Skip to content

feat: add missing tools to SBOM#1346

Open
Ron (rjaegers) wants to merge 25 commits into
mainfrom
feature/add-missing-tools-to-sbom
Open

feat: add missing tools to SBOM#1346
Ron (rjaegers) wants to merge 25 commits into
mainfrom
feature/add-missing-tools-to-sbom

Conversation

@rjaegers

@rjaegers Ron (rjaegers) commented Jul 9, 2026

Copy link
Copy Markdown
Member

🚀 Hey, I have created a Pull Request

Description of changes

This pull request introduces a system for generating and publishing a curated, per-flavor tool inventory for each devcontainer image, ensuring that the set of included tools and their versions are clearly documented and tracked in the release notes. It does this by annotating binaries so they are reliably detected in the SBOM, filtering the SBOM against an allowlist, and updating the release automation and templates to include tool tables and attach inventories as release assets.

The most important changes are:

SBOM Annotation and Tool Detection Improvements

  • Added .devcontainer/base/add-sbom-note.sh, a script that annotates ELF binaries with systemd .note.package metadata so Syft can reliably detect tools installed outside of package managers and include them in the SBOM. This script is installed into the base image and used by downstream flavors. (.devcontainer/base/add-sbom-note.sh, .devcontainer/base/Dockerfile, [1] [2] [3]
  • Updated Dockerfiles for C++, Rust, and other flavors to use add-sbom-note to annotate tools that would otherwise be missed by Syft, ensuring a complete SBOM. (.devcontainer/cpp/Dockerfile, .devcontainer/rust/Dockerfile, [1] [2]

Tool Inventory Generation and Tracking

  • Added allowlist files (e.g., tool-inventory.json) per devcontainer flavor to specify which tools to track, and a script (.github/scripts/generate-tool-inventory.sh) to extract tool/version/purl info from the SBOM, failing builds if expected tools are missing. (.devcontainer/base/tool-inventory.json, .devcontainer/cpp/tool-inventory.json, .devcontainer/embedded-cpp/tool-inventory.json, .devcontainer/rust/tool-inventory.json, .devcontainer/docs/tool-inventory.json, [1] [2] [3] [4] [5] [6]

Release Notes and Automation Enhancements

  • Updated the release template to include tables of tools and their versions per flavor, as recorded in the SBOM. The release workflow now generates these tables and attaches the full inventory as a release asset. (.github/RELEASE_TEMPLATE.md, .github/workflows/release-build.yml, [1] [2]
  • Updated build and test workflows to pass the allowlist to the build process, ensuring inventories are generated and validated in CI. (.github/workflows/build-push-test.yml, .github/workflows/wc-build-push-test.yml, .github/workflows/wc-build-push.yml, [1] [2] [3] [4]

Dependency Updates

General Improvements

  • Various ARGs and build steps were refactored to improve maintainability and to support the new tool annotation and inventory system. [1] [2] [3] [4] [5]

These changes ensure that the devcontainer images have transparent, reproducible tool inventories, and that any accidental tool removals or renames are caught early in CI.

✔️ Checklist

  • I have followed the contribution guidelines for this repository
  • I have added tests for new behavior, and have not broken any existing tests
  • I have added or updated relevant documentation
  • I have verified that all added components are accounted for in the SBOM

@rjaegers Ron (rjaegers) requested a review from a team as a code owner July 9, 2026 19:37
Copilot AI review requested due to automatic review settings July 9, 2026 19:37
@rjaegers Ron (rjaegers) changed the title Feature/add missing tools to SBOM feat: add missing tools to SBOM Jul 9, 2026
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

📦 Container Size Analysis

Note

Comparing ghcr.io/philips-software/amp-devcontainer-base:edgeghcr.io/philips-software/amp-devcontainer-base:pr-1346

📈 Size Comparison Table

OS/Platform Previous Current Change Trend
linux/amd64 71.79 MB 75.35 MB +3.56 MB (+4.95%) 🔼
linux/arm64 70.09 MB 73.44 MB +3.35 MB (+4.78%) 🔼

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the Rust devcontainer image to make additional Rust tooling explicitly versioned and to improve SBOM completeness by annotating installed binaries with ELF package metadata so Syft can detect them.

Changes:

  • Parameterized versions for cargo-binutils, cargo-mutants, flip-link, and probe-rs-tools via new ARGs.
  • Updated the cargo-binstall installation step to use the version ARGs.
  • Added a build step that annotates selected binaries with a .note.package section containing name/version/purl metadata for SBOM generation.

Comment thread .devcontainer/rust/Dockerfile Outdated
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

⚠️MegaLinter analysis: Success with warnings

Descriptor Linter Files Fixed Errors Warnings Elapsed time
✅ ACTION actionlint 23 0 0 0.2s
✅ DOCKERFILE hadolint 4 0 0 0.18s
✅ JSON npm-package-json-lint yes no no 0.37s
✅ JSON prettier 37 8 0 0 0.71s
✅ JSON v8r 37 0 0 9.31s
⚠️ MARKDOWN markdownlint 13 0 1 0 1.02s
✅ MARKDOWN markdown-table-formatter 13 0 0 0 0.2s
✅ REPOSITORY checkov yes no no 32.48s
✅ REPOSITORY gitleaks yes no no 0.7s
✅ REPOSITORY git_diff yes no no 0.06s
✅ REPOSITORY grype yes no no 49.88s
⚠️ REPOSITORY osv-scanner yes 1 no 0.85s
✅ REPOSITORY secretlint yes no no 1.81s
✅ REPOSITORY syft yes no no 4.48s
✅ REPOSITORY trivy yes no no 13.45s
✅ REPOSITORY trivy-sbom yes no no 0.24s
✅ REPOSITORY trufflehog yes no no 2.18s
⚠️ SPELL lychee 105 5 0 11.59s
✅ YAML prettier 32 0 0 0 1.11s
✅ YAML v8r 32 0 0 8.96s
✅ YAML yamllint 32 0 0 1.88s

Detailed Issues

⚠️ SPELL / lychee - 5 errors
📝 Summary
---------------------
🔍 Total..........147
🔗 Unique.........123
✅ Successful.....137
⏳ Timeouts.........0
🔀 Redirected......18
👻 Excluded.........0
❓ Unknown..........0
🚫 Errors...........5
⛔ Unsupported......5

Errors in .github/CONTRIBUTING.md
[ERROR] https://www.conventionalcommits.org/en/v1.0.0/ (at 89:64) | Network error: Connection reset by peer (os error 104)

Errors in .github/TOOL_VERSION_ISSUE_TEMPLATE.md
[403] https://developer.arm.com/downloads/-/arm-gnu-toolchain-downloads (at 38:7) | Rejected status code: 403 Forbidden

Errors in test/cpp/features/security.feature
[ERROR] https://slsa.dev/spec/v1.0/levels (at 20:30) | Connection failed. Check network connectivity and firewall settings
[ERROR] https://slsa.dev/spec/v1.0/threats (at 28:19) | Connection failed. Check network connectivity and firewall settings
[ERROR] https://slsa.dev/spec/v1.0/verifying-artifacts (at 24:25) | Connection failed. Check network connectivity and firewall settings

Hint: Followed 18 redirects. You might want to consider replacing redirecting URLs with the resolved URLs. Use verbose mode (`-v`/`-vv`) to see redirection details.
Hint: You can configure accepted/rejected response codes with `-a` or `--accept`
⚠️ MARKDOWN / markdownlint - 1 error
docs/adr/0000-record-architecture-decisions.md:30:401 error MD013/line-length Line length [Expected: 400; Actual: 520]
⚠️ REPOSITORY / osv-scanner - 1 error
Scanning dir .
Starting filesystem walk for root: /
Scanned .devcontainer/docs/requirements.txt file and found 14 packages
Scanned .devcontainer/cpp/requirements.txt file and found 20 packages
Scanned package-lock.json file and found 73 packages
Scanned test/rust/workspace/cargo/Cargo.lock file and found 1 package
Scanned test/rust/workspace/test/Cargo.lock file and found 1 package
Scanned test/rust/workspace/cortex-m/Cargo.lock file and found 20 packages
Scanned test/rust/workspace/clippy/Cargo.lock file and found 1 package
Scanned test/rust/workspace/cortex-mf/Cargo.lock file and found 20 packages
End status: 103 dirs visited, 338 inodes visited, 8 Extract calls, 22.74689ms elapsed, 22.74702ms wall time

Total 2 packages affected by 2 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 2 Unknown) from 1 ecosystem.
0 vulnerabilities can be fixed.

+-----------------------------------+------+-----------+------------+---------+---------------+------------------------------------------+
| OSV URL                           | CVSS | ECOSYSTEM | PACKAGE    | VERSION | FIXED VERSION | SOURCE                                   |
+-----------------------------------+------+-----------+------------+---------+---------------+------------------------------------------+
| https://osv.dev/RUSTSEC-2026-0110 |      | crates.io | bare-metal | 0.2.5   | --            | test/rust/workspace/cortex-m/Cargo.lock  |
| https://osv.dev/RUSTSEC-2026-0110 |      | crates.io | bare-metal | 0.2.5   | --            | test/rust/workspace/cortex-mf/Cargo.lock |
+-----------------------------------+------+-----------+------------+---------+---------------+------------------------------------------+

Notices

📣 MegaLinter 9.5.0 is out! Discover the new features and security recommendations in the release announcement. (Skip this info by defining SECURITY_SUGGESTIONS: false)

See detailed reports in MegaLinter artifacts

You could have the same capabilities but better runtime performances if you use a MegaLinter flavor:

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

  • Documentation: Custom Flavors
  • Command: npx mega-linter-runner@9.5.0 --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,DOCKERFILE_HADOLINT,JSON_V8R,JSON_PRETTIER,JSON_NPM_PACKAGE_JSON_LINT,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_OSV_SCANNER,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,SPELL_LYCHEE,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

MegaLinter is graciously provided by OX Security
Show us your support by starring ⭐ the repository

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

📦 Container Size Analysis

Note

Comparing ghcr.io/philips-software/amp-devcontainer-docs:edgeghcr.io/philips-software/amp-devcontainer-docs:pr-1346

📈 Size Comparison Table

OS/Platform Previous Current Change Trend
linux/amd64 196.54 MB 200.11 MB +3.57 MB (+1.82%) 🔼
linux/arm64 192.98 MB 196.34 MB +3.35 MB (+1.74%) 🔼

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

📦 Container Size Analysis

Note

Comparing ghcr.io/philips-software/amp-devcontainer-rust:edgeghcr.io/philips-software/amp-devcontainer-rust:pr-1346

📈 Size Comparison Table

OS/Platform Previous Current Change Trend
linux/amd64 468.61 MB 468.82 MB +208.53 kB (+0.04%) 🔼
linux/arm64 419.79 MB 419.61 MB 186.03 kB (-0.04%) 🔽

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

📦 Container Size Analysis

Note

Comparing ghcr.io/philips-software/amp-devcontainer-cpp:edgeghcr.io/philips-software/amp-devcontainer-cpp:pr-1346

📈 Size Comparison Table

OS/Platform Previous Current Change Trend
linux/amd64 371.94 MB 372.05 MB +100.84 kB (+0.03%) 🔼
linux/arm64 352.19 MB 352.21 MB +12.79 kB (+0%) 🔼

@rjaegers Ron (rjaegers) temporarily deployed to acceptance-testing July 9, 2026 19:47 — with GitHub Actions Inactive
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

📦 Container Size Analysis

Note

Comparing ghcr.io/philips-software/amp-devcontainer-embedded-cpp:edgeghcr.io/philips-software/amp-devcontainer-embedded-cpp:pr-1346

📈 Size Comparison Table

OS/Platform Previous Current Change Trend
linux/amd64 560.33 MB 560.43 MB +105.2 kB (+0.02%) 🔼
linux/arm64 538.93 MB 538.86 MB 65.16 kB (-0.01%) 🔽

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Test Results

 21 files  ± 0   21 suites  ±0   17m 33s ⏱️ - 1m 59s
 44 tests + 4   44 ✅ + 4  0 💤 ±0  0 ❌ ±0 
185 runs  +16  185 ✅ +16  0 💤 ±0  0 ❌ ±0 

Results for commit f4cb804. ± Comparison against base commit 8731e2a.

♻️ This comment has been updated with latest results.

Copilot AI review requested due to automatic review settings July 9, 2026 20:07

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (1)

.devcontainer/cpp/Dockerfile:78

  • ARM_GNU_TOOLCHAIN_VERSION is now configurable, but the SHA256 values are still hard-coded for 15.2.rel1. If someone builds with a different --build-arg ARM_GNU_TOOLCHAIN_VERSION=..., the checksum verification will fail (or worse, be updated incorrectly without being tied to the version). Consider either (a) removing the version build-arg and keeping the URL/version fully pinned, or (b) adding per-arch checksum build args (or a version→checksum mapping) that are updated together with the version.
    if [[ "${BUILD_EMBEDDED_FLAVOR}" == "true" ]]; then
        ARM_GNU_TOOLCHAIN_URL="https://developer.arm.com/-/media/Files/downloads/gnu/${ARM_GNU_TOOLCHAIN_VERSION}/binrel/arm-gnu-toolchain-${ARM_GNU_TOOLCHAIN_VERSION}-$(uname -m)-arm-none-eabi.tar.xz"
        ARM_GNU_TOOLCHAIN_TAR="/tmp/arm-gnu-toolchain.tar.xz"

        if [[ "$(uname -m)" == "x86_64" ]]; then
            ARM_GNU_TOOLCHAIN_SHA256="597893282ac8c6ab1a4073977f2362990184599643b4c5ee34870a8215783a16"
        elif [[ "$(uname -m)" == "aarch64" ]]; then
            ARM_GNU_TOOLCHAIN_SHA256="d061559d814b205ed30c5b7c577c03317ec447ca51cd5a159d26b12a5bbeb20c"
        fi

Comment thread .devcontainer/rust/Dockerfile Outdated

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 15 out of 15 changed files in this pull request and generated no new comments.

Copilot AI review requested due to automatic review settings July 10, 2026 12:39
Comment on lines +1 to +8
[
"bats",
"bats-assert",
"bats-support",
"git",
"gnupg2",
"wget"
]

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[MegaLinter] reported by reviewdog 🐶

Suggested change
[
"bats",
"bats-assert",
"bats-support",
"git",
"gnupg2",
"wget"
]
["bats", "bats-assert", "bats-support", "git", "gnupg2", "wget"]

Comment on lines +1 to +5
[
"graphviz",
"plantuml",
"sbdl"
]

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[MegaLinter] reported by reviewdog 🐶

Suggested change
[
"graphviz",
"plantuml",
"sbdl"
]
["graphviz", "plantuml", "sbdl"]

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 16 out of 16 changed files in this pull request and generated no new comments.

@rjaegers Ron (rjaegers) temporarily deployed to acceptance-testing July 10, 2026 12:49 — with GitHub Actions Inactive
Copilot AI review requested due to automatic review settings July 10, 2026 13:30

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 17 out of 17 changed files in this pull request and generated 3 comments.

Comment thread .devcontainer/base/add-sbom-note.sh Outdated
Comment thread .github/workflows/release-build.yml Outdated
Comment thread .github/workflows/wc-build-push.yml
@rjaegers Ron (rjaegers) temporarily deployed to acceptance-testing July 10, 2026 13:41 — with GitHub Actions Inactive
Copilot AI review requested due to automatic review settings July 12, 2026 11:14

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 18 out of 18 changed files in this pull request and generated 2 comments.

Comment thread .devcontainer/rust/Dockerfile Outdated
Comment thread .devcontainer/base/add-sbom-note.sh
Copilot AI review requested due to automatic review settings July 12, 2026 11:20
@sonarqubecloud

Copy link
Copy Markdown

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 18 out of 18 changed files in this pull request and generated 2 comments.

Comment thread .devcontainer/base/add-sbom-note.sh
Comment thread test/base/integration-tests.bats
@rjaegers Ron (rjaegers) temporarily deployed to acceptance-testing July 12, 2026 11:30 — with GitHub Actions Inactive
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants