cyclonedx / cyclonedx-buildroot

Create CycloneDX Software Bill of Materials (SBOM) for Buildroot projects

Home Page: https://cyclonedx.org

License: Apache License 2.0

Language: Python 100.00%

Topics: bom, bill-of-materials, buildroot, cyclonedx, sbom, sbom-generator, sbom-tool, software-bill-of-materials

cyclonedx-buildroot's People

Contributors: jkowalleck, ptdropper, stevespringett


Forkers: arthurep, rlfagan

cyclonedx-buildroot's Issues

define appropriate dependencies for python distribution package

Jan Kowalleck

Your project does not define any dependencies, does it?

Answer: No it does not, that is the issue.

Follow https://packaging.python.org/en/latest/guides/writing-pyproject-toml/
for "setuptools" build system and define the appropriate dependencies.

The only thing you do is to define the dependencies and the version range they need to be in. The goal is to produce a distribution that

  1. is installable
  2. defines the dependencies properly
  3. results in a callable and runnable python module

Output export json doesn't seem to be a valid BOM

First of all I'd like to thank you for this project. It seems this is the only available option to easily get a BOM from a buildroot environment.

I'm aware that this project is in its very early stage so I assume a lot of things might not work well, yet I'd like to give it a shot to make it work.

After running python3 generateBuildrootSBOM.py -i manifest.csv -it csv using the manifest.csv generated from buildroot's make legal-info, I take the export output json and attempt to validate it via the cyclonedx-cli:

❯ cyclonedx validate --input-file export --input-format json --input-version v1_4
Validating JSON BOM...
Validation failed: 
#/properties
BOM is not valid.

FYI I have installed cyclonedx-python-lib 4.0.0 in my system and I am using the cyclonedx-cli 0.24.2

I was also able to reproduce the same issue using the manifest.csv from a recent buildroot tag default configuration:

git clone https://github.com/buildroot/buildroot.git
cd buildroot
git checkout 2023.02
make defconfig
make legal-info

Let me know if there's anything else I can provide. Thanks!
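The cyclonedx-cli output above reports only a schema pointer (#/properties) and nothing about which component it refers to. As an added example (not code from the cyclonedx-buildroot project), the following stdlib-only pre-check walks an exported JSON BOM and reports a JSON pointer for each violation of a small subset of the CycloneDX 1.4 schema rules (root bomFormat/specVersion, component type and name, property name); the sample export is constructed.

```python
import json

# Component 'type' values allowed by the CycloneDX 1.4 JSON schema
COMPONENT_TYPES = {"application", "framework", "library", "container",
                   "operating-system", "device", "firmware", "file"}

def check_bom(doc):
    """Return (json_pointer, message) pairs for the checked subset of the
    CycloneDX 1.4 schema; an empty list means that subset is satisfied."""
    if not isinstance(doc, dict):
        return [("#", "root must be a JSON object")]
    problems = []
    if doc.get("bomFormat") != "CycloneDX":
        problems.append(("#/bomFormat", "required, must be the string 'CycloneDX'"))
    if not isinstance(doc.get("specVersion"), str):
        problems.append(("#/specVersion", "required string, e.g. '1.4'"))
    components = doc.get("components", [])
    if not isinstance(components, list):
        return problems + [("#/components", "must be an array")]
    for i, comp in enumerate(components):
        base = f"#/components/{i}"
        if not isinstance(comp, dict):
            problems.append((base, "component must be an object"))
            continue
        if not isinstance(comp.get("type"), str) or comp["type"] not in COMPONENT_TYPES:
            problems.append((base + "/type", "required, must be a schema component type"))
        if not isinstance(comp.get("name"), str) or not comp["name"]:
            problems.append((base + "/name", "required non-empty string"))
        for j, prop in enumerate(comp.get("properties") or []):
            if not isinstance(prop, dict) or not isinstance(prop.get("name"), str):
                problems.append((f"{base}/properties/{j}/name", "property needs a string 'name'"))
    return problems

def check_bom_text(text):
    """Parse a JSON export and check it; a parse failure is reported at '#'."""
    try:
        return check_bom(json.loads(text))
    except json.JSONDecodeError as exc:
        return [("#", f"not valid JSON: {exc.msg}")]

# Constructed sample export: component 1 lacks 'type', its property lacks 'name'
SAMPLE_EXPORT = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "components": [
        {"type": "library", "name": "zlib", "version": "1.2.13"},
        {"name": "busybox", "version": "1.36.0",
         "properties": [{"value": "GPL-2.0"}]},
    ],
})
```

Run check_bom_text over the export file's contents before invoking cyclonedx-cli; an empty list does not mean the BOM is schema-valid, only that these particular rules hold.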

docs: fix readme

readme is wrong:

  • it speaks of a plugin, but this project is an executable
    This [Buildroot][Buildroot_homepage] plugin generates [CycloneDX][CDX_homepage] Software Bill of Materials (SBOM) containing all direct and transitive dependencies of a buildroot project.
  • the usage is just wrong -- it does not call this project but something else
    $ python3 -m cyclonedxbuildroot.cli.generateBom -it buildroot -i <path>/manifest.csv -ot console -n "My Project" -v "1.2.3.4"

make_with_license dependency breaking change

With LicenseChoiceFactory class removed from license.py, the script generateBuildrootSBOM.py is not working as it utilizes the "make_with_license" function within LicenseChoiceFactory class.

Current branches are not working

Hello,

The current master doesn't seem to work:

Output BOM: export
SBOM Component Name: Test
SBOM Component Version: 1R3-RCX
Traceback (most recent call last):
  File "C:\Users\azsde\Downloads\cyclonedx-buildroot\generateBuildrootSBOM.py", line 119, in <module>
    main()
  File "C:\Users\azsde\Downloads\cyclonedx-buildroot\generateBuildrootSBOM.py", line 92, in main
    br_parser.Component(name=args.input_name, version=args.component_version,
TypeError: Component.__init__() got an unexpected keyword argument 'type'

When I try to use the latest python_executable branch it doesn't work either:

Input file: C:\Users\azsde\Downloads\manifest.csv
Output BOM: export
SBOM Component Name: Test
SBOM Component Version: 1R3-RCX
Traceback (most recent call last):
  File "C:\Users\azsde\Downloads\cyclonedx-buildroot\generateBuildrootSBOM.py", line 114, in <module>
    main()
  File "C:\Users\azsde\Downloads\cyclonedx-buildroot\generateBuildrootSBOM.py", line 93, in main
    new_bom = create_buildroot_sbom(args, br_bom)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\azsde\Downloads\cyclonedx-buildroot\generateBuildrootSBOM.py", line 53, in create_buildroot_sbom
    next_component = cyclonedx.model.component.Component(name=row['PACKAGE'],
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: Component.__init__() got an unexpected keyword argument 'package_url_type'

When I update the code so that package_url_type is updated to purl, I get the following error:

Input file: C:\Users\azsde\Downloads\cyclonedx-buildroot\manifest.csv
Output BOM: export
SBOM Component Name: Test
SBOM Component Version: 1R3-RCX
Traceback (most recent call last):
  File "C:\Users\azsde\Downloads\cyclonedx-buildroot\cyclonedx-buildroot\generateBuildrootSBOM.py", line 114, in <module>
    main()
  File "C:\Users\azsde\Downloads\cyclonedx-buildroot\cyclonedx-buildroot\generateBuildrootSBOM.py", line 93, in main
    new_bom = create_buildroot_sbom(args, br_bom)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\azsde\Downloads\cyclonedx-buildroot\cyclonedx-buildroot\generateBuildrootSBOM.py", line 58, in create_buildroot_sbom
    br_bom_local.add_component(component=next_component)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'Bom' object has no attribute 'add_component'. Did you mean: 'has_component'?

I installed all dependencies as defined in requirement.txt

Should it be updated maybe?

Generated purls not compatible with OSS analysis in Dependency-track

First of all, thanks for providing this tool.

Using this tool, I generated a CycloneDX SBOM and posted it to OWASP Dependency-track. It was ingested and showed the expected components, but I got no vulnerability data from either the internal (uses CPE) or Sonatype OSS (uses pURL) analyzers. What I discovered is that this tool generates a pURL, but it isn't compatible with the OSS analyzer lookup. It doesn't generate a CPE that could be used by the internal Dependency-track analyzer.

I provided more details in this stackoverflow question.

https://stackoverflow.com/questions/76574392/is-cyclonedx-buildroot-expected-to-generate-compatible-sboms-for-dependency-trac

So currently, the tool is useful for generating an SBOM that can work with Dependency-track to provide an inventory, but is not useful for vulnerability analysis in Dependency-track.

It would be excellent if the tool could generate CycloneDX SBOMs that are compatible with the vulnerability analyzers in OWASP Dependency-track by either generating a compatible pURL or a CPE.
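To show what the Dependency-Track analyzers key on, here is an added example (not the tool's own code) that derives a Package URL and a CPE 2.3 string for each row of a Buildroot legal-info manifest.csv. The column names follow Buildroot's manifest format and the sample rows are constructed; the pkg:generic purl type and the vendor-equals-product CPE default are assumptions to be reviewed per package, since a match depends on the exact identifier the analyzer's database carries.

```python
import csv
import io
from urllib.parse import quote

# Constructed sample with the column layout of Buildroot's legal-info manifest.csv
SAMPLE_MANIFEST = (
    '"PACKAGE","VERSION","LICENSE","LICENSE FILES","SOURCE ARCHIVE","SOURCE SITE",'
    '"DEPENDENCIES WITH LICENSES"\n'
    '"zlib","1.2.13","Zlib","LICENSE","zlib-1.2.13.tar.gz","https://example.invalid/zlib",""\n'
    '"host-gcc","12.3.0+r1","GPL-3.0","COPYING","gcc-12.3.0.tar.xz","https://example.invalid/gcc",""\n'
)

def purl_from_row(row):
    """pkg:generic/<name>@<version>?download_url=<url>; the 'generic' type is an
    assumption, chosen because Buildroot packages belong to no registry ecosystem."""
    name = quote(row["PACKAGE"].strip(), safe="")
    version = quote(row["VERSION"].strip(), safe="")
    purl = f"pkg:generic/{name}@{version}"
    site = row.get("SOURCE SITE", "").strip()
    archive = row.get("SOURCE ARCHIVE", "").strip()
    if site and archive:
        # ':' and '/' may stay unencoded inside a qualifier value
        purl += "?download_url=" + quote(f"{site.rstrip('/')}/{archive}", safe=":/")
    return purl

def _cpe_escape(value):
    """CPE 2.3 formatted-string binding: letters, digits, '.', '-', '_' stay
    literal, whitespace becomes '_', any other character is backslash-quoted."""
    return "".join(ch if ch.isalnum() or ch in "._-" else "_" if ch.isspace()
                   else "\\" + ch for ch in value.strip().lower())

def cpe_from_row(row, vendor=None):
    """cpe:2.3:a:<vendor>:<product>:<version>:*:*:*:*:*:*:*; vendor defaults to
    the product name, an assumption that has to be reviewed per package."""
    product = _cpe_escape(row["PACKAGE"])
    vendor = _cpe_escape(vendor) if vendor else product
    return f"cpe:2.3:a:{vendor}:{product}:{_cpe_escape(row['VERSION'])}:*:*:*:*:*:*:*"

def identifiers_from_manifest(text):
    """Map each manifest row to the name, version, purl and CPE an SBOM entry needs."""
    return [{"name": r["PACKAGE"], "version": r["VERSION"],
             "purl": purl_from_row(r), "cpe": cpe_from_row(r)}
            for r in csv.DictReader(io.StringIO(text))]
```

Both identifiers are only as good as the vendor/product naming the analyzer expects, so a per-package override table (the vendor argument above) is the practical way to close the gap the issue describes.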
