rucoder
diff --git a/‎eve-tools/bpftrace-compiler/root/Dockerfile‎
Lines changed: 1 addition & 1 deletion b/‎eve-tools/bpftrace-compiler/root/Dockerfile‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎pkg/apparmor/Dockerfile‎
Lines changed: 4 additions & 1 deletion b/‎pkg/apparmor/Dockerfile‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎pkg/bpftrace/Dockerfile‎
Lines changed: 7 additions & 1 deletion b/‎pkg/bpftrace/Dockerfile‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎pkg/bsp-imx/Dockerfile‎
Lines changed: 9 additions & 1 deletion b/‎pkg/bsp-imx/Dockerfile‎
Lines changed: 9 additions & 1 deletion
diff --git a/‎pkg/debug/Dockerfile‎
Lines changed: 7 additions & 1 deletion b/‎pkg/debug/Dockerfile‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎pkg/dnsmasq/Dockerfile‎
Lines changed: 4 additions & 1 deletion b/‎pkg/dnsmasq/Dockerfile‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎pkg/dom0-ztools/Dockerfile‎
Lines changed: 4 additions & 1 deletion b/‎pkg/dom0-ztools/Dockerfile‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎pkg/edgeview/Dockerfile‎
Lines changed: 2 additions & 2 deletions b/‎pkg/edgeview/Dockerfile‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎pkg/fscrypt/Dockerfile‎
Lines changed: 6 additions & 2 deletions b/‎pkg/fscrypt/Dockerfile‎
Lines changed: 6 additions & 2 deletions
diff --git a/‎pkg/fw/Dockerfile‎
Lines changed: 33 additions & 4 deletions b/‎pkg/fw/Dockerfile‎
Lines changed: 33 additions & 4 deletions
@@ -7,7 +7,7 @@ FROM ${EVE_KERNEL} AS kernel
 
 FROM lfedge/eve-bpftrace:03c26b968615b09b491f71e61e35d3f2675835ef AS eve-bpftrace
 
-FROM lfedge/eve-alpine:1f744180283ffb4eabcc3862531aeacf1de886b3 AS bpftrace
+FROM lfedge/eve-alpine:41f3648ded073c351d0dcd3432322f5816c9c7b1 AS bpftrace
 
 # hadolint ignore=DL3018
 RUN apk add --no-cache --initdb binutils make gcc g++ git perl musl-dev cmake zlib-dev bcc-dev libbpf-dev cereal flex bison llvm17-libs llvm17-dev llvm17-static clang17-dev clang17-static pahole gtest-dev bash
 
@@ -3,7 +3,7 @@
 # Copyright (c) 2023 Zededa, Inc.
 # SPDX-License-Identifier: Apache-2.0
 
-FROM lfedge/eve-alpine:1f744180283ffb4eabcc3862531aeacf1de886b3 AS build
+FROM lfedge/eve-alpine:41f3648ded073c351d0dcd3432322f5816c9c7b1 AS build
 ENV BUILD_PKGS linux-headers musl-dev musl-utils musl-libintl git gcc g++ \
                autoconf autoconf-archive automake libtool make flex bison \
                bash sed gettext
@@ -20,6 +20,9 @@ WORKDIR /apparmor/parser
 RUN ../common/list_af_names.sh > base_af_names.h
 RUN make CFLAGS="-Os"
 
+# Register apparmor in the APK DB, mandatory for it to be included in the SBOM.
+RUN register-sbom-pkg.sh -n apparmor -v 4.1.3 -l GPL-2.0-only -u https://gitlab.com/apparmor/apparmor.git
+
 #Pull a selected set of artifacts into the final stage.
 FROM scratch
 COPY --from=build /out/ /
 
@@ -2,7 +2,7 @@
 
 # Copyright (c) 2024 Zededa, Inc.
 # SPDX-License-Identifier: Apache-2.0
-FROM lfedge/eve-alpine:1f744180283ffb4eabcc3862531aeacf1de886b3 AS build
+FROM lfedge/eve-alpine:41f3648ded073c351d0dcd3432322f5816c9c7b1 AS build
 
 ENV BUILD_PKGS libbpf-dev make gcc g++ git perl linux-headers musl-dev cmake elfutils-dev llvm17-libs llvm17-dev llvm17-gtest llvm17-static cereal flex bison clang17-extra-tools clang17-dev clang17-static pahole gtest-dev bash py3-setuptools zip zlib-dev
 
@@ -23,6 +23,8 @@ RUN cmake -DCMAKE_INSTALL_PREFIX:PATH=/usr -DCMAKE_CXX_COMPILER=clang++-17 -DCMA
 RUN make -j "$(getconf _NPROCESSORS_ONLN)"
 RUN make install
 
+# Register bcc in the APK DB, mandatory for it to be included in the SBOM.
+RUN register-sbom-pkg.sh -n bcc -v 0.27.0 -l Apache-2.0 -u https://github.com/iovisor/bcc.git
 
 RUN mkdir -p /usr/src
 ADD https://github.com/bpftrace/bpftrace.git#v0.20.3 /usr/src/bpftrace
@@ -35,6 +37,9 @@ RUN cmake -DCMAKE_INSTALL_PREFIX:PATH=/usr -DCMAKE_CXX_COMPILER=clang++-17 -DCMA
 RUN make -j "$(getconf _NPROCESSORS_ONLN)"
 RUN make install
 
+# Register bpftrace in the APK DB, mandatory for it to be included in the SBOM.
+RUN register-sbom-pkg.sh -n bpftrace -v 0.20.3 -l Apache-2.0 -u https://github.com/bpftrace/bpftrace.git
+
 # portability analyser is disabled, therefore skip those tests
 # skip file exist test - probably broken because of container
 # unfortunately /proc/cpuinfo on docker on M1 mac is not telling much, so let's use the bogomips
@@ -52,6 +57,7 @@ RUN if [ "$TARGETARCH" = "$BUILDARCH" ]; then \
     fi
 
 FROM scratch AS bin
+COPY --from=build /out/lib/apk/db/installed /lib/apk/db/installed
 COPY --from=build /usr/bin/bpftrace /bpftrace/usr/bin/bpftrace
 COPY --from=build /usr/bin/bpftrace-aotrt /bpftrace-aotrt/usr/bin/bpftrace-aotrt
 
 
@@ -4,7 +4,7 @@
 ARG BUILD_PKGS_BASE="bash binutils-dev build-base bc bison flex openssl-dev util-linux-dev swig gnutls-dev perl python3 python3-dev py3-setuptools py3-pycryptodome py3-elftools"
 
 # we use the same image in several places
-ARG EVE_ALPINE_IMAGE=lfedge/eve-alpine:1f744180283ffb4eabcc3862531aeacf1de886b3
+ARG EVE_ALPINE_IMAGE=lfedge/eve-alpine:41f3648ded073c351d0dcd3432322f5816c9c7b1
 
 # OPTEE-OS images
 FROM lfedge/eve-optee-os:3c441f553d0037cbd49689e35b695632c2c8a9b4 AS optee-os
@@ -197,8 +197,16 @@ RUN for target in ${UBOOT_TARGETS}; do \
         [ -f "$udtb" ] && cp $udtb /bsp/ ;\
     done
 
+# Register imx-atf, firmware-imx and uboot-imx in the APK DB, mandatory for them to be included in the SBOM.
+RUN if [ "$EVE_TARGET_ARCH" = "aarch64" ]; then \
+        register-sbom-pkg.sh -n imx-atf -v "${ATF_COMMIT_imx8mp_pollux:0:8}" -l BSD-3-Clause -u https://github.com/nxp-imx/imx-atf && \
+        register-sbom-pkg.sh -n firmware-imx -v "${FIRMWARE_VER}" -l proprietary -u https://www.nxp.com && \
+        register-sbom-pkg.sh -n uboot-imx -v "${UBOOT_VERSION}" -l GPL-2.0-only -u https://github.com/nxp-imx/uboot-imx; \
+    fi
+
 FROM scratch
 ENTRYPOINT []
 CMD []
 COPY --from=build /bsp /bsp-imx
+COPY --from=build /out/lib/apk/db/installed /lib/apk/db/installed
 
@@ -10,7 +10,7 @@
 # into the package: see abuild/etc/abuild.conf.
 FROM lfedge/eve-recovertpm:478513dfbf4681b19f11a9afdede6194cceea301 AS recovertpm
 FROM lfedge/eve-bpftrace:03c26b968615b09b491f71e61e35d3f2675835ef AS bpftrace
-FROM lfedge/eve-alpine:1f744180283ffb4eabcc3862531aeacf1de886b3 AS build
+FROM lfedge/eve-alpine:41f3648ded073c351d0dcd3432322f5816c9c7b1 AS build
 ENV BUILD_PKGS="abuild curl tar make linux-headers patch g++ git gcc gpg gettext gettext-static ncurses-dev jq autoconf openssl-dev zlib-dev zlib-static gpg-agent"
 # Feel free to add additional packages here, but be aware that
 # EVE's rootfs image can be no larger than 300Mb (and don't
@@ -58,6 +58,9 @@ RUN for patch in *.patch; do \
     make -j$(nproc) -C src VERSION=B.${LSHW_VERSION} NO_VERSION_CHECK=1 RPM_OPT_FLAGS=-DNONLS ZLIB=1 GZIP="busybox gzip -n9" static && \
     cp src/lshw-static /out/usr/bin/lshw && strip /out/usr/bin/lshw
 
+# Register lshw in the APK DB, mandatory for it to be included in the SBOM.
+RUN register-sbom-pkg.sh -n lshw -v "B.${LSHW_VERSION}" -l GPL-2.0-only -u https://www.ezix.org/software/files/lshw
+
 # building hexedit
 WORKDIR /tmp/hexedit/hexedit-1.5
 # hadolint ignore=DL4006
@@ -66,6 +69,9 @@ RUN tar -C .. -xzvf ../1.5.tar.gz
 # hadolint ignore=SC2046
 RUN ./autogen.sh && ./configure && make -j$(nproc) && make DESTDIR=/out install
 
+# Register hexedit in the APK DB, mandatory for it to be included in the SBOM.
+RUN register-sbom-pkg.sh -n hexedit -v 1.5 -l GPL-2.0-only -u https://github.com/pixel/hexedit
+
 # tweaking various bit
 WORKDIR /out
 COPY debug-services.sh ssh-service.sh edgeview-collectinfo.sh spec.sh scripts/ ./usr/bin/
 
@@ -1,7 +1,7 @@
 # Copyright (c) 2025 Zededa, Inc.
 # SPDX-License-Identifier: Apache-2.0
 
-FROM lfedge/eve-alpine:1f744180283ffb4eabcc3862531aeacf1de886b3 AS build
+FROM lfedge/eve-alpine:41f3648ded073c351d0dcd3432322f5816c9c7b1 AS build
 ENV BUILD_PKGS gcc make patch libc-dev linux-headers tar xz coreutils
 RUN eve-alpine-deploy.sh
 
@@ -25,6 +25,9 @@ RUN rm -rf /out
 RUN make  -j "$(getconf _NPROCESSORS_ONLN)"
 RUN make install DESTDIR=/out PREFIX=/usr
 
+# Register dnsmasq in the APK DB, mandatory for it to be included in the SBOM.
+RUN register-sbom-pkg.sh -n dnsmasq -v "${DNSMASQ_VERSION}" -l GPL-2.0-only -u https://thekelleys.org.uk/dnsmasq
+
 FROM build AS test
 
 COPY dnstest /dnstest
 
@@ -3,7 +3,7 @@
 # Copyright (c) 2025 Zededa, Inc.
 # SPDX-License-Identifier: Apache-2.0
 
-FROM lfedge/eve-alpine:1f744180283ffb4eabcc3862531aeacf1de886b3 AS zfs
+FROM lfedge/eve-alpine:41f3648ded073c351d0dcd3432322f5816c9c7b1 AS zfs
 ENV BUILD_PKGS="git patch ca-certificates util-linux build-base gettext-dev libtirpc-dev automake autoconf \
     libtool linux-headers attr-dev e2fsprogs-dev glib-dev openssl-dev util-linux-dev coreutils"
 ENV PKGS="ca-certificates util-linux libintl libuuid libtirpc libblkid libcrypto3 zlib"
@@ -43,6 +43,9 @@ RUN rm -rf /tmp/zfs-out/usr/share && rm -rf /tmp/zfs-out/usr/src && \
 RUN find /tmp/zfs-out -mindepth 1|sed 's@/tmp/zfs-out@@'>/out/etc/zfs-files
 RUN cp -r /tmp/zfs-out/* /out
 
+# Register zfs in the APK DB, mandatory for it to be included in the SBOM.
+RUN register-sbom-pkg.sh -n zfs -v "${ZFS_VERSION}" -l CDDL-1.0 -u https://github.com/openzfs/zfs
+
 # Add directory for CDI files
 RUN mkdir -p /out/etc/cdi
 
 
@@ -2,12 +2,12 @@
 # SPDX-License-Identifier: Apache-2.0
 
 # hadolint ignore=DL3006
-FROM lfedge/eve-alpine:1f744180283ffb4eabcc3862531aeacf1de886b3 AS runtime
+FROM lfedge/eve-alpine:41f3648ded073c351d0dcd3432322f5816c9c7b1 AS runtime
 ENV PKGS alpine-baselayout musl-utils iproute2 iptables
 RUN eve-alpine-deploy.sh
 
 # hadolint ignore=DL3029
-FROM --platform=$BUILDPLATFORM lfedge/eve-alpine:1f744180283ffb4eabcc3862531aeacf1de886b3 AS build
+FROM --platform=$BUILDPLATFORM lfedge/eve-alpine:41f3648ded073c351d0dcd3432322f5816c9c7b1 AS build
 ARG TARGETARCH
 
 COPY src/  /edge-view/.
 
@@ -2,7 +2,7 @@
 
 # SPDX-License-Identifier: Apache-2.0
 
-FROM lfedge/eve-alpine:1f744180283ffb4eabcc3862531aeacf1de886b3 AS build-base
+FROM lfedge/eve-alpine:41f3648ded073c351d0dcd3432322f5816c9c7b1 AS build-base
 
 FROM build-base AS build-amd64
 FROM build-base AS build-arm64
@@ -28,5 +28,9 @@ RUN set -e && for patch in *.patch; do \
 
 RUN make -j "$(getconf _NPROCESSORS_ONLN)" && make DESTDIR="/out/opt/zededa" PREFIX="" install
 
+# Register fscrypt in the APK DB, mandatory for it to be included in the SBOM.
+RUN register-sbom-pkg.sh -n fscrypt -v "${FSCRYPT_COMMIT}" -l Apache-2.0 -u https://github.com/google/fscrypt
+
 FROM scratch
-COPY --from=build /out/opt/zededa/bin /opt/zededa/bin
+COPY --from=build /out/opt/zededa/bin /opt/zededa/bin
+COPY --from=build /out/lib/apk/db/installed /lib/apk/db/installed
@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile-upstream:1.5.0-rc2-labs
 ARG PLATFORM=generic
 
-FROM lfedge/eve-alpine:1f744180283ffb4eabcc3862531aeacf1de886b3 AS build-base
+FROM lfedge/eve-alpine:41f3648ded073c351d0dcd3432322f5816c9c7b1 AS build-base
 
 ARG TARGETARCH
 
@@ -100,10 +100,24 @@ ADD ${RPI_BT_FIRMWARE_URL}/${RPI_BT_FIRMWARE_VERSION}/broadcom/BCM4345C5.hcd .
 ENV HAILO_FW_VERSION=4.21.0
 ADD https://hailo-hailort.s3.eu-west-2.amazonaws.com/Hailo8/${HAILO_FW_VERSION}/FW/hailo8_fw.${HAILO_FW_VERSION}.bin /lib/firmware/hailo/hailo8_fw.bin
 
+# Register firmware packages in the APK DB, mandatory for them to be included in the SBOM.
+RUN register-sbom-pkg.sh -n wireless-regdb -v "${WIRELESS_REGDB_VERSION}" -l ISC -u https://wireless.wiki.kernel.org/en/developers/regulatory/wireless-regdb -o /sbom-out
+RUN register-sbom-pkg.sh -n linux-firmware -v "${LINUX_FIRMWARE_VERSION}" -l GPL-2.0-only -u https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git -o /sbom-out
+RUN register-sbom-pkg.sh -n rtw88-firmware -v "${RTL8822_FW_VERSION:0:8}" -l GPL-2.0-only -u https://github.com/lwfinger/rtw88 -o /sbom-out
+RUN register-sbom-pkg.sh -n hailo8-firmware -v "${HAILO_FW_VERSION}" -l proprietary -u https://hailo.ai -o /sbom-out
+RUN register-sbom-pkg.sh -n nvidia-l4t-firmware -v "${NVIDIA_FW_TEGRA}" -l proprietary -u https://repo.download.nvidia.com/jetson -o /sbom-out
+RUN if [ "${TARGETARCH}" = "arm64" ]; then \
+        register-sbom-pkg.sh -n rpi-firmware-nonfree -v "${RPI_FIRMWARE_VERSION:0:8}" -l proprietary -u https://github.com/RPi-Distro/firmware-nonfree -o /sbom-out && \
+        register-sbom-pkg.sh -n rpi-bluez-firmware -v "${RPI_BT_FIRMWARE_VERSION:0:8}" -l proprietary -u https://github.com/RPi-Distro/bluez-firmware -o /sbom-out; \
+    fi
+
 # generate initrd for Intel's and AMD's microcode
 # it makes sense only for x86_64 platform
-FROM --platform=${TARGETPLATFORM} lfedge/eve-alpine:1f744180283ffb4eabcc3862531aeacf1de886b3 AS ucode-build-common
+FROM --platform=${TARGETPLATFORM} lfedge/eve-alpine:41f3648ded073c351d0dcd3432322f5816c9c7b1 AS ucode-build-common
 RUN mkdir -p /boot /tmp/ucode/intel /tmp/ucode/amd /usr/share/licenses/ucode
+# Ensure /sbom-out/lib/apk/db/installed exists for all archs so the COPY in
+# compactor-common works even when no ucode registrations run (arm64/riscv64).
+RUN register-sbom-pkg.sh -o /sbom-out
 
 FROM ucode-build-common AS ucode-build-amd64
 ENV BUILD_PKGS=iucode-tool
@@ -139,13 +153,22 @@ RUN cp /tmp/ucode/amd/linux-firmware/LICENSE.amd-ucode /usr/share/licenses/ucode
 # merge intel and amd microcode
 RUN cat /tmp/ucode/intel/intel-ucode.img /tmp/ucode/amd/amd-ucode.img >/boot/ucode.img
 
+# Register intel-ucode and amd-ucode in the APK DB, mandatory for them to be included in the SBOM.
+RUN register-sbom-pkg.sh -n intel-ucode -v "${INTEL_UCODE_VERSION}" -l proprietary -u https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files -o /sbom-out
+RUN register-sbom-pkg.sh -n amd-ucode -v "${AMD_UCODE_VERSION}" -l proprietary -u https://www.amd.com -o /sbom-out
+
 FROM ucode-build-common AS ucode-build-arm64
 FROM ucode-build-common AS ucode-build-riscv64
 FROM ucode-build-${TARGETARCH} AS ucode-build
 
-FROM lfedge/eve-alpine:1f744180283ffb4eabcc3862531aeacf1de886b3 AS compactor-common
+FROM lfedge/eve-alpine:41f3648ded073c351d0dcd3432322f5816c9c7b1 AS compactor-common
 ENTRYPOINT []
 WORKDIR /
+# Reset the APK DB so the final image only reports source-built/firmware packages
+RUN rm -f /lib/apk/db/installed && register-sbom-pkg.sh -o /
+COPY --from=build /sbom-out/lib/apk/db/installed /tmp/sbom-fw
+COPY --from=ucode-build /sbom-out/lib/apk/db/installed /tmp/sbom-ucode
+RUN cat /tmp/sbom-fw /tmp/sbom-ucode >> /lib/apk/db/installed && rm -f /tmp/sbom-fw /tmp/sbom-ucode
 COPY --from=build /lib/firmware/regulatory* /lib/firmware/
 COPY --from=build /lib/firmware/bnx2x/* /lib/firmware/bnx2x/
 COPY --from=build /lib/firmware/mrvl/*.bin /lib/firmware/mrvl/
@@ -222,7 +245,12 @@ RUN if [ "$TARGETARCH" = "arm64" ]; then \
     fi
 
 
-FROM lfedge/eve-alpine:1f744180283ffb4eabcc3862531aeacf1de886b3 AS compactor-full
+FROM lfedge/eve-alpine:41f3648ded073c351d0dcd3432322f5816c9c7b1 AS compactor-full
+# Reset the APK DB so the final image only reports source-built/firmware packages
+RUN rm -f /lib/apk/db/installed && register-sbom-pkg.sh -o /
+COPY --from=build /sbom-out/lib/apk/db/installed /tmp/sbom-fw
+COPY --from=ucode-build /sbom-out/lib/apk/db/installed /tmp/sbom-ucode
+RUN cat /tmp/sbom-fw /tmp/sbom-ucode >> /lib/apk/db/installed && rm -f /tmp/sbom-fw /tmp/sbom-ucode
 # get all possible FW
 COPY --from=build /lib/firmware/ /lib/firmware/
 
@@ -239,5 +267,6 @@ ENTRYPOINT []
 WORKDIR /
 
 COPY --from=compactor /lib/firmware /lib/firmware
+COPY --from=compactor /lib/apk/db/installed /lib/apk/db/installed
 COPY --from=ucode-build /boot/ /boot/
 COPY --from=ucode-build /usr/share/licenses/ucode /usr/share/licenses/ucode