From: Luis Augenstein <luis.augenstein@tngtech.com>
To: Nathan Chancellor <nathan@kernel.org>
Cc: nsc@kernel.org, linux-kbuild@vger.kernel.org,
linux-kernel@vger.kernel.org, akpm@linux-foundation.org,
gregkh@linuxfoundation.org, kstewart@linuxfoundation.org,
maximilian.huber@tngtech.com
Subject: Re: [PATCH v5 00/15] add SPDX SBOM generation script
Date: Wed, 6 May 2026 17:18:39 +0200 [thread overview]
Message-ID: <5396a630-9b65-4455-9141-9f3fc520b3ec@tngtech.com> (raw)
In-Reply-To: <177750859587.2042162.11401905742333459790.b4-review@b4>
[-- Attachment #1.1: Type: text/plain, Size: 4566 bytes --]
On 4/30/26 02:23, Nathan Chancellor wrote:
> On Fri, 10 Apr 2026 23:22:40 +0200, Luis <luis.augenstein@tngtech.com> wrote:
>> This patch series introduces a Python-based script for generating SBOM
>> documents in the SPDX 3.0.1 format for kernel builds.
>
> I see the following error when building ARCH=arm64 virtconfig sbom:
>
> | $ make -skj"$(nproc)" ARCH=arm64 CROSS_COMPILE=aarch64-linux- CROSS_COMPILE_COMPAT=arm-linux-gnueabi- mrproper virtconfig sbom
> | [ERROR] File "/src/scripts/sbom/sbom/cmd_graph/savedcmd_parser/savedcmd_parser.py", line 33, in log_error_or_warning
> | Skipped parsing command arch/arm64/kernel/vdso32/../../../arm/vdso/vdsomunge arch/arm64/kernel/vdso32/vdso.so.raw arch/arm64/kernel/vdso32/vdso32.so.dbg because no matching parser was found
> | ...
> | make[3]: *** [/src/Makefile:2184: sbom] Error 1
> | ...
>
> I would highly recommend running some randconfig builds with ARCH=arm64
> and ARCH=x86_64 if you have not already done so to ensure you have
> caught all corner cases. This one was understandably missed because GCC
> builds require a separate 32-bit cross compiler (specified with
> CROSS_COMPILE_COMPAT) to build this code. Testing with LLVM=1 would help
> with that since the build system handles cross compile automatically in
> that case.
So far, I have mainly tested with tinyconfig, defconfig, allmodconfig,
and the configs from
https://github.com/gregkh/gregkh-linux/tree/master/stable/configs.
Additionally, I have now tested some randconfig builds. Still, there
will most likely be edge cases that we will only discover over time.
However, while the tool is designed to exit with a non-zero status code
when unknown commands are encountered, it still produces a valid SBOM
based on the information it was able to collect. So, despite missing
command parser errors like these, the tool remains usable.
There is also the --do-not-fail-on-unknown-build-command option to log
missing command parser errors as warnings and exit with a zero status
code. I have disabled this by default, though, to make people more
likely to report any missing command parser issues they encounter.
>> modules as root nodes, the script reconstructs the dependency graph up
>> to the original source files. Build dependencies are primarily derived from
>> the `.cmd` files generated by Kbuild, which record the full command used
>> to build each output file.
>>
>> Currently, the script only supports x86 and arm64 architectures.
>
> This does not appear to be codified anywhere? I can run the sbom target
> when targeting ARCH=arm for example, resulting in:
>
> | [ERROR] File "/src/scripts/sbom/sbom/cmd_graph/savedcmd_parser/savedcmd_parser.py", line 33, in log_error_or_warning
> | Skipped parsing command sh /src/arch/arm/tools/syscallnr.sh /src/arch/arm/tools/syscall.tbl arch/arm/include/generated/asm/unistd-nr.h because no matching parser was found
> | [ERROR] File "/src/scripts/sbom/sbom/cmd_graph/savedcmd_parser/savedcmd_parser.py", line 33, in log_error_or_warning
> | Skipped parsing command ./arch/arm/vdso/vdsomunge arch/arm/vdso/vdso.so.raw arch/arm/vdso/vdso.so.dbg because no matching parser was found
> | [WARNING] Could not infer primary purpose for /src/arch/arm/tools/mach-types
> | [WARNING] Could not infer primary purpose for /build/arch/arm/boot/compressed/piggy_data
Yes, this is not codified in the sense that the tool does not restrict
execution to specific architectures.
Should it?
As stated above, the tool is designed to collect as much of the
dependency graph as possible. For other architectures, it behaves the
same way, i.e., a valid SBOM is produced, but the missing parser errors
indicate that the SBOM is not complete. I think this behavior is more
useful than denying execution for other architectures entirely, but we
could change that if you think otherwise.
> Sashiko points out a number of things as well:
>
> https://sashiko.dev/#/patchset/20260410212255.9883-1-luis.augenstein@tngtech.com
Cool, thanks. I didn't know this exists.
I worked through the comments and will provide according changes in v6
of the patch series soon.
Best,
Luis
--
Luis Augenstein * luis.augenstein@tngtech.com * +4915225275761
TNG Technology Consulting GmbH, Beta-Str. 13, 85774 Unterföhring
Geschäftsführer: Henrik Klagges, Dr. Robert Dahlke, Thomas Endres
Aufsichtsratsvorsitzender: Moritz Prinz
Sitz: Unterföhring * Amtsgericht München * HRB 135082
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]
next prev parent reply other threads:[~2026-05-06 15:18 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-10 21:22 [PATCH v5 00/15] add SPDX SBOM generation script Luis
2026-04-10 21:22 ` [PATCH v5 01/15] scripts/sbom: add documentation Luis
2026-04-10 21:22 ` [PATCH v5 02/15] scripts/sbom: integrate script in make process Luis
2026-04-30 0:23 ` Nathan Chancellor
2026-04-10 21:22 ` [PATCH v5 03/15] scripts/sbom: setup sbom logging Luis
2026-04-10 21:22 ` [PATCH v5 04/15] scripts/sbom: add command parsers Luis
2026-04-10 21:22 ` [PATCH v5 05/15] scripts/sbom: add cmd graph generation Luis
2026-04-10 21:22 ` [PATCH v5 06/15] scripts/sbom: add additional dependency sources for cmd graph Luis
2026-04-10 21:22 ` [PATCH v5 07/15] scripts/sbom: add SPDX classes Luis
2026-04-10 21:22 ` [PATCH v5 08/15] scripts/sbom: add JSON-LD serialization Luis
2026-04-10 21:22 ` [PATCH v5 09/15] scripts/sbom: add shared SPDX elements Luis
2026-04-10 21:22 ` [PATCH v5 10/15] scripts/sbom: collect file metadata Luis
2026-04-10 21:22 ` [PATCH v5 11/15] scripts/sbom: add SPDX output graph Luis
2026-04-10 21:22 ` [PATCH v5 12/15] scripts/sbom: add SPDX source graph Luis
2026-04-10 21:22 ` [PATCH v5 13/15] scripts/sbom: add SPDX build graph Luis
2026-04-10 21:22 ` [PATCH v5 14/15] scripts/sbom: add unit tests for command parsers Luis
2026-04-10 21:22 ` [PATCH v5 15/15] scripts/sbom: add unit tests for SPDX-License-Identifier parsing Luis
2026-04-30 0:23 ` [PATCH v5 00/15] add SPDX SBOM generation script Nathan Chancellor
2026-05-06 15:18 ` Luis Augenstein [this message]
2026-05-07 9:42 ` Nathan Chancellor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5396a630-9b65-4455-9141-9f3fc520b3ec@tngtech.com \
--to=luis.augenstein@tngtech.com \
--cc=akpm@linux-foundation.org \
--cc=gregkh@linuxfoundation.org \
--cc=kstewart@linuxfoundation.org \
--cc=linux-kbuild@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=maximilian.huber@tngtech.com \
--cc=nathan@kernel.org \
--cc=nsc@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox