Skip to content

SBOM patch series v4#2

Open
augelu-tng wants to merge 15 commits into
sbom-patch-seriesfrom
sbom-patch-series-v4
Open

SBOM patch series v4#2
augelu-tng wants to merge 15 commits into
sbom-patch-seriesfrom
sbom-patch-series-v4

Conversation

@augelu-tng
Copy link
Copy Markdown
Owner

@augelu-tng augelu-tng commented Feb 3, 2026
edited
Loading

Changes compared to v3:

  • Move KernelSbom to scripts/ directory.
  • use $(Q), $(PYTHON3) in scripts/sbom/Makefile
  • Create new first commit which includes only the documentation. Replace Readme with "A proper documentation file" as requested in 20260203004032.GA52989)

@augelu-tng augelu-tng force-pushed the sbom-patch-series-v4 branch 3 times, most recently from 50975db to c8ee4a0 Compare February 6, 2026 13:17
@augelu-tng
scripts/sbom: add documentation
dc91142 
Assisted-by: Claude Sonnet 4.5
Assisted-by: GLM-4.7
Co-developed-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Luis Augenstein <luis.augenstein@tngtech.com>
@augelu-tng
scripts/sbom: integrate script in make process
3d9c960 
integrate SBOM script into the kernel build process.

Assisted-by: Claude Sonnet 4.5
Assisted-by: GLM-4.7
Co-developed-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Luis Augenstein <luis.augenstein@tngtech.com>
@augelu-tng
scripts/sbom: setup sbom logging
e00358f 
Add logging infrastructure for warnings and errors.
Errors and warnings are accumulated and summarized in the end.

Assisted-by: Claude Sonnet 4.5
Assisted-by: GLM-4.7
Co-developed-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Luis Augenstein <luis.augenstein@tngtech.com>
@augelu-tng
scripts/sbom: add command parsers
5219294 
Implement savedcmd_parser module for extracting input files
from kernel build commands.

Assisted-by: Claude Sonnet 4.5
Assisted-by: GLM-4.7
Co-developed-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Luis Augenstein <luis.augenstein@tngtech.com>
@augelu-tng
scripts/sbom: add cmd graph generation
b651e77 
Implement command graph generation by parsing .cmd files to build a
dependency graph.
Add CmdGraph, CmdGraphNode, and .cmd file parsing.
Supports generating a flat list of used source files via the
--generate-used-files cli argument.

Assisted-by: Claude Sonnet 4.5
Assisted-by: GLM-4.7
Co-developed-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Luis Augenstein <luis.augenstein@tngtech.com>
@augelu-tng
scripts/sbom: add additional dependency sources for cmd graph
9b11c18 
Add hardcoded dependencies and .incbin directive parsing to
discover dependencies not tracked by .cmd files.

Assisted-by: Claude Sonnet 4.5
Assisted-by: GLM-4.7
Co-developed-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Luis Augenstein <luis.augenstein@tngtech.com>
@augelu-tng
scripts/sbom: add SPDX classes
2298093 
Implement Python dataclasses to model the SPDX classes
required within an SPDX document. The class and property
names are consistent with the SPDX 3.0.1 specification.

Assisted-by: Claude Sonnet 4.5
Assisted-by: GLM-4.7
Co-developed-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Luis Augenstein <luis.augenstein@tngtech.com>
@augelu-tng
scripts/sbom: add JSON-LD serialization
ebd7fdf 
Add infrastructure to serialize an SPDX graph as a JSON-LD
document. NamespaceMaps in the SPDX document are converted
to custom prefixes in the @context field of the JSON-LD output.

The SBOM tool uses NamespaceMaps solely to shorten SPDX IDs,
avoiding repetition of full namespace URIs by using short prefixes.

Assisted-by: Claude Sonnet 4.5
Assisted-by: GLM-4.7
Co-developed-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Luis Augenstein <luis.augenstein@tngtech.com>
@augelu-tng
scripts/sbom: add shared SPDX elements
7248012 
Implement shared SPDX elements used in all three documents.

Assisted-by: Claude Sonnet 4.5
Assisted-by: GLM-4.7
Co-developed-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Luis Augenstein <luis.augenstein@tngtech.com>
@augelu-tng
scripts/sbom: collect file metadata
e6894a6 
Implement the kernel_file module that collects file metadata,
including license identifier for source files, SHA-256 hash,
Git blob object ID, an estimation of the file type, and
whether files belong to the source, build, or output SBOM.

Assisted-by: Claude Sonnet 4.5
Assisted-by: GLM-4.7
Co-developed-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Luis Augenstein <luis.augenstein@tngtech.com>
@augelu-tng
scripts/sbom: add SPDX output graph
cf59aaf 
Implement the SPDX output graph which contains the distributable
build outputs and high level metadata about the build.

Assisted-by: Claude Sonnet 4.5
Assisted-by: GLM-4.7
Co-developed-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Luis Augenstein <luis.augenstein@tngtech.com>
@augelu-tng
scripts/sbom: add SPDX source graph
1130711 
Implement the SPDX source graph which contains all source files
involved during the build, along with the licensing information
for each file.

Assisted-by: Claude Sonnet 4.5
Assisted-by: GLM-4.7
Co-developed-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Luis Augenstein <luis.augenstein@tngtech.com>
@augelu-tng
scripts/sbom: add SPDX build graph
c0810de 
Implement the SPDX build graph to describe the relationships
between source files in the source SBOM and output files in
the output SBOM.

Assisted-by: Claude Sonnet 4.5
Assisted-by: GLM-4.7
Co-developed-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Luis Augenstein <luis.augenstein@tngtech.com>
@augelu-tng
scripts/sbom: add unit tests for command parsers
6b6d0fb 
Add unit tests to verify that command parsers correctly extract
input files from build commands.

Assisted-by: Claude Sonnet 4.5
Assisted-by: GLM-4.7
Co-developed-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Luis Augenstein <luis.augenstein@tngtech.com>
@augelu-tng
scripts/sbom: add unit tests for SPDX-License-Identifier parsing
89f17c1 
Verify that SPDX-License-Identifier headers at the top of source files
are parsed correctly.

Assisted-by: Claude Sonnet 4.5
Assisted-by: GLM-4.7
Co-developed-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Luis Augenstein <luis.augenstein@tngtech.com>
@augelu-tng augelu-tng force-pushed the sbom-patch-series-v4 branch from c8ee4a0 to 89f17c1 Compare February 9, 2026 19:28
@augelu-tng augelu-tng mentioned this pull request Mar 22, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@augelu-tng