -o /mnt/deploy-dir/'${PN}-${DISTRO}-${MACHINE}' \ + --distro-name '${SBOM_DISTRO_NAME}' --distro-supplier '${SBOM_DISTRO_SUPPLIER}' \ + --distro-version '${SBOM_DISTRO_VERSION}' --distro-arch '${DISTRO_ARCH}' \ + --base-distro-vendor '${SBOM_BASE_DISTRO_VENDOR}' \ + --cdx-serialnumber '${SBOM_DOCUMENT_UUID}' \ + --spdx-namespace '${SBOM_SPDX_NAMESPACE_PREFIX}'-'${SBOM_DOCUMENT_UUID}' \ + 
--timestamp $TIMESTAMP +} + +do_generate_sbom[dirs] += "${DEPLOY_DIR_SBOM}" +python do_generate_sbom() { + sbom_doc_uuid(d) + bb.build.exec_func("generate_sbom", d) +} diff --git a/meta/classes/sdk.bbclass b/meta/classes/sdk.bbclass index 00cae0da..d57269e5 100644 --- a/meta/classes/sdk.bbclass +++ b/meta/classes/sdk.bbclass @@ -47,7 +47,7 @@ SDK_PREINSTALL += " \ ROOTFS_ARCH:class-sdk = "${HOST_ARCH}" ROOTFS_DISTRO:class-sdk = "${@get_rootfs_distro(d)}" ROOTFS_PACKAGES:class-sdk = "sdk-files ${SDK_TOOLCHAIN} ${SDK_PREINSTALL} ${@isar_multiarch_packages('SDK_INSTALL', d)}" -ROOTFS_FEATURES:append:class-sdk = " clean-package-cache generate-manifest export-dpkg-status" +ROOTFS_FEATURES:append:class-sdk = " clean-package-cache generate-manifest export-dpkg-status generate-sbom" ROOTFS_MANIFEST_DEPLOY_DIR:class-sdk = "${DEPLOY_DIR_SDKCHROOT}" ROOTFS_DPKGSTATUS_DEPLOY_DIR:class-sdk = "${DEPLOY_DIR_SDKCHROOT}" diff --git a/meta/recipes-devtools/sbom-chroot/sbom-chroot.bb b/meta/recipes-devtools/sbom-chroot/sbom-chroot.bb new file mode 100644 index 00000000..58200382 --- /dev/null +++ b/meta/recipes-devtools/sbom-chroot/sbom-chroot.bb @@ -0,0 +1,30 @@ +# This software is a part of ISAR. +# +# Copyright (C) 2025 Siemens + +LICENSE = "gpl-2.0" +LIC_FILES_CHKSUM = "file://${LAYERDIR_core}/licenses/COPYING.GPLv2;md5=751419260aa954499f7abaabaa882bbe" + +PV = "1.0" + +inherit rootfs + +ROOTFS_ARCH = "${HOST_ARCH}" +ROOTFS_DISTRO = "${@get_rootfs_distro(d)}" +ROOTFS_BASE_DISTRO = "${HOST_BASE_DISTRO}" + +ROOTFS_FEATURES = "no-generate-initrd" +ROOTFS_INSTALL_COMMAND:remove = "rootfs_restore_initrd_tooling" + +# additional packages for the SBOM chroot +SBOM_IMAGE_INSTALL = "python3-debsbom" +DEPENDS += "python3-debsbom" + +ROOTFSDIR = "${WORKDIR}/rootfs" +ROOTFS_PACKAGES = "${SBOM_IMAGE_INSTALL}" + +do_sbomchroot_deploy[dirs] = "${SBOM_DIR}" +do_sbomchroot_deploy() { + ln -Tfsr "${ROOTFSDIR}" "${SBOM_CHROOT}" +} +addtask do_sbomchroot_deploy before do_build after do_rootfs
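
Review bot: In the meta/classes/rootfs.bbclass hunk at @@ -28,11 +30,18 @@, the comment "only supported from bookworm / jammy on" contradicts the line `ROOTFS_FEATURES:remove:jammy = "generate-sbom"` directly below it, which disables the feature on jammy. Either drop the jammy removal or reword the comment so it names the releases that really are supported. The same hunk also adds an empty line between the 'populate-systemd-preset' and 'generate-initrd' entries of the feature comment, which splits the list for no visible reason.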
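
Review bot: In the new meta/classes/sbom.bbclass, generate_sbom() mounts the image rootfs into the sandbox with `--bind ${ROOTFSDIR} /mnt/rootfs`, which is a read-write bind even though the scanner is only pointed at it as input via `-r /mnt/rootfs`. If debsbom only reads from that path, `--ro-bind` would keep the tool from modifying the rootfs it is supposed to describe and leave `/mnt/deploy-dir` as the only writable target. Separately, generate_document_uuid() returns a uuid.UUID object from the fallback branch (`return uuid.uuid4()`) but a str from the BB_TASKHASH branch; wrapping the fallback in str() would make the value stored in SBOM_DOCUMENT_UUID consistent. The expansions in `sudo mkdir -p ${SBOM_CHROOT}/mnt/rootfs ...`, the bwrap bind arguments and `--timestamp $TIMESTAMP` are unquoted, unlike the quoted `--distro-*` arguments next to them.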
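
Review bot: In the meta/classes/sdk.bbclass hunk, enabling generate-sbom for class-sdk means the SDK rootfs is described with values that the same file overrides for the SDK: generate_sbom() passes `--distro-arch '${DISTRO_ARCH}'` while the context line here sets `ROOTFS_ARCH:class-sdk = "${HOST_ARCH}"`. Consider passing ROOTFS_ARCH (which defaults to DISTRO_ARCH in rootfs.bbclass) so the SBOM records the architecture of the rootfs that was scanned. In the same spirit, the manifest and dpkg status are redirected to ${DEPLOY_DIR_SDKCHROOT} for class-sdk, but DEPLOY_DIR_SBOM is hard-assigned to ${DEPLOY_DIR_IMAGE} in sbom.bbclass, so the SDK SBOM lands in a different directory than the other SDK artifacts; a class-sdk override or a short comment explaining the choice would help.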
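
Review bot: In the new meta/recipes-devtools/sbom-chroot/sbom-chroot.bb, the recipe inherits rootfs, and rootfs.bbclass now adds `sbom-chroot:do_sbomchroot_deploy` to do_rootfs_postprocess[depends] whenever generate-sbom is in ROOTFS_FEATURES, so the only thing that keeps this recipe from depending on its own deploy task is the hard assignment `ROOTFS_FEATURES = "no-generate-initrd"`. That coupling deserves a comment next to the assignment so a later switch to `+=` does not introduce a dependency loop. Two smaller points: do_sbomchroot_deploy publishes ${SBOM_CHROOT} as a symlink into ${WORKDIR}/rootfs, so the deployed chroot is only valid while this recipe's work directory exists, which should be documented; and the file header has no SPDX-License-Identifier line, whereas sbom.bbclass in the same patch carries one.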