Conversation
Contributor
Pull request overview
Expands os-image-composer inspection and comparison capabilities to work with embedded SBOMs (SPDX JSON) inside generated images, including an SPDX-to-SPDX comparison mode and raw-partition SBOM extraction support (ext2/3/4 via debugfs).
Changes:
- Add SBOM discovery/parsing utilities (canonical SPDX hashing + package diffing) and include SBOM metadata in image inspection summaries/diffs.
- Extend CLI: `inspect --extract-sbom [out]` to extract embedded SPDX, and `compare --mode=spdx` to compare two SPDX JSON files directly.
- Enable raw ext2/3/4 reads for SBOM extraction using `debugfs` (and allowlist `debugfs` in the shell command map), plus unit tests.
Reviewed changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| internal/utils/shell/shell.go | Allowlists debugfs so raw ext* extraction can invoke it via the shell utility. |
| internal/image/imageinspect/sbom.go | Implements SBOM inspection, canonical SPDX hashing, and SPDX file comparison/diff helpers. |
| internal/image/imageinspect/sbom_test.go | Adds tests for canonical hashing stability and SPDX compare behavior. |
| internal/image/imageinspect/fs_raw.go | Adds raw-partition SBOM discovery + ext2/3/4 reading via debugfs. |
| internal/image/imageinspect/imageinspect.go | Adds SBOMSummary to ImageSummary and inspector options to enable SBOM inspection. |
| internal/image/imageinspect/compare.go | Adds SBOM diffing and summary reporting (SBOMChanged). |
| internal/image/imageinspect/renderer_text.go | Renders SBOM info in inspect output and SBOM diffs in compare text output; adds SPDX-compare text renderer. |
| internal/image/imageinspect/helpers_test.go | Updates verity-related tests for the renamed VeritySummary type. |
| internal/image/imageinspect/compare_test.go | Updates verity comparison tests for VeritySummary. |
| cmd/os-image-composer/inspect_cmd.go | Adds --extract-sbom flag handling and writes extracted SBOM to file/dir. |
| cmd/os-image-composer/inspect_cmd_test.go | Adds unit tests for SBOM extraction flag semantics and output writing. |
| cmd/os-image-composer/compare_cmd.go | Adds --mode=spdx to compare two SPDX JSON files (text/json output). |
| cmd/os-image-composer/compare_cmd_test.go | Adds tests covering SPDX compare mode without inspecting disk images. |
…o help with debugging SBOM inspection issues.
arodage reviewed Mar 9, 2026
arodage approved these changes Mar 9, 2026
arodage (Contributor) left a comment
One comment to address. Otherwise LGTM
Co-authored-by: Alpesh <alpesh.ramesh.rodage@intel.com>
stevenhoenisch approved these changes Mar 10, 2026
stevenhoenisch (Contributor) left a comment
LGTM for the .md file in the commit set. (I didn't look at the .go files or other code files.)
Merge Checklist
All boxes should be checked before merging the PR
Description
/usr/share/sbom.
`inspect` command has been expanded to optionally support extraction of the embedded `SPDX manifest` from an image using the command `os-image-composer inspect --extract-sbom <filename>`. The output filename is optional; if not provided, the filename as it appears on the filesystem will be used.
`compare` command has been extended to support comparison of SBOM content by using the following mode: `--mode=spdx`, where two SPDX JSON files can be provided for comparison, highlighting all the differences between the two SBOMs.
Any Newly Introduced Dependencies
How Has This Been Tested?
Added unit-test to cover inspect and compare commands
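The two SBOM operations this PR describes, canonical SPDX hashing with package diffing (review overview) and the `compare --mode=spdx` comparison of two SPDX JSON files (description), as an added, self-contained Go example. This is not the os-image-composer code from the PR: the type names, the SPDX field subset, the decision to drop `creationInfo.created` from the canonical form, and keying the diff by package `name` are this example's own assumptions, and the three SPDX JSON inputs are constructed here rather than taken from a real image.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"sort"
)

// Subset of SPDX 2.x JSON needed for package diffing (tags are SPDX field names).
type SPDXPackage struct {
	Name        string `json:"name"`
	VersionInfo string `json:"versionInfo"`
}
type SPDXDoc struct {
	SPDXVersion string        `json:"spdxVersion"`
	Packages    []SPDXPackage `json:"packages"`
}

// PackageDiff entries are "name@version" (Added/Removed) or "name: old -> new" (Changed).
type PackageDiff struct{ Added, Removed, Changed []string }

// ParseSPDX rejects JSON with no spdxVersion so an unrelated file is not compared as an SBOM.
func ParseSPDX(data []byte) (*SPDXDoc, error) {
	var doc SPDXDoc
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, fmt.Errorf("decode SPDX JSON: %w", err)
	}
	if doc.SPDXVersion == "" {
		return nil, fmt.Errorf("not an SPDX document: missing spdxVersion")
	}
	return &doc, nil
}

// CanonicalHash is SHA-256 over a canonical form: creationInfo.created is dropped
// (it changes on every build), packages are sorted by name@version and object keys
// are emitted sorted (encoding/json sorts map keys), so only content affects the hash.
func CanonicalHash(data []byte) (string, error) {
	var generic map[string]any
	if err := json.Unmarshal(data, &generic); err != nil {
		return "", fmt.Errorf("decode SPDX JSON: %w", err)
	}
	if ci, ok := generic["creationInfo"].(map[string]any); ok {
		delete(ci, "created")
	}
	key := func(v any) string {
		m, _ := v.(map[string]any)
		return fmt.Sprintf("%v@%v", m["name"], m["versionInfo"])
	}
	if pkgs, ok := generic["packages"].([]any); ok {
		sort.SliceStable(pkgs, func(i, j int) bool { return key(pkgs[i]) < key(pkgs[j]) })
	}
	canonical, err := json.Marshal(generic)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%x", sha256.Sum256(canonical)), nil
}

// DiffPackages compares by package name: one side only is added/removed, same name
// with a different versionInfo is changed. Lists are sorted so output is stable.
func DiffPackages(oldDoc, newDoc *SPDXDoc) PackageDiff {
	oldPkgs, newPkgs := map[string]string{}, map[string]string{}
	for _, p := range oldDoc.Packages {
		oldPkgs[p.Name] = p.VersionInfo
	}
	for _, p := range newDoc.Packages {
		newPkgs[p.Name] = p.VersionInfo
	}
	var d PackageDiff
	for name, oldVer := range oldPkgs {
		if newVer, ok := newPkgs[name]; !ok {
			d.Removed = append(d.Removed, name+"@"+oldVer)
		} else if newVer != oldVer {
			d.Changed = append(d.Changed, name+": "+oldVer+" -> "+newVer)
		}
	}
	for name, newVer := range newPkgs {
		if _, ok := oldPkgs[name]; !ok {
			d.Added = append(d.Added, name+"@"+newVer)
		}
	}
	sort.Strings(d.Added)
	sort.Strings(d.Removed)
	sort.Strings(d.Changed)
	return d
}

// Constructed sample SBOMs (not from a real image); OldSBOMReordered is OldSBOM
// with a different build time, key order and package order.
const (
	OldSBOM          = `{"spdxVersion":"SPDX-2.3","creationInfo":{"created":"2026-03-01T10:00:00Z"},"packages":[{"name":"openssl","versionInfo":"3.0.13"},{"name":"zlib","versionInfo":"1.3"},{"name":"bash","versionInfo":"5.2"}]}`
	OldSBOMReordered = `{"packages":[{"versionInfo":"1.3","name":"zlib"},{"name":"bash","versionInfo":"5.2"},{"versionInfo":"3.0.13","name":"openssl"}],"creationInfo":{"created":"2026-03-09T08:30:00Z"},"spdxVersion":"SPDX-2.3"}`
	NewSBOM          = `{"spdxVersion":"SPDX-2.3","creationInfo":{"created":"2026-03-10T12:00:00Z"},"packages":[{"name":"openssl","versionInfo":"3.0.14"},{"name":"zlib","versionInfo":"1.3"},{"name":"curl","versionInfo":"8.6.0"}]}`
)

func main() {
	oldDoc, _ := ParseSPDX([]byte(OldSBOM)) // constants above are known-good input
	newDoc, _ := ParseSPDX([]byte(NewSBOM))
	h1, _ := CanonicalHash([]byte(OldSBOM))
	h2, _ := CanonicalHash([]byte(OldSBOMReordered))
	fmt.Println("canonical hash stable across reorder:", h1 == h2)
	fmt.Printf("%+v\n", DiffPackages(oldDoc, newDoc))
}
```

Run it with `go run`: the two "old" documents hash identically despite different timestamps and ordering, while the diff against the new document reports `curl` added, `bash` removed and `openssl` changed. Two design points matter in practice. What the canonical form strips is a policy decision: dropping `created` is the minimum needed for rebuild stability, and every further field you exclude widens the set of changes the hash can no longer detect. Keying the diff by `name` collapses two versions of the same package in one SBOM (as happens with multilib packages); key by `SPDXID` or `name@version` if your images can contain that.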