[Buildroot] CycloneDX SBOM support

Arnout Vandecappelle arnout at mind.be
Tue Aug 29 06:55:54 UTC 2023 


On 29/08/2023 01:19, Robert Smigielski wrote:
> 
> 
>       >  I think Robert is not necessarily primarily concerned with finding
>       >  vulnerabilities, but rather with constructing a meaningful and
>       > accurate SBoM (which is what dependencytrack does).
> 
>     True. The monitoring stuff seems quite interesting for vulnerabilities
>     though.
> 
> 
> Yes I am concerned with creating a valid CycloneDX official SBOM for use in 
> other projects as an input. For example take the output file <product>.json as 
> input to Dependency Track. It does work. That is exactly what I need for my 
> daily work.
> 
>     OK. It doesn't sound like it will bring a lot of advantages for the
>     effort to maintain PURL identifiers :/

  From a pure vulnerabilities tracking point of view, it may seem it doesn't. 
However, I expect that there are vulnerabilities that are tracked in OSV for 
ecosystems like PyPI, Go, and crates.io, which don't have a corresponding CVE or 
where the CPE information is inaccurate/incorrect. And I'm very sure that there 
are vulnerabilities that are found by OSS-Fuzz which don't get a CVE (I think 
OSS-Fuzz never creates CVEs themselves, they expect the package maintainers to 
do that). Of course, the question is how valuable those OSS-Fuzz vulnerability 
reports are: they just have a reproducer, no analysis of the risk or impact.

  Anyway: creating a purl based on the PyPI, Go and crates.io ecosystems based 
on the information already in Buildroot should be rather trivial, and it has value.


>  From my view point - if Buildroot supports PURL I will add that data to my 
> project. If not, that is okay.
> 
> 
>       > each with a distinct PURL. We could start our own namespace, but
>       > that's kind of pointless unless we also issue advisories...
> 
> 
> Yes, Buildroot could consider itself a package manager, because it does that. 
> That idea is a possibility.

  IMHO, though, the idea that a package manager creates a namespace is not very 
valuable. It should be up to the actual package maintainers to decide which 
ecosystem they belong to.



>     I guess we should use the one matching where we get the source code from
>     (if any). The cyclonedx tool uses a "generic"
>     pkg:generic/$name?download_url=$site/$tarball, so we could default to
>     that and just use pypi/github/whatever for the special cases where there
>     is a more accurate one

  Exactly.

> Yes, the tool I wrote uses the "generic"  package. There is a place holder out 
> there in PURL for Buildroot if you want to go that way in the future.

  As I wrote above: I don't think that generic placeholder is very valuable. 
Although, it does give you a unified URI scheme that points you to the exact 
source and version that was used. But because it's not a unique identifier, i.e. 
there are many different PURIs that point to exactly the same source. E.g. for 
github automatically generated tarballs, there's a bit of freedom in how you 
construct the tarball name and we actually make use of that freedom. This means 
that you cannot compare generic PURIs from different sources and expect them to 
have a meaningful match. So it's no use for vulnerability tracking.

  BTW, is this "generic" namespace something official or something you invented?


>       >  There's by the way another issue (which also exists for the CPE-based
>       >  approach): our "BoM" for the cargo and go packages is not correct: we
>       > vendor the dependencies, but they're not taken into account in the
>       > BoM. The tarball we put in legal-info does include the vendored
>       > dependencies, but they're not mentioned in the manifest, and we don't
>       > scan their vulnerabilities.
> 
> 
> If data is not in the legal-info, then no problem, the CycloneDX-Buildroot 
> project will not see it.  Note that CycloneDX has support for cargo and for go 
> already. Maybe that can help.

  I don't think there's a tool that you can feed the CycloneDX SBoM and that 
will add all the missing go/crates dependencies to it. There are tools that do 
this based on the source, though.

  However, it's not _that_ difficult to get this information from within 
buildroot. When we do the vendoring in the download step, we can ask the 
download tool (cargo / go mod) to also create a manifest of the vendored 
dependencies. In fact, I think they do that automatically. So it's "just" a 
matter of parsing this manifest and including it in the SBoM.


  Regards,
  Arnout

More information about the buildroot mailing list