Skip to content

SBOM patch series v5#3

Open
augelu-tng wants to merge 15 commits into
masterfrom
sbom-patch-series-v5
Open

SBOM patch series v5#3
augelu-tng wants to merge 15 commits into
masterfrom
sbom-patch-series-v5

Conversation

@augelu-tng
Copy link
Copy Markdown
Owner

@augelu-tng augelu-tng commented Mar 29, 2026
edited
Loading

Changes:

  • simplify make integration and move from dedicated Makefile to top level Makefile.
  • add dynamic command parsers that match commands based on make variables, e.g., for CC, LD, AR, NM, OBJCOPY, STRIP
  • add parser for gen-hyprel command
  • remove created cli argument for CreationInfo object. This does not need to be a cli argument. We can just use the latest modified timestamp of the provided root artifacts
  • add --write-output-on-error cli argument to Makefile. This allows people to use the tool by default even if there are some commands that cannot be parsed. (This was for example a problem in https://birdcloud.org/bc/Linux_Kernel_Missing_SPDX_ID_lines_from_build_SBOMs)
  • remove originatedBy property from Package Elements. This was currently set to the KernelSbom agent who created the SBOM. This is likely a wrong usage of the property. If using the property in the future again it should be referencing the Agent who created the Package files.
  • Remove some spdx properties that were defined but not used in the current version.

maxhbr
maxhbr approved these changes Mar 30, 2026
View reviewed changes
Copy link
Copy Markdown

@maxhbr maxhbr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@augelu-tng augelu-tng force-pushed the sbom-patch-series-v5 branch 4 times, most recently from 64e86a5 to 4f704e3 Compare April 1, 2026 11:24
@augelu-tng augelu-tng force-pushed the sbom-patch-series-v5 branch 2 times, most recently from e43ee30 to 2f66893 Compare April 8, 2026 07:10
@augelu-tng augelu-tng changed the base branch from sbom-patch-series-v4 to master April 8, 2026 07:15
@augelu-tng augelu-tng force-pushed the sbom-patch-series-v5 branch 2 times, most recently from bd4b236 to daafd57 Compare April 8, 2026 07:26
@augelu-tng
scripts/sbom: add documentation
62178a5 
Assisted-by: Cursor:claude-sonnet-4-5
Assisted-by: OpenCode:GLM-4-7
Co-developed-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Luis Augenstein <luis.augenstein@tngtech.com>
@augelu-tng
scripts/sbom: integrate script in make process
586ef99 
integrate SBOM script into the kernel build process.

Assisted-by: Cursor:claude-sonnet-4-5
Assisted-by: OpenCode:GLM-4-7
Co-developed-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Luis Augenstein <luis.augenstein@tngtech.com>
@augelu-tng
scripts/sbom: setup sbom logging
03d105f 
Add logging infrastructure for warnings and errors.
Errors and warnings are accumulated and summarized in the end.

Assisted-by: Cursor:claude-sonnet-4-5
Assisted-by: OpenCode:GLM-4-7
Co-developed-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Luis Augenstein <luis.augenstein@tngtech.com>
@augelu-tng augelu-tng force-pushed the sbom-patch-series-v5 branch from daafd57 to 17f2559 Compare April 8, 2026 07:41
@augelu-tng
scripts/sbom: add command parsers
697cd51 
Implement savedcmd_parser module for extracting input files
from kernel build commands.

Assisted-by: Cursor:claude-sonnet-4-5
Assisted-by: OpenCode:GLM-4-7
Co-developed-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Luis Augenstein <luis.augenstein@tngtech.com>
@augelu-tng
scripts/sbom: add cmd graph generation
500f9ef 
Implement command graph generation by parsing .cmd files to build a
dependency graph.
Add CmdGraph, CmdGraphNode, and .cmd file parsing.
Supports generating a flat list of used source files via the
--generate-used-files cli argument.

Assisted-by: Cursor:claude-sonnet-4-5
Assisted-by: OpenCode:GLM-4-7
Co-developed-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Luis Augenstein <luis.augenstein@tngtech.com>
@augelu-tng
scripts/sbom: add additional dependency sources for cmd graph
35df95f 
Add hardcoded dependencies and .incbin directive parsing to
discover dependencies not tracked by .cmd files.

Assisted-by: Cursor:claude-sonnet-4-5
Assisted-by: OpenCode:GLM-4-7
Co-developed-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Luis Augenstein <luis.augenstein@tngtech.com>
@augelu-tng
scripts/sbom: add SPDX classes
89ff5b8 
Implement Python dataclasses to model the SPDX classes
required within an SPDX document. The class and property
names are consistent with the SPDX 3.0.1 specification.

Assisted-by: Cursor:claude-sonnet-4-5
Assisted-by: OpenCode:GLM-4-7
Co-developed-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Luis Augenstein <luis.augenstein@tngtech.com>
@augelu-tng
scripts/sbom: add JSON-LD serialization
89d2933 
Add infrastructure to serialize an SPDX graph as a JSON-LD
document. NamespaceMaps in the SPDX document are converted
to custom prefixes in the @context field of the JSON-LD output.

The SBOM tool uses NamespaceMaps solely to shorten SPDX IDs,
avoiding repetition of full namespace URIs by using short prefixes.

Assisted-by: Cursor:claude-sonnet-4-5
Assisted-by: OpenCode:GLM-4-7
Co-developed-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Luis Augenstein <luis.augenstein@tngtech.com>
@augelu-tng
scripts/sbom: add shared SPDX elements
ce63c20 
Implement shared SPDX elements used in all three documents.

Assisted-by: Cursor:claude-sonnet-4-5
Assisted-by: OpenCode:GLM-4-7
Co-developed-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Luis Augenstein <luis.augenstein@tngtech.com>
@augelu-tng augelu-tng force-pushed the sbom-patch-series-v5 branch from 17f2559 to 8db8914 Compare April 8, 2026 09:40
@augelu-tng
scripts/sbom: collect file metadata
970533e 
Implement the kernel_file module that collects file metadata,
including license identifier for source files, SHA-256 hash,
Git blob object ID, an estimation of the file type, and
whether files belong to the source, build, or output SBOM.

Assisted-by: Cursor:claude-sonnet-4-5
Assisted-by: OpenCode:GLM-4-7
Co-developed-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Luis Augenstein <luis.augenstein@tngtech.com>
@augelu-tng
scripts/sbom: add SPDX output graph
0ad7005 
Implement the SPDX output graph which contains the distributable
build outputs and high level metadata about the build.

Assisted-by: Cursor:claude-sonnet-4-5
Assisted-by: OpenCode:GLM-4-7
Co-developed-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Luis Augenstein <luis.augenstein@tngtech.com>
@augelu-tng
scripts/sbom: add SPDX source graph
7a0a290 
Implement the SPDX source graph which contains all source files
involved during the build, along with the licensing information
for each file.

Assisted-by: Cursor:claude-sonnet-4-5
Assisted-by: OpenCode:GLM-4-7
Co-developed-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Luis Augenstein <luis.augenstein@tngtech.com>
@augelu-tng
scripts/sbom: add SPDX build graph
23cb68b 
Implement the SPDX build graph to describe the relationships
between source files in the source SBOM and output files in
the output SBOM.

Assisted-by: Cursor:claude-sonnet-4-5
Assisted-by: OpenCode:GLM-4-7
Co-developed-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Luis Augenstein <luis.augenstein@tngtech.com>
@augelu-tng
scripts/sbom: add unit tests for command parsers
79bca89 
Add unit tests to verify that command parsers correctly extract
input files from build commands.

Assisted-by: Cursor:claude-sonnet-4-5
Assisted-by: OpenCode:GLM-4-7
Co-developed-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Luis Augenstein <luis.augenstein@tngtech.com>
@augelu-tng
scripts/sbom: add unit tests for SPDX-License-Identifier parsing
5f8c983 
Verify that SPDX-License-Identifier headers at the top of source files
are parsed correctly.

Assisted-by: Cursor:claude-sonnet-4-5
Assisted-by: OpenCode:GLM-4-7
Co-developed-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Luis Augenstein <luis.augenstein@tngtech.com>
@augelu-tng augelu-tng force-pushed the sbom-patch-series-v5 branch from 85154f5 to 5f8c983 Compare April 8, 2026 11:45
@augelu-tng augelu-tng mentioned this pull request May 6, 2026
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@maxhbr maxhbr maxhbr approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@augelu-tng @maxhbr