From: Christian Melki <christian.melki@t2data.com>
To: ptxdist@pengutronix.de, Gavin Schenk <g.schenk@eckelmann.de>,
Michael Olbrich <m.olbrich@pengutronix.de>,
Simon Falsig <sfalsig@verity.net>
Cc: "Jiři Vaněk" <jvanek@verity.net>
Subject: Re: [ptxdist] SBOM support
Date: Mon, 11 Sep 2023 19:08:42 +0200 [thread overview]
Message-ID: <d6a04ba5-35fe-4c2d-a756-68276c55599f@t2data.com> (raw)
In-Reply-To: <875y4g26tu.fsf@NB061.eckelmann.group>
Shameless plug here.
We (t2data) have been developing devsecops tools for quite some time.
MAIA, our internally developed tool is capable of a lot of things.
Among them is various classifications of software with licenses, CPE,
CVE, CWE etc. Including availability of new versions etc.
Built in is also various other aspects of the development process,
beside SBOM handling.
I use MAIA to help me track my projects in ptxdist and managing change
notifications so I easier can maintain ptxdist stuff.
https://t2data.com/maia-software/
Regards,
Christian
On 9/11/23 15:11, Gavin Schenk wrote:
> Hi,
>
>> On Thu, Sep 07, 2023 at 03:03:47PM +0000, Simon Falsig wrote:
>>> I saw a post from 2021 to the mailing list on generating SBOMs from ptxdist.
>>> Has there been any further work on this?
>>
>> I've not worked on this and I'm not aware of any other efforts in this
>> direction.
>>
>>> We've been looking at implementing this internally - plan would be to generate
>>> the SBOM in CycloneDX format, and consume it with Dependency-Track
>>> (https://dependencytrack.org) for automatic vulnerability and license monitoring.
>>>
>>> Looks like we're quite close to having a working setup, but it'd make a lot more
>>> sense to have it upstreamed rather than as local patches, so would like to get a
>>> bit of input on the approach, and see if we can make that happen :)
>
> we have a similar task. There is a rudimentary prototype running on our
> site. It uses licencse-complicance.yaml and a CPE-Dictionary from
> https://nvd.nist.gov/products/cpe to generate a bom.json. This bom.json
> can than be feed into dependency tracker (We are using docker-compose
> for demonstration).
>
> <snip bom>
> {
> "bomFormat": "CycloneDX",
> "specVersion": "1.4",
> "serialNumber": "urn:uuid:f20af5d1-0480-477d-8bea-8cbcf6d9268c",
> "components": [
> {
> "name": "attr",
> "version": "2.4.47",
> "cpe": "cpe:2.3:a:attr_project:attr:2.4.47:*:*:*:*:*:*:*",
> "licenses": [
> {
> "license": {
> "id": "GPL-2.0-only"
> }
> },
> {
> "license": {
> "id": "LGPL-2.0-only"
> }
> }
> ],
> "hashes": [
> {
> "alg": "MD5",
> "content": "84f58dec00b60f2dc8fd1c9709291cc7"
> }
> ]
> },
> ...
> </snip>
>
>
>> I know very little about this stuff, but I'm open to add support for this.
>> So please sent patches once they are ready.
>>
>>> We've identified two main steps:
>>> 1. Generate the SBOM itself. A minimal version of this can be created from the
>>> output of the existing fast-bsp-report in 40 lines of Python, using the
>>> CycloneDX library.
>>> I'd assume that such a script would just go into the scripts folder in ptxdist?
>>
>> Yes, just put it in the scripts/ folder.
>>
>
> Our script has 110 lines python. It patches some package names
> that does not match with the db e.g.
>
> expat -> libexpat
> gdbserver -> gdb
> kernel -> linux_kernel
> libmod -> kmod
> ...
>
> I am unsure, if this is too error prone. Adding CPE vars to the recepies,
> where only the VERSION is variable, should be more robust.
>
>>> Is there a common way of tracking / documenting dependencies of such scripts?
>>
>> You mean Python packages used by the script? Not directly.
>
> ptxdist-cyclonedx-bom master
> ❯ cat requirements.txt
> pyyaml==6.0.0
> lxml==4.9.2
>
>> Is the SBOM something that should be created for an image or for the
>> BSP as a whole?
>
> It should be per image imho. Because depending on configuration, layers,
> collectionconfig, content of images differs a lot. Starting from the
> image, should generate data that is 100% consistent. Not much of a
> difference to licence reports, I think.
>
>> For the license stuff I have plans to created documents for images. Because
>> those are delivered to customers, so license compliance really needs to be
>> done for each image.
>
> And this is the same for SBOMi, as mentioned before.
>
>> I'm not sure what makes sense. So you could either create a global option
>> and then generate the SBOM with each image. And then select
>> HOST_SYSTEM_PYTHON3_* in that option.
>> Or create an SBOM "image" for the whole BSP and select the options there.
>
> One thing to keep in mind is that cyclonedx is one format, but not the
> only one. Today it is one of the most common used. But there are
> alternatives. So there might be other users who might need the sbom in
> different formats. I wonder if it is easier to adapt to other formats
> using the one, or other approach?
>
>
>>> 2. To track vulnerabilities, it's necessary to track the Common Platform
>>> Enumeration (CPE) name of each package (from https://nvd.nist.gov/products/cpe).
>>> This will allow matching packages to CVEs.
>>> My suggestion would be to add a _CPE variable to each package (built from
>>> whatever other variables make sense, typically _VERSION).
>>
>> Makes sense to me. From what I understand, the CPE is machine readable and
>> can be split into its components if needed, right?
>
> I think it is. Here CPE number example for package expat:
> "cpe:2.3:a:attr_project:attr:2.4.47:*:*:*:*:*:*:*"
> ^- PTXCONF_EXPAT_VERSION
>
>>> I managed to add this
>>> for the fast report (extracting it to pkg_cpe in rules/post/ptxd_make_world_common.make,
>>> and adding it to the report in scripts/lib/ptxd_make_world_report.sh), but I
>>> wouldn't be surprised if there are other places/report that need to track this
>>> also for consistency?
>>
>> Just the fast and full reports are enough. Anything else in that direction
>> is legacy anyways and should be replaced with stuff based on these reports
>> anyways.
>>
>>> Packages that specify _CPE would then have this included in their report, and
>>> there'd be no change for the packages that don't specify it.
>>>
>>>
>>> I'd be happy to get a bit of initial feedback on the approach. I'll have a look
>>> at putting up some initial patches in the coming days too.
>
> I like it a lot. Need reviewers, testers, 1 mio Euro? We are willing to
> contribute.
>
> Regards
> Gavin
>
next prev parent reply other threads:[~2023-09-11 17:09 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-07 15:03 Simon Falsig
2023-09-07 16:24 ` Alexander Dahl
2023-09-08 9:05 ` Simon Falsig
2023-09-08 18:38 ` Michael Olbrich
2023-09-13 15:42 ` Simon Falsig
2023-09-08 18:22 ` Michael Olbrich
2023-09-11 13:11 ` Gavin Schenk
2023-09-11 17:08 ` Christian Melki [this message]
2023-09-13 16:05 ` Simon Falsig
2024-02-19 16:54 ` Simon Falsig
2024-03-01 7:34 ` Simon Falsig
2024-03-04 16:09 ` Michael Olbrich
2024-03-08 16:02 ` Simon Falsig
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d6a04ba5-35fe-4c2d-a756-68276c55599f@t2data.com \
--to=christian.melki@t2data.com \
--cc=g.schenk@eckelmann.de \
--cc=jvanek@verity.net \
--cc=m.olbrich@pengutronix.de \
--cc=ptxdist@pengutronix.de \
--cc=sfalsig@verity.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox