[PATCH v2 0/3] merge_wic_sbom: fix merging of multiple SBOMs


Felix Moessbauer

Mar 23, 2026, 6:31:39 AM
to isar-...@googlegroups.com, christop...@siemens.com, Felix Moessbauer
Changes since v1:

- restore compatibility with default initrd (no external one)
- align external initramfs name in SBOM with distro name pattern

Best regards,
Felix

Felix Moessbauer (3):
merge_wic_sbom: use local variable instead of global one
merge_wic_sbom: fix name of initrd sbom file when merging
align spelling of sbom initramfs distro name with other components

meta/classes-recipe/imagetypes_wic.bbclass | 13 +++++++++----
meta/classes-recipe/initramfs.bbclass | 2 +-
2 files changed, 10 insertions(+), 5 deletions(-)

--
2.53.0

Felix Moessbauer

Mar 23, 2026, 6:31:39 AM
to isar-...@googlegroups.com, christop...@siemens.com, Felix Moessbauer
The merge_wic_sbom function is called per SBOM type (spdx and cdx).
While the function takes the type as first parameter and assigns it to a
(local) variable, we previously used the parent variable to access the
value. We now clean up this inconsistency.

Signed-off-by: Felix Moessbauer <felix.mo...@siemens.com>
---
meta/classes-recipe/imagetypes_wic.bbclass | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/meta/classes-recipe/imagetypes_wic.bbclass b/meta/classes-recipe/imagetypes_wic.bbclass
index 6b82add3..5adea149 100644
--- a/meta/classes-recipe/imagetypes_wic.bbclass
+++ b/meta/classes-recipe/imagetypes_wic.bbclass
@@ -214,9 +214,9 @@ merge_wic_sbom() {
TIMESTAMP=$(date --iso-8601=s -d @${SOURCE_DATE_EPOCH})
sbom_document_uuid="${@d.getVar('SBOM_DOCUMENT_UUID') or generate_document_uuid(d, False)}"

- cat ${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.${bomtype}.json \
- ${DEPLOY_DIR_IMAGE}/${INITRD_DEPLOY_FILE}.${bomtype}.json \
- ${WORKDIR}/imager.${bomtype}.json 2>/dev/null | \
+ cat ${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.$BOMTYPE.json \
+ ${DEPLOY_DIR_IMAGE}/${INITRD_DEPLOY_FILE}.$BOMTYPE.json \
+ ${WORKDIR}/imager.$BOMTYPE.json 2>/dev/null | \
bwrap \
--unshare-user \
--unshare-pid \
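Review bot: the `2>/dev/null` kept on the last `cat` argument line hides the message `cat` prints when one of the three input files does not exist, and because `cat` is not the last command of the pipeline its exit status is not checked either, so a misnamed or missing SBOM is dropped from the merge without any trace in the log. Since these lines are being touched anyway, consider removing the redirect, or testing each expected file first and failing the task when one is absent. Minor: `$BOMTYPE` and the paths are unquoted.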
@@ -227,5 +227,5 @@ merge_wic_sbom() {
--cdx-serialnumber $sbom_document_uuid \
--spdx-namespace '${SBOM_SPDX_NAMESPACE_PREFIX}'-$sbom_document_uuid \
--timestamp $TIMESTAMP - -o - \
- > ${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.wic.$bomtype.json
+ > ${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.wic.$BOMTYPE.json
}
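Review bot: the output redirect on the final line writes directly to `${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.wic.$BOMTYPE.json`, so when the merge command fails part-way a truncated or empty file is left under the final name in the deploy directory. Writing to a temporary file next to it and renaming on success would avoid that. `$sbom_document_uuid` and `$TIMESTAMP` on the option lines above are also passed unquoted.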
--
2.53.0

Felix Moessbauer

Mar 23, 2026, 6:31:40 AM
to isar-...@googlegroups.com, christop...@siemens.com, Felix Moessbauer
In merge_wic_sbom the rootfs, initrd and imager SBOM are merged. However,
the initrd one was never included, as it was accessed by an incorrect
name.

As there is no common ancestor of the initramfs and image recipe, the name
of the initrd that is generated is only coincidentally coupled with the one
that is imaged. By that, we need to derive the INITRAMFS_FULLNAME variable
(set in initramfs.bbclass) from the INITRD_DEPLOY_FILE variable which
points to the initrd that is imaged.

Fixes: 174dd3e4 ("wic: create uniform SBOM describing all image ...")
Signed-off-by: Felix Moessbauer <felix.mo...@siemens.com>
---
meta/classes-recipe/imagetypes_wic.bbclass | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/meta/classes-recipe/imagetypes_wic.bbclass b/meta/classes-recipe/imagetypes_wic.bbclass
index 5adea149..f31ea61f 100644
--- a/meta/classes-recipe/imagetypes_wic.bbclass
+++ b/meta/classes-recipe/imagetypes_wic.bbclass
@@ -212,10 +212,15 @@ EOIMAGER
merge_wic_sbom() {
BOMTYPE="$1"
TIMESTAMP=$(date --iso-8601=s -d @${SOURCE_DATE_EPOCH})
+ # As there is no common ancestor of the initramfs and image recipe, the name of the
+ # initrd that is generated is only coincidally coupled with the one that is imaged.
+ # By that, we need to derive the INITRAMFS_FULLNAME variable (set in initramfs.bbclass)
+ # from the INITRD_DEPLOY_FILE variable which points to the initrd that is imaged.
+ INITRAMFS_FULLNAME="${@ d.getVar('INITRD_DEPLOY_FILE').removesuffix('-initrd.img') }"
sbom_document_uuid="${@d.getVar('SBOM_DOCUMENT_UUID') or generate_document_uuid(d, False)}"

cat ${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.$BOMTYPE.json \
- ${DEPLOY_DIR_IMAGE}/${INITRD_DEPLOY_FILE}.$BOMTYPE.json \
+ ${@ '${DEPLOY_DIR_IMAGE}/$INITRAMFS_FULLNAME.$BOMTYPE.json' if d.getVar('IMAGE_INITRD') else '' } \
${WORKDIR}/imager.$BOMTYPE.json 2>/dev/null | \
bwrap \
--unshare-user \
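Review bot: in the added `INITRAMFS_FULLNAME=` line, `removesuffix('-initrd.img')` returns its input unchanged when `INITRD_DEPLOY_FILE` does not end in that suffix, and the resulting non-existent path is then hidden by the `2>/dev/null` on the `cat`, which is the same silent omission this patch sets out to fix. The `d.getVar('INITRD_DEPLOY_FILE')` result is also used without a fallback, so it would raise if the variable were unset, while the file argument itself is guarded by `IMAGE_INITRD`. Suggest checking the suffix explicitly and failing with a clear message when it is absent, and failing the task if the derived file is missing while `IMAGE_INITRD` is set. Nit: "coincidally" in the new comment should read "coincidentally".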
--
2.53.0

Felix Moessbauer

Mar 23, 2026, 6:31:41 AM
to isar-...@googlegroups.com, christop...@siemens.com, Felix Moessbauer
All distro-names are written in camel case. The initramfs distro name is
currently not following this pattern (-initramfs vs. -Initramfs), hence
we align it.

Signed-off-by: Felix Moessbauer <felix.mo...@siemens.com>
---
meta/classes-recipe/initramfs.bbclass | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes-recipe/initramfs.bbclass b/meta/classes-recipe/initramfs.bbclass
index 04a18d0c..0fd813b7 100644
--- a/meta/classes-recipe/initramfs.bbclass
+++ b/meta/classes-recipe/initramfs.bbclass
@@ -22,7 +22,7 @@ INITRAMFS_FULLNAME = "${PN}-${DISTRO}-${MACHINE}"
# Bill-of-material
ROOTFS_MANIFEST_DEPLOY_DIR = "${DEPLOY_DIR_IMAGE}"
ROOTFS_PACKAGE_SUFFIX = "${INITRAMFS_FULLNAME}"
-SBOM_DISTRO_NAME:append = "-initramfs"
+SBOM_DISTRO_NAME:append = "-Initramfs"

DEPENDS += "${INITRAMFS_INSTALL}"
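Review bot: the changed `SBOM_DISTRO_NAME:append` value is an identifier written into the generated SBOM, so the switch from `-initramfs` to `-Initramfs` changes a string that downstream tooling may match on or compare against SBOMs from earlier builds. The commit message should state that the output changes, and a changelog entry would help users who key on the old spelling.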

--
2.53.0

Zhihang Wei

Mar 26, 2026, 9:07:25 AM
to Felix Moessbauer, isar-...@googlegroups.com, christop...@siemens.com
Applied to next, thanks.

Zhihang