{"id":2221316,"url":"http://patchwork.ozlabs.org/api/1.0/patches/2221316/?format=json","project":{"id":27,"url":"http://patchwork.ozlabs.org/api/1.0/projects/27/?format=json","name":"Buildroot development","link_name":"buildroot","list_id":"buildroot.buildroot.org","list_email":"buildroot@buildroot.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20260409081401.2060709-6-martin@strongswan.org>","date":"2026-04-09T08:14:00","name":"[v4,5/6] utils/generate-cyclonedx: add hashes from .hash files to externalReferences","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"2bd64a775e2f68f3fb5b8ada74c5d9cc31c92e64","submitter":{"id":736,"url":"http://patchwork.ozlabs.org/api/1.0/people/736/?format=json","name":"Martin Willi","email":"martin@strongswan.org"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/buildroot/patch/20260409081401.2060709-6-martin@strongswan.org/mbox/","series":[{"id":499252,"url":"http://patchwork.ozlabs.org/api/1.0/series/499252/?format=json","date":"2026-04-09T08:13:57","name":"Extend CycloneDX metadata","version":4,"mbox":"http://patchwork.ozlabs.org/series/499252/mbox/"}],"check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2221316/checks/","tags":{},"headers":{"Return-Path":"","X-Original-To":["incoming-buildroot@patchwork.ozlabs.org","buildroot@buildroot.org"],"Delivered-To":["patchwork-incoming-buildroot@legolas.ozlabs.org","buildroot@buildroot.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=OT3OEQOE;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=140.211.166.137; helo=smtp4.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)"],"Received":["from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4frt5L6MGQz1yD3\n\tfor ;\n Thu, 09 Apr 2026 18:14:46 +1000 (AEST)","from localhost (localhost [127.0.0.1])\n\tby smtp4.osuosl.org (Postfix) with ESMTP id B3BF84107C;\n\tThu, 9 Apr 2026 08:14:35 +0000 (UTC)","from smtp4.osuosl.org ([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id fcsEz2hJsnHC; Thu, 9 Apr 2026 08:14:34 +0000 (UTC)","from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp4.osuosl.org (Postfix) with ESMTP id 58E9A40E08;\n\tThu, 9 Apr 2026 08:14:34 +0000 (UTC)","from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136])\n by lists1.osuosl.org (Postfix) with ESMTP id B1572237\n for ; Thu, 9 Apr 2026 08:14:26 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp3.osuosl.org (Postfix) with ESMTP id 9788360D92\n for ; Thu, 9 Apr 2026 08:14:26 +0000 (UTC)","from smtp3.osuosl.org ([127.0.0.1])\n by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id eTWPF6ik-Oup for ;\n Thu, 9 Apr 2026 08:14:25 +0000 (UTC)","from mail.codelabs.ch (mail.codelabs.ch [IPv6:2a02:168:860f:1::35])\n by smtp3.osuosl.org (Postfix) with ESMTPS id 8220B607E0\n for ; Thu, 9 Apr 2026 08:14:25 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by mail.codelabs.ch (Postfix) with ESMTP id 5D4E75A0008;\n Thu, 09 Apr 2026 10:14:22 +0200 (CEST)","from mail.codelabs.ch ([127.0.0.1])\n by localhost (fenrir.codelabs.ch [127.0.0.1]) (amavis, port 10024) with ESMTP\n id g0F1zGI11IWM; Thu, 9 Apr 2026 10:14:21 +0200 (CEST)","from zbook.wlp.is (unknown [185.12.128.225])\n by mail.codelabs.ch (Postfix) with ESMTPSA id 1A3985A0009;\n Thu, 09 Apr 2026 10:14:18 +0200 (CEST)"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver= ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp4.osuosl.org 58E9A40E08","OpenDKIM Filter v2.11.0 smtp3.osuosl.org 8220B607E0"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; t=1775722474;\n\tbh=Ir5TINTSEQCrHvo+BbE8McJ0zhZWJ048foE9qw0ElAo=;\n\th=From:To:Cc:Date:In-Reply-To:References:Subject:List-Id:\n\t List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:\n\t From;\n\tb=OT3OEQOEKVbpOVM32dOlT1o8JMtthBZPksgP08soK3kfDiZ0RG+AP17pjTInVUBvd\n\t wrhothTzYOMz3HzgD4ZR5hMwovo0pqXjwavnDTrZeIC4LWWek67jISPToCsrpzbEVz\n\t hSx6J9WdquQy0bmE6MZqqp6oeOB9wqivR4YEDlvC3RpQrI808kSmrBUbrVxBlSEsrh\n\t yvit+3VXXuPlSLrskcAQXyql+iPznXvsNzT9gJpoTSMPd4T5JOZ0js8muwyexLQUY6\n\t HtTGWM6/OL/crNfR3/Ml4HudR4aJKMHU691Lqe0ninfJ4G8NB2twshI56OhvRcSG7o\n\t WogEH1eYQvpGw==","Received-SPF":"Pass (mailfrom) identity=mailfrom;\n client-ip=2a02:168:860f:1::35;\n helo=mail.codelabs.ch; envelope-from=martin@strongswan.org;\n receiver=","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp3.osuosl.org 8220B607E0","From":"Martin Willi ","To":"buildroot@buildroot.org","Cc":"Thomas Perale ","Date":"Thu, 9 Apr 2026 10:14:00 +0200","Message-ID":"<20260409081401.2060709-6-martin@strongswan.org>","In-Reply-To":"<20260409081401.2060709-1-martin@strongswan.org>","References":"<20260409081401.2060709-1-martin@strongswan.org>","MIME-Version":"1.0","X-Mailman-Original-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple;\n d=strongswan.org; s=default; t=1775722458;\n bh=CAUEZkjXzNX5e0PljDNKXkrERY6Ohfn+toI7V1z9FhU=;\n h=From:To:Cc:Subject:Date:In-Reply-To:References:From;\n b=n6+ctetOeik1S0Za3qb0CJ4RqsOuV2WYbK4ozXkQixdVkCXCMp0wHA6LY6yGkHt8e\n Z0d9wavXnxxH1FsTLjqBfVlC/SUDHsd538Z3cbba69JsBpxsuMYvVIrglMVKJ08FtY\n 8tTBNX/lJsDg3eddbKwBJOalet8CKFqMr2Wqdf7vaJB3RhzixUvc4kMQ7OrXnfRezL\n 7HxmXRoSpzryxw/rtyYC4fk7qBInxbTFuDdPth6iP2VxR+3DLj9i96fBRocBVJpnns\n ygqqVckfg/086tv8QxoyMb8bwaAGXOFTmRg2rGGmIT5P43xTCDRGi++8bBOjyIcD2c\n gXpimJqej27lg==","X-Mailman-Original-Authentication-Results":["smtp3.osuosl.org;\n dmarc=pass (p=none dis=none)\n header.from=strongswan.org","smtp3.osuosl.org;\n dkim=pass (2048-bit key,\n unprotected) header.d=strongswan.org header.i=@strongswan.org\n header.a=rsa-sha256 header.s=default header.b=n6+ctetO"],"Subject":"[Buildroot] [PATCH v4 5/6] utils/generate-cyclonedx: add hashes\n from .hash files to externalReferences","X-BeenThere":"buildroot@buildroot.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Discussion and development of buildroot ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Errors-To":"buildroot-bounces@buildroot.org","Sender":"\"buildroot\" "},"content":"BSI TR-03183-2 5.2.5 [1] lists the \"Hash value of the source code of the\ncomponent\" under \"Optional data fields for each component\", and as such\nCycloneDX \"MAY additionally include the [...] information, if it exists\".\n\nAs hash values are available in Buildroot, iterate over .hash file paths\nfrom show-info input and read hash values for the source distribution. Add\nall found hashes to externalReferences source-distribution entries.\n\n[1] https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03183/BSI-TR-03183-2_v2_1_0.pdf?__blob=publicationFile&v=5\n\nSigned-off-by: Martin Willi \nAcked-By: Thomas Perale \n---\n .../tests/utils/test_generate_cyclonedx.py | 44 +++++++++++++++++++\n utils/generate-cyclonedx | 34 ++++++++++++++\n 2 files changed, 78 insertions(+)","diff":"diff --git a/support/testing/tests/utils/test_generate_cyclonedx.py b/support/testing/tests/utils/test_generate_cyclonedx.py\nindex a071ff867923..84f94f050760 100644\n--- a/support/testing/tests/utils/test_generate_cyclonedx.py\n+++ b/support/testing/tests/utils/test_generate_cyclonedx.py\n@@ -166,3 +166,47 @@ class TestGenerateCycloneDX(unittest.TestCase):\n },\n ],\n )\n+\n+ def test_external_references_hashes(self):\n+ with tempfile.TemporaryDirectory() as tmpdir:\n+ hash_file = Path(tmpdir) / \"foo.hash\"\n+ hash_file.write_text(\n+ \"# source archive checksums\\n\"\n+ \"sha256 1111111111111111111111111111111111111111111111111111111111111111 foo-1.2.tar.gz\\n\"\n+ \"sha1 2222222222222222222222222222222222222222 foo-1.2.tar.gz\\n\"\n+ \"sha256 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa LICENSE\\n\"\n+ )\n+\n+ info = self._make_show_info()\n+ info[\"package-foo\"][\"hashes\"] = [str(hash_file)]\n+ info[\"package-foo\"][\"downloads\"] = [\n+ {\n+ \"source\": \"foo-1.2.tar.gz\",\n+ \"uris\": [\n+ \"http|https+https://mirror.example.org/foo\",\n+ ],\n+ },\n+ ]\n+\n+ result = self._run_script(show_info=info)\n+\n+ foo = self._find_component(result, \"package-foo\")\n+ self.assertEqual(\n+ foo[\"externalReferences\"],\n+ [\n+ {\n+ \"type\": \"source-distribution\",\n+ \"url\": \"https://mirror.example.org/foo/foo-1.2.tar.gz\",\n+ \"hashes\": [\n+ {\n+ \"alg\": \"SHA-256\",\n+ \"content\": \"1111111111111111111111111111111111111111111111111111111111111111\",\n+ },\n+ {\n+ \"alg\": \"SHA-1\",\n+ \"content\": \"2222222222222222222222222222222222222222\",\n+ },\n+ ],\n+ }\n+ ],\n+ )\ndiff --git a/utils/generate-cyclonedx b/utils/generate-cyclonedx\nindex a3b7293f9a5e..382d91ce55af 100755\n--- a/utils/generate-cyclonedx\n+++ b/utils/generate-cyclonedx\n@@ -283,6 +283,39 @@ def parse_uris(uris: list[str]) -> Iterator[tuple[list[str], str]]:\n yield scheme.split(\"|\"), stripped_uri\n \n \n+def cyclonedx_source_hashes(comp, source):\n+ \"\"\"Create CycloneDX hashes for a source distribution.\n+\n+ Args:\n+ comp (dict): The component information from the show-info output.\n+ source (str): The source distribution filename to look for in the hash file.\n+ Returns:\n+ dict: Hash information in CycloneDX format, or empty dict\n+ \"\"\"\n+ MAPPING = {\n+ \"sha1\": \"SHA-1\",\n+ \"sha256\": \"SHA-256\",\n+ \"sha512\": \"SHA-512\",\n+ \"md5\": \"MD5\",\n+ }\n+\n+ hashes = []\n+ for hash_file in comp.get(\"hashes\", []):\n+ with Path(hash_file).open() as f:\n+ for line in f:\n+ line = line.strip()\n+ if not line.startswith(\"#\") and line.endswith(f\" {source}\"):\n+ parts = line.split()\n+ if len(parts) >= 3 and parts[0] in MAPPING:\n+ hashes.append({\n+ \"alg\": MAPPING[parts[0]],\n+ \"content\": parts[1],\n+ })\n+ if hashes:\n+ return {\"hashes\": hashes}\n+ return {}\n+\n+\n def cyclonedx_external_refs(comp):\n \"\"\"Create CycloneDX external references for a component.\n \n@@ -301,6 +334,7 @@ def cyclonedx_external_refs(comp):\n refs.append({\n \"type\": \"source-distribution\",\n \"url\": f\"{uri}/{source}\",\n+ **cyclonedx_source_hashes(comp, source),\n })\n if refs:\n return {\"externalReferences\": refs}\n","prefixes":["v4","5/6"]}