From: Simon Falsig
To: Bruno Thomsen, "ptxdist@pengutronix.de"
Date: Fri, 3 Nov 2023 07:34:19 +0000
Subject: Re: [ptxdist] [PATCH] RFC: sbom_report: Add support

> -----Original Message-----
> From: Bruno Thomsen
> Sent: Saturday, October 21, 2023 15:52
> Subject: Re: [ptxdist] [PATCH] RFC: sbom_report: Add support
>
> On Mon, 18 Sep 2023 at 16:34, Simon Falsig wrote:
> >
> > From: Simon Falsig
> >
> > This provides support for building SBOMs in CycloneDX format.
> >
> > A target is added alongside the other reports, that (based on the
> > fast-bsp-report) extracts name, version, cpe and license of each
> > target package, and puts these into a final sbom-report in
> > CycloneDX/JSON format.
> >
> > This requires a working Python3 setup with the cyclonedx-bom package
> > installed.
>
> Hi Simon,
>
> I have tested this together with GitLab Dependency Scanning in Ultimate
> SaaS, and it seems to be working well.
>
> Tested-by: Bruno Thomsen
>
> .gitlab-ci.yml example snippet:
>
> -------------8<-------------
>
> ptxdist sbom:
>   stage: build
>   script:
>     - cd ptxdist
>     - ./p sbom-report
>   artifacts:
>     reports:
>       dependency_scanning: /release/sbom-report.json
>
> -------------8<-------------
>
> Thanks for working on this.
>
> /Bruno
>

Thanks, Bruno!

I've sadly not had time to work more on this lately, but am hoping to pick it up again later in November.
A bit stuck on how to properly provide / ensure that the needed Python cyclonedx libraries are available on the system. If anyone has any suggestions, I'd be happy to hear them :)

Best regards,
Simon
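A completeness check for the generated report, as an added example that is not part of the original thread or the patch: it uses only the Python standard library to confirm that each CycloneDX component carries the name, version, cpe and license fields the commit message lists. The name `check_sbom` and the sample SBOM are constructed for illustration.

```python
import json
import re

# CPE 2.3 formatted string (part plus 10 colon-separated fields, "\:" escapes
# allowed) or a CPE 2.2 URI ("cpe:/a:vendor:product...").
CPE = re.compile(r"^cpe:(2\.3:[aoh](:(?:[^:\\]|\\.)+){10}|/[aoh]:.+)$")

# Constructed sample SBOM (not output of the patch under discussion).
SAMPLE = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "components": [
        {"type": "library", "name": "busybox", "version": "1.36.1",
         "cpe": "cpe:2.3:a:busybox:busybox:1.36.1:*:*:*:*:*:*:*",
         "licenses": [{"license": {"id": "GPL-2.0-only"}}]},
        {"type": "library", "name": "zlib", "version": "1.3",
         "licenses": [{"license": {"id": "Zlib"}}]},
        {"type": "application", "name": "my-app", "version": "",
         "cpe": "cpe:2.3:a:example:my-app", "licenses": []},
    ]})

def check_sbom(text):
    """Return (component, problem) pairs for a CycloneDX JSON document."""
    bom = json.loads(text)
    findings = []
    if bom.get("bomFormat") != "CycloneDX":
        findings.append(("<bom>", "bomFormat is not CycloneDX"))
    for comp in bom.get("components", []):
        name = comp.get("name") or "<unnamed>"
        if not comp.get("name"):
            findings.append((name, "missing name"))
        if not comp.get("version"):
            findings.append((name, "missing version"))
        cpe = comp.get("cpe")
        if not cpe:
            # Without a CPE a scanner cannot match the package to advisories.
            findings.append((name, "missing cpe"))
        elif not CPE.match(cpe):
            findings.append((name, "malformed cpe"))
        # A license entry is either an SPDX expression or a license id/name.
        has_license = any(
            entry.get("expression")
            or entry.get("license", {}).get("id")
            or entry.get("license", {}).get("name")
            for entry in comp.get("licenses") or [])
        if not has_license:
            findings.append((name, "missing license"))
    return findings

if __name__ == "__main__":
    for component, problem in check_sbom(SAMPLE):
        print(f"{component}: {problem}")
```

Run as a CI step before the report is uploaded, a non-empty result can fail the job so that packages without a CPE or license are caught before the scanner silently skips them.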