Closed rhaley-starfish closed 7 months ago
Thanks @rhaley-starfish.
The cpe value is 'generated' if the supplier is specified (which it is in your example). It always generates cpe:/a regardless of the component type. I will change it to generate cpe:/o if the component type is set to operating-system.
Hi Anthony,
I am generating an SBOM for neutrino RTOS. I noted that the CPE for older versions of that OS is:
cpe:2.3:o:blackberry:qnx_neutrino_rtos:6.5.0:sp1:*:*:*:*:*:*
The CPE generated by lib4sbom is:
cpe:/a:BlackBerry:qnx_neutrino_rtos:7.1
which converts to CPE 2.3:
cpe:2.3:a:BlackBerry:qnx_neutrino_rtos:7.1:*:*:*:*:*:*:*
Note the "a" (I assume for application) instead of "o" (for operating system?)
The outputted component correctly identifies as an operating system:
```json
{
  "type": "operating-system",
  "bom-ref": "blackberry:qnx_neutrino_rtos@7.1",
  "name": "qnx_neutrino_rtos",
  "version": "7.1",
  "supplier": {
    "name": "BlackBerry"
  },
  "cpe": "cpe:/a:BlackBerry:qnx_neutrino_rtos:7.1",
  "externalReferences": [
    {
      "url": "https://blackberry.qnx.com/en/products/foundation-software/qnx-rtos",
      "type": "website",
      "comment": "Home page for project"
    }
  ]
},
```
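As an added example (not lib4sbom's own code), this shows the fix the maintainer describes: picking the CPE part letter from the CycloneDX component type, then converting the CPE 2.2 URI to the CPE 2.3 string the report compares against. The `device` to `h` mapping and the simplified 2.2 to 2.3 conversion (no `~`-packed edition handling, no special-character escaping) are assumptions of this example.

```python
from typing import Optional

# Assumed mapping from CycloneDX component type to CPE part letter.
# Anything not listed here is treated as an application ('a').
CPE_PART_BY_TYPE = {
    "operating-system": "o",
    "device": "h",
}

# Component taken from the SBOM fragment posted in the report above.
QNX_COMPONENT = {
    "type": "operating-system",
    "name": "qnx_neutrino_rtos",
    "version": "7.1",
    "supplier": {"name": "BlackBerry"},
}


def cpe_part(component_type: str) -> str:
    """Return the CPE part letter for a CycloneDX component type."""
    return CPE_PART_BY_TYPE.get(component_type, "a")


def generate_cpe22(component: dict) -> Optional[str]:
    """Build a CPE 2.2 URI from supplier, name and version.

    Returns None when no supplier is present, matching the thread's
    statement that a CPE is only generated if the supplier is specified.
    """
    supplier = component.get("supplier", {}).get("name")
    if not supplier:
        return None
    fields = [cpe_part(component.get("type", "")), supplier,
              component["name"], component.get("version", "")]
    return "cpe:/" + ":".join(fields)


def cpe22_to_cpe23(cpe22: str) -> str:
    """Convert a CPE 2.2 URI to a CPE 2.3 formatted string.

    CPE 2.2 carries up to 7 fields (part, vendor, product, version, update,
    edition, language); CPE 2.3 appends sw_edition, target_sw, target_hw
    and other. Missing or empty fields become '*' (ANY).
    """
    if not cpe22.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI")
    fields = cpe22[len("cpe:/"):].split(":")
    fields += [""] * (7 - len(fields))          # pad 2.2 positions
    fields = [f if f else "*" for f in fields]  # empty -> ANY
    return "cpe:2.3:" + ":".join(fields + ["*"] * 4)
```

With `QNX_COMPONENT`, `generate_cpe22` now yields `cpe:/o:BlackBerry:qnx_neutrino_rtos:7.1`, which converts to the 2.3 form with the `o` part the report expected.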