esp-idf-sbom's People

Contributors

dobairoland, espressif-bot, fhrbata, jakub-kocka

esp-idf-sbom's Issues

SBOM data for mbedtls @ esp-idf (IDFGH-11278)

Hi!

For mbedtls you added this commit:
espressif/mbedtls@bb6ae0d

to support the SBOM generation for the mbedtls library.

Now I'm wondering: Is this truly ARM's mbedtls, or should it rather be viewed as an Espressif fork of mbedtls?

I can see a few commits on top that seem to originate from Espressif, so it's certainly slightly different than the pure ARM mbedtls version.

Now I was wondering if you have an opinion on this and how it's best handled in the SBOM data? Should a new CPE be registered or should it perhaps be expressed in some other field of the SBOM to clarify?

SBOM data for tools? (IDFGH-11317)

Hi!

I was looking at the example SBOM created in an earlier issue and it seems to include tooling, for example xtensa-esp32-elf toolchain and app_trace. This is not part of the generated firmware, but rather used for creating the firmware or analyzing memory dumps or similar.

This doesn't seem correct to me. Shouldn't the SBOM just specify such components that end up in the firmware?

Complete SBOM? (IDFGH-11319)

Previously in another issue I received an example SBOM.
I also asked previously about mbed-tls in yet another issue.

Now, I've been analyzing it a bit and I have a few additional questions.

The mbed-tls is expressed in the example SBOM as two separate things:

mbedtls component (Espressif)
and
mbedtls-mbedtls submodule (ARM)

Now, I think that in general the Espressif-component actually shouldn't be in the SBOM, since it has no CPE. Nobody will be cross-checking this component towards the NVD for example. It should get folded up into esp-idf which has a CPE. Registering a specific CPE for this subcomponent, which is only used by esp-idf would also not be an appropriate solution.

Any thoughts on this?

The second part of my question relates to another component, FreeRTOS. I can't from the example-SBOM figure out the base version of FreeRTOS.

So this feeds into my second request, regarding f.ex. FreeRTOS, but really the SBOM in general: Are you planning to generate a complete SBOM for any SDK version? And in such case any idea when?

In a complete SBOM I would expect to see exact versions of components, like for example for mbed-tls and FreeRTOS, but not have "unnecessary" components in there either, like for tooling, testing, internal components, and so forth. Just information which has relevance for cybersecurity and in a format which is typically useful for the cybersecurity tasks, e.g. cross-checking against a database.

Have you thought about this more general problem statement? Are you in a position to comment on your plans going forward?

`check` does not give any useful output, all components are skipped (IDFGH-11259)

I am testing this tool in the IDF container shared to Docker Hub by Espressif, v5.1.1. I have verified that the two required commits detailed in the README are ancestors of the v5.1.1 tag so I don't think there is any need to run git cherry-pick.

When I use esp-idf-sbom to create an SPDX SBOM and then check it against the vulnerability database, all the components are skipped, so I do not get useful information on vulnerabilities.

In addition, there is significantly more helpful licence information in the SPDX file produced by version 0.5.0 of esp-idf-sbom vs. later versions.

Test code:

```shell
# Start a detached IDF v5.1.1 container and keep its id for later docker cp calls
CONTAINER_ID=$(docker run --rm -it --detach espressif/idf:v5.1.1)
TIMESTAMP=$(date +"%Y%m%d-%H%M")
docker exec -i $CONTAINER_ID bash -c '
cd /opt/esp/idf/examples/get-started/hello_world/
git describe
# Both commits required by the README must be ancestors of the checked-out tag (exit status 0)
git merge-base --is-ancestor 0f781c718c8548cd2b0e41a30e1814f1c6ed93a2 HEAD
echo $?
git merge-base --is-ancestor 03162bb276d4155760e8aa839020f0587f5ef599 HEAD
echo $?
. /opt/esp/idf/export.sh
idf.py build
pip install esp-idf-sbom==0.5.0
esp-idf-sbom create -o hello-world.spdx build/project_description.json
esp-idf-sbom check --format json hello-world.spdx > hello-world-check.json
'
# Copy the generated SBOM and the check result out of the container
docker cp $CONTAINER_ID:/opt/esp/idf/examples/get-started/hello_world/hello-world.spdx hello-world_$TIMESTAMP.spdx
docker cp $CONTAINER_ID:/opt/esp/idf/examples/get-started/hello_world/hello-world-check.json hello-world-check_$TIMESTAMP.json
```

Resulting files for versions 0.5.0, 0.6.0, and 0.8.0 (latest) of esp-idf-sbom attached:
sample_output.zip

Please can you help me understand if I am doing something wrong here?

Which ESP-IDF version is supported by esp-idf-sbom? (IDFGH-10621)

I wanted to try out this new tool (I realise it is experimental at the moment), but I immediately get the error

```text
E: Project description file "build/project_description.json" does not support SBOM generation. Please see the list of IDF versions supported by esp-idf-sbom.
```

This happens even if I create an sbom.yml file in the root of my project (using the example from the README). Maybe it is because the components in my project do not have manifest files either, or maybe it is dependent on manifest files in the ESP-IDF components.

Which ESP-IDF versions are intended to work with the esp-idf-sbom tool? I currently use v5.0.2.

Invalid SPDX Identifier Field Symbols (IDFGH-12708)

The SPDX identifier field format is not being followed correctly when using the `--files add` option. The ESP-IDF SBOM Tool is including the plus symbol from C++ packages in the file path or filenames. This is based on esp-idf-sbom v0.14.0.

For example:

```text
FileName: ./esp-12.2.0_20230208/xtensa-esp32s3-elf/xtensa-esp32s3-elf/include/c++/12.2.0/parallel/algo.h
SPDXID: SPDXRef-FILE-xtensa-esp32s3-elf-xtensa-esp32s3-elf-esp-12.2.0-20230208-xtensa-esp32s3-elf-xtensa-esp32s3-elf-include-c++-12.2.0-parallel-algo.h
FileChecksum: SHA1: 380d250ee001305577c9d50fbd5a924c4256c0f4
FileChecksum: SHA256: 50db25a884fc8209eb7acee134ab43b6eed025ae62f0a1c301711616a2eec8ff
LicenseInfoInFile: NOASSERTION
LicenseConcluded: NOASSERTION
FileCopyrightText: NOASSERTION
```

The official specification https://spdx.github.io/spdx-spec/v2.3/file-information/ states:

[image: screenshot of the SPDX 2.3 file information specification]

This causes problems for the official SPDX python tool, for example, when converting to another format like RDF:

```text
spdx_id must only contain letters, numbers, "." and "-" and must begin with "SPDXRef-", but is: SPDXRef-FILE-xtensa-esp32s3-elf-xtensa-esp32s3-elf-esp-12.2.0-20230208-xtensa-esp32s3-elf-xtensa-esp32s3-elf-include-c++-12.2.0-parallel-algo.h
spdx_id must only contain letters, numbers, "." and "-" and must begin with "SPDXRef-", but is: SPDXRef-FILE-xtensa-esp32s3-elf-xtensa-esp32s3-elf-esp-12.2.0-20230208-xtensa-esp32s3-elf-xtensa-esp32s3-elf-include-c++-12.2.0-parallel-algobase.h
spdx_id must only contain letters, numbers, "." and "-" and must begin with "SPDXRef-", but is: SPDXRef-FILE-xtensa-esp32s3-elf-xtensa-esp32s3-elf-esp-12.2.0-20230208-xtensa-esp32s3-elf-xtensa-esp32s3-elf-include-c++-12.2.0-parallel-algorithm
spdx_id must only contain letters, numbers, "." and "-" and must begin with "SPDXRef-", but is: SPDXRef-FILE-xtensa-esp32s3-elf-xtensa-esp32s3-elf-esp-12.2.0-20230208-xtensa-esp32s3-elf-xtensa-esp32s3-elf-include-c++-12.2.0-parallel-algorithmfwd.h
spdx_id must only contain letters, numbers, "." and "-" and must begin with "SPDXRef-", but is: SPDXRef-FILE-xtensa-esp32s3-elf-xtensa-esp32s3-elf-esp-12.2.0-20230208-xtensa-esp32s3-elf-xtensa-esp32s3-elf-include-c++-12.2.0-parallel-balanced-quicksort.h
spdx_id must only contain letters, numbers, "." and "-" and must begin with "SPDXRef-", but is: SPDXRef-FILE-xtensa-esp32s3-elf-xtensa-esp32s3-elf-esp-12.2.0-20230208-xtensa-esp32s3-elf-xtensa-esp32s3-elf-include-c++-12.2.0-parallel-base.h
spdx_id must only contain letters, numbers, "." and "-" and must begin with "SPDXRef-", but is: SPDXRef-FILE-xtensa-esp32s3-elf-xtensa-esp32s3-elf-esp-12.2.0-20230208-xtensa-esp32s3-elf-xtensa-esp32s3-elf-include-c++-12.2.0-parallel-basic-iterator.h
spdx_id must only contain letters, numbers, "." and "-" and must begin with "SPDXRef-", but is: SPDXRef-FILE-xtensa-esp32s3-elf-xtensa-esp32s3-elf-esp-12.2.0-20230208-xtensa-esp32s3-elf-xtensa-esp32s3-elf-include-c++-12.2.0-parallel-checkers.h
spdx_id must only contain letters, numbers, "." and "-" and must begin with "SPDXRef-", but is: SPDXRef-FILE-xtensa-esp32s3-elf-xtensa-esp32s3-elf-esp-12.2.0-20230208-xtensa-esp32s3-elf-xtensa-esp32s3-elf-include-c++-12.2.0-parallel-compatibility.h
spdx_id must only contain letters, numbers, "." and "-" and must begin with "SPDXRef-", but is: SPDXRef-FILE-xtensa-esp32s3-elf-xtensa-esp32s3-elf-esp-12.2.0-20230208-xtensa-esp32s3-elf-xtensa-esp32s3-elf-include-c++-12.2.0-parallel-compiletime-settings.h
spdx_id must only contain letters, numbers, "." and "-" and must begin with "SPDXRef-", but is: SPDXRef-FILE-xtensa-esp32s3-elf-xtensa-esp32s3-elf-esp-12.2.0-20230208-xtensa-esp32s3-elf-xtensa-esp32s3-elf-include-c++-12.2.0-parallel-equally-split.h
spdx_id must only contain letters, numbers, "." and "-" and must begin with "SPDXRef-", but is: SPDXRef-FILE-xtensa-esp32s3-elf-xtensa-esp32s3-elf-esp-12.2.0-20230208-xtensa-esp32s3-elf-xtensa-esp32s3-elf-include-c++-12.2.0-parallel-features.h
spdx_id must only contain letters, numbers, "." and "-" and must begin with "SPDXRef-", but is: SPDXRef-FILE-xtensa-esp32s3-elf-xtensa-esp32s3-elf-esp-12.2.0-20230208-xtensa-esp32s3-elf-xtensa-esp32s3-elf-include-c++-12.2.0-parallel-find.h
spdx_id must only contain letters, numbers, "." and "-" and must begin with "SPDXRef-", but is: SPDXRef-FILE-xtensa-esp32s3-elf-xtensa-esp32s3-elf-esp-12.2.0-20230208-xtensa-esp32s3-elf-xtensa-esp32s3-elf-include-c++-12.2.0-parallel-find-selectors.h
```

In this case you could replace `+` with `p`. I could see other problems arising based on how people name packages or file paths. I do see that `_` gets changed to `-` automatically.
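The identifier grammar the SPDX python tool enforces above (`SPDXRef-` followed only by letters, digits, `.` and `-`) is easy to check and to satisfy at generation time. The following is an added illustration, not code from esp-idf-sbom or the SPDX tooling: it validates `SPDXID:` values in a tag-value document, and derives a conforming file id from a path using the `+` to `p` substitution proposed in this issue, with a collision counter because that mapping is lossy. The sample tag-value text and the `main/hello_world_main.c` entry are constructed for the example.

```python
import re
import string
from typing import Dict, List, Optional

# SPDX 2.3 identifier grammar: "SPDXRef-" + one or more of [A-Za-z0-9.-].
# This is the rule behind the "spdx_id must only contain ..." errors above.
_ALLOWED = set(string.ascii_letters + string.digits + ".-")
_SPDX_ID_RE = re.compile(r"^SPDXRef-[A-Za-z0-9.\-]+$")


def is_valid_spdx_id(spdx_id: str) -> bool:
    """True when spdx_id satisfies the SPDX 2.3 identifier grammar."""
    return _SPDX_ID_RE.match(spdx_id) is not None


def file_spdx_id(path: str, seen: Optional[Dict[str, int]] = None) -> str:
    """Derive a valid SPDXRef-FILE-... id from a file path.

    '+' becomes 'p' (so c++ -> cpp, as suggested in the issue); every other
    disallowed character, including '/' and '_', becomes '-'. Because that
    mapping is lossy, an optional `seen` dict appends a counter so two
    distinct paths in one document never share an SPDXID.
    """
    rel = path[2:] if path.startswith("./") else path
    mapped = "".join(c if c in _ALLOWED else ("p" if c == "+" else "-") for c in rel)
    base = "SPDXRef-FILE-" + mapped
    if seen is None:
        return base
    n = seen.get(base, 0)
    seen[base] = n + 1
    return base if n == 0 else f"{base}-{n}"


def invalid_ids_in_tag_value(text: str) -> List[str]:
    """Return every 'SPDXID:' value in a tag-value document that breaks the grammar."""
    bad = []
    for line in text.splitlines():
        if line.startswith("SPDXID:"):
            value = line.split(":", 1)[1].strip()
            if not is_valid_spdx_id(value):
                bad.append(value)
    return bad


# Constructed sample: one entry copied from the issue (invalid) and one valid entry.
SAMPLE_TAG_VALUE = """\
FileName: ./esp-12.2.0_20230208/xtensa-esp32s3-elf/xtensa-esp32s3-elf/include/c++/12.2.0/parallel/algo.h
SPDXID: SPDXRef-FILE-xtensa-esp32s3-elf-xtensa-esp32s3-elf-esp-12.2.0-20230208-xtensa-esp32s3-elf-xtensa-esp32s3-elf-include-c++-12.2.0-parallel-algo.h
FileName: ./main/hello_world_main.c
SPDXID: SPDXRef-FILE-main-hello-world-main.c
"""
```

Running `invalid_ids_in_tag_value` over a generated `.spdx` file before handing it to downstream tooling surfaces exactly the identifiers the RDF conversion would reject.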
