CycloneDX / cyclonedx-buildroot

Create CycloneDX Software Bill of Materials (SBOM) for Buildroot projects
https://cyclonedx.org
Apache License 2.0

Output export json doesn't seem to be a valid BOM #2

Closed arthurep closed 1 year ago

arthurep commented 1 year ago

First of all I'd like to thank you for this project. It seems this is the only available option to easily get a BOM from a buildroot environment.

I'm aware that this project is in its very early stage so I assume a lot of things might not work well, yet I'd like to give it a shot to make it work.

After running python3 generateBuildrootSBOM.py -i manifest.csv -it csv using the manifest.csv generated from buildroot's make legal-info, I take the export output json and attempt to validate it via the cyclonedx-cli:

❯ cyclonedx validate --input-file export --input-format json --input-version v1_4
Validating JSON BOM...
Validation failed: 
#/properties
BOM is not valid.

FYI I have installed cyclonedx-python-lib 4.0.0 in my system and I am using the cyclonedx-cli 0.24.2

I was also able to reproduce the same issue using the manifest.csv from a recent buildroot tag default configuration:

git clone https://github.com/buildroot/buildroot.git
cd buildroot
git checkout 2023.02
make defconfig
make legal-info

Let me know if there's anything else I can provide. Thanks!

ptdropper commented 1 year ago

Thanks arthurep for your comment and encouragement. I know that others must be using Buildroot and your feedback helps me see that fact. I did my initial commit to this project April 26 to capture my incremental update using an Agile philosophy. This project does not yet work properly. I have some further studies to understand the cyclonedx python abstract data types, how to map the data from Buildroot's csv, and your info on how to check for a valid output is also new to me. The cycloneDX library of python code is new to me. I did the commit/push because I am able to map the data from the manifest.csv to the Components data type. The resulting file output is not a valid Cyclone DX SBOM at this time. Stay tuned for further updates as time allows.

arthurep commented 1 year ago

No problem. Glad to help :)

I have found the issues with the SBOM format. Here's a comparison with the official cycloneDX SBOM 1.4 Schema: https://www.jsonschemavalidator.net/s/LmSBLlRk

You can see there are a few minor issues with it. Since they were simple fixes, I took the liberty to make a pull request to fix these: https://github.com/CycloneDX/cyclonedx-buildroot/pull/3

ptdropper commented 1 year ago

Fixed. I put out a new tag called v1.0 to provide json and xml output from the Buildroot manifest.csv. The command line accepts the name of your Buildroot project and the version you assign to your Buildroot project.
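Worked example, added here and not code from the cyclonedx-buildroot project or from either commenter: it shows the two things this thread is about, mapping rows of Buildroot's legal-info manifest.csv onto CycloneDX 1.4 components (ptdropper's comment above) and catching the structural mistakes that make `cyclonedx validate` reject the file before you run the real schema check (arthurep's comment). It uses only the standard library so it runs offline. Assumptions: the manifest.csv header line is taken from Buildroot's legal-info output as I know it (confirm it against your tree), the sample rows are constructed, packages get `pkg:generic` purls because Buildroot has no purl type of its own, and the Buildroot project is modelled as a `firmware` component. `structural_problems()` is a pre-flight check only; an empty result does not replace running `cyclonedx validate --input-version v1_4` against the JSON schema.

```python
import csv
import io
import json
import re
import uuid

# Constructed sample input in the column layout Buildroot's `make legal-info`
# writes to manifest.csv (assumed header; check it against your own tree).
SAMPLE_MANIFEST = (
    "PACKAGE,VERSION,LICENSE,LICENSE FILES,SOURCE ARCHIVE,SOURCE SITE,"
    "DEPENDENCIES WITH LICENSES\n"
    "busybox,1.36.0,GPL-2.0,LICENSE,busybox-1.36.0.tar.bz2,"
    "https://www.busybox.net/downloads,linux-headers [GPL-2.0]\n"
    "linux-headers,6.1.20,GPL-2.0,COPYING,linux-6.1.20.tar.xz,"
    "https://cdn.kernel.org/pub/linux/kernel/v6.x,\n"
    "zlib,1.2.13,Zlib,README,zlib-1.2.13.tar.xz,https://zlib.net,\n"
)

SPEC_VERSION = "1.4"
# Top-level keys the CycloneDX 1.4 JSON schema allows; any other key at the
# root is rejected by the schema's additionalProperties rule.
TOP_LEVEL_KEYS = {
    "$schema", "bomFormat", "specVersion", "serialNumber", "version",
    "metadata", "components", "services", "externalReferences",
    "dependencies", "compositions", "vulnerabilities", "signature",
    "properties",
}
REQUIRED_KEYS = {"bomFormat", "specVersion", "version"}
COMPONENT_TYPES = {
    "application", "framework", "library", "container",
    "operating-system", "device", "firmware", "file",
}


def purl_for(row):
    # Buildroot packages have no ecosystem-specific purl type, so pkg:generic
    # (assumption) is used; it doubles as the bom-ref for dependency links.
    return f"pkg:generic/{row['PACKAGE']}@{row['VERSION']}"


def row_to_component(row):
    comp = {
        "type": "library",
        "bom-ref": purl_for(row),
        "name": row["PACKAGE"],
        "version": row["VERSION"],
        "purl": purl_for(row),
    }
    lic = row.get("LICENSE", "").strip()
    if lic:
        # The LICENSE column is free text ("GPL-2.0", "unknown", ...), so it
        # is recorded as a license name rather than asserted as an SPDX id.
        comp["licenses"] = [{"license": {"name": lic}}]
    site = row.get("SOURCE SITE", "").strip()
    archive = row.get("SOURCE ARCHIVE", "").strip()
    if site and archive:
        comp["externalReferences"] = [
            {"type": "distribution", "url": f"{site.rstrip('/')}/{archive}"}
        ]
    return comp


def dependency_names(row):
    # "foo [GPL-2.0] bar [MIT]" -> ["foo", "bar"]
    return re.findall(r"(\S+) \[[^\]]*\]",
                      row.get("DEPENDENCIES WITH LICENSES", ""))


def build_bom(project_name, project_version, manifest_text):
    rows = list(csv.DictReader(io.StringIO(manifest_text)))
    refs = {r["PACKAGE"]: purl_for(r) for r in rows}
    dependencies = []
    for r in rows:
        deps = [refs[d] for d in dependency_names(r) if d in refs]
        dependencies.append({"ref": refs[r["PACKAGE"]], "dependsOn": deps})
    return {
        "bomFormat": "CycloneDX",
        "specVersion": SPEC_VERSION,
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "component": {"type": "firmware", "name": project_name,
                          "version": project_version}
        },
        "components": [row_to_component(r) for r in rows],
        "dependencies": dependencies,
    }


def structural_problems(bom):
    """Pre-flight checks mirroring the first things the 1.4 schema enforces.
    An empty list means 'not obviously broken', not 'valid'."""
    problems = []
    for key in sorted(REQUIRED_KEYS - set(bom)):
        problems.append(f"missing required key: {key}")
    for key in sorted(set(bom) - TOP_LEVEL_KEYS):
        problems.append(f"unexpected top-level key: {key}")
    if bom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat must be 'CycloneDX'")
    if bom.get("specVersion") != SPEC_VERSION:
        problems.append(f"specVersion must be '{SPEC_VERSION}'")
    if not isinstance(bom.get("version"), int) or bom["version"] < 1:
        problems.append("version must be an integer >= 1")
    refs = set()
    for i, comp in enumerate(bom.get("components", [])):
        if comp.get("type") not in COMPONENT_TYPES:
            problems.append(f"components[{i}]: bad type {comp.get('type')!r}")
        if not comp.get("name"):
            problems.append(f"components[{i}]: missing name")
        if "bom-ref" in comp:
            refs.add(comp["bom-ref"])
    for i, dep in enumerate(bom.get("dependencies", [])):
        for target in [dep.get("ref")] + list(dep.get("dependsOn", [])):
            if target not in refs:
                problems.append(f"dependencies[{i}]: dangling ref {target!r}")
    return problems


if __name__ == "__main__":
    bom = build_bom("demo-board", "1.0", SAMPLE_MANIFEST)
    print(json.dumps(bom, indent=2))
    print("pre-flight problems:", structural_problems(bom) or "none")
```

Write the printed JSON to a file and run `cyclonedx validate --input-file <file> --input-format json --input-version v1_4` on it; the pre-flight function only tells you which of the common mistakes (stray root keys, missing `version`, a component without `type`, a `dependsOn` pointing at a bom-ref that does not exist) the real validator is about to report.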