Hi,

On Sat, Dec 23, 2023 at 02:47:36AM -0800, fabian.hanke via lists.yoctoproject.org wrote:
> Hello Yocto community,
> 
> we must provide a SBOM for our Yocto based product which will then be used 
> for (internal) CVE scanning by the security department. Generating the base 
> document in CycloneDX format is fairly easy (thanks to the nature of Yocto).

Note that SBOM is mostly used for documenting SW components and their licenses.
Obvious but needs to be made clear.

> But we do not know how to include information about CVE patches for each 
> package in the document. Not providing these will cause a lot of “false” 
> feedback on CVEs for specific versions which are already patched (but the version 
> number did not change). This problem was also mentioned a few days ago in the 
> presentation from David Reyna: https://youtu.be/PegU1G1bA80?t=1127. I like 
> the proposed solution of adding a vendor specific string to the package 
> version. But I'm still wondering: how would the CVE scanner vendor know which 
> CVEs are included in a Yocto specific version and which are not?

If the intention is to know the CVE patching and analysis status of a product, then I'd use the yocto upstream tooling for this, cve-check.bbclass. SBOM and SPDX are tempting but not actually useful for CVE patching and analysis work, except when they show that a lot of old open source SW components are embedded into various binaries.

The work needed to push CVE data into SPDX and SBOM is not worth it and it's better to put the saved effort into fixing the actual CVEs. If management wants reports, generate them from cve-check.bbclass output, but note that the CVE database is a moving target too.

AFAIK, and I'd be happy to be proven wrong, SPDX and SBOM don't help matching SW component names and version strings so that comparison against CVE database information works. Only license names are standardized.

Cheers,

-Mikko
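Following the suggestion above of generating reports from cve-check.bbclass output, here is an added example (not code from the thread or from the Yocto project) that turns such a report into a per-package patched/unpatched/ignored summary. It assumes the JSON layout cve-check.bbclass writes (a "package" list whose entries carry an "issue" list with an "id" and a "status" of Patched, Unpatched or Ignored); the embedded sample is constructed and its CVE ids are placeholders.

```python
# Added example: summarise a cve-check.bbclass JSON report per package.
# Assumption: report layout is {"package": [{"name", "version", "issue": [{"id", "status", ...}]}]}.
import json
import sys
from collections import Counter

# Constructed sample in that shape; CVE ids are placeholders, not real records.
SAMPLE_REPORT = json.dumps({
    "version": "1",
    "package": [
        {"name": "busybox", "layer": "meta", "version": "1.36.1",
         "issue": [
             {"id": "CVE-0000-0001", "status": "Patched", "scorev3": "7.5"},
             {"id": "CVE-0000-0002", "status": "Unpatched", "scorev3": "9.8"},
             {"id": "CVE-0000-0003", "status": "Ignored", "scorev3": "5.3"},
         ]},
        {"name": "zlib", "layer": "meta", "version": "1.3", "issue": []},
    ],
})


def summarise(report_text):
    """Return {package: {"version", "counts", "patched", "unpatched"}} from report JSON."""
    report = json.loads(report_text)
    summary = {}
    for pkg in report.get("package", []):
        issues = pkg.get("issue", [])
        summary[pkg["name"]] = {
            "version": pkg["version"],
            "counts": Counter(i["status"] for i in issues),
            # Patched ids are what a scanner would need to suppress for this version.
            "patched": sorted(i["id"] for i in issues if i["status"] == "Patched"),
            "unpatched": sorted(i["id"] for i in issues if i["status"] == "Unpatched"),
        }
    return summary


def render(summary):
    """Plain-text report: one line per package, then each still-open CVE."""
    lines = []
    for name, info in sorted(summary.items()):
        c = info["counts"]  # Counter returns 0 for absent statuses
        lines.append(f"{name} {info['version']}: patched={c['Patched']} "
                     f"unpatched={c['Unpatched']} ignored={c['Ignored']}")
        lines.extend(f"  OPEN {cve}" for cve in info["unpatched"])
    return "\n".join(lines)


if __name__ == "__main__":
    # Pass the path of a real cve-check JSON report, or run without args for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    print(render(summarise(text)))
```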
View/Reply Online (#62063): https://lists.yoctoproject.org/g/yocto/message/62063