Moving cyclonedx generation to syft for better compilance.

Dockerfile

@@ -13,6 +13,11 @@ RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-ins
 RUN git clone https://github.com/gardenlinux/resizefat32
 RUN make -C resizefat32 install
 
+FROM debian:testing AS syft
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends ca-certificates wget jq
+RUN wget --quiet https://github.com/anchore/syft/releases/download/v1.44.0/syft_1.44.0_linux_$(dpkg --print-architecture).deb
+RUN DEBIAN_FRONTEND=noninteractive apt-get install --yes --no-install-recommends ./syft_1.44.0_linux_$(dpkg --print-architecture).deb
+
 FROM debian:testing
 
 LABEL org.opencontainers.image.source="https://github.com/gardenlinux/builder"
@@ -24,6 +29,7 @@ COPY --from=mv_data /usr/bin/mv_data /usr/bin/mv_data
 COPY --from=datefudge /usr/lib/datefudge/datefudge.so /usr/lib/datefudge/datefudge.so
 COPY --from=datefudge /usr/bin/datefudge /usr/bin/datefudge
 COPY --from=resizefat32 /usr/bin/resizefat32 /usr/bin/resizefat32
+COPY --from=syft /usr/bin/syft /usr/bin/syft
 RUN curl "https://github.com/gardenlinux/aws-kms-pkcs11/releases/download/latest/aws_kms_pkcs11-$(dpkg --print-architecture).so" -sLo "/usr/lib/$(uname -m)-linux-gnu/pkcs11/aws_kms_pkcs11.so"
 COPY builder /builder
 RUN mkdir /builder/cert

README.md

@@ -66,6 +66,13 @@ ln -f -s ../builder/build build
 
 Now you can make your modifications inside the builder directory and running `./build ${target}` inside the gardenlinux repo will use the local builder, rebuilding the build container if necessary.
 
+
+If you want to use a modified builder docker image, you can edit your changes into the `Dockerfile` and run the image build with
+```
+cd gardenlinux
+./build --container-image localhost/builder aws-gardener_prod
+```
+
 ## Licensing
 
 Copyright 2025 SAP SE or an SAP affiliate company and GardenLinux contributors. Please see our [LICENSE](LICENSE) for

builder/image.sbom

@@ -9,10 +9,26 @@ tar --extract --xattrs --xattrs-include '*' --directory "$chroot_dir" < "$1"
 mount --rbind --make-rslave /proc "$chroot_dir/proc"
 
 # build cyclonedx sbom
-tmpfile="$(mktemp --suffix '.dpkg.csv')"
-#shellcheck disable=SC2016
-chroot "$chroot_dir" dpkg-query --show --showformat='${binary:Package}\t${Version}\t${Architecture}\t${Homepage}\t${Maintainer}\t${source:Package}\t${source:Version}\n' > "$tmpfile"
-./dpkg_to_cyclonedx --input "$tmpfile" --output "$2" --builder_features "$BUILDER_FEATURES" --builder_cname "$BUILDER_CNAME" --builder_arch "$BUILDER_ARCH" --builder_version "$BUILDER_VERSION" --builder_unixtimestamp "$BUILDER_TIMESTAMP"
+SYFT_CACHE_DIR="$chroot_dir"/syft-cache syft --quiet "$1" --config syft.yaml --output cyclonedx-json | jq \
+  --arg cname "$BUILDER_CNAME" \
+  --arg arch "$BUILDER_ARCH" \
+  --arg version "$BUILDER_VERSION" \
+  --arg features "$BUILDER_FEATURES" \
+  --arg builder_timestamp "$BUILDER_TIMESTAMP" \
+  --arg cpe "" \
+  '.metadata.lifecycles = [{"phase": "post-build"}] |
+   .metadata.component = {
+    "type": "operating-system",
+    "name": "GardenLinux",
+    "version": $version,
+    "cpe": $cpe,
+    "properties": [
+      {"name": "cname", "value": $cname},
+      {"name": "arch", "value": $arch},
+      {"name": "features", "value": $features},
+      {"name": "build timestamp", "value": $builder_timestamp}
+    ]
+  }' > "$2"
 
 umount -l "$chroot_dir/proc"
 

builder/syft.yaml

@@ -0,0 +1,10 @@
+catalogers:
+  - dpkg-db-cataloger
+
+format:
+  cyclonedx-json:
+    pretty: true
+
+package:
+  search-indexed-archives: true
+  search-unindexed-archives: true

pkg.list

@@ -16,6 +16,7 @@ gnupg2
 libcurl4
 libengine-pkcs11-openssl
 libjson-c5
+jq
 make
 mmdebstrap
 mtools