feat: add missing tools to SBOM#1346
Conversation
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Ron <45816308+rjaegers@users.noreply.github.com>
📦 Container Size AnalysisNote Comparing 📈 Size Comparison Table
|
There was a problem hiding this comment.
Pull request overview
This PR updates the Rust devcontainer image to make additional Rust tooling explicitly versioned and to improve SBOM completeness by annotating installed binaries with ELF package metadata so Syft can detect them.
Changes:
- Parameterized versions for
cargo-binutils,cargo-mutants,flip-link, andprobe-rs-toolsvia newARGs. - Updated the
cargo-binstallinstallation step to use the versionARGs. - Added a build step that annotates selected binaries with a
.note.packagesection containing name/version/purl metadata for SBOM generation.
✅
|
| Descriptor | Linter | Files | Fixed | Errors | Warnings | Elapsed time |
|---|---|---|---|---|---|---|
| ✅ ACTION | actionlint | 23 | 0 | 0 | 0.2s | |
| ✅ DOCKERFILE | hadolint | 4 | 0 | 0 | 0.18s | |
| ✅ JSON | npm-package-json-lint | yes | no | no | 0.37s | |
| ✅ JSON | prettier | 37 | 8 | 0 | 0 | 0.71s |
| ✅ JSON | v8r | 37 | 0 | 0 | 9.31s | |
| markdownlint | 13 | 0 | 1 | 0 | 1.02s | |
| ✅ MARKDOWN | markdown-table-formatter | 13 | 0 | 0 | 0 | 0.2s |
| ✅ REPOSITORY | checkov | yes | no | no | 32.48s | |
| ✅ REPOSITORY | gitleaks | yes | no | no | 0.7s | |
| ✅ REPOSITORY | git_diff | yes | no | no | 0.06s | |
| ✅ REPOSITORY | grype | yes | no | no | 49.88s | |
| osv-scanner | yes | 1 | no | 0.85s | ||
| ✅ REPOSITORY | secretlint | yes | no | no | 1.81s | |
| ✅ REPOSITORY | syft | yes | no | no | 4.48s | |
| ✅ REPOSITORY | trivy | yes | no | no | 13.45s | |
| ✅ REPOSITORY | trivy-sbom | yes | no | no | 0.24s | |
| ✅ REPOSITORY | trufflehog | yes | no | no | 2.18s | |
| lychee | 105 | 5 | 0 | 11.59s | ||
| ✅ YAML | prettier | 32 | 0 | 0 | 0 | 1.11s |
| ✅ YAML | v8r | 32 | 0 | 0 | 8.96s | |
| ✅ YAML | yamllint | 32 | 0 | 0 | 1.88s |
Detailed Issues
⚠️ SPELL / lychee - 5 errors
📝 Summary
---------------------
🔍 Total..........147
🔗 Unique.........123
✅ Successful.....137
⏳ Timeouts.........0
🔀 Redirected......18
👻 Excluded.........0
❓ Unknown..........0
🚫 Errors...........5
⛔ Unsupported......5
Errors in .github/CONTRIBUTING.md
[ERROR] https://www.conventionalcommits.org/en/v1.0.0/ (at 89:64) | Network error: Connection reset by peer (os error 104)
Errors in .github/TOOL_VERSION_ISSUE_TEMPLATE.md
[403] https://developer.arm.com/downloads/-/arm-gnu-toolchain-downloads (at 38:7) | Rejected status code: 403 Forbidden
Errors in test/cpp/features/security.feature
[ERROR] https://slsa.dev/spec/v1.0/levels (at 20:30) | Connection failed. Check network connectivity and firewall settings
[ERROR] https://slsa.dev/spec/v1.0/threats (at 28:19) | Connection failed. Check network connectivity and firewall settings
[ERROR] https://slsa.dev/spec/v1.0/verifying-artifacts (at 24:25) | Connection failed. Check network connectivity and firewall settings
Hint: Followed 18 redirects. You might want to consider replacing redirecting URLs with the resolved URLs. Use verbose mode (`-v`/`-vv`) to see redirection details.
Hint: You can configure accepted/rejected response codes with `-a` or `--accept`
⚠️ MARKDOWN / markdownlint - 1 error
docs/adr/0000-record-architecture-decisions.md:30:401 error MD013/line-length Line length [Expected: 400; Actual: 520]
⚠️ REPOSITORY / osv-scanner - 1 error
Scanning dir .
Starting filesystem walk for root: /
Scanned .devcontainer/docs/requirements.txt file and found 14 packages
Scanned .devcontainer/cpp/requirements.txt file and found 20 packages
Scanned package-lock.json file and found 73 packages
Scanned test/rust/workspace/cargo/Cargo.lock file and found 1 package
Scanned test/rust/workspace/test/Cargo.lock file and found 1 package
Scanned test/rust/workspace/cortex-m/Cargo.lock file and found 20 packages
Scanned test/rust/workspace/clippy/Cargo.lock file and found 1 package
Scanned test/rust/workspace/cortex-mf/Cargo.lock file and found 20 packages
End status: 103 dirs visited, 338 inodes visited, 8 Extract calls, 22.74689ms elapsed, 22.74702ms wall time
Total 2 packages affected by 2 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 2 Unknown) from 1 ecosystem.
0 vulnerabilities can be fixed.
+-----------------------------------+------+-----------+------------+---------+---------------+------------------------------------------+
| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |
+-----------------------------------+------+-----------+------------+---------+---------------+------------------------------------------+
| https://osv.dev/RUSTSEC-2026-0110 | | crates.io | bare-metal | 0.2.5 | -- | test/rust/workspace/cortex-m/Cargo.lock |
| https://osv.dev/RUSTSEC-2026-0110 | | crates.io | bare-metal | 0.2.5 | -- | test/rust/workspace/cortex-mf/Cargo.lock |
+-----------------------------------+------+-----------+------------+---------+---------------+------------------------------------------+
Notices
📣 MegaLinter 9.5.0 is out! Discover the new features and security recommendations in the release announcement. (Skip this info by defining SECURITY_SUGGESTIONS: false)
See detailed reports in MegaLinter artifacts
You could have the same capabilities but better runtime performances if you use a MegaLinter flavor:
- oxsecurity/megalinter/flavors/salesforce@v9.5.0 (59 linters)
- oxsecurity/megalinter/flavors/javascript@v9.5.0 (62 linters)
Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)
- Documentation: Custom Flavors
- Command:
npx mega-linter-runner@9.5.0 --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,DOCKERFILE_HADOLINT,JSON_V8R,JSON_PRETTIER,JSON_NPM_PACKAGE_JSON_LINT,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_OSV_SCANNER,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,SPELL_LYCHEE,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

Show us your support by starring ⭐ the repository
📦 Container Size AnalysisNote Comparing 📈 Size Comparison Table
|
📦 Container Size AnalysisNote Comparing 📈 Size Comparison Table
|
📦 Container Size AnalysisNote Comparing 📈 Size Comparison Table
|
📦 Container Size AnalysisNote Comparing 📈 Size Comparison Table
|
…m/philips-software/amp-devcontainer into feature/add-missing-tools-to-sbom
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
Comments suppressed due to low confidence (1)
.devcontainer/cpp/Dockerfile:78
ARM_GNU_TOOLCHAIN_VERSIONis now configurable, but the SHA256 values are still hard-coded for 15.2.rel1. If someone builds with a different--build-arg ARM_GNU_TOOLCHAIN_VERSION=..., the checksum verification will fail (or worse, be updated incorrectly without being tied to the version). Consider either (a) removing the version build-arg and keeping the URL/version fully pinned, or (b) adding per-arch checksum build args (or a version→checksum mapping) that are updated together with the version.
if [[ "${BUILD_EMBEDDED_FLAVOR}" == "true" ]]; then
ARM_GNU_TOOLCHAIN_URL="https://developer.arm.com/-/media/Files/downloads/gnu/${ARM_GNU_TOOLCHAIN_VERSION}/binrel/arm-gnu-toolchain-${ARM_GNU_TOOLCHAIN_VERSION}-$(uname -m)-arm-none-eabi.tar.xz"
ARM_GNU_TOOLCHAIN_TAR="/tmp/arm-gnu-toolchain.tar.xz"
if [[ "$(uname -m)" == "x86_64" ]]; then
ARM_GNU_TOOLCHAIN_SHA256="597893282ac8c6ab1a4073977f2362990184599643b4c5ee34870a8215783a16"
elif [[ "$(uname -m)" == "aarch64" ]]; then
ARM_GNU_TOOLCHAIN_SHA256="d061559d814b205ed30c5b7c577c03317ec447ca51cd5a159d26b12a5bbeb20c"
fi
| [ | ||
| "bats", | ||
| "bats-assert", | ||
| "bats-support", | ||
| "git", | ||
| "gnupg2", | ||
| "wget" | ||
| ] |
There was a problem hiding this comment.
[MegaLinter] reported by reviewdog 🐶
| [ | |
| "bats", | |
| "bats-assert", | |
| "bats-support", | |
| "git", | |
| "gnupg2", | |
| "wget" | |
| ] | |
| ["bats", "bats-assert", "bats-support", "git", "gnupg2", "wget"] |
| [ | ||
| "graphviz", | ||
| "plantuml", | ||
| "sbdl" | ||
| ] |
There was a problem hiding this comment.
[MegaLinter] reported by reviewdog 🐶
| [ | |
| "graphviz", | |
| "plantuml", | |
| "sbdl" | |
| ] | |
| ["graphviz", "plantuml", "sbdl"] |
|



🚀 Hey, I have created a Pull Request
Description of changes
This pull request introduces a system for generating and publishing a curated, per-flavor tool inventory for each devcontainer image, ensuring that the set of included tools and their versions are clearly documented and tracked in the release notes. It does this by annotating binaries so they are reliably detected in the SBOM, filtering the SBOM against an allowlist, and updating the release automation and templates to include tool tables and attach inventories as release assets.
The most important changes are:
SBOM Annotation and Tool Detection Improvements
.devcontainer/base/add-sbom-note.sh, a script that annotates ELF binaries with systemd.note.packagemetadata so Syft can reliably detect tools installed outside of package managers and include them in the SBOM. This script is installed into the base image and used by downstream flavors. (.devcontainer/base/add-sbom-note.sh,.devcontainer/base/Dockerfile, [1] [2] [3]add-sbom-noteto annotate tools that would otherwise be missed by Syft, ensuring a complete SBOM. (.devcontainer/cpp/Dockerfile,.devcontainer/rust/Dockerfile, [1] [2]Tool Inventory Generation and Tracking
tool-inventory.json) per devcontainer flavor to specify which tools to track, and a script (.github/scripts/generate-tool-inventory.sh) to extract tool/version/purl info from the SBOM, failing builds if expected tools are missing. (.devcontainer/base/tool-inventory.json,.devcontainer/cpp/tool-inventory.json,.devcontainer/embedded-cpp/tool-inventory.json,.devcontainer/rust/tool-inventory.json,.devcontainer/docs/tool-inventory.json, [1] [2] [3] [4] [5] [6]Release Notes and Automation Enhancements
.github/RELEASE_TEMPLATE.md,.github/workflows/release-build.yml, [1] [2].github/workflows/build-push-test.yml,.github/workflows/wc-build-push-test.yml,.github/workflows/wc-build-push.yml, [1] [2] [3] [4]Dependency Updates
binutilsas a required package in the base image to support ELF annotation. (.devcontainer/base/apt-requirements.json, .devcontainer/base/apt-requirements.jsonR3)General Improvements
These changes ensure that the devcontainer images have transparent, reproducible tool inventories, and that any accidental tool removals or renames are caught early in CI.
✔️ Checklist