{"id":2215861,"url":"http://patchwork.ozlabs.org/api/patches/2215861/?format=json","web_url":"http://patchwork.ozlabs.org/project/buildroot/patch/20260325133343.1008245-6-martin@strongswan.org/","project":{"id":27,"url":"http://patchwork.ozlabs.org/api/projects/27/?format=json","name":"Buildroot development","link_name":"buildroot","list_id":"buildroot.buildroot.org","list_email":"buildroot@buildroot.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260325133343.1008245-6-martin@strongswan.org>","list_archive_url":null,"date":"2026-03-25T13:33:43","name":"[v3,5/5] utils/generate-cyclonedx: add hashes from .hash files to externalReferences","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"d08c71aecec5147326d4f59d5989acfc4e96383a","submitter":{"id":736,"url":"http://patchwork.ozlabs.org/api/people/736/?format=json","name":"Martin Willi","email":"martin@strongswan.org"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/buildroot/patch/20260325133343.1008245-6-martin@strongswan.org/mbox/","series":[{"id":497444,"url":"http://patchwork.ozlabs.org/api/series/497444/?format=json","web_url":"http://patchwork.ozlabs.org/project/buildroot/list/?series=497444","date":"2026-03-25T13:33:39","name":"Extend CycloneDX metadata","version":3,"mbox":"http://patchwork.ozlabs.org/series/497444/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2215861/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2215861/checks/","tags":{},"related":[],"headers":{"Return-Path":"<buildroot-bounces@buildroot.org>","X-Original-To":["incoming-buildroot@patchwork.ozlabs.org","buildroot@buildroot.org"],"Delivered-To":["patchwork-incoming-buildroot@legolas.ozlabs.org","buildroot@buildroot.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=e/D0qK38;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=2605:bc80:3010::138; helo=smtp1.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)"],"Received":["from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fgntd20t4z1xy3\n\tfor <incoming-buildroot@patchwork.ozlabs.org>;\n Thu, 26 Mar 2026 00:34:01 +1100 (AEDT)","from localhost (localhost [127.0.0.1])\n\tby smtp1.osuosl.org (Postfix) with ESMTP id D88E5838C9;\n\tWed, 25 Mar 2026 13:33:59 +0000 (UTC)","from smtp1.osuosl.org ([127.0.0.1])\n by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id 36NxM4Ckxiur; Wed, 25 Mar 2026 13:33:59 +0000 (UTC)","from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp1.osuosl.org (Postfix) with ESMTP id ED71083918;\n\tWed, 25 Mar 2026 13:33:58 +0000 (UTC)","from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137])\n by lists1.osuosl.org (Postfix) with ESMTP id 5CBE8353\n for <buildroot@buildroot.org>; Wed, 25 Mar 2026 13:33:53 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp4.osuosl.org (Postfix) with ESMTP id 4339741190\n for <buildroot@buildroot.org>; Wed, 25 Mar 2026 13:33:53 +0000 (UTC)","from smtp4.osuosl.org ([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id 5az6TfjU3hYn for <buildroot@buildroot.org>;\n Wed, 25 Mar 2026 13:33:52 +0000 (UTC)","from mail.codelabs.ch (mail.codelabs.ch [109.202.192.35])\n by smtp4.osuosl.org (Postfix) with ESMTPS id 4858C41116\n for <buildroot@buildroot.org>; Wed, 25 Mar 2026 13:33:52 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by mail.codelabs.ch (Postfix) with ESMTP id 20AF35A0006;\n Wed, 25 Mar 2026 14:33:50 +0100 (CET)","from mail.codelabs.ch ([127.0.0.1])\n by localhost (fenrir.codelabs.ch [127.0.0.1]) (amavis, port 10024) with ESMTP\n id M5goy3inHdB9; Wed, 25 Mar 2026 14:33:48 +0100 (CET)","from zbook.home (unknown [185.12.128.224])\n by mail.codelabs.ch (Postfix) with ESMTPSA id 6A4CB5A0007;\n Wed, 25 Mar 2026 14:33:46 +0100 (CET)"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver=<UNKNOWN> ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp1.osuosl.org ED71083918","OpenDKIM Filter v2.11.0 smtp4.osuosl.org 4858C41116"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; t=1774445639;\n\tbh=SrqnNPou9uTlv4eoNaOSAZfp5h68ICKGYAsCY6pznxg=;\n\th=From:To:Cc:Date:In-Reply-To:References:Subject:List-Id:\n\t List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:\n\t From;\n\tb=e/D0qK38gTT8xKwumW6n860Zm7aHAZWJqo9+WSfebO6sp0Qiq48hNq4PE0qAqdG+T\n\t YFPZcDWGcJdu4iE1O11aRA14zDiSyjU1PmkuMqLHDXBDOCy9ReXMIQNM4hin99w9aQ\n\t bLDCwGLiK5ZQmkkaVJcDAa1YZLRQWRbz5VNOQMDcUlbip/gFlsYTsP5f1uKsInLsfo\n\t PeWnPf9t1j+XsUCYQFwwTq1zCq3knZw3xWNlHfCT9CLm0mup6Cs/FQutrRkP7nnRuQ\n\t UT/gODZ8jtHEZ8WXBr/jw5ST5DL+2hvvFDgVGPtXd4aoua//w3XknEQrXhntnqxQOY\n\t LID1us3k4f6FQ==","Received-SPF":"Pass (mailfrom) identity=mailfrom; client-ip=109.202.192.35;\n helo=mail.codelabs.ch; envelope-from=martin@strongswan.org;\n receiver=<UNKNOWN>","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp4.osuosl.org 4858C41116","From":"Martin Willi <martin@strongswan.org>","To":"buildroot@buildroot.org","Cc":"Thomas Perale <thomas.perale@mind.be>","Date":"Wed, 25 Mar 2026 14:33:43 +0100","Message-ID":"<20260325133343.1008245-6-martin@strongswan.org>","In-Reply-To":"<20260325133343.1008245-1-martin@strongswan.org>","References":"<20260325133343.1008245-1-martin@strongswan.org>","MIME-Version":"1.0","X-Mailman-Original-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple;\n d=strongswan.org; s=default; t=1774445626;\n bh=4gk/0Y302/VLMZgaQbtf3N8qXLZvle5hyqc52KHNag0=;\n h=From:To:Cc:Subject:Date:In-Reply-To:References:From;\n b=IT8heUetYf7XhV5UIhGH12Xc+ISIEKNArS6BYLnq9U5awwb3bR+2/O0i08AxcyNs3\n pwR2azPYh4vLawhRNJDycW26uckUI0TNH3v9fHAVWp9sGz29Y4+EvETmUU+Z68/9eg\n 8exo4ZYvdbcmYc2cvK7TKx1wRymx6/RRrzh0s71doblV0bHB7XoR4d5EYctAOKjsYB\n w0Kv964zKNIQ1qdYEKQry1+YYzQpa+ljQJTuN788H/uC9jrv3v4UAltg+4BEwDMX8H\n co7UfNwGBfl/qvbPo1wApeLwBsDE5prV9/pp+MKYgtgKKAX2cEXhvw9SPzE/4DcwZU\n OckVLTKiWz85Q==","X-Mailman-Original-Authentication-Results":["smtp4.osuosl.org;\n dmarc=pass (p=none dis=none)\n header.from=strongswan.org","smtp4.osuosl.org;\n dkim=pass (2048-bit key,\n unprotected) header.d=strongswan.org header.i=@strongswan.org\n header.a=rsa-sha256 header.s=default header.b=IT8heUet"],"Subject":"[Buildroot] [PATCH v3 5/5] utils/generate-cyclonedx: add hashes\n from .hash files to externalReferences","X-BeenThere":"buildroot@buildroot.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Discussion and development of buildroot <buildroot.buildroot.org>","List-Unsubscribe":"<https://lists.buildroot.org/mailman/options/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=unsubscribe>","List-Archive":"<http://lists.buildroot.org/pipermail/buildroot/>","List-Post":"<mailto:buildroot@buildroot.org>","List-Help":"<mailto:buildroot-request@buildroot.org?subject=help>","List-Subscribe":"<https://lists.buildroot.org/mailman/listinfo/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=subscribe>","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Errors-To":"buildroot-bounces@buildroot.org","Sender":"\"buildroot\" <buildroot-bounces@buildroot.org>"},"content":"BSI TR-03183-2 5.2.5 [1] lists the \"Hash value of the source code of the\ncomponent\" under \"Optional data fields for each component\", and as such\nCycloneDX \"MAY additionally include the [...] information, if it exists\".\n\nAs hash values are available in Buildroot, iterate over .hash file paths\nfrom show-info input and read hash values for the source distribution. Add\nall found hashes to externalReferences source-distribution entries.\n\n[1] https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03183/BSI-TR-03183-2_v2_1_0.pdf?__blob=publicationFile&v=5\n\nSigned-off-by: Martin Willi <martin@strongswan.org>\n---\n .../tests/utils/test_generate_cyclonedx.py    | 42 +++++++++++++++++++\n utils/generate-cyclonedx                      | 34 +++++++++++++++\n 2 files changed, 76 insertions(+)","diff":"diff --git a/support/testing/tests/utils/test_generate_cyclonedx.py b/support/testing/tests/utils/test_generate_cyclonedx.py\nindex 9c2bd2bc9180..29f492803e10 100644\n--- a/support/testing/tests/utils/test_generate_cyclonedx.py\n+++ b/support/testing/tests/utils/test_generate_cyclonedx.py\n@@ -164,3 +164,45 @@ class TestGenerateCycloneDX(unittest.TestCase):\n                 }\n             ],\n         )\n+\n+    def test_external_references_hashes(self):\n+        with tempfile.TemporaryDirectory() as tmpdir:\n+            hash_file = Path(tmpdir) / \"foo.hash\"\n+            hash_file.write_text(\n+                \"# source archive checksums\\n\"\n+                \"sha256 1111111111111111111111111111111111111111111111111111111111111111 foo-1.2.tar.gz\\n\"\n+                \"sha1 2222222222222222222222222222222222222222 foo-1.2.tar.gz\\n\"\n+                \"sha256 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa LICENSE\\n\"\n+            )\n+\n+            info = self._make_show_info()\n+            info[\"package-foo\"][\"hashes\"] = [str(hash_file)]\n+            info[\"package-foo\"][\"downloads\"] = [\n+                {\n+                    \"source\": \"foo-1.2.tar.gz\",\n+                    \"uris\": [\"http|https+https://mirror.example.org/foo\"],\n+                },\n+            ]\n+\n+            result = self._run_script(show_info=info)\n+\n+        foo = self._find_component(result, \"package-foo\")\n+        self.assertEqual(\n+            foo[\"externalReferences\"],\n+            [\n+                {\n+                    \"type\": \"source-distribution\",\n+                    \"url\": \"https://mirror.example.org/foo/foo-1.2.tar.gz\",\n+                    \"hashes\": [\n+                        {\n+                            \"alg\": \"SHA-256\",\n+                            \"content\": \"1111111111111111111111111111111111111111111111111111111111111111\",\n+                        },\n+                        {\n+                            \"alg\": \"SHA-1\",\n+                            \"content\": \"2222222222222222222222222222222222222222\",\n+                        },\n+                    ],\n+                }\n+            ],\n+        )\ndiff --git a/utils/generate-cyclonedx b/utils/generate-cyclonedx\nindex 3946380ae3ef..4ef0548bae51 100755\n--- a/utils/generate-cyclonedx\n+++ b/utils/generate-cyclonedx\n@@ -278,6 +278,39 @@ def usable_download_uris(uris: list[str]) -> Iterator[str]:\n                 yield parts[1]\n \n \n+def cyclonedx_source_hashes(comp, source):\n+    \"\"\"Create CycloneDX hashes for a source distribution.\n+\n+    Args:\n+        comp (dict): The component information from the show-info output.\n+        source (str): The source distribution filename to look for in the hash file.\n+    Returns:\n+        dict: Hash information in CycloneDX format, or empty dict\n+    \"\"\"\n+    mapping = {\n+        \"sha1\": \"SHA-1\",\n+        \"sha256\": \"SHA-256\",\n+        \"sha512\": \"SHA-512\",\n+        \"md5\": \"MD5\",\n+    }\n+\n+    hashes = []\n+    for hash_file in comp.get(\"hashes\", []):\n+        with Path(hash_file).open() as f:\n+            for line in f:\n+                line = line.strip()\n+                if not line.startswith(\"#\") and line.endswith(f\" {source}\"):\n+                    parts = line.split()\n+                    if len(parts) >= 3 and parts[0] in mapping:\n+                        hashes.append({\n+                            \"alg\": mapping[parts[0]],\n+                            \"content\": parts[1],\n+                        })\n+    if hashes:\n+        return {\"hashes\": hashes}\n+    return {}\n+\n+\n def cyclonedx_external_refs(comp):\n     \"\"\"Create CycloneDX external references for a component.\n \n@@ -294,6 +327,7 @@ def cyclonedx_external_refs(comp):\n                         {\n                             \"type\": \"source-distribution\",\n                             \"url\": f\"{uri}/{source}\",\n+                            **cyclonedx_source_hashes(comp, source),\n                         }\n                     ]\n                 }\n","prefixes":["v3","5/5"]}