[{"id":3669139,"web_url":"http://patchwork.ozlabs.org/comment/3669139/","msgid":"<20260325150226.389096-1-thomas.perale@mind.be>","list_archive_url":null,"date":"2026-03-25T15:02:26","subject":"Re: [Buildroot] [PATCH v3 5/5] utils/generate-cyclonedx: add hashes\n from .hash files to externalReferences","submitter":{"id":87308,"url":"http://patchwork.ozlabs.org/api/people/87308/","name":"Thomas Perale","email":"thomas.perale@mind.be"},"content":"Acked-By: Thomas Perale \n\nIn reply of:\n> BSI TR-03183-2 5.2.5 [1] lists the \"Hash value of the source code of the\n> component\" under \"Optional data fields for each component\", and as such\n> CycloneDX \"MAY additionally include the [...] information, if it exists\".\n> \n> As hash values are available in Buildroot, iterate over .hash file paths\n> from show-info input and read hash values for the source distribution. Add\n> all found hashes to externalReferences source-distribution entries.\n> \n> [1] https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03183/BSI-TR-03183-2_v2_1_0.pdf?__blob=publicationFile&v=5\n> \n> Signed-off-by: Martin Willi \n\n> ---\n> .../tests/utils/test_generate_cyclonedx.py | 42 +++++++++++++++++++\n> utils/generate-cyclonedx | 34 +++++++++++++++\n> 2 files changed, 76 insertions(+)\n> \n> diff --git a/support/testing/tests/utils/test_generate_cyclonedx.py b/support/testing/tests/utils/test_generate_cyclonedx.py\n> index 9c2bd2bc9180..29f492803e10 100644\n> --- a/support/testing/tests/utils/test_generate_cyclonedx.py\n> +++ b/support/testing/tests/utils/test_generate_cyclonedx.py\n> @@ -164,3 +164,45 @@ class TestGenerateCycloneDX(unittest.TestCase):\n> }\n> ],\n> )\n> +\n> + def test_external_references_hashes(self):\n> + with tempfile.TemporaryDirectory() as tmpdir:\n> + hash_file = Path(tmpdir) / \"foo.hash\"\n> + hash_file.write_text(\n> + \"# source archive checksums\\n\"\n> + \"sha256 1111111111111111111111111111111111111111111111111111111111111111 foo-1.2.tar.gz\\n\"\n> + \"sha1 2222222222222222222222222222222222222222 foo-1.2.tar.gz\\n\"\n> + \"sha256 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa LICENSE\\n\"\n> + )\n> +\n> + info = self._make_show_info()\n> + info[\"package-foo\"][\"hashes\"] = [str(hash_file)]\n> + info[\"package-foo\"][\"downloads\"] = [\n> + {\n> + \"source\": \"foo-1.2.tar.gz\",\n> + \"uris\": [\"http|https+https://mirror.example.org/foo\"],\n> + },\n> + ]\n> +\n> + result = self._run_script(show_info=info)\n> +\n> + foo = self._find_component(result, \"package-foo\")\n> + self.assertEqual(\n> + foo[\"externalReferences\"],\n> + [\n> + {\n> + \"type\": \"source-distribution\",\n> + \"url\": \"https://mirror.example.org/foo/foo-1.2.tar.gz\",\n> + \"hashes\": [\n> + {\n> + \"alg\": \"SHA-256\",\n> + \"content\": \"1111111111111111111111111111111111111111111111111111111111111111\",\n> + },\n> + {\n> + \"alg\": \"SHA-1\",\n> + \"content\": \"2222222222222222222222222222222222222222\",\n> + },\n> + ],\n> + }\n> + ],\n> + )\n> diff --git a/utils/generate-cyclonedx b/utils/generate-cyclonedx\n> index 3946380ae3ef..4ef0548bae51 100755\n> --- a/utils/generate-cyclonedx\n> +++ b/utils/generate-cyclonedx\n> @@ -278,6 +278,39 @@ def usable_download_uris(uris: list[str]) -> Iterator[str]:\n> yield parts[1]\n> \n> \n> +def cyclonedx_source_hashes(comp, source):\n> + \"\"\"Create CycloneDX hashes for a source distribution.\n> +\n> + Args:\n> + comp (dict): The component information from the show-info output.\n> + source (str): The source distribution filename to look for in the hash file.\n> + Returns:\n> + dict: Hash information in CycloneDX format, or empty dict\n> + \"\"\"\n> + mapping = {\n> + \"sha1\": \"SHA-1\",\n> + \"sha256\": \"SHA-256\",\n> + \"sha512\": \"SHA-512\",\n> + \"md5\": \"MD5\",\n> + }\n\nNIT: Use `MAPPING` to show it's a constant ?\n\n> +\n> + hashes = []\n> + for hash_file in comp.get(\"hashes\", []):\n> + with Path(hash_file).open() as f:\n> + for line in f:\n> + line = line.strip()\n> + if not line.startswith(\"#\") and line.endswith(f\" {source}\"):\n> + parts = line.split()\n> + if len(parts) >= 3 and parts[0] in mapping:\n> + hashes.append({\n> + \"alg\": mapping[parts[0]],\n> + \"content\": parts[1],\n> + })\n> + if hashes:\n> + return {\"hashes\": hashes}\n> + return {}\n> +\n> +\n> def cyclonedx_external_refs(comp):\n> \"\"\"Create CycloneDX external references for a component.\n> \n> @@ -294,6 +327,7 @@ def cyclonedx_external_refs(comp):\n> {\n> \"type\": \"source-distribution\",\n> \"url\": f\"{uri}/{source}\",\n> + **cyclonedx_source_hashes(comp, source),\n> }\n> ]\n> }\n> -- \n> 2.43.0\n> \n> _______________________________________________\n> buildroot mailing list\n> buildroot@buildroot.org\n> https://lists.buildroot.org/mailman/listinfo/buildroot","headers":{"Return-Path":"","X-Original-To":["incoming-buildroot@patchwork.ozlabs.org","buildroot@buildroot.org"],"Delivered-To":["patchwork-incoming-buildroot@legolas.ozlabs.org","buildroot@buildroot.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=Gkul5WC9;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=2605:bc80:3010::138; helo=smtp1.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)"],"Received":["from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fgqrq2Gd8z1xy3\n\tfor ;\n Thu, 26 Mar 2026 02:02:35 +1100 (AEDT)","from localhost (localhost [127.0.0.1])\n\tby smtp1.osuosl.org (Postfix) with ESMTP id E37B381F11;\n\tWed, 25 Mar 2026 15:02:33 +0000 (UTC)","from smtp1.osuosl.org ([127.0.0.1])\n by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id 4wlgsaRWBMWu; Wed, 25 Mar 2026 15:02:33 +0000 (UTC)","from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp1.osuosl.org (Postfix) with ESMTP id DECDF81F44;\n\tWed, 25 Mar 2026 15:02:32 +0000 (UTC)","from smtp2.osuosl.org (smtp2.osuosl.org [140.211.166.133])\n by lists1.osuosl.org (Postfix) with ESMTP id D95C81D3\n for ; Wed, 25 Mar 2026 15:02:31 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp2.osuosl.org (Postfix) with ESMTP id BF67F40767\n for ; Wed, 25 Mar 2026 15:02:31 +0000 (UTC)","from smtp2.osuosl.org ([127.0.0.1])\n by localhost (smtp2.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id 0sdCeLPfyOys for ;\n Wed, 25 Mar 2026 15:02:30 +0000 (UTC)","from mail-wm1-x336.google.com (mail-wm1-x336.google.com\n [IPv6:2a00:1450:4864:20::336])\n by smtp2.osuosl.org (Postfix) with ESMTPS id 214C1405FF\n for ; Wed, 25 Mar 2026 15:02:29 +0000 (UTC)","by mail-wm1-x336.google.com with SMTP id\n 5b1f17b1804b1-4853c1ca73aso25321215e9.2\n for ; Wed, 25 Mar 2026 08:02:29 -0700 (PDT)","from arch ([79.132.232.220]) by smtp.gmail.com with ESMTPSA id\n 5b1f17b1804b1-487172f909asm32602745e9.6.2026.03.25.08.02.27\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Wed, 25 Mar 2026 08:02:27 -0700 (PDT)"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver= ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp1.osuosl.org DECDF81F44","OpenDKIM Filter v2.11.0 smtp2.osuosl.org 214C1405FF"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; t=1774450953;\n\tbh=E5TGeXlilMpn9+ZXRgzpvZz+2OBFHNQ6uwiPnRnV5Jw=;\n\th=To:Cc:Date:In-Reply-To:References:Subject:List-Id:\n\t List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:\n\t From:Reply-To:From;\n\tb=Gkul5WC95ho7u/+eAG7o338zJErdTM30nJb7Sjshl/Tf+3+zPxHC78zzhSS87zj0F\n\t dpBolO0DMcOhNyWa4Z2UKuBc30+aE1eK/K3WfPRV5H8c121xn4+vHTDXv9q6PBTjUR\n\t V2S+l/aT884EVGco5SCYz6gcfmYXwQfihmsLQMhyJjNzB8/TGinDtheIQ63n2rK12Z\n\t 4jeSUPfkjvLkzq48PAyDL/haH2oEA1NL+sIBehAG/pqHOJcdg9YTa6d1w/kdu2kxze\n\t oxsInaDT+K5KiXWWoH2x3ouJPcSyWeWLQo3rw/iz8ZRHlygKDtSVkLBrBdhYyYADaG\n\t bF4AaKCDBLwsA==","Received-SPF":"Pass (mailfrom) identity=mailfrom;\n client-ip=2a00:1450:4864:20::336; helo=mail-wm1-x336.google.com;\n envelope-from=thomas.perale@essensium.com; receiver=","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp2.osuosl.org 214C1405FF","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1774450948; x=1775055748;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from\n :to:cc:subject:date:message-id:reply-to;\n bh=m5Nb4pPC9w1OTdN+I0GrsjadiI6lZv2atH3a70dxArs=;\n b=qLQ+1El4lxNv1z395gsPJ3e5r2XwTrsUE1UhTwTsp+VTvSs3X71wF+2KuUJhTHYDsP\n 5cmkjNINsmD3lQu814uWwsZNirnvqGKEhiEgGrOEKvkz7SbFVtq4VXDMofyM3u37+H9x\n /GSrYN9JlXNjXlJr3EKl/hnsDXxxPgpCKbuBRlb42+w7Om0hNw3nGLSJaEBgAQB1Is4H\n OU2anmfRG+TdgMbu9mMg62Zz4lXYHqTwZ+fAgOyLmcga/wQLH2pTDg+svSx3NmeCIltj\n adRB/+2cvABh9r7T69sUCN3m2Wgh3qR7XPrBqDP+LlehzNxOw6ooLLFGGMPZiurDPmPo\n xbgA==","X-Forwarded-Encrypted":"i=1;\n AJvYcCWrqghPYYklVAdqdi7bl29I6yXu8sf6ZhN/y5fx60LKlJePRJEz9Rr1h6GOmU6DBR5OihLIjm01wp0=@buildroot.org","X-Gm-Message-State":"AOJu0YybBAj08+DGM4Gr/0L9PJN0+oicNkjOvqNZHM++yT3op5AMmq94\n 331DxIefpiwk8K20q5JgXdhqRPzP4oi5y6BmAaXwymVgrag2xH3yaM4TupOXGYbt0rk=","X-Gm-Gg":"ATEYQzxbBnnRI08PUT/+AcsAuq4zGGVXFARF023d+zVS7CbsWaOMynEtsV07PXANCbd\n Nw7IEhXQovTMdWPBLBA9WF4/40vaGEej/gf7Sn6ruE1Yzvqziq8198v+r2jxHD3SUfaFQdq6XrU\n E+7h2kcJbj4jywICvDJvhD1/AYUv/FmVu1na97PmRUcc9xVFMCnEvMetShXWaXSL404kD6V55BT\n pmeGtgyV2lem3fDwwYNV5KnkIvMqRYboUc3GoKjG01DIBGfNAEHMtImO+/kzDZY5tG5Oti2ZvWC\n KGPSmPVOAUQdgqXYo9H3jipwnSyQZquJRBKsuVoz7UZYzuV5pSm2UfE0PEYgiQP1ucL/kXl4axX\n MuaiDv9WHb+SB9LX9nY5zF+I/KHttHo8q7PQ6/7bI/8k9hQkntaUBs/Ei23XkvCJqGmTI962AzS\n pbSlP1F7OW8MOdTaxG","X-Received":"by 2002:a05:600c:3491:b0:47e:e076:c7a5 with SMTP id\n 5b1f17b1804b1-48715ff3363mr55678945e9.11.1774450947799;\n Wed, 25 Mar 2026 08:02:27 -0700 (PDT)","To":"Martin Willi ","Cc":"Thomas Perale ,\n\tbuildroot@buildroot.org","Date":"Wed, 25 Mar 2026 16:02:26 +0100","Message-ID":"<20260325150226.389096-1-thomas.perale@mind.be>","X-Mailer":"git-send-email 2.53.0","In-Reply-To":"<20260325133343.1008245-6-martin@strongswan.org>","References":"<20260325133343.1008245-6-martin@strongswan.org>","MIME-Version":"1.0","X-Mailman-Original-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=mind.be; s=google; t=1774450948; x=1775055748; darn=buildroot.org;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:from:to:cc:subject:date\n :message-id:reply-to;\n bh=m5Nb4pPC9w1OTdN+I0GrsjadiI6lZv2atH3a70dxArs=;\n b=QnRy31AxlRNPmDGpQz2fJfTs1qZytRDn6WAAfoWAu67VWr/SovRmSDqiTKW8ZaSn1f\n j8DgOS/JPFZ6F1PMJPHinUaWKFxJCWBm5z70rnrYdKtnQXjUqfmxA8rArA0DswSRzC/3\n 8EwSYHjANC3R/+NeOo3ZJNCK4CdcEwMO27t1hyfeKmve0aChB7leFM7ORob0j4vbNU6R\n pDJTAdG5MQAgEay0FqQkYO6mmKQuJwiM4qQ5AUGmgcJUJDjY6mvo9TckIE4cyNuhJn9u\n x0mWUkY9Dt4WlvtqGsG7JvyusAac+fkOpSjypsjRtrAHTluFI5lCGU98ekkKa50FeFLe\n qBDg==","X-Mailman-Original-Authentication-Results":["smtp2.osuosl.org;\n dmarc=pass (p=quarantine dis=none)\n header.from=mind.be","smtp2.osuosl.org;\n dkim=pass (2048-bit key) header.d=mind.be header.i=@mind.be\n header.a=rsa-sha256 header.s=google header.b=QnRy31Ax"],"Subject":"Re: [Buildroot] [PATCH v3 5/5] utils/generate-cyclonedx: add hashes\n from .hash files to externalReferences","X-BeenThere":"buildroot@buildroot.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Discussion and development of buildroot ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","From":"Thomas Perale via buildroot ","Reply-To":"Thomas Perale ","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Errors-To":"buildroot-bounces@buildroot.org","Sender":"\"buildroot\" "}}]