Hello Simon,

On Thu, Sep 07, 2023 at 03:03:47PM +0000, Simon Falsig wrote:
> Hi,
> 
> I saw a post from 2021 to the mailing list on generating SBOMs from ptxdist.
> Has there been any further work on this?
> 
> We've been looking at implementing this internally - plan would be to generate
> the SBOM in CycloneDX format, and consume it with Dependency-Track 
> (https://dependencytrack.org) for automatic vulnerability and license 
> monitoring.
> 
> Looks like we're quite close to having a working setup, but it'd make a lot
> more sense to have it upstreamed rather than as local patches, so would like to
> get a bit of input on the approach, and see if we can make that happen :)
> 
> We've identified two main steps:
> 1. Generate the SBOM itself. A minimal version of this can be created from the
>    output of the existing fast-bsp-report in 40 lines of Python, using the
>    CycloneDX library.
>    I'd assume that such a script would just go into the scripts folder in
>    ptxdist?
>    Is there a common way of tracking / documenting dependencies of such
>    scripts?
> 
> 2. To track vulnerabilities, it's necessary to track the Common Platform
>    Enumeration (CPE) name of each package (from
>    https://nvd.nist.gov/products/cpe).
>    This will allow matching packages to CVEs.
>    My suggestion would be to add a _CPE variable to each package (built from
>    whatever other variables make sense, typically _VERSION). I managed to add
>    this for the fast report (extracting it to pkg_cpe in
>    rules/post/ptxd_make_world_common.make, and adding it to the report in
>    scripts/lib/ptxd_make_world_report.sh), but I wouldn't be surprised if
>    there are other places/reports that need to track this also for
>    consistency?
>    Packages that specify _CPE would then have this included in their report,
>    and there'd be no change for the packages that don't specify it.

As far as I know buildroot [1] already has support for this.  They
construct this from defaults and override it with several different
variables if defaults are not sufficient for a particular project:

<PKG>_CPE_ID_VENDOR
<PKG>_CPE_ID_VERSION
<PKG>_CPE_ID_UPDATE
<PKG>_CPE_ID_PRODUCT

And maybe more?  Some quirk handling like this is probably necessary
in ptxdist, too?

Greets
Alex

[1] https://buildroot.org/

> 
> I'd be happy to get a bit of initial feedback on the approach. I'll have a
> look at putting up some initial patches in the coming days too.
> 
> Thanks in advance and best regards,
> Simon
> 
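
The two steps discussed in this thread, as an added example that is not ptxdist's or buildroot's own code: build a CPE 2.3 name per package from buildroot-style defaults (vendor and product default to the package name, version to the package version, update to `*`) with optional per-package overrides, then emit a minimal CycloneDX JSON BOM that Dependency-Track can ingest. The package records are constructed stand-ins for parsed fast-bsp-report output; their field names (`cpe_vendor`, `cpe_product`, ...) are assumptions, not existing ptxdist variables.

```python
# Added example, not ptxdist/buildroot code. Field names on the records
# (cpe_vendor, cpe_product, cpe_version, cpe_update) are assumed.
import json
import re

# Constructed sample standing in for parsed fast-bsp-report output.
PACKAGES = [
    {"name": "busybox", "version": "1.36.1", "license": "GPL-2.0-only"},
    {"name": "openssl", "version": "3.0.8", "license": "Apache-2.0",
     "cpe_vendor": "openssl", "cpe_product": "openssl"},
    {"name": "zlib", "version": "1.2.13", "license": "Zlib"},
    {"name": "util-linux", "version": "2.38.1", "license": "GPL-2.0-or-later",
     "cpe_vendor": "kernel", "cpe_product": "util-linux"},
]


def cpe_quote(value):
    """Escape one CPE 2.3 formatted-string component: letters, digits,
    '-', '.', '_' and the wildcards '*'/'?' pass through, anything else
    (e.g. ':' inside a version) is backslash-escaped."""
    return re.sub(r"[^A-Za-z0-9\-._*?]", lambda m: "\\" + m.group(0), value)


def package_cpe(pkg):
    """CPE 2.3 name built from defaults; per-package keys override them
    (the same idea as buildroot's <PKG>_CPE_ID_* variables)."""
    vendor = pkg.get("cpe_vendor", pkg["name"])
    product = pkg.get("cpe_product", pkg["name"])
    version = pkg.get("cpe_version", pkg["version"])
    update = pkg.get("cpe_update", "*")
    fields = [cpe_quote(f) for f in (vendor, product, version, update)]
    # part 'a' = application; the six trailing fields are left as wildcards.
    return ":".join(["cpe:2.3", "a", *fields] + ["*"] * 6)


def cyclonedx_bom(packages):
    """Minimal CycloneDX 1.4 JSON document, one 'library' component per
    package, carrying version, CPE and the license as an SPDX expression."""
    components = []
    for pkg in packages:
        comp = {"type": "library", "name": pkg["name"],
                "version": pkg["version"], "cpe": package_cpe(pkg)}
        if pkg.get("license"):
            comp["licenses"] = [{"expression": pkg["license"]}]
        components.append(comp)
    return {"bomFormat": "CycloneDX", "specVersion": "1.4",
            "version": 1, "components": components}


if __name__ == "__main__":
    print(json.dumps(cyclonedx_bom(PACKAGES), indent=2))
```

Packages without a vendor override get `name:name`, which is a reasonable default but wrong for many real projects (util-linux above is listed under vendor `kernel`), so the override keys are what keeps CVE matching accurate.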
