Hi,
My name is Richard Hughes and I'm a developer at Red Hat. I'm the maintainer of fwupd and LVFS, and am trying to improve software supply chain security by encouraging OEMs, ODMs and IBVs to ship a Software Bill of Materials (SBOM) with each firmware binary blob.
I'm working alongside lots of other companies proactively trying to do the right thing. The reason I'm emailing is because your project is either used in the *build process* of a firmware we care about (e.g. EDK II, or coreboot) or is built *into the firmware binary* itself. Although my personal focus is on firmware, the SBOM file is in CycloneDX format (one of the most popular industry standards) which makes it also useful when building containers or OS images too.
I would like to contribute this template SBOM file into your project that gets included into source control with substituted values that get populated automatically. I'm not super familiar with wpa_supplicant, and so I've done my best populating the project values -- but please point out any that are incorrect and I'll fix them up. I've also put the `sbom.cdx.json` file in what I feel is the right place, but please say if you want me to put it somewhere different or name it a different thing; the directory and `sbom` prefix are unimportant.
I've written a bit more about this proposal here https://blogs.gnome.org/hughsie/2024/11/14/firmware-sboms-for-open-source-projects/ and there's also a lot more information about firmware SBOMs here: https://lvfs.readthedocs.io/en/latest/sbom.html – many thanks for your time.
I've attached a patch to this email. Comments welcome.
Richard
From 9669c08ca92cb23db479ce3e7e3b865f7706305b Mon Sep 17 00:00:00 2001
From: Richard Hughes <richard@xxxxxxxxxxx>
Date: Fri, 15 Nov 2024 12:17:38 +0000
Subject: [PATCH] Add a SBOM file in CycloneDX format
Improve supply chain security by including a SBOM file with substituted values.
This will be used to construct a composite platform SBOM.
Signed-off-by: Richard Hughes <richard@xxxxxxxxxxx>
---
sbom.cdx.json | 40 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
create mode 100644 sbom.cdx.json
diff --git a/sbom.cdx.json b/sbom.cdx.json
new file mode 100644
index 000000000..86d535afb
--- /dev/null
+++ b/sbom.cdx.json
@@ -0,0 +1,40 @@
+{
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.6",
+ "version": 1,
+ "components": [
+ {
+ "type": "library",
+ "bom-ref": "pkg:hostapd/wpa_supplicant@@VCS_TAG@",
+ "cpe": "cpe:2.3:a:hostapd:wpa_supplicant:@VCS_TAG@:*:*:*:*:*:*:*",
+ "name": "wpa_supplicant",
+ "version": "@VCS_VERSION@",
+ "description": "The IEEE 802.1X/WPA component, implementing key negotiation with an authenticator",
+ "authors": [
+ {
+ "name": "@VCS_SBOM_AUTHORS@"
+ }
+ ],
+ "supplier": {
+ "name": "wpa_supplicant developers"
+ },
+ "licenses": [
+ {
+ "license": {
+ "id": "BSD-3-Clause"
+ }
+ }
+ ],
+ "externalReferences": [
+ {
+ "type": "website",
+ "url": "https://hostap.epitest.fi/wpa_supplicant/"
+ },
+ {
+ "type": "vcs",
+ "url": "git://w1.fi/srv/git/hostap.git"
+ }
+ ]
+ }
+ ]
+}
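Review bot: the `"bom-ref": "pkg:hostapd/wpa_supplicant@@VCS_TAG@"` value uses a purl type (`hostapd`) that is not one of the registered purl types, so SBOM tooling that validates or resolves package URLs may reject or ignore it; if the identifier is meant to be consumed by such tools, `pkg:generic/wpa_supplicant@@VCS_TAG@` (the `generic` type is registered, with the repository given in a `vcs_url` qualifier) is the safer choice, and if the private type is intentional it is worth a sentence in the commit message. The doubled `@@` is correct purl syntax (the `@` version separator followed by the `@VCS_TAG@` placeholder) but reads like a typo; a note in the commit message would save later readers the double-take. The two external references also point at different hosts, `https://hostap.epitest.fi/wpa_supplicant/` for the website and `git://w1.fi/srv/git/hostap.git` for the VCS; please confirm which hostname is the current canonical one and use it for both so the SBOM does not carry a stale link. Finally, the CPE is versioned with `@VCS_TAG@` while `"version"` uses `@VCS_VERSION@`; if those two placeholders can expand to different strings, the CPE and the component version will disagree and vulnerability matching against the CPE will miss, so either use the same placeholder in both or state why they differ.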
--
2.47.0
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap