{"id":2220626,"url":"http://patchwork.ozlabs.org/api/1.1/covers/2220626/?format=json","web_url":"http://patchwork.ozlabs.org/project/buildroot/cover/20260407-generate-cyclonedx-br-v1-0-03c45ccba2ed@cherry.de/","project":{"id":27,"url":"http://patchwork.ozlabs.org/api/1.1/projects/27/?format=json","name":"Buildroot development","link_name":"buildroot","list_id":"buildroot.buildroot.org","list_email":"buildroot@buildroot.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20260407-generate-cyclonedx-br-v1-0-03c45ccba2ed@cherry.de>","date":"2026-04-07T17:37:06","name":"[0/4] make utils/generate-cyclonedx runnable with Buildroot host packages","submitter":{"id":83602,"url":"http://patchwork.ozlabs.org/api/1.1/people/83602/?format=json","name":"Quentin Schulz","email":"foss+buildroot@0leil.net"},"mbox":"http://patchwork.ozlabs.org/project/buildroot/cover/20260407-generate-cyclonedx-br-v1-0-03c45ccba2ed@cherry.de/mbox/","series":[{"id":499014,"url":"http://patchwork.ozlabs.org/api/1.1/series/499014/?format=json","web_url":"http://patchwork.ozlabs.org/project/buildroot/list/?series=499014","date":"2026-04-07T17:37:07","name":"make utils/generate-cyclonedx runnable with Buildroot host packages","version":1,"mbox":"http://patchwork.ozlabs.org/series/499014/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/covers/2220626/comments/","headers":{"Return-Path":"<buildroot-bounces@buildroot.org>","X-Original-To":["incoming-buildroot@patchwork.ozlabs.org","buildroot@buildroot.org"],"Delivered-To":["patchwork-incoming-buildroot@legolas.ozlabs.org","buildroot@buildroot.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=bB2e+ftF;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=140.211.166.136; helo=smtp3.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)"],"Received":["from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fqtgR2hSXz1xtJ\n\tfor <incoming-buildroot@patchwork.ozlabs.org>;\n Wed, 08 Apr 2026 03:37:23 +1000 (AEST)","from localhost (localhost [127.0.0.1])\n\tby smtp3.osuosl.org (Postfix) with ESMTP id 1617660642;\n\tTue,  7 Apr 2026 17:37:21 +0000 (UTC)","from smtp3.osuosl.org ([127.0.0.1])\n by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id pCKfjobIAEN2; Tue,  7 Apr 2026 17:37:20 +0000 (UTC)","from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp3.osuosl.org (Postfix) with ESMTP id 29A7060DC6;\n\tTue,  7 Apr 2026 17:37:20 +0000 (UTC)","from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136])\n by lists1.osuosl.org (Postfix) with ESMTP id 6AF6E237\n for <buildroot@buildroot.org>; Tue,  7 Apr 2026 17:37:18 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp3.osuosl.org (Postfix) with ESMTP id 502FE60DC7\n for <buildroot@buildroot.org>; Tue,  7 Apr 2026 17:37:18 +0000 (UTC)","from smtp3.osuosl.org ([127.0.0.1])\n by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id j12pwdavk4Fd for <buildroot@buildroot.org>;\n Tue,  7 Apr 2026 17:37:17 +0000 (UTC)","from smtp-bc0a.mail.infomaniak.ch (smtp-bc0a.mail.infomaniak.ch\n [IPv6:2001:1600:4:17::bc0a])\n by smtp3.osuosl.org (Postfix) with ESMTPS id EAA4860642\n for <buildroot@buildroot.org>; Tue,  7 Apr 2026 17:37:16 +0000 (UTC)","from smtp-3-0001.mail.infomaniak.ch (unknown\n [IPv6:2001:1600:4:17::246c])\n by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4fqtgG2VB8zBYm;\n Tue,  7 Apr 2026 19:37:14 +0200 (CEST)","from unknown by smtp-3-0001.mail.infomaniak.ch (Postfix) with ESMTPA\n id 4fqtgF4bRtzyCC; Tue,  7 Apr 2026 19:37:13 +0200 (CEST)"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver=<UNKNOWN> ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp3.osuosl.org 29A7060DC6","OpenDKIM Filter v2.11.0 smtp3.osuosl.org EAA4860642"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; t=1775583440;\n\tbh=cv/gjHzEvKhu22ukIGu5+MSxJ/uC0KOBXe8RrX6eVbg=;\n\th=Date:To:Cc:Subject:List-Id:List-Unsubscribe:List-Archive:\n\t List-Post:List-Help:List-Subscribe:From:Reply-To:From;\n\tb=bB2e+ftFYyKvutHfq4hKA1sVxweOe9kEVzmy7mQZfCZg/PQ3GmPHOfyyINkf2/yd7\n\t UnvsGqk7pFV5DinIOt3M6enc4nIpUWxi0ktlRdTTFWyuRmaMetVeKCHxeo1kN8jn9O\n\t T/CJUKKd8lDBLTXo2e7SezXfbWddm38IG6kLD8s7x9tfUGcK220zzVNiEFtUcQMq+Q\n\t XYWS/IoAcWkWOwpPCm3pK8a4YqXDTZxgQxPOHES8bkA9CEMhRhsQmHyrigqE7G6Ahp\n\t KfvjCKtRFXoxLkLojocbvojWoM24cZNrMcGtlptEa1K2aL3ccTw3+/tHgs8NH327sD\n\t pZy42wcKV8RPg==","Received-SPF":"Pass (mailfrom) identity=mailfrom;\n client-ip=2001:1600:4:17::bc0a;\n helo=smtp-bc0a.mail.infomaniak.ch; envelope-from=foss+buildroot@0leil.net;\n receiver=<UNKNOWN>","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp3.osuosl.org EAA4860642","Date":"Tue, 07 Apr 2026 19:37:06 +0200","Message-Id":"<20260407-generate-cyclonedx-br-v1-0-03c45ccba2ed@cherry.de>","MIME-Version":"1.0","X-B4-Tracking":"v=1; b=H4sIAAAAAAAC/yXMQQrCQAxG4auUrA1Mg7bgVcRFJ/NbIzKVTJVK6\n d0ddfkt3lupwA2Fjs1KjpcVm3JFu2tIr0MewZaqSYJ0YR96HpHhwwzWt96njLRwdJYoSQ5dG3p\n Rqu3DcbHl9z2d/y7PeIPO3xlt2wfHQQWYeQAAAA==","X-Change-ID":"20260407-generate-cyclonedx-br-2b2d2561072c","To":"buildroot@buildroot.org","Cc":"Thomas Perale <thomas.perale@mind.be>, Martin Bark <martin@barkynet.com>,\n Thomas Petazzoni <thomas.petazzoni@bootlin.com>,\n Quentin Schulz <quentin.schulz@cherry.de>","X-Mailer":"b4 0.15-dev-47773","X-Infomaniak-Routing":"alpha","X-Mailman-Original-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=0leil.net; s=20231125; t=1775583434;\n bh=WyieeFrIbOPdk6bZwmPVtQOKaM8TEqH31WKsYgl/6x8=;\n h=From:Subject:Date:To:Cc:From;\n b=ksE6pY/iPiz8uRYzkh4c4iw8PuhLEh4k39olobBExQoHTD5tYlpVEP7YtqJWhcovu\n vte8tgO6YFjq3CzKsnfKNel6UnjqhaXdEzDmT+KO9aqiSHBLakNFqRdvKS7ZP0w4wQ\n jNFAbRbdsIxKXfc/Pz8Ch/if0NFQqMih5yfmBni9IDgrzwqhBYj9A4d2Lc12y3ne7i\n jVOgIaa71jsxWSHmoU3XjfmunRF6U+1Tq+jFLFSjfbKlmhzPqRcu0SoIDUNg+iJEgU\n yYEmn3DQpLhQTt6HFty2WQUBnKDb0FVnUI4S2Bl50otPflp/nNT50yF/bTAhRD2ab/\n qYPAHo8f1IYwA==","X-Mailman-Original-Authentication-Results":["smtp3.osuosl.org;\n dmarc=pass (p=reject dis=none)\n header.from=0leil.net","smtp3.osuosl.org;\n dkim=pass (2048-bit key,\n unprotected) header.d=0leil.net header.i=@0leil.net header.a=rsa-sha256\n header.s=20231125 header.b=ksE6pY/i"],"Subject":"[Buildroot] [PATCH 0/4] make utils/generate-cyclonedx runnable with\n Buildroot host packages","X-BeenThere":"buildroot@buildroot.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Discussion and development of buildroot <buildroot.buildroot.org>","List-Unsubscribe":"<https://lists.buildroot.org/mailman/options/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=unsubscribe>","List-Archive":"<http://lists.buildroot.org/pipermail/buildroot/>","List-Post":"<mailto:buildroot@buildroot.org>","List-Help":"<mailto:buildroot-request@buildroot.org?subject=help>","List-Subscribe":"<https://lists.buildroot.org/mailman/listinfo/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=subscribe>","From":"Quentin Schulz via buildroot <buildroot@buildroot.org>","Reply-To":"Quentin Schulz <foss+buildroot@0leil.net>","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Errors-To":"buildroot-bounces@buildroot.org","Sender":"\"buildroot\" <buildroot-bounces@buildroot.org>"},"content":"It may be beneficial to be able to run the script from Buildroot host\npackages to avoid external dependencies. I for example build Buildroot\nwithin some ancient container where I don't have a recent-enough Python\nto run generate-cyclonedx with. I already build host Python as part of\nmy build, so it seems like a good opportunity to reuse it for running\ngenerate-cyclonedx with it instead of going for a separate container\njust for running that script.\n\nThis however required a few changes. First, I needed to enable\nBR2_PACKAGE_HOST_PYTHON3_BZIP2 otherwise importing the bz2 module would\nfail.\nHowever after looking at the code deeper, there isn't a way right now\nfor this script to actually receive a compressed patch to parse,\ntherefore instead of requiring that option to be selected, the\ncompression \"support\" is removed from the script entirely.\n\nThen, I got hit by Python telling me it does not know what HTTPS is. The\nissue was that the ssl (well, technically _ssl) module wasn't built\nunless BR2_PACKAGE_HOST_PYTHON3_SSL is enabled and without that, no\nHTTPS support.\n\nGoing further, Python would then complain that it cannot verify the\ncertificates. The answer was to build a host variant of ca-certificates\nfor host Python to use. Another option is to go for host-python-certifi\ninstead, with the following diff:\n\n  diff --git a/utils/generate-cyclonedx b/utils/generate-cyclonedx\n  index fad0671166..461743692e 100755\n  --- a/utils/generate-cyclonedx\n  +++ b/utils/generate-cyclonedx\n  @@ -51,7 +51,13 @@ if not SPDX_SCHEMA_PATH.exists():\n       # Download the CycloneDX SPDX schema JSON, and cache it locally\n       cyclonedxpath.mkdir(parents=True, exist_ok=True)\n       try:\n  -        urllib.request.urlretrieve(SPDX_SCHEMA_URL, SPDX_SCHEMA_PATH)\n  +        import ssl\n  +        import certifi\n  +\n  +        context = ssl.create_default_context(cafile=certifi.where())\n  +        with urllib.request.urlopen(SPDX_SCHEMA_URL, context=context) as response, \\\n  +                open(SPDX_SCHEMA_PATH, \"wb\") as f:\n  +            f.write(response.read())\n       except urllib.error.URLError as e:\n           if \"CERTIFICATE_VERIFY_FAILED\" in str(e.reason):\n               raise Exception(\"Couldn't verify certificate. Try enabling BR2_PACKAGE_HOST_CA_CERTIFICATES.\")\n\nThe downside is that users running this script externally from Buildroot\nwill need to install certifi Python module to run the script. I guess\nwe could run urlretrieve first and if it fails, then fallback to\ncertifi. What do you think?\n\nSo, this adds a couple of messages hinting at the user what may be\nmissing for generate-cyclonedx to run. Note that\nBR2_PACKAGE_HOST_PYTHON3_SSL and BR2_PACKAGE_HOST_CA_CERTIFICATES are\noptional, they only are needed if the SPDX schema isn't available yet.\nOne can also decide to download it externally with wget/curl in the\nappropriate location and avoid having to build host ca-certificates\nand/or host Python with ssl support (it does bring host-libopenssl\nafter all!).\n\nSigned-off-by: Quentin Schulz <quentin.schulz@cherry.de>\n---\nQuentin Schulz (4):\n      utils/generate-cyclonedx: remove \"support\" for bz2 and gzip compressed patches\n      utils/generate-cyclonedx: better error message when host Python is built without ssl\n      package/ca-certificates: enable host package variant\n      utils/generate-cyclonedx: hint at missing Buildroot host package on a specific error\n\n package/Config.in.host                     |  1 +\n package/ca-certificates/Config.in.host     | 12 ++++++++++++\n package/ca-certificates/ca-certificates.mk | 30 ++++++++++++++++++++++++++++++\n utils/generate-cyclonedx                   | 29 +++++++++++++++--------------\n 4 files changed, 58 insertions(+), 14 deletions(-)\n---\nbase-commit: ac4c32f6f839d1b813125e64f0e23a98922ac602\nchange-id: 20260407-generate-cyclonedx-br-2b2d2561072c\n\nBest regards,\n--  \nQuentin Schulz <quentin.schulz@cherry.de>"}