On 10/18/22 16:38, Pfendtner Steffen wrote:
Hi,
We decided to publish our internal fork of the Timesys SBOM Tool we found on
github. You find our version at: https://github.com/ads-tec/sbom-openwrt
It takes a complete OpenWRT build tree as input and will generate a SBOM
in CycloneDX JSON Format for the currently configured image.
This SBOM can be fed into your personal dependency track instance.
See https://dependencytrack.org/ if you don't know what this is.
In my opinion Dependency Track is much more usable compared to uscan.
However Dependency Tack currently heavily relies on valid CPE ID. Thus you will
need to fix the CPE IDs in the OpenWRT package Makefiles - some are missing.
I think it would be a great security benefit for the OpenWRT ecosystem if we
get a best possible coverage of CPE IDs in the available Makefiles.
I'll try to push our CPE ID additions upstream.
Best regards,
Steffen Pfendtner
Hi Steffen,
Nice tool, do you have some "demo" output for a recent OpenWrt release
somewhere?
One advantage of uscan from my point of view is that I just have to open
a website to see the results for OpenWrt master and the maintained
branches and do not have to run some scripts and install some tooling
myself.
Having multiple tools for such tasks is always helpful. Normally every
additional tool find additional problems.
Adding the missing CPE IDs is no problem, someone just has to do it. If
you already have some internal changes with additional CPE IDs it would
be nice if you could send a patch or pull request adding them to OpenWrt
master and then we can backport it to OpenWrt 22.03 too.
Petr added the missing CPE IDs to 4 packages recently.
Hauke
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
