Add SBOM files for applicable components #212
Closed
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
version: 4.3.1 | ||
cpe: cpe:2.3:a:libcoap:libcoap:{}:*:*:*:*:*:*:* | ||
supplier: 'Organization: Espressif Systems (Shanghai) CO LTD' | ||
originator: 'Organization: libcoap <https://libcoap.net/>' | ||
description: A CoAP (RFC 7252) implementation in C |
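Review bot: the `version: 4.3.1` and `description:` lines duplicate fields that this component's idf_component.yml already carries, and the review thread notes that the tool falls back to idf_component.yml for both when sbom.yml omits them; drop them here so a version bump touches one file, and keep `cpe:` with its `{}` placeholder to be filled from the component version.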
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
version: 2.5.0 | ||
cpe: cpe:2.3:a:libexpat_project:libexpat:{}:*:*:*:*:*:*:* | ||
supplier: 'Organization: Espressif Systems (Shanghai) CO LTD' | ||
originator: 'Organization: libexpat_project' | ||
description: Fast streaming XML parser written in C99 |
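Review bot: `originator: 'Organization: libexpat_project'` reuses the NVD vendor slug from the CPE instead of naming the upstream project, unlike the libcoap, fmt, nghttp2 and zlib entries, which give the project name and homepage in `<...>`; the originator is what lands in the SPDX output, so name the project and its homepage here and keep `libexpat_project` only inside the `cpe:` string.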
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
version: 9.1.0 | ||
cpe: cpe:2.3:a:fmt:fmt:{}:*:*:*:*:*:*:* | ||
supplier: 'Organization: Espressif Systems (Shanghai) CO LTD' | ||
originator: 'Organization: fmt <https://fmt.dev/latest/index.html>' | ||
description: A modern formatting library |
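Review bot: the `{}` placeholder in `cpe: cpe:2.3:a:fmt:fmt:{}:*:*:*:*:*:*:*` is only half of what makes CVE matching work; if the `fmt:fmt` vendor:product pair does not match the NVD CPE dictionary entry for this library, a scan returns no findings rather than an error, so confirm the pair against the dictionary before merging (a short generic name like this makes a mismatch easy to miss). The originator URL also points at `latest/index.html`; the project root `https://fmt.dev/` is the more stable homepage.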
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
version: 1.6.39 | ||
cpe: cpe:2.3:a:libpng:libpng:{}:*:*:*:*:*:*:* | ||
supplier: 'Organization: Espressif Systems (Shanghai) CO LTD' | ||
originator: 'Organization: libpng' | ||
description: Portable Network Graphics support, official PNG reference library |
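Review bot: `version: 1.6.39` is now the third copy of this library's version, alongside idf_component.yml and the `sbom-version`/`sbom-hash` entries in .gitmodules discussed in the thread; the automatic update action (#174, espressif/github-actions#40) only updates the submodule and idf_component.yml, so decide which copy is authoritative and derive the others from it, otherwise the SBOM will silently report a stale version after the next bump.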
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
version: 1.52.0 | ||
cpe: cpe:2.3:a:nghttp2:nghttp2:{}:*:*:*:*:*:*:* | ||
supplier: 'Organization: Espressif Systems (Shanghai) CO LTD' | ||
originator: 'Organization: nghttp2 <https://nghttp2.org/' | ||
description: nghttp2 - HTTP/2 C Library and tools |
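Review bot: `originator: 'Organization: nghttp2 <https://nghttp2.org/'` is missing the closing `>`; change it to `'Organization: nghttp2 <https://nghttp2.org/>'` so the URL is delimited the same way as in the libcoap, fmt and zlib files and an SPDX consumer does not treat the bare `<` as part of the organisation name.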
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
version: 1.2.13 | ||
cpe: cpe:2.3:a:zlib:zlib:{}:*:*:*:*:*:*:* | ||
supplier: 'Organization: Espressif Systems (Shanghai) CO LTD' | ||
originator: 'Organization: zlib <http://www.zlib.net/>' | ||
description: A massively spiffy yet delicately unobtrusive compression library |
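Review bot: `originator: 'Organization: zlib <http://www.zlib.net/>'` is the only homepage in this set given over plain HTTP; use `https://www.zlib.net/` so anyone following links out of the SBOM is not sent over cleartext, consistent with the other entries.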
Hi @mahavirj , I'm a little bit confused and probably missing something. Why are we changing the versions in `idf_component.yml`? For example here from `2.5.0` to `2.5.0~1`. Also just a note, if the version is not found in `sbom.yml` it will be taken from `idf_component.yml` if present. The same goes for description. So maybe we can avoid the duplication. Now I'm starting to think that maybe we should ask @kumekay if it would be possible to add the sbom fields support into `idf_component.yml` so we do not have to keep the info in two places for the managed components. Just a thought. Thank you.
Since we are adding a new file to this component, we must bump up its version so that it gets pushed to the upstream registry.
Okay, in that case, I can remove the `version` field from the `sbom.yml` file. Probably we can remove the description field as well?

That makes sense.
Thank you for the explanation @mahavirj . I will sync with @kumekay to see what can be done about this.
It would also make the implementation of automatic version updates (#174) a lot easier if there are fewer files which have to be modified for each version bump.
For now, espressif/github-actions#40 has added support for updating the submodule itself and the version in idf_component.yml. Having to update also `sbom-version` and `sbom-hash` in .gitmodules, plus the new sbom.yml file, definitely makes the implementation more complex...
By the way, do I understand it right that after the SBOM information is moved into sbom.yml, we will revert the .gitmodules changes done in #199? I'm trying to understand whether I have to implement automatic updates to sbom-version and sbom-hash entries from update_submodule_versions action.
@mahavirj , @kumekay I quickly tried, with idf-component-manager 1.3.2, some local test managed component and I can confirm that the root variables are used and not reported. With e.g. `1.2.3` I get this
I just wanted to point this out, because if we update `idf_component.yml` files, people with an older manager will run into this. I'm not sure if this is (could be) a problem.
This could be an override switch as well. If the version is present under sbom namespace then pick that one, else use the component version field itself.
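The fallback fhrbata describes above (a field missing from sbom.yml is taken from idf_component.yml) and the override switch proposed in the comment just above, as an added Python example that is not code from esp-idf-sbom, idf-component-manager or this PR: it merges the two files with sbom.yml taking precedence, fills the `{}` placeholder in the CPE with the resolved version, and lints the result. The inputs are constructed from the libexpat diff and a minimal idf_component.yml; the flat `key: value` parser and the rule that a `~N` registry re-release suffix is stripped before the version is placed in the CPE are assumptions of this example, not behaviour of the tool.

```python
"""Resolve and lint the SBOM metadata of one managed component.

Added example, not esp-idf-sbom or idf-component-manager code. It implements
the precedence discussed in the PR thread (a field present in sbom.yml wins,
a missing one falls back to idf_component.yml), fills the '{}' placeholder
in the CPE template, and lints the result. Two simplifications are
assumptions of this example: a flat 'key: value' parser instead of a YAML
library, and the rule that a registry re-release suffix such as '~1' is not
part of the upstream version used for CPE matching.
"""
import re

# Constructed inputs: the libexpat sbom.yml from the diff with its 'version'
# and 'description' lines dropped, and a minimal idf_component.yml carrying
# the bumped component version seen in the review comments.
SBOM_YML = """\
cpe: cpe:2.3:a:libexpat_project:libexpat:{}:*:*:*:*:*:*:*
supplier: 'Organization: Espressif Systems (Shanghai) CO LTD'
originator: 'Organization: libexpat_project'
"""

IDF_COMPONENT_YML = """\
version: "2.5.0~1"
description: Fast streaming XML parser written in C99
dependencies:
  idf: ">=4.4"
"""

SBOM_FIELDS = ("version", "cpe", "supplier", "originator", "description")


def parse_flat_yaml(text):
    """Read top-level 'key: value' scalars; nested blocks are skipped.

    Enough for the two files above; a real tool would use a YAML library.
    """
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():            # indented: inside a nested mapping
            continue
        key, sep, value = line.partition(":")   # first colon only, so the
        if not sep:                             # 'cpe: cpe:2.3:...' value survives
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        if value:                        # 'dependencies:' alone opens a block
            fields[key.strip()] = value
    return fields


def upstream_version(component_version):
    """Strip a registry re-release suffix ('2.5.0~1' -> '2.5.0').

    Assumption of this example: the '~N' bump that pushes a new component
    revision does not change the upstream library, so the CPE should carry
    the bare version (an unescaped '~' is also not valid in a CPE 2.3 string).
    """
    return re.sub(r"~\d+$", "", component_version)


def resolve_package(sbom_text, component_text):
    """Merge the two files; returns (fields, which file each field came from)."""
    sbom, comp = parse_flat_yaml(sbom_text), parse_flat_yaml(component_text)
    fields, origin = {}, {}
    for key in SBOM_FIELDS:
        if key in sbom:                  # sbom.yml overrides ...
            fields[key], origin[key] = sbom[key], "sbom.yml"
        elif key in comp:                # ... else fall back to the component manifest
            fields[key], origin[key] = comp[key], "idf_component.yml"
    if "version" in fields:
        fields["version"] = upstream_version(fields["version"])
    if "cpe" in fields and "version" in fields:
        fields["cpe"] = fields["cpe"].replace("{}", fields["version"])
    return fields, origin


def lint_package(fields):
    """Return problems that would break CVE matching or the SPDX output."""
    problems = [f"missing field: {k}" for k in SBOM_FIELDS if k not in fields]
    cpe = fields.get("cpe", "")
    if cpe:
        if "{}" in cpe:
            problems.append("cpe: '{}' placeholder not filled (no version resolved)")
        # A cpe:2.3 formatted string is 'cpe', '2.3' and 11 attributes: 13 parts.
        if not cpe.startswith("cpe:2.3:") or cpe.count(":") != 12:
            problems.append("cpe: not a 13-component cpe:2.3 string")
    for key in ("supplier", "originator"):
        value = fields.get(key, "")
        if value and value != "NOASSERTION" and not value.startswith(("Organization: ", "Person: ")):
            problems.append(f"{key}: must start with 'Organization: ' or 'Person: '")
        if value.count("<") != value.count(">"):
            problems.append(f"{key}: unbalanced '<...>' around the URL")
    return problems


if __name__ == "__main__":
    pkg, origin = resolve_package(SBOM_YML, IDF_COMPONENT_YML)
    for key in SBOM_FIELDS:
        print(f"{key:12} {pkg.get(key, '<missing>')}  [{origin.get(key, '-')}]")
    print("problems:", lint_package(pkg) or "none")
    # The nghttp2 originator as it appears in the diff, missing its closing '>':
    print(lint_package(dict(pkg, originator="Organization: nghttp2 <https://nghttp2.org/")))
```

Running it shows `version` and `description` coming from idf_component.yml while `cpe`, `supplier` and `originator` come from sbom.yml, the CPE rendered with `2.5.0` rather than `2.5.0~1`, and the unbalanced angle bracket flagged for the nghttp2 string.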
Don't we actually have two libraries, from the SBOM point of view, here?
And in some cases, there could be more than one library inside a component. For example, the `console` component in IDF:
Not saying we should handle such cases in this MR, just thought it's relevant to the discussion.
Hi @igrr , thank you for the graphs!
IIUC the problem we are trying to solve is that even though we have the sbom information for submodules in `.gitmodules`, it's of course not propagated through the component manager. So if I do `idf.py add-dependency "espressif/libpng^1.6.39"` the libpng component added to my project has no info that the `libpng` subdir in `managed_components/espressif__libpng/` is actually a submodule in the `idf-extra-components` repo with sbom info for it in `.gitmodules`. I agree with your point above, that from the sbom POV the libpng component should depend on the libpng library, but this relationship is currently not possible to express in the tool :(. It works as presented in your graph if we have a submodule entry for the libpng library available in `.gitmodules` and `.gitmodules` available while the sbom is generated.
For the first `libpng` component example, I think we have to extend the sbom.yml to allow expressing this relationship. Maybe something like this added in `idf_component.yml`
This would actually replace the sbom data and component->submodule relationship from `.gitmodules`.
For the second `console` component example, I think we can use the same approach as for `libpng`. We would just add two libs: `argtable3` and `linenoise`. Also IIUC `argtable3` and `linenoise` are actually not submodules, so maybe we can add their own sbom.yml into their dirs.
Anyway both approaches require changes in the tool. I'm open and grateful for any ideas WRT this. Thank you very much!
@fhrbata Proposal sounds good to me. Please let me know once you have tool side changes in place, alternatively please feel free to take over this PR. Thanks.