Add a SBOM file in CycloneDX format
Jouni Malinen
j at w1.fi
Wed Dec 25 08:43:16 PST 2024
On Fri, Nov 15, 2024 at 12:22:35PM +0000, Richard Hughes wrote:
> I would like to contribute this template SBOM file into your project that gets included into source control with substituted values that get populated automatically. I'm not super familiar with wpa_supplicant, and so I've done my best populating the project values -- but please point out any that are incorrect and I'll fix them up. I've also put the `sbom.cdx.json` file in what I feel is the right place, but please say if you want me to put it somewhere different or name it a different thing; the directory and `sbom` prefix are unimportant.
Is this targeting only wpa_supplicant or both wpa_supplicant and
hostapd? Those are two components that share quite a bit of source code
and that are maintained in a single repository, but that are commonly
distributed as two distinct software components.
> Subject: [PATCH] Add a SBOM file in CycloneDX format
>
> Improve supply chain security by including a SBOM file with substituted values.
>
> This will be used to construct a composite platform SBOM.
It would be helpful for the commit message itself to be a bit clearer on
where the format and macros used in this file are defined. This message
itself did cover some of that above the commit message itself.
> diff --git a/sbom.cdx.json b/sbom.cdx.json
> new file mode 100644
Depending on the answer to the first question above, the root directory
of the repository may not be the best location for this..
wpa_supplicant/sbom.cdx.json and hostapd/sbom.cdx.json would likely be
better; or just one of those if only one of the software components is
targeted.
> +{
> + "bomFormat": "CycloneDX",
> + "specVersion": "1.6",
A reference to the spec (https://cyclonedx.org/docs/1.6/json/ ?) and
some link to documentation might be nice to include in the commit
message..
> + "version": 1,
How would this be managed? Is there a need to update that in the
upstream repository when changing this file or would this be changed by
whatever tools are pulling in this software? Since the default value
seems to be 1, could this be simply omitted if it is not maintained in
this repository?
> + "components": [
> + {
> + "type": "library",
What is this based on? I would have used "application".
> + "bom-ref": "pkg:hostapd/wpa_supplicant@@VCS_TAG@",
> + "cpe": "cpe:2.3:a:hostapd:wpa_supplicant:@VCS_TAG@:*:*:*:*:*:*:*",
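Review bot: the purl type segment in the `bom-ref` is `hostapd` (`pkg:hostapd/...`), which is not a registered purl type, so tooling that resolves purls will not recognise it; `pkg:generic/wpa_supplicant@...` is the usual choice for a project that is not in a package ecosystem. The same line puts `@VCS_TAG@` in the purl version while the `version` field below uses `@VCS_VERSION@`; unless the two macros expand to the same string, the two identifiers for one component will disagree. The CPE vendor `hostapd` should also be checked against the vendor string that vulnerability databases use for this project, since a CPE with a different vendor never matches an advisory.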
Why hostapd/wpa_supplicant in these?
> + "name": "wpa_supplicant",
And wpa_supplicant here?
> + "version": "@VCS_VERSION@",
How and when would this macro be replaced and based on what? hostap.git
is a git repository, but wpa_supplicant releases (i.e., a tarball built
by the build_release script) contain a subset of the files from the
repository and do not include .git, so things like 'git
describe --tags' would not work.
> + "description": "The IEEE 802.1X/WPA component, implementing key negotiation with an authenticator",
This would sound like wpa_supplicant, but not hostapd..
> + "authors": [
> + {
> + "name": "@VCS_SBOM_AUTHORS@"
> + }
> + ],
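Review bot: the `authors` array here has exactly one entry whose `name` is the whole `@VCS_SBOM_AUTHORS@` expansion, so if that macro yields several names they all end up in one `name` string; either the substitution step should emit one object per author, or, if the intent is only to name the maintainers, a fixed entry would be simpler than a macro. The commit message should also state how this macro is derived.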
What is this supposed to be? "The person(s) who created the component."
sounds like something that would be about wpa_supplicant and/or hostapd,
but 'git shortlog -n -s -- sbom.cdx.json' would list names of people who
have modified the SBOM file and not the actual component..
> + "supplier": {
> + "name": "wpa_supplicant developers"
> + },
Another one of those wpa_supplicant vs. hostapd items here..
> + "externalReferences": [
> + {
> + "type": "website",
> + "url": "https://hostap.epitest.fi/wpa_supplicant/"
> + },
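Review bot: the `externalReferences` list carries only a `website` entry; since the `version` and `bom-ref` values are derived from VCS tags, a `vcs` reference pointing at the hostap.git repository would let consumers verify those values against the source of truth, and a `distribution` reference for the release tarball would cover the tarball case where no .git is present.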
That is not a valid URL for the project anymore. That should be
https://w1.fi/wpa_supplicant/ or https://w1.fi/hostapd/ instead.
--
Jouni Malinen PGP id EFC895FA
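One check a packager could run over the generated file, as an added example that is not part of the patch or this thread (the sample input is constructed, and the purl type `generic` is an assumption, not the patch's value): it flags unsubstituted @MACRO@ placeholders, which is what a release tarball without .git would produce when 'git describe' cannot run, and a purl version that disagrees with the component's own version field.

```python
import json
import re

# Constructed sample: the template after a partial substitution run.
# The purl still holds @VCS_TAG@ while "version" was expanded, which is
# exactly the inconsistency a consumer of the SBOM would otherwise miss.
SAMPLE_SBOM = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "version": 1,
  "components": [
    {
      "type": "application",
      "bom-ref": "pkg:generic/wpa_supplicant@@VCS_TAG@",
      "name": "wpa_supplicant",
      "version": "2.11"
    }
  ]
}"""

PLACEHOLDER = re.compile(r"@[A-Z_]+@")

def find_placeholders(obj, path="$"):
    """Return (json_path, value) for every string still holding an @MACRO@ token."""
    hits = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            hits += find_placeholders(val, f"{path}.{key}")
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            hits += find_placeholders(val, f"{path}[{i}]")
    elif isinstance(obj, str) and PLACEHOLDER.search(obj):
        hits.append((path, obj))
    return hits

def version_mismatches(sbom):
    """Components whose purl version disagrees with their 'version' field."""
    bad = []
    for comp in sbom.get("components", []):
        ref = comp.get("bom-ref", "")
        if ref.startswith("pkg:") and "@" in ref:
            # purl version follows the first '@' and ends at '?' or '#'
            purl_version = re.split(r"[?#]", ref.split("@", 1)[1])[0]
            if purl_version != comp.get("version"):
                bad.append((comp.get("name"), purl_version, comp.get("version")))
    return bad

def check_sbom(text):
    """Parse a CycloneDX JSON document and return both classes of findings."""
    sbom = json.loads(text)
    return {"placeholders": find_placeholders(sbom),
            "version_mismatches": version_mismatches(sbom)}

if __name__ == "__main__":
    print(check_sbom(SAMPLE_SBOM))
```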