[PATCH 0/2] Make SBOM naming more robust against downstream changes


Felix Moessbauer

Mar 26, 2026, 4:20:28 AM (10 days ago) Mar 26
to isar-...@googlegroups.com, jan.k...@siemens.com, Felix Moessbauer
This series goes on top of: merge_wic_sbom: fix merging of multiple SBOMs,
but is otherwise independent.

The related inconsistencies have been found on isar-cip-core tests
(kas-cip.yml:kas/board/x86-uefi.yml:kas/opt/rt.yml:kas/opt/test.yml:kas/opt/trixie.yml)
where the IMAGE_FULLNAME variable is changed and no longer equal to
ROOTFS_PACKAGE_SUFFIX. Without the patches, the respective CIP variant cannot be built.

PS: would it be possible to have an isar release candidate, to encourage
more downstream layers to start testing?

Best regards,
Felix

Felix Moessbauer (2):
sbom: derive rootfs sbom name from ROOTFS_PACKAGE_SUFFIX
sbom: use ROOTFS_PACKAGE_SUFFIX on merging

meta/classes-recipe/imagetypes_wic.bbclass | 2 +-
meta/classes/sbom.bbclass | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

--
2.53.0

Felix Moessbauer

Mar 26, 2026, 4:20:29 AM (10 days ago) Mar 26
to isar-...@googlegroups.com, jan.k...@siemens.com, Felix Moessbauer
Previously we open coded the name of the rootfs image, however this
breaks in case the name is changed in a downstream layer. We now
directly use the ROOTFS_PACKAGE_SUFFIX variable.

Signed-off-by: Felix Moessbauer <felix.mo...@siemens.com>
---
meta/classes/sbom.bbclass | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes/sbom.bbclass b/meta/classes/sbom.bbclass
index caab3f24..10a99f37 100644
--- a/meta/classes/sbom.bbclass
+++ b/meta/classes/sbom.bbclass
@@ -50,7 +50,7 @@ generate_sbom() {
--bind ${SBOM_CHROOT} / \
--bind ${ROOTFSDIR} /mnt/rootfs \
--bind ${DEPLOY_DIR_SBOM} /mnt/deploy-dir \
- -- debsbom -v generate ${SBOM_DEBSBOM_TYPE_ARGS} -r /mnt/rootfs -o /mnt/deploy-dir/'${PN}-${DISTRO}-${MACHINE}' \
+ -- debsbom -v generate ${SBOM_DEBSBOM_TYPE_ARGS} -r /mnt/rootfs -o /mnt/deploy-dir/'${ROOTFS_PACKAGE_SUFFIX}' \
--distro-name '${SBOM_DISTRO_NAME}' --distro-supplier '${SBOM_DISTRO_SUPPLIER}' \
--distro-version '${SBOM_DISTRO_VERSION}' --distro-arch '${DISTRO_ARCH}' \
--base-distro-vendor '${SBOM_BASE_DISTRO_VENDOR}' \
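Review bot: the output name becomes '${ROOTFS_PACKAGE_SUFFIX}' here, but nothing in this patch (diffstat: 1 file changed) updates the CI lookup, which still builds the expected path from PN, DISTRO and MACHINE in testsuite/cibase.py perform_sbom_test, so SbomTest.test_sbom_rootfs_generate will look for the old '${PN}-${DISTRO}-${MACHINE}.<type>.json' file and fail with a missing file; adjust the test in the same patch. Also worth noting: every rootfs recipe that runs generate_sbom now needs ROOTFS_PACKAGE_SUFFIX set, since an empty value would make -o point at /mnt/deploy-dir/ itself.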
--
2.53.0

Felix Moessbauer

Mar 26, 2026, 4:20:30 AM (10 days ago) Mar 26
to isar-...@googlegroups.com, jan.k...@siemens.com, Felix Moessbauer
Previously we used the IMAGE_FULLNAME, which is normally identical with
the ROOTFS_PACKAGE_SUFFIX. However some downstream layers like cip
append to the IMAGE_FULLNAME variable while keeping the
ROOTFS_PACKAGE_SUFFIX as is. This breaks the sbom merging, as rootfs
SBOM is created under the ROOTFS_PACKAGE_SUFFIX name.

Signed-off-by: Felix Moessbauer <felix.mo...@siemens.com>
---
meta/classes-recipe/imagetypes_wic.bbclass | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes-recipe/imagetypes_wic.bbclass b/meta/classes-recipe/imagetypes_wic.bbclass
index f31ea61f..daa6f867 100644
--- a/meta/classes-recipe/imagetypes_wic.bbclass
+++ b/meta/classes-recipe/imagetypes_wic.bbclass
@@ -219,7 +219,7 @@ merge_wic_sbom() {
INITRAMFS_FULLNAME="${@ d.getVar('INITRD_DEPLOY_FILE').removesuffix('-initrd.img') }"
sbom_document_uuid="${@d.getVar('SBOM_DOCUMENT_UUID') or generate_document_uuid(d, False)}"

- cat ${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.$BOMTYPE.json \
+ cat ${DEPLOY_DIR_IMAGE}/${ROOTFS_PACKAGE_SUFFIX}.$BOMTYPE.json \
${@ '${DEPLOY_DIR_IMAGE}/$INITRAMFS_FULLNAME.$BOMTYPE.json' if d.getVar('IMAGE_INITRD') else '' } \
${WORKDIR}/imager.$BOMTYPE.json 2>/dev/null | \
bwrap \
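Review bot: with the rootfs SBOM now read from ${ROOTFS_PACKAGE_SUFFIX}.$BOMTYPE.json, any remaining mismatch between this path and the name generate_sbom writes is masked by the `2>/dev/null` on the cat: a missing rootfs file silently drops its packages from the merged SBOM instead of failing the task, producing an incomplete SBOM that still looks valid. Consider checking the rootfs SBOM exists before the cat (e.g. `[ -f "${DEPLOY_DIR_IMAGE}/${ROOTFS_PACKAGE_SUFFIX}.$BOMTYPE.json" ] || bbfatal "rootfs SBOM missing"`) and keeping the redirect only for the optional imager.$BOMTYPE.json input.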
--
2.53.0

Zhihang Wei

Mar 27, 2026, 7:13:19 AM (9 days ago) Mar 27
to Felix Moessbauer, isar-...@googlegroups.com, jan.k...@siemens.com


On 3/26/26 09:20, 'Felix Moessbauer' via isar-users wrote:
> This series goes on top of: merge_wic_sbom: fix merging of multiple SBOMs,
> but is otherwise independent.
>
> The related inconsistencies have been found on isar-cip-core tests
> (kas-cip.yml:kas/board/x86-uefi.yml:kas/opt/rt.yml:kas/opt/test.yml:kas/opt/trixie.yml)
> where the IMAGE_FULLNAME variable is changed and no longer equal to
> ROOTFS_PACKAGE_SUFFIX. Without the patches, the respective CIP variant cannot be built.
>
> PS: would it be possible to have an isar release candidate, to encourage
> more downstream layers to start testing?
I'll get back to you later on this.
> Best regards,
> Felix
>
> Felix Moessbauer (2):
> sbom: derive rootfs sbom name from ROOTFS_PACKAGE_SUFFIX
> sbom: use ROOTFS_PACKAGE_SUFFIX on merging
>
> meta/classes-recipe/imagetypes_wic.bbclass | 2 +-
> meta/classes/sbom.bbclass | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
Failed on fast CI "citest.py:SbomTest.test_sbom_rootfs_generate":

[stdlog] 2026-03-27 11:46:36,083 avocado.test cibuilder L0345 INFO | NOTE: Tasks Summary: Attempted 486 tasks of which 0 didn't need to be rerun and all succeeded.
[stdlog] 2026-03-27 11:46:37,373 BitBake main L0465 INFO | Starting bitbake server...
[stdlog] 2026-03-27 11:46:40,159 avocado.test cibase L0162 INFO | Check cdx SBOM in /build/isar_wzh_devel_1z_others/15/build/tmp/deploy/images/qemuamd64/isar-rootfs-ci-debian-bookworm-qemuamd64.cdx.json
[stdlog] 2026-03-27 11:46:40,159 avocado.test stacktrace L0040 ERROR|
[stdlog] 2026-03-27 11:46:40,159 avocado.test stacktrace L0042 ERROR| Reproduced traceback from: /tmp/avocado_venv/lib/python3.11/site-packages/avocado/core/test.py:638
[stdlog] 2026-03-27 11:46:40,159 avocado.test stacktrace L0049 ERROR| Traceback (most recent call last):
[stdlog] 2026-03-27 11:46:40,159 avocado.test stacktrace L0049 ERROR|   File "/build/isar_wzh_devel_1z_others/15/testsuite/citest.py", line 1092, in test_sbom_rootfs_generate
[stdlog] 2026-03-27 11:46:40,159 avocado.test stacktrace L0049 ERROR|     self.perform_sbom_test(targets)
[stdlog] 2026-03-27 11:46:40,159 avocado.test stacktrace L0049 ERROR|   File "/build/isar_wzh_devel_1z_others/15/testsuite/cibase.py", line 163, in perform_sbom_test
[stdlog] 2026-03-27 11:46:40,159 avocado.test stacktrace L0049 ERROR|     with open(sbom_path) as f:
[stdlog] 2026-03-27 11:46:40,160 avocado.test stacktrace L0049 ERROR|          ^^^^^^^^^^^^^^^
[stdlog] 2026-03-27 11:46:40,160 avocado.test stacktrace L0049 ERROR| FileNotFoundError: [Errno 2] No such file or directory: '/build/isar_wzh_devel_1z_others/15/build/tmp/deploy/images/qemuamd64/isar-rootfs-ci-debian-bookworm-qemuamd64.cdx.json'

To redo the test on your machine using avocado:
1. Have a clean clone of isar, checkout to branch next and apply your
patches:
$ git clone -b next https://github.com/ilbers/isar.git
$ cd isar
$ git am /path-to/0001-my-contribution-to-isar.patch
2. Run kas shell, setup CI prerequisites (avocado, qemu) and cleanup:
$ ./kas/kas-container shell kas/isar.yaml --command \
    "rm -rf /work/build/conf && /work/scripts/ci_setup.sh"
3. Run the failed test:
$ cd /work/testsuite
$ avocado run citest.py:SbomTest.test_sbom_rootfs_generate

Zhihang


Felix Moessbauer

Mar 31, 2026, 3:39:11 AM (5 days ago) Mar 31
to isar-...@googlegroups.com, jan.k...@siemens.com, w...@ilbers.de, Felix Moessbauer
Previously we open coded the name of the rootfs image, however this
breaks in case the name is changed in a downstream layer. We now
directly use the ROOTFS_PACKAGE_SUFFIX variable.

By that, we also adjust the sbom test, as SBOMs generated for non image
rootfs have a different ROOTFS_PACKAGE_SUFFIX.

Signed-off-by: Felix Moessbauer <felix.mo...@siemens.com>
---
meta/classes/sbom.bbclass | 2 +-
testsuite/cibase.py | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/meta/classes/sbom.bbclass b/meta/classes/sbom.bbclass
index caab3f24..10a99f37 100644
--- a/meta/classes/sbom.bbclass
+++ b/meta/classes/sbom.bbclass
@@ -50,7 +50,7 @@ generate_sbom() {
--bind ${SBOM_CHROOT} / \
--bind ${ROOTFSDIR} /mnt/rootfs \
--bind ${DEPLOY_DIR_SBOM} /mnt/deploy-dir \
- -- debsbom -v generate ${SBOM_DEBSBOM_TYPE_ARGS} -r /mnt/rootfs -o /mnt/deploy-dir/'${PN}-${DISTRO}-${MACHINE}' \
+ -- debsbom -v generate ${SBOM_DEBSBOM_TYPE_ARGS} -r /mnt/rootfs -o /mnt/deploy-dir/'${ROOTFS_PACKAGE_SUFFIX}' \
--distro-name '${SBOM_DISTRO_NAME}' --distro-supplier '${SBOM_DISTRO_SUPPLIER}' \
--distro-version '${SBOM_DISTRO_VERSION}' --distro-arch '${DISTRO_ARCH}' \
--base-distro-vendor '${SBOM_BASE_DISTRO_VENDOR}' \
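Review bot: this renames a deployed artifact: the rootfs SBOM under DEPLOY_DIR_SBOM moves from ${PN}-${DISTRO}-${MACHINE}.<type>.json to ${ROOTFS_PACKAGE_SUFFIX}.<type>.json, a file name downstream tooling may consume directly. The commit message should spell out the old and new names (it currently only says the name is "no longer open coded"), and if the project keeps a changelog for recipe-facing changes this deserves an entry, since per the v2 message SBOMs of non-image rootfs now get a different name than before.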
diff --git a/testsuite/cibase.py b/testsuite/cibase.py
index fd6a3df9..3205b4be 100755
--- a/testsuite/cibase.py
+++ b/testsuite/cibase.py
@@ -154,11 +154,11 @@ class CIBaseTest(CIBuilder):
)

for t in targets:
- ds, pn, distro, machine = \
- CIUtils.getVars('DEPLOY_DIR_SBOM', 'PN', 'DISTRO', 'MACHINE',
+ ds, rootfs_name = \
+ CIUtils.getVars('DEPLOY_DIR_SBOM', 'ROOTFS_PACKAGE_SUFFIX',
target=t)
for t in ["cdx", "spdx"]:
- sbom_path = os.path.join(ds, f'{pn}-{distro}-{machine}.{t}.json')
+ sbom_path = os.path.join(ds, f'{rootfs_name}.{t}.json')
self.log.info(f"Check {t} SBOM in {sbom_path}")
with open(sbom_path) as f:
sbom = json.load(f)
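Review bot: the inner loop `for t in ["cdx", "spdx"]:` reuses `t` and shadows the target from the outer `for t in targets:`; since this hunk already rewrites the lines between the two loops, rename the inner variable (e.g. `bomtype`) and use it in the f-string and the log message. The path construction itself now matches the name generate_sbom writes.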
--
2.53.0

Felix Moessbauer

Mar 31, 2026, 3:39:11 AM (5 days ago) Mar 31
to isar-...@googlegroups.com, jan.k...@siemens.com, w...@ilbers.de, Felix Moessbauer
The related inconsistencies have been found on isar-cip-core tests
(kas-cip.yml:kas/board/x86-uefi.yml:kas/opt/rt.yml:kas/opt/test.yml:kas/opt/trixie.yml)
where the IMAGE_FULLNAME variable is changed and no longer equal to
ROOTFS_PACKAGE_SUFFIX. Without the patches, the respective CIP variant cannot be built.

This patch should go into the v1.0 release, as it is critical for isar-cip-core
(rc-1 fails on CIP).

Changes since v1:

- rebased onto next
- adjusted test case to new (consistent) naming
- no code changes

Best regards,
Felix

Felix Moessbauer (2):
sbom: derive rootfs sbom name from ROOTFS_PACKAGE_SUFFIX
sbom: use ROOTFS_PACKAGE_SUFFIX on merging

meta/classes-recipe/imagetypes_wic.bbclass | 2 +-
meta/classes/sbom.bbclass | 2 +-
testsuite/cibase.py | 6 +++---
3 files changed, 5 insertions(+), 5 deletions(-)

--
2.53.0

Felix Moessbauer

Mar 31, 2026, 3:39:14 AM (5 days ago) Mar 31
to isar-...@googlegroups.com, jan.k...@siemens.com, w...@ilbers.de, Felix Moessbauer
Previously we used the IMAGE_FULLNAME, which is normally identical with
the ROOTFS_PACKAGE_SUFFIX. However some downstream layers like cip
append to the IMAGE_FULLNAME variable while keeping the
ROOTFS_PACKAGE_SUFFIX as is. This breaks the sbom merging, as rootfs
SBOM is created under the ROOTFS_PACKAGE_SUFFIX name.

Signed-off-by: Felix Moessbauer <felix.mo...@siemens.com>
---

Zhihang Wei

Mar 31, 2026, 3:40:50 AM (5 days ago) Mar 31
to Felix Moessbauer, isar-...@googlegroups.com, jan.k...@siemens.com


On 3/31/26 09:38, Felix Moessbauer wrote:
> The related inconsistencies have been found on isar-cip-core tests
> (kas-cip.yml:kas/board/x86-uefi.yml:kas/opt/rt.yml:kas/opt/test.yml:kas/opt/trixie.yml)
> where the IMAGE_FULLNAME variable is changed and no longer equal to
> ROOTFS_PACKAGE_SUFFIX. Without the patches, the respective CIP variant cannot be built.
>
> This patch should go into the v1.0 release, as it is critical for isar-cip-core
> (rc-1 fails on CIP).
Noted. On CI now.

Zhihang

Zhihang Wei

Apr 1, 2026, 4:00:36 AM (4 days ago) Apr 1
to Felix Moessbauer, isar-...@googlegroups.com, jan.k...@siemens.com


On 3/31/26 09:40, Zhihang Wei wrote:
>
>
> On 3/31/26 09:38, Felix Moessbauer wrote:
>> The related inconsistencies have been found on isar-cip-core tests
>> (kas-cip.yml:kas/board/x86-uefi.yml:kas/opt/rt.yml:kas/opt/test.yml:kas/opt/trixie.yml)
>>
>> where the IMAGE_FULLNAME variable is changed and no longer equal to
>> ROOTFS_PACKAGE_SUFFIX. Without the patches, the respective CIP
>> variant cannot be built.
>>
>> This patch should go into the v1.0 release, as it is critical for
>> isar-cip-core
>> (rc-1 fails on CIP).
> Noted. On CI now.
>
> Zhihang
Passed with CI, will be merged soon.

Zhihang Wei

Apr 1, 2026, 11:43:34 AM (4 days ago) Apr 1
to Felix Moessbauer, isar-...@googlegroups.com, jan.k...@siemens.com
Applied to next, thanks.

Zhihang
