From: Simon Falsig <sfalsig@verity.net>
To: "ptxdist@pengutronix.de" <ptxdist@pengutronix.de>
Cc: "Jiři Vaněk" <jvanek@verity.net>
Subject: [ptxdist] SBOM support
Date: Thu, 7 Sep 2023 15:03:47 +0000 [thread overview]
Message-ID: <GV0P278MB0784CD72B739D3DB1BCADEB2CBEEA@GV0P278MB0784.CHEP278.PROD.OUTLOOK.COM> (raw)
Hi,
I saw a post from 2021 to the mailing list on generating SBOMs from ptxdist.
Has there been any further work on this?
We've been looking at implementing this internally - plan would be to generate
the SBOM in CycloneDX format, and consume it with Dependency-Track
(https://dependencytrack.org) for automatic vulnerability and license monitoring.
Looks like we're quite close to having a working setup, but it'd make a lot more
sense to have it upstreamed rather than as local patches, so would like to get a
bit of input on the approach, and see if we can make that happen :)
We've identified two main steps:
1. Generate the SBOM itself. A minimal version of this can be created from the
output of the existing fast-bsp-report in 40 lines of Python, using the
CycloneDX library.
I'd assume that such a script would just go into the scripts folder in ptxdist?
Is there a common way of tracking / documenting dependencies of such scripts?
2. To track vulnerabilities, it's necessary to track the Common Platform
Enumeration (CPE) name of each package (from https://nvd.nist.gov/products/cpe).
This will allow matching packages to CVEs.
My suggestion would be to add a _CPE variable to each package (built from
whatever other variables make sense, typically _VERSION). I managed to add this
for the fast report (extracting it to pkg_cpe in rules/post/ptxd_make_world_common.make,
and adding it to the report in scripts/lib/ptxd_make_world_report.sh), but I
wouldn't be surprised if there are other places/report that need to track this
also for consistency?
Packages that specify _CPE would then have this included in their report, and
there'd be no change for the packages that don't specify it.
I'd be happy to get a bit of initial feedback on the approach. I'll have a look
at putting up some initial patches in the coming days too.
Thanks in advance and best regards,
Simon
next reply other threads:[~2023-09-07 15:04 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-07 15:03 Simon Falsig [this message]
2023-09-07 16:24 ` Alexander Dahl
2023-09-08 9:05 ` Simon Falsig
2023-09-08 18:38 ` Michael Olbrich
2023-09-13 15:42 ` Simon Falsig
2023-09-08 18:22 ` Michael Olbrich
2023-09-11 13:11 ` Gavin Schenk
2023-09-11 17:08 ` Christian Melki
2023-09-13 16:05 ` Simon Falsig
2024-02-19 16:54 ` Simon Falsig
2024-03-01 7:34 ` Simon Falsig
2024-03-04 16:09 ` Michael Olbrich
2024-03-08 16:02 ` Simon Falsig
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=GV0P278MB0784CD72B739D3DB1BCADEB2CBEEA@GV0P278MB0784.CHEP278.PROD.OUTLOOK.COM \
--to=sfalsig@verity.net \
--cc=jvanek@verity.net \
--cc=ptxdist@pengutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox