Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add option to limit SBOM content to packages added to the rootfs #9

Open
Jasper-Ben opened this issue Aug 29, 2024 · 10 comments
Open

Comments

@Jasper-Ben
Copy link

Currently, meta-cyclonedx will add any package that is built for the target architecture to the SBOM.

This might be desirable, as the package list might be incomplete otherwise (e.g. code might "spill over" from one package to another when doing static linking), however on the flip-side this also drastically increases the number of packages included in the sbom, with most of them not being relevant at runtime (see: #3 (comment)).

So while both options are not ideal, it would be great to be able to leave it up to the user to decide whether drastically limiting the number of packages in the SBOM is worth the (probably manageable) risk of potentially losing track of a handful of packages that do somehow end up on the target "undetected".

For this to work, we need to restructure the way meta-cyclonedx creates the SBOM file, as the information which packages end up in the rootfs is only available after the image rootfs has been constructed and not in the context of a component recipe (see: #7 (comment))

@groetingc
Copy link

Hi @Jasper-Ben !
Could the way of creating a SBOM done similar as Yocto's default https://git.yoctoproject.org/poky/tree/meta/classes/create-spdx.bbclass?h=kirkstone class does a good starting point? It looks more complex but it also uses the image_list_installed_packages to ensure that only packages are listed in the SBOM, which are really installed.
A usage of that class in conjunction of a transformation tool convertings a SPDX bom to CycloneDX bom could be also an option, isn't it?
BR,
Claus

@Jasper-Ben
Copy link
Author

A usage of that class in conjunction of a transformation tool convertings a SPDX bom to CycloneDX bom could be also an option, isn't it?

@groetingc You could look into that if you want, but I am not sure how well these tools work. The output of the create-spdx class is quite complex with multiple SBOMs referencing each other. It also contains a lot of information that we (at least for our use-case of CVE monitoring) aren't currently interested in. I have tried working with the SPDX java and python tools in the past and had a horrible experience with large SPDX files such as the Yocto ones. Though, I am not sure how the current state of things are now.

Personally, I feel like for the time being it would be easier and quicker to just change our current setup to write the bom information into temporary files and then have a post build task collect these into the final output while using the image_list_installed_packages function.

@Jasper-Ben
Copy link
Author

@groetingc FYI, I will start working on this next. However, I am on vacation for two weeks starting from next week. I don't think I'll be able to finish this before then, so there will be a slight delay

@iat-coder
Copy link

That would be a great feature to have. Instead of a switch - maybe just output both SBOMs (build-time and run-time)?
I needed this recently and ended up hacking poky classes (sieve through the generated SBOM and only keep those that relate to the installed packages). Achieved what I needed but very messy. I think image_list_installed_packages is only available in the image layer, not sure how to get a list of installed packages otherwise.

A run-time SBOM is essential when it comes to cybersecurity risk analysis as it significantly reduced the number of components and therefore the number of CVEs associated with them.

@Jasper-Ben
Copy link
Author

👋 @iat-coder what would be your use-case for having both? Just to clarify, the "build-time" sbom would currently be build-time PLUS run-time, NOT only build-time.

@iat-coder
Copy link

There is probably some value in having build-time dependencies SBOMed. But I'd say it's more out of academic interest. One can argue that a vulnerability in your build chain can lead to another vulnerability in your product. But for practical scenarios we only need to SBOM components in the final image. So my suggestion would be to exclude build-time and only have run-time items in there.

@Jasper-Ben
Copy link
Author

Quick update, I will still be working on this. Unfortunately, I have high priority tasks atm that I have to work through.

@LarsPlischke
Copy link

Hi @Jasper-Ben
i have currently the issue the meta-cyclondx delivers me only the highest level modules, not the libs i include
but spdx deliver much more like curl, glib, ...
is that also somehow issued to that what you mention here, or is it something totally different
or do you maybe know a way to include the dependencies in the cylonedx sbom

thanks
Lars

@Jasper-Ben
Copy link
Author

Hi @LarsPlischke do you include the libs statically or dynamically?

@LarsPlischke
Copy link

Hi @Jasper-Ben
good question, it's implemented in RUST and I'm not familiar with it
What I have found is a Cargo.lock where I see several dependencies including the version
and regardless of whether dynamic or static build, I would expect to get this information in my cyclondx sbom.
As already mentioned in the spdx folder all dependencies are there.

PS: I also build multiple components at once, so I expect both static and dynamic, but I'll try to validate this again
PPS sure if I link dynamically I can't be sure which version is finally used and which CVE reports exist for this version

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants