[openwrt/openwrt] build: add explicit timezone in CycloneDX SBOM

LEDE Commits lede-commits at lists.infradead.org
Fri Jun 7 03:05:53 PDT 2024 

robimarko pushed a commit to openwrt/openwrt.git, branch main:
https://git.openwrt.org/2ded629864de779df8ddd0224a875edf17f9fea5

commit 2ded629864de779df8ddd0224a875edf17f9fea5
Author: Roman Azarenko <roman.azarenko at iopsys.eu>
AuthorDate: Tue Jun 4 18:00:03 2024 +0200

    build: add explicit timezone in CycloneDX SBOM
    
    The sender domain has a DMARC Reject/Quarantine policy which disallows
    sending mailing list messages using the original "From" header.
    
    To mitigate this problem, the original message has been wrapped
    automatically by the mailing list software.
    Per the CycloneDX 1.4 spec, the `metadata.timestamp` field contains
    the date/time when the BOM was created [1].
    
    Before the change, the value generated by the package-metadata.pl
    script would look like this:
    
            2024-06-03T15:51:10
    
    CycloneDX 1.4 relies on the JSON Schema specification version draft-07,
    which defines the `date-time` format [2] as derived from RFC 3339,
    section 5.6 [3]. In this format, the `time-offset` component is required,
    however in the original version of package-metadata.pl it is omitted.
    
    This is causing problems with OWASP Dependency-Track version 4.11.0 or
    newer, where it now validates submitted SBOMs against the JSON schema
    by default [4]. SBOMs with incorrect timestamp values are rejected with
    the following error:
    
            {
                "detail": "Schema validation failed",
                "errors": [
                    "$.metadata.timestamp: 2024-06-03T15:51:10 is an invalid date-time"
                ],
                "status": 400,
                "title": "The uploaded BOM is invalid"
            }
    
    Add explicit `Z` (UTC) timezone offset in the `timestamp` field
    to satisfy the CycloneDX schema.
    
    [1]: https://github.com/CycloneDX/specification/blob/1.4/schema/bom-1.4.schema.json#L116-L121
    [2]: https://json-schema.org/draft-07/draft-handrews-json-schema-validation-01#rfc.section.7.3.1
    [3]: https://datatracker.ietf.org/doc/html/rfc3339#section-5.6
    [4]: https://github.com/DependencyTrack/dependency-track/pull/3522
    
    Signed-off-by: Roman Azarenko <roman.azarenko at iopsys.eu>
---
 scripts/package-metadata.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/package-metadata.pl b/scripts/package-metadata.pl
index 1e47052ba0..82bd4360f3 100755
--- a/scripts/package-metadata.pl
+++ b/scripts/package-metadata.pl
@@ -655,7 +655,7 @@ sub dump_cyclonedxsbom_json {
 		serialNumber => "urn:uuid:$uuid",
 		version => 1,
 		metadata => {
-			timestamp => gmtime->datetime,
+			timestamp => gmtime->datetime . 'Z',
 		},
 		"components" => [@components],
 	};

More information about the lede-commits mailing list