Delivery-date: Mon, 11 Sep 2023 19:09:49 +0200
Date: Mon, 11 Sep 2023 19:08:42 +0200
To: ptxdist@pengutronix.de, Gavin Schenk, Michael Olbrich, Simon Falsig
From: Christian Melki
References: <875y4g26tu.fsf@NB061.eckelmann.group>
In-Reply-To: <875y4g26tu.fsf@NB061.eckelmann.group>
Subject: Re: [ptxdist] SBOM support
Cc: Jiří Vaněk

Shameless plug here. We (t2data) have been developing devsecops tools for quite some time.
MAIA, our internally developed tool, is capable of a lot of things. Among them are various classifications of software with licenses, CPE, CVE, CWE etc., including availability of new versions etc. Built in are also various other aspects of the development process, besides SBOM handling.
I use MAIA to help me track my projects in ptxdist and manage change notifications so I can more easily maintain ptxdist stuff.

https://t2data.com/maia-software/

Regards,
Christian

On 9/11/23 15:11, Gavin Schenk wrote:
> Hi,
>
>> On Thu, Sep 07, 2023 at 03:03:47PM +0000, Simon Falsig wrote:
>>> I saw a post from 2021 to the mailing list on generating SBOMs from ptxdist.
>>> Has there been any further work on this?
>>
>> I've not worked on this and I'm not aware of any other efforts in this
>> direction.
>>
>>> We've been looking at implementing this internally - plan would be to generate
>>> the SBOM in CycloneDX format, and consume it with Dependency-Track
>>> (https://dependencytrack.org) for automatic vulnerability and license monitoring.
>>>
>>> Looks like we're quite close to having a working setup, but it'd make a lot more
>>> sense to have it upstreamed rather than as local patches, so would like to get a
>>> bit of input on the approach, and see if we can make that happen :)
>
> we have a similar task. There is a rudimentary prototype running on our
> site. It uses licencse-complicance.yaml and a CPE-Dictionary from
> https://nvd.nist.gov/products/cpe to generate a bom.json. This bom.json
> can then be fed into dependency tracker (We are using docker-compose
> for demonstration).
>
>
> {
>   "bomFormat": "CycloneDX",
>   "specVersion": "1.4",
>   "serialNumber": "urn:uuid:f20af5d1-0480-477d-8bea-8cbcf6d9268c",
>   "components": [
>     {
>       "name": "attr",
>       "version": "2.4.47",
>       "cpe": "cpe:2.3:a:attr_project:attr:2.4.47:*:*:*:*:*:*:*",
>       "licenses": [
>         {
>           "license": {
>             "id": "GPL-2.0-only"
>           }
>         },
>         {
>           "license": {
>             "id": "LGPL-2.0-only"
>           }
>         }
>       ],
>       "hashes": [
>         {
>           "alg": "MD5",
>           "content": "84f58dec00b60f2dc8fd1c9709291cc7"
>         }
>       ]
>     },
>     ...
>
>
>
>> I know very little about this stuff, but I'm open to adding support for this.
>> So please send patches once they are ready.
>>
>>> We've identified two main steps:
>>> 1. Generate the SBOM itself. A minimal version of this can be created from the
>>> output of the existing fast-bsp-report in 40 lines of Python, using the
>>> CycloneDX library.
>>> I'd assume that such a script would just go into the scripts folder in ptxdist?
>>
>> Yes, just put it in the scripts/ folder.
>>
>
> Our script has 110 lines of Python. It patches some package names
> that do not match with the db e.g.
>
> expat -> libexpat
> gdbserver -> gdb
> kernel -> linux_kernel
> libmod -> kmod
> ...
>
> I am unsure if this is too error prone. Adding CPE vars to the recipes,
> where only the VERSION is variable, should be more robust.
>
>>> Is there a common way of tracking / documenting dependencies of such scripts?
>>
>> You mean Python packages used by the script? Not directly.
>
> ptxdist-cyclonedx-bom master
> ❯ cat requirements.txt
> pyyaml==6.0.0
> lxml==4.9.2
>
>> Is the SBOM something that should be created for an image or for the
>> BSP as a whole?
>
> It should be per image imho. Because depending on configuration, layers,
> collectionconfig, the content of images differs a lot. Starting from the
> image should generate data that is 100% consistent. Not much of a
> difference to licence reports, I think.
>
>> For the license stuff I have plans to create documents for images. Because
>> those are delivered to customers, so license compliance really needs to be
>> done for each image.
>
> And this is the same for SBOM, as mentioned before.
>
>> I'm not sure what makes sense. So you could either create a global option
>> and then generate the SBOM with each image. And then select
>> HOST_SYSTEM_PYTHON3_* in that option.
>> Or create an SBOM "image" for the whole BSP and select the options there.
>
> One thing to keep in mind is that cyclonedx is one format, but not the
> only one. Today it is one of the most commonly used. But there are
> alternatives. So there might be other users who might need the sbom in
> different formats. I wonder if it is easier to adapt to other formats
> using the one, or the other approach?
>
>
>>> 2. To track vulnerabilities, it's necessary to track the Common Platform
>>> Enumeration (CPE) name of each package (from https://nvd.nist.gov/products/cpe).
>>> This will allow matching packages to CVEs.
>>> My suggestion would be to add a _CPE variable to each package (built from
>>> whatever other variables make sense, typically _VERSION).
>>
>> Makes sense to me.
>> From what I understand, the CPE is machine readable and
>> can be split into its components if needed, right?
>
> I think it is. Here is a CPE number example for the package expat:
> "cpe:2.3:a:attr_project:attr:2.4.47:*:*:*:*:*:*:*"
>                              ^- PTXCONF_EXPAT_VERSION
>
>>> I managed to add this
>>> for the fast report (extracting it to pkg_cpe in rules/post/ptxd_make_world_common.make,
>>> and adding it to the report in scripts/lib/ptxd_make_world_report.sh), but I
>>> wouldn't be surprised if there are other places/reports that need to track this
>>> also for consistency?
>>
>> Just the fast and full reports are enough. Anything else in that direction
>> is legacy anyway and should be replaced with stuff based on these reports
>> anyway.
>>
>>> Packages that specify _CPE would then have this included in their report, and
>>> there'd be no change for the packages that don't specify it.
>>>
>>>
>>> I'd be happy to get a bit of initial feedback on the approach. I'll have a look
>>> at putting up some initial patches in the coming days too.
>
> I like it a lot. Need reviewers, testers, 1 mio Euro? We are willing to
> contribute.
>
> Regards
> Gavin
>
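Added example, not code from the thread, from ptxdist, or from the scripts Simon and Gavin describe: a stdlib-only Python sketch of the approach discussed above, with a package-name alias table like Gavin's, a CPE built from vendor, product and the per-package VERSION, the CycloneDX 1.4 component layout of the quoted bom.json, and the split of a CPE string back into its fields that Michael asks about. The input record shape, the expat vendor name, version and MD5 are constructed assumptions; the attr record mirrors the thread's bom.json.

```python
import json
import uuid

# ptxdist package names that differ from the NVD CPE product name (the aliases quoted in the thread).
CPE_PRODUCT_ALIASES = {"expat": "libexpat", "gdbserver": "gdb", "kernel": "linux_kernel", "libmod": "kmod"}

# Constructed sample input (assumed shape of what a fast-bsp-report could feed the script).
# The attr record matches the thread's bom.json; the expat vendor, version and MD5 are made up.
SAMPLE_PACKAGES = [
    {"name": "attr", "vendor": "attr_project", "version": "2.4.47",
     "licenses": ["GPL-2.0-only", "LGPL-2.0-only"], "md5": "84f58dec00b60f2dc8fd1c9709291cc7"},
    {"name": "expat", "vendor": "libexpat_project", "version": "2.5.0",
     "licenses": ["MIT"], "md5": "0" * 32},
]

def make_cpe(vendor, product, version):
    """Build a CPE 2.3 formatted string; only the VERSION field varies per release."""
    return f"cpe:2.3:a:{vendor}:{product}:{version}:*:*:*:*:*:*:*"

def split_cpe(cpe):
    """Split a CPE 2.3 formatted string into its part, vendor, product and version fields."""
    # Caveat: a field may contain an escaped colon ('\:'); this naive split rejects such strings.
    fields = cpe.split(":")
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return {"part": fields[2], "vendor": fields[3], "product": fields[4], "version": fields[5]}

def build_bom(packages, serial=None):
    """Turn package records into a CycloneDX 1.4 document (as a dict)."""
    components = []
    for pkg in packages:
        product = CPE_PRODUCT_ALIASES.get(pkg["name"], pkg["name"])  # the name-patching step
        cpe = pkg.get("cpe") or make_cpe(pkg["vendor"], product, pkg["version"])  # prefer an explicit _CPE
        components.append({
            "type": "library", "name": pkg["name"], "version": pkg["version"], "cpe": cpe,
            "licenses": [{"license": {"id": spdx}} for spdx in pkg["licenses"]],
            "hashes": [{"alg": "MD5", "content": pkg["md5"]}],
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.4",
            "serialNumber": f"urn:uuid:{serial or uuid.uuid4()}", "version": 1,
            "components": components}

def bom_json(packages, serial=None):
    """Serialise the BOM as the bom.json that Dependency-Track ingests."""
    return json.dumps(build_bom(packages, serial), indent=2)

if __name__ == "__main__":
    print(bom_json(SAMPLE_PACKAGES))
```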