Re: [PATCH 02/15] scripts/sbom: integrate script in make process
From: Nicolas Schier
Date: Tue Mar 31 2026 - 12:20:03 EST
On Tue, Mar 31, 2026 at 05:30:09PM +0200, Nathan Chancellor wrote:
> On Tue, Mar 31, 2026 at 07:15:35AM +0200, Greg KH wrote:
> > On Mon, Mar 30, 2026 at 10:32:00PM +0200, Luis Augenstein wrote:
> > > Hi Nathan,
> > >
> > > thanks a lot for your recommendations.
> > >
> > > > Does sbom-roots.txt need to be cleaned up as well?
> > >
> > > This file is only required to pass the roots into the python script.
> > > We could also use a tmp file. Then we don't need to worry about clean
> > > up. Together with your other suggested changes something like this
> > > should work:
> > >
> > > # Script to generate .spdx.json SBOM documents describing the build
> > > #
> > > ---------------------------------------------------------------------------
> > >
> > > ifdef building_out_of_srctree
> > > sbom_targets := sbom-source.spdx.json
> > > endif
> > > sbom_targets += sbom-build.spdx.json sbom-output.spdx.json
> > > quiet_cmd_sbom = GEN $(notdir $(sbom_targets))
> > > cmd_sbom = roots_file=$$(mktemp); \
>
> I think I would rather have a named file in objtree instead of one in
> /tmp, as we want all output to remain in the build folder.
+1
The common way in kbuild is using '$(tmp-target)'.
>
> > > printf "%s\n" "$(KBUILD_IMAGE)" >"$$roots_file"; \
> > > $(if $(CONFIG_MODULES),sed 's/\.o$$/.ko/' $(objtree)/modules.order >> "$$roots_file";) \
> > > $(PYTHON3) $(srctree)/scripts/sbom/sbom.py \
> > > --src-tree $(abspath $(srctree)) \
> > > --obj-tree $(abspath $(objtree)) \
> > > --roots-file "$$roots_file" \
> > > --output-directory $(abspath $(objtree)) \
> > > --generate-spdx \
> > > --package-license "GPL-2.0 WITH Linux-syscall-note" \
> > > --package-version "$(KERNELVERSION)" \
> > > --write-output-on-error; \
> > > rm -f "$$roots_file"
>
> The cmd macro uses 'set -e', so consider moving this up and making it
>
> trap "rm -rf $$roots_file" EXIT; \
>
> like try-run in scripts/Makefile.compiler does to ensure it is always
> cleaned up.
hm, well. Yes, this should do as expected, but please be aware that
this also kills the $(delete-on-interrupt) which is part of $(cmd) and
removes $@ in case of error or interruption by installing a trap --
which will be overwritten. See also below.
I think it might become a bit cleaner if the roots file is a separate
target and the 'sbom' target simply depends on it. But we can defer
that.
>
> > > PHONY += sbom
> > > sbom: $(notdir $(KBUILD_IMAGE)) include/generated/autoconf.h $(if $(CONFIG_MODULES),modules modules.order)
> > > 	$(call cmd,sbom)
> > >
> > > Note, I will also add the --write-output-on-error flag by default such
> > > that the .spdx.json documents are generated as much as possible even if
> > > some build commands are unknown to the parser.
>
> Seems reasonable to me.
If sbom.py is unable to parse the build commands, it exits with a
non-zero exit code, correct? As 'cmd_sbom' is run within a 'set -e'
shell environment, the $(delete-on-interrupt) will delete $@, thus there
should be _no_ output on error, regardless of --write-output-on-error.
So, it might make sense to kill $(delete-on-interrupt) intentionally; but
that doesn't feel good to me, as the intention of 'cmd' will no longer be
transparent.
Kind regards,
Nicolas
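The trap-overwrite and 'set -e' interaction discussed above, as an added shell example that is not part of the thread or of the kernel tree. It assumes a simplified model: the kbuild cleanup is represented by one EXIT trap on the target (the real mechanism lives in scripts/Kbuild.include), and fake_sbom is a constructed stand-in for sbom.py --write-output-on-error.

```shell
#!/bin/sh
# Added illustration, not kernel code.  It models the two shell facts the
# discussion hinges on: (1) a recipe that installs its own 'trap ... EXIT'
# replaces the trap installed before it, and (2) under 'set -e' a non-zero
# exit from the SBOM generator fires that trap, so the document it already
# wrote is deleted regardless of --write-output-on-error.
# Assumptions: the kbuild cleanup is modelled as a single EXIT trap on the
# target (simplified), and fake_sbom stands in for sbom.py, which here writes
# its output and then exits 1 for an unparsable build command.

# $1: "yes" when the recipe installs its own EXIT trap for the roots file.
# Runs the stand-in recipe in a fresh 'set -e' shell, like $(cmd) does, and
# prints what survived the failure: "output=<kept|deleted> roots=<kept|deleted>".
run_recipe() {
    own_trap=$1
    dir=$(mktemp -d)
    target=$dir/sbom-build.spdx.json     # $@ of the sbom rule (constructed path)
    roots_file=$dir/roots.txt            # the mktemp file of cmd_sbom
    sh -c '
        set -e
        target=$1; own_trap=$2; roots_file=$3
        trap "rm -f $target" EXIT          # modelled delete-on-interrupt
        if [ "$own_trap" = yes ]; then
            trap "rm -f $roots_file" EXIT  # replaces the trap above
        fi
        printf "%s\n" vmlinux > "$roots_file"
        fake_sbom() { printf "{}\n" > "$1"; return 1; }
        fake_sbom "$target"                # exit 1: set -e ends the shell here
        rm -f "$roots_file"                # never reached
    ' sh "$target" "$own_trap" "$roots_file" || true
    if [ -e "$target" ]; then out=kept; else out=deleted; fi
    if [ -e "$roots_file" ]; then rf=kept; else rf=deleted; fi
    rm -rf "$dir"
    echo "output=$out roots=$rf"
}

run_recipe no    # output=deleted roots=kept
run_recipe yes   # output=kept roots=deleted
```

With the recipe-level trap in place the roots file is cleaned up but the target survives the failure, which is the behaviour change the reply warns about.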