From: Simon Falsig
To: ptxdist@pengutronix.de
Date: Thu, 7 Sep 2023 15:03:47 +0000
Subject: [ptxdist] SBOM support
Cc: Jiří Vaněk

Hi,

I saw a post from 2021 to the mailing list on generating SBOMs from ptxdist. Has there been any further work on this?

We've been looking at implementing this internally - plan would be to generate the SBOM in CycloneDX format, and consume it with Dependency-Track (https://dependencytrack.org) for automatic vulnerability and license monitoring. Looks like we're quite close to having a working setup, but it'd make a lot more sense to have it upstreamed rather than as local patches, so would like to get a bit of input on the approach, and see if we can make that happen :)

We've identified two main steps:

1. Generate the SBOM itself. A minimal version of this can be created from the output of the existing fast-bsp-report in 40 lines of Python, using the CycloneDX library.
   I'd assume that such a script would just go into the scripts folder in ptxdist?
   Is there a common way of tracking / documenting dependencies of such scripts?

2. To track vulnerabilities, it's necessary to track the Common Platform Enumeration (CPE) name of each package (from https://nvd.nist.gov/products/cpe). This will allow matching packages to CVEs.
   My suggestion would be to add a _CPE variable to each package (built from whatever other variables make sense, typically _VERSION).
   I managed to add this for the fast report (extracting it to pkg_cpe in rules/post/ptxd_make_world_common.make, and adding it to the report in scripts/lib/ptxd_make_world_report.sh), but I wouldn't be surprised if there are other places/reports that need to track this also for consistency?
   Packages that specify _CPE would then have this included in their report, and there'd be no change for the packages that don't specify it.

I'd be happy to get a bit of initial feedback on the approach. I'll have a look at putting up some initial patches in the coming days too.

Thanks in advance and best regards,
Simon
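As an added illustration of the two steps above (not code from the mail or from ptxdist), this stdlib-only script derives a CPE 2.3 name from a package's own version in the way the _CPE proposal suggests and emits a CycloneDX 1.4 BOM in which only packages that declare CPE data carry a cpe field. The package records, their shape and the CPE escaping rules are constructed assumptions here, not the real fast-bsp-report format; the mail's own approach uses the CycloneDX library, whereas this writes the JSON directly so it runs without extra dependencies.

```python
import json
import re

# Constructed sample package records in an ASSUMED shape (name, version,
# licenses, optional CPE data); not the real fast-bsp-report format.
PACKAGES = [
    {"name": "openssl", "version": "3.0.10", "licenses": ["Apache-2.0"],
     "cpe": "cpe:2.3:a:openssl:openssl:3.0.10:*:*:*:*:*:*:*"},
    {"name": "zlib", "version": "1.3", "licenses": ["Zlib"], "cpe_vendor": "zlib"},
    {"name": "my-local-tool", "version": "0.1", "licenses": []},   # no CPE
]

def cpe_component(value):
    """Bind a value to CPE 2.3 formatted-string form: lowercase, spaces to
    underscores, other punctuation backslash-escaped (approximate rules)."""
    value = value.lower().replace(" ", "_")
    return re.sub(r"[^a-z0-9_.\-]", lambda m: "\\" + m.group(0), value)

def build_cpe(vendor, product, version):
    """Derive a CPE 2.3 application name from vendor, product and the
    package's own version, as the _CPE-from-_VERSION proposal suggests."""
    parts = [cpe_component(v) for v in (vendor, product, version)]
    return "cpe:2.3:a:" + ":".join(parts) + ":*:*:*:*:*:*:*"

def to_component(pkg):
    comp = {"type": "library", "name": pkg["name"], "version": pkg["version"]}
    if pkg.get("licenses"):
        comp["licenses"] = [{"license": {"id": lic}} for lic in pkg["licenses"]]
    # Only packages that declare CPE data get a "cpe" field; the rest are
    # emitted unchanged, so a scanner will match only what was declared.
    if "cpe" in pkg:
        comp["cpe"] = pkg["cpe"]
    elif "cpe_vendor" in pkg:
        comp["cpe"] = build_cpe(pkg["cpe_vendor"], pkg["name"], pkg["version"])
    return comp

def build_bom(packages, bsp_name="my-bsp", bsp_version="1.0"):
    """Assemble a CycloneDX 1.4 BOM (as a dict) for the BSP and its packages."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "metadata": {"component": {"type": "firmware", "name": bsp_name,
                                       "version": bsp_version}},
            "components": [to_component(p) for p in packages]}

def unmatched(bom):
    """Names of components without a CPE: these will never be matched to CVEs."""
    return [c["name"] for c in bom["components"] if "cpe" not in c]

if __name__ == "__main__":
    print(json.dumps(build_bom(PACKAGES), indent=2))
```

Running unmatched() over the result is the check worth keeping in a CI job: every package it lists is invisible to Dependency-Track's vulnerability matching until a _CPE is added.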