From patchwork Mon Dec 1 08:58:07 2025
X-Patchwork-Submitter: "MOESSBAUER, Felix"
X-Patchwork-Id: 4689
From: "MOESSBAUER, Felix"
To: isar-users@googlegroups.com
Cc: christoph.steiger@siemens.com, cedric.hombourger@siemens.com, jan.kiszka@siemens.com, quirin.gylstorff@siemens.com, Felix Moessbauer
Subject: [PATCH v6 04/10] meta: add SBOM generation with debsbom
Date: Mon, 1 Dec 2025 09:58:07 +0100
Message-ID: <20251201085813.1616095-5-felix.moessbauer@siemens.com>
In-Reply-To: <20251201085813.1616095-1-felix.moessbauer@siemens.com>
References: <20251201085813.1616095-1-felix.moessbauer@siemens.com>

From: Christoph Steiger

Generate SBOMs for every rootfs that is created. These SBOMs are placed
in the image deploy directory. For the generation a small chroot with
debsbom installed is created and from that the rootfs of the image is
scanned.

The sbom generation is bound to the rootfs feature `generate-sbom` which
is activated per default now.

Signed-off-by: Christoph Steiger
Signed-off-by: Felix Moessbauer --- meta/classes/image.bbclass | 1 + meta/classes/initramfs.bbclass | 3 +- meta/classes/rootfs.bbclass | 14 +++- meta/classes/sbom.bbclass | 65 +++++++++++++++++++ meta/classes/sdk.bbclass | 2 +- .../sbom-chroot/sbom-chroot.bb | 30 +++++++++ 6 files changed, 112 insertions(+), 3 deletions(-) create mode 100644 meta/classes/sbom.bbclass create mode 100644 meta/recipes-devtools/sbom-chroot/sbom-chroot.bb diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass index b030024f..da7910b2 100644 --- a/meta/classes/image.bbclass +++ b/meta/classes/image.bbclass @@ -99,6 +99,7 @@ ROOTFS_FEATURES += "\ clean-log-files \ clean-debconf-cache \ populate-systemd-preset \ + generate-sbom \ " ROOTFS_PACKAGES += "${IMAGE_PREINSTALL} ${@isar_multiarch_packages('IMAGE_INSTALL', d)}" ROOTFS_VARDEPS += "IMAGE_INSTALL" diff --git a/meta/classes/initramfs.bbclass b/meta/classes/initramfs.bbclass index 862bd873..570780e1 100644 --- a/meta/classes/initramfs.bbclass +++ b/meta/classes/initramfs.bbclass @@ -22,11 +22,12 @@ INITRAMFS_FULLNAME = "${PN}-${DISTRO}-${MACHINE}" # Bill-of-material ROOTFS_MANIFEST_DEPLOY_DIR = "${DEPLOY_DIR_IMAGE}" ROOTFS_PACKAGE_SUFFIX = "${INITRAMFS_FULLNAME}" +SBOM_DISTRO_NAME:append = "-initramfs" DEPENDS += "${INITRAMFS_INSTALL}" ROOTFSDIR = "${INITRAMFS_ROOTFS}" -ROOTFS_FEATURES = "generate-manifest" +ROOTFS_FEATURES = "generate-manifest generate-sbom" ROOTFS_PACKAGES = "${INITRAMFS_GENERATOR_PKG} ${INITRAMFS_PREINSTALL} ${INITRAMFS_INSTALL}" # validate if have incompatible packages in the installation list diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass index 3027c4dd..2c45a9c7 100644 --- a/meta/classes/rootfs.bbclass +++ b/meta/classes/rootfs.bbclass @@ -3,6 +3,8 @@ inherit deb-dl-dir +inherit sbom + ROOTFS_ARCH ?= "${DISTRO_ARCH}" ROOTFS_DISTRO ?= "${DISTRO}" 
@@ -29,11 +31,18 @@ INITRD_IMAGE ?= "" # available features are: # 'clean-package-cache' - delete package cache from rootfs # 'generate-manifest' - generate a package manifest of the rootfs into ${ROOTFS_MANIFEST_DEPLOY_DIR} +# 'generate-sbom' - generate a SBOM of the rootfs into ${DEPLOY_DIR_SBOM} # 'export-dpkg-status' - exports /var/lib/dpkg/status file to ${ROOTFS_DPKGSTATUS_DEPLOY_DIR} # 'clean-log-files' - delete log files that are not owned by packages # 'populate-systemd-preset' - enable systemd units according to systemd presets + # 'generate-initrd' - generate debian default initrd ROOTFS_FEATURES += "${@ 'generate-initrd' if d.getVar('INITRD_IMAGE') == '' else ''}" +# only supported from bookworm / jammy on +ROOTFS_FEATURES:remove:buster = "generate-sbom" +ROOTFS_FEATURES:remove:bullseye = "generate-sbom" +ROOTFS_FEATURES:remove:jammy = "generate-sbom" +ROOTFS_FEATURES:remove:focal = "generate-sbom" ROOTFS_APT_ARGS="install --yes -o Debug::pkgProblemResolver=yes" @@ -480,6 +489,9 @@ cache_dbg_pkgs() { fi } +# The sbom generator needs the apt-cache, hence run before cleaning it +ROOTFS_POSTPROCESS_COMMAND += "${@bb.utils.contains('ROOTFS_FEATURES', 'generate-sbom', 'do_generate_sbom', '', d)}" + ROOTFS_POSTPROCESS_COMMAND += "${@bb.utils.contains('ROOTFS_FEATURES', 'clean-package-cache', 'rootfs_postprocess_clean_package_cache', '', d)}" rootfs_postprocess_clean_package_cache() { sudo -E chroot '${ROOTFSDIR}' \ @@ -649,7 +661,7 @@ python do_rootfs() { } addtask rootfs before do_build -do_rootfs_postprocess[depends] = "base-apt:do_cache isar-apt:do_cache_config" +do_rootfs_postprocess[depends] = "base-apt:do_cache isar-apt:do_cache_config ${@bb.utils.contains('ROOTFS_FEATURES', 'generate-sbom', 'sbom-chroot:do_sbomchroot_deploy', '', d)}" SSTATETASKS += "do_rootfs_install" SSTATECREATEFUNCS += "rootfs_install_sstate_prepare" diff --git a/meta/classes/sbom.bbclass b/meta/classes/sbom.bbclass new file mode 100644 index 00000000..3ed755d9 --- /dev/null 
+++ b/meta/classes/sbom.bbclass 
@@ -0,0 +1,65 @@ +# This software is a part of ISAR. +# Copyright (C) 2025 Siemens +# +# SPDX-License-Identifier: MIT + +# sbom type to generate, accepted are "cdx" or "spdx" +SBOM_TYPES ?= "spdx cdx" + +SBOM_DEBSBOM_TYPE_ARGS = "${@"-t " + " -t ".join(d.getVar("SBOM_TYPES").split())}" + +# general user variables +SBOM_DISTRO_SUPPLIER ?= "ISAR" +SBOM_DISTRO_NAME ?= "ISAR-Debian-GNU-Linux" +SBOM_DISTRO_VERSION ?= "1" +SBOM_DISTRO_SUMMARY ?= "Linux distribution built with ISAR" +SBOM_BASE_DISTRO_VENDOR ??= "debian" +SBOM_DOCUMENT_UUID ?= "" + +# SPDX specific user variables +SBOM_SPDX_NAMESPACE_PREFIX ?= "https://spdx.org/spdxdocs" + +DEPLOY_DIR_SBOM = "${DEPLOY_DIR_IMAGE}" + +SBOM_DIR = "${DEPLOY_DIR}/sbom" +SBOM_CHROOT = "${SBOM_DIR}/sbom-chroot" + +# adapted from the isar-cip-core image_uuid.bbclass +def generate_document_uuid(d, warn_not_repr=True): + import uuid + + base_hash = d.getVar("BB_TASKHASH") + if base_hash is None: + if warn_not_repr: + bb.warn("no BB_TASKHASH available, SBOM UUID is not reproducible") + return uuid.uuid4() + return str(uuid.UUID(base_hash[:32], version=4)) + +def sbom_doc_uuid(d): + if not d.getVar("SBOM_DOCUMENT_UUID"): + d.setVar("SBOM_DOCUMENT_UUID", generate_document_uuid(d)) + +generate_sbom() { + sudo mkdir -p ${SBOM_CHROOT}/mnt/rootfs ${SBOM_CHROOT}/mnt/deploy-dir + + TIMESTAMP=$(date --iso-8601=s -d @${SOURCE_DATE_EPOCH}) + bwrap \ + --unshare-user \ + --unshare-pid \ + --bind ${SBOM_CHROOT} / \ + --bind ${ROOTFSDIR} /mnt/rootfs \ + --bind ${DEPLOY_DIR_SBOM} /mnt/deploy-dir \ + -- debsbom -v generate ${SBOM_DEBSBOM_TYPE_ARGS} -r /mnt/rootfs -o /mnt/deploy-dir/'${PN}-${DISTRO}-${MACHINE}' \ + --distro-name '${SBOM_DISTRO_NAME}' --distro-supplier '${SBOM_DISTRO_SUPPLIER}' \ + --distro-version '${SBOM_DISTRO_VERSION}' --distro-arch '${DISTRO_ARCH}' \ + --base-distro-vendor '${SBOM_BASE_DISTRO_VENDOR}' \ + --cdx-serialnumber '${SBOM_DOCUMENT_UUID}' \ + --spdx-namespace '${SBOM_SPDX_NAMESPACE_PREFIX}'-'${SBOM_DOCUMENT_UUID}' \ + 
--timestamp $TIMESTAMP +} + +do_generate_sbom[dirs] += "${DEPLOY_DIR_SBOM}" +python do_generate_sbom() { + sbom_doc_uuid(d) + bb.build.exec_func("generate_sbom", d) +} diff --git a/meta/classes/sdk.bbclass b/meta/classes/sdk.bbclass index 81d3c65e..17b56bcf 100644 --- a/meta/classes/sdk.bbclass +++ b/meta/classes/sdk.bbclass @@ -48,7 +48,7 @@ ROOTFS_ARCH:class-sdk = "${HOST_ARCH}" ROOTFS_DISTRO:class-sdk = "${@get_rootfs_distro(d)}" ROOTFS_PACKAGES:class-sdk = "sdk-files ${SDK_TOOLCHAIN} ${SDK_PREINSTALL} ${@isar_multiarch_packages('SDK_INSTALL', d)}" ROOTFS_VARDEPS:class-sdk = "SDK_INSTALL SDK_INCLUDE_ISAR_APT" -ROOTFS_FEATURES:append:class-sdk = " clean-package-cache generate-manifest export-dpkg-status" +ROOTFS_FEATURES:append:class-sdk = " clean-package-cache generate-manifest export-dpkg-status generate-sbom" ROOTFS_MANIFEST_DEPLOY_DIR:class-sdk = "${DEPLOY_DIR_SDKCHROOT}" ROOTFS_DPKGSTATUS_DEPLOY_DIR:class-sdk = "${DEPLOY_DIR_SDKCHROOT}" diff --git a/meta/recipes-devtools/sbom-chroot/sbom-chroot.bb b/meta/recipes-devtools/sbom-chroot/sbom-chroot.bb new file mode 100644 index 00000000..58200382 --- /dev/null +++ b/meta/recipes-devtools/sbom-chroot/sbom-chroot.bb 
@@ -0,0 +1,30 @@ +# This software is a part of ISAR. +# +# Copyright (C) 2025 Siemens + +LICENSE = "gpl-2.0" +LIC_FILES_CHKSUM = "file://${LAYERDIR_core}/licenses/COPYING.GPLv2;md5=751419260aa954499f7abaabaa882bbe" + +PV = "1.0" + +inherit rootfs + +ROOTFS_ARCH = "${HOST_ARCH}" +ROOTFS_DISTRO = "${@get_rootfs_distro(d)}" +ROOTFS_BASE_DISTRO = "${HOST_BASE_DISTRO}" + +ROOTFS_FEATURES = "no-generate-initrd" +ROOTFS_INSTALL_COMMAND:remove = "rootfs_restore_initrd_tooling" + +# additional packages for the SBOM chroot +SBOM_IMAGE_INSTALL = "python3-debsbom" +DEPENDS += "python3-debsbom" + +ROOTFSDIR = "${WORKDIR}/rootfs" +ROOTFS_PACKAGES = "${SBOM_IMAGE_INSTALL}" + +do_sbomchroot_deploy[dirs] = "${SBOM_DIR}" +do_sbomchroot_deploy() { + ln -Tfsr "${ROOTFSDIR}" "${SBOM_CHROOT}" +} +addtask do_sbomchroot_deploy before do_build after do_rootfs
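Review bot: In the meta/classes/rootfs.bbclass hunk at `@@ -29,11 +31,18 @@`, the comment `# only supported from bookworm / jammy on` contradicts `ROOTFS_FEATURES:remove:jammy = "generate-sbom"` a few lines below it, which switches the feature off for jammy. Either drop the jammy removal or correct the comment so it names the releases that are actually supported. The same hunk also adds an empty line between the `populate-systemd-preset` and `generate-initrd` entries of the feature list comment, which splits the list and looks unintended.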
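Review bot: In meta/classes/sbom.bbclass, `generate_document_uuid()` returns a `uuid.UUID` object from the fallback branch (`return uuid.uuid4()`) but a string from the `BB_TASKHASH` branch, so `sbom_doc_uuid()` can hand a non-string to `d.setVar("SBOM_DOCUMENT_UUID", ...)`; wrap the fallback in `str()` too. In `generate_sbom()`, the image rootfs is mounted with `--bind ${ROOTFSDIR} /mnt/rootfs`, which is read-write. If debsbom only reads from the scan root given with `-r /mnt/rootfs` and writes its output below `/mnt/deploy-dir`, `--ro-bind` for the rootfs would keep the scanner from being able to change the image it describes. The expansions `${SBOM_CHROOT}`, `${ROOTFSDIR}`, `${DEPLOY_DIR_SBOM}` and `$TIMESTAMP` are also unquoted while the other arguments in the same command are quoted.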
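Review bot: The meta/classes/sdk.bbclass hunk enables `generate-sbom` for class-sdk without a matching deploy directory override: the context lines set `ROOTFS_MANIFEST_DEPLOY_DIR:class-sdk` and `ROOTFS_DPKGSTATUS_DEPLOY_DIR:class-sdk` to `${DEPLOY_DIR_SDKCHROOT}`, while sbom.bbclass fixes `DEPLOY_DIR_SBOM = "${DEPLOY_DIR_IMAGE}"`. The SDK SBOM therefore ends up in the image deploy directory instead of next to the SDK manifest. Consider adding `DEPLOY_DIR_SBOM:class-sdk = "${DEPLOY_DIR_SDKCHROOT}"`, or say in the commit message that this placement is intended.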
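Review bot: In meta/recipes-devtools/sbom-chroot/sbom-chroot.bb, `do_sbomchroot_deploy` publishes the chroot as a symlink at `${SBOM_CHROOT}` (`${DEPLOY_DIR}/sbom/sbom-chroot` per sbom.bbclass) that points into this recipe's `${WORKDIR}/rootfs`, and that path has no distro or architecture component although `ROOTFS_DISTRO` and `ROOTFS_ARCH` are derived from the host settings. Is it guaranteed that only one variant of this recipe is built per `${DEPLOY_DIR}`? If not, a later deploy retargets the link while `generate_sbom` calls of other images may still be using it; a suffix in `SBOM_CHROOT` would avoid that. The recipe also relies on `ROOTFS_FEATURES = "no-generate-initrd"` not containing `generate-sbom`, because the `do_rootfs_postprocess[depends]` change in rootfs.bbclass would otherwise make sbom-chroot depend on its own `do_sbomchroot_deploy`; a comment stating this would guard against a later switch to `+=`.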