revert: deduplication for vulnerabilities in vex #12
Closed
README: removed reference to dependency-track and modified description. Added support for PURL and patch CPE generation by removing🅰️ which is not applicable for linux kernel for example.
…x-export sbom-export: export components to CycloneDX format
Two variables were not renamed correctly
CycloneDX's JSON schema uses the predefined date-time format which according to the [JSON schema docs](https://json-schema.org/understanding-json-schema/reference/string#dates-and-times) corresponds to [RFC3339 sec. 5.6](https://datatracker.ietf.org/doc/html/rfc3339#section-5.6), which is a subset of [ISO8601](https://datatracker.ietf.org/doc/html/rfc3339#ref-ISO8601). Thus, a valid SBOM does NOT support all forms of ISO8601 date formats.
The OE build system contains information on fixed (e.g. backported) or ignored CVEs (e.g. limited to Windows platforms). To take these into account we create and populate a CycloneDX VEX file alongside the sbom. Co-authored-by: Aoife Power <[email protected]>
Using UTC may be better to:
- make the result more consistent
- remove unnecessary information about the local time of the computer producing it
All relevant information for constructing the sbom is available within the recipes themselves, thus there is no reason to depend on do_fetch. Removing this dependency has the advantage that, when running bitbake with the --runonly=do_cyclonedx_package_collect flag (i.e. when one is interested only in the sbom, not the actual build artifacts), it will not depend on unnecessary fetch tasks; thus generating the sbom will be fast regardless of the availability of a populated dl_dir.
When the same CVE is reported for different packages, prefer adding a new reference in the "affects" array rather than adding the same vulnerability twice
Inspired by the cve-check.bbclass, we correctly handle additional cases where recipes should be skipped.
This reverts commit 7c200bc.
PURL format is not purl:vendor/... or purl:generic/... It's in fact purl:generic/vendor/... or purl:generic/... This commit fixes this small error
Deduplication was causing information loss when the same vulns were reported by different recipes with different statuses. More details in issue #7
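The revert is about a data-modelling problem rather than a bug in a single line: a CycloneDX VEX entry carries one `analysis.state`, so merging every recipe that reports a CVE into one entry's `affects` array can only keep one status. The following is an added example, not the project's code. It models the reverted behaviour and the post-revert behaviour over constructed cve-check style findings, and adds a third variant (my own suggestion, not something the PR proposes) that deduplicates on `(cve, state)` so nothing is lost. The `Patched`/`Unpatched`/`Ignored` to `resolved`/`exploitable`/`not_affected` mapping and the `bom_ref()` scheme are assumptions for the example.

```python
"""Added example: how deduplicating VEX entries by CVE id loses per-recipe status.

Not the project's code. Uses the CycloneDX vulnerability fields `id`,
`affects[].ref` and `analysis.state`; the status mapping and bom-ref scheme
below are assumptions made for the example.
"""
import json

# Constructed sample of cve-check style findings. CVE-0000-0001 is reported by
# three recipes with two different statuses; that is the case from issue #7.
FINDINGS = [
    {"recipe": "openssl", "cve": "CVE-0000-0001", "status": "Patched"},
    {"recipe": "curl",    "cve": "CVE-0000-0001", "status": "Unpatched"},
    {"recipe": "zlib",    "cve": "CVE-0000-0001", "status": "Patched"},
    {"recipe": "curl",    "cve": "CVE-0000-0002", "status": "Ignored"},
]

# Assumed mapping from cve-check status to a CycloneDX analysis state.
STATE = {"Patched": "resolved", "Unpatched": "exploitable", "Ignored": "not_affected"}


def bom_ref(recipe: str) -> str:
    """Assumed bom-ref scheme for the component produced by a recipe."""
    return f"component:{recipe}"


def _entry(cve: str, state: str, refs: list[str]) -> dict:
    return {"id": cve, "affects": [{"ref": r} for r in refs],
            "analysis": {"state": state}}


def vex_deduplicated(findings: list[dict]) -> list[dict]:
    """Reverted behaviour: one entry per CVE, later recipes only extend `affects`.

    The entry's analysis.state is whatever the first recipe reported, so a
    differing status from a later recipe is silently dropped.
    """
    by_cve: dict[str, dict] = {}
    for f in findings:
        entry = by_cve.setdefault(f["cve"], _entry(f["cve"], STATE[f["status"]], []))
        entry["affects"].append({"ref": bom_ref(f["recipe"])})
    return list(by_cve.values())


def vex_per_recipe(findings: list[dict]) -> list[dict]:
    """Post-revert behaviour: one entry per (CVE, recipe), each with its own state."""
    return [_entry(f["cve"], STATE[f["status"]], [bom_ref(f["recipe"])]) for f in findings]


def vex_grouped_by_state(findings: list[dict]) -> list[dict]:
    """Suggested variant: merge only recipes that share both CVE and state."""
    groups: dict[tuple[str, str], list[str]] = {}
    for f in findings:
        groups.setdefault((f["cve"], STATE[f["status"]]), []).append(bom_ref(f["recipe"]))
    return [_entry(cve, state, refs) for (cve, state), refs in groups.items()]


def lost_statuses(findings: list[dict], vex: list[dict]) -> set[tuple[str, str, str]]:
    """Return (recipe, cve, state) triples from `findings` that `vex` does not record."""
    recorded = {(a["ref"], v["id"], v["analysis"]["state"])
                for v in vex for a in v["affects"]}
    return {(f["recipe"], f["cve"], STATE[f["status"]]) for f in findings
            if (bom_ref(f["recipe"]), f["cve"], STATE[f["status"]]) not in recorded}


if __name__ == "__main__":
    for name, fn in [("deduplicated", vex_deduplicated),
                     ("per-recipe", vex_per_recipe),
                     ("grouped-by-state", vex_grouped_by_state)]:
        vex = fn(FINDINGS)
        print(f"== {name}: {len(vex)} entries, lost: {sorted(lost_statuses(FINDINGS, vex))}")
        print(json.dumps({"vulnerabilities": vex}, indent=2))
```

On this input the deduplicated form records CVE-0000-0001 as `resolved` for all three recipes and loses curl's `exploitable` status, which is exactly the information loss the revert addresses. The per-recipe form keeps everything at the cost of repeated ids; grouping on `(cve, state)` keeps everything while still collapsing recipes that agree.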