[Buildroot] Buildroot 2025.02 released

Arnout Vandecappelle arnout at rnout.be
Wed Apr 16 19:44:44 UTC 2025


On 15/04/2025 09:24, Peter Korsgaard wrote:
>>>>>> "Robert" == Robert Smigielski <ptdropper at gmail.com> writes:
> Hi Robert,
>
>   > Hi Buildroot team
>   > I run a tiny open source project that also supports CycloneDX SBOM
>   > generation for Buildroot. I was part of this email channel but had to
>   > drop for work reasons.
>   > Glad to be back and offer support. The project I participate with is
>   > https://github.com/CycloneDX/cyclonedx-buildroot/ and would like to
>   > coordinate with you.
>
> Sorry for the slow response, things have been kind of busy here.
>
> Thanks for reaching out! I have used cyclonedx-buildroot in the past
> myself. Regarding coordination, can you give an overview of what the
> delta is in the output from cyclonedx-buildroot and our
> utils/generate-cyclonedx script? I have added Thomas, author of
> generate-cyclonedx here as well.

  I compared the two before applying the generate-cyclonedx code. The usage is 
slightly different - generate-cyclonedx expects show-info output as input, while 
cyclonedx-buildroot calls it internally.

  IIRC, the main differences in the output are:

- CVE exclusions are handled differently (or not at all in cyclonedx-buildroot?)

- generate-cyclonedx includes the patch contents, cyclonedx-buildroot just names 
them

- generate-cyclonedx doesn't add a PURL (but Thomas posted a series for that).


>
> For Buildroot, having a solid SBOM story out of the box is quite nice,
> so I would personally prefer to extend generate-cyclonedx if anything is
> missing.

  Yes, I also looked at just integrating cyclonedx-buildroot. However, that has 
quite a few PyPI dependencies, which we don't like to have for in-tree tools. 
generate-cyclonedx works with pure JSON instead of the cyclonedx Python library.


  Regards,
  Arnout
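
An added example, not part of the message above and not code from either project: one way to produce the output delta asked about in the thread, by comparing two CycloneDX JSON BOMs on the three points listed (PURL presence, embedded patch contents, CVE exclusions). The function names, the `busybox` component, the patch file name and the placeholder CVE id are assumptions; both sample BOMs are constructed and are not real output of either tool.

```python
import json

def summarize(bom):
    """Per-component facts from one parsed CycloneDX JSON BOM."""
    excluded = {}  # bom-ref -> CVE ids whose analysis state is not_affected
    for vuln in bom.get("vulnerabilities", []):
        if vuln.get("analysis", {}).get("state") != "not_affected":
            continue
        for target in vuln.get("affects", []):
            excluded.setdefault(target.get("ref"), set()).add(vuln.get("id"))
    out = {}
    for comp in bom.get("components", []):
        patches = comp.get("pedigree", {}).get("patches", [])
        texts = [p for p in patches if p.get("diff", {}).get("text", {}).get("content")]
        out[comp["name"]] = {
            "purl": "purl" in comp,            # package URL present?
            "patches": len(patches),           # patches listed at all
            "patch_text": len(texts),          # patches with contents embedded
            "excluded_cves": sorted(excluded.get(comp.get("bom-ref"), ())),
        }
    return out

def delta(bom_a, bom_b):
    """Return {component: {field: (a_value, b_value)}} for fields that differ."""
    a, b = summarize(bom_a), summarize(bom_b)
    result = {}
    for name in sorted(set(a) | set(b)):
        fa, fb = a.get(name), b.get(name)
        if fa is None or fb is None:           # component missing on one side
            result[name] = {"present": (fa is not None, fb is not None)}
            continue
        diff = {k: (fa[k], fb[k]) for k in fa if fa[k] != fb[k]}
        if diff:
            result[name] = diff
    return result

# Constructed sample BOMs (assumed shapes, chosen to differ on the three points).
BOM_A = {"components": [{"bom-ref": "busybox", "name": "busybox", "version": "1.0.0",
    "pedigree": {"patches": [{"type": "unofficial",
        "diff": {"text": {"content": "--- a/x\n+++ b/x\n"}}}]}}],
    "vulnerabilities": [{"id": "CVE-0000-0000",   # placeholder id
        "analysis": {"state": "not_affected"}, "affects": [{"ref": "busybox"}]}]}
BOM_B = {"components": [{"bom-ref": "busybox", "name": "busybox", "version": "1.0.0",
    "purl": "pkg:generic/busybox@1.0.0",
    "pedigree": {"patches": [{"type": "unofficial", "diff": {"url": "0001-fix.patch"}}]}}]}

if __name__ == "__main__":
    print(json.dumps(delta(BOM_A, BOM_B), indent=2))
```
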



