trustification / trustify

Apache License 2.0
10 stars 19 forks source link

Handle SBOM package external references of type "security" different #509

Open ctron opened 4 months ago

ctron commented 4 months ago

In recent SBOMs (not sure when that was added) the SBOM packages contain additional external CPE references of type "security" (also see: https://spdx.github.io/spdx-spec/v2.3/external-repository-identifiers/#f2-security):

It’s recommended practice for SPDX SBOM document creators to include one or more package identifiers (e.g. CPE, GitBOM, PURL or SWID) when using SPDX external references for the purpose of resolving current security vulnerability information.

As they don't act as a reference to the packages/components, but are an additional information "where to find security information for". In fact, this is how it looks for a random component out of this SBOM:

{
    "copyrightText": "[…]",
    "downloadLocation": "https://access.redhat.com/downloads/content/package\u002Dbrowser",
    "externalRefs": [
    {
        "referenceCategory": "SECURITY",
        "referenceLocator": "cpe:/a:redhat:enterprise_linux:9::appstream",
        "referenceType": "cpe22Type"
    },
    {
        "referenceCategory": "SECURITY",
        "referenceLocator": "cpe:/a:redhat:rhel_eus:9.2::appstream",
        "referenceType": "cpe22Type"
    },
    {
        "referenceCategory": "SECURITY",
        "referenceLocator": "cpe:/o:redhat:enterprise_linux:9::baseos",
        "referenceType": "cpe22Type"
    },
    {
        "referenceCategory": "SECURITY",
        "referenceLocator": "cpe:/o:redhat:rhel_eus:9.2::baseos",
        "referenceType": "cpe22Type"
    },
    {
        "referenceCategory": "PACKAGE_MANAGER",
        "referenceLocator": "pkg:rpm/redhat/pkgconf@1.7.3-10.el9?arch=src",
        "referenceType": "purl"
    }
    ],
    "filesAnalyzed": false,
    "homepage": "NOASSERTION",
    "licenseComments": "Licensing information is automatically generated and may be incomplete or incorrect.",
    "licenseConcluded": "AUTOCONF-EXCEPTION-2.0 AND AUTOCONF-SIMPLE-EXCEPTION AND AUTOCONF-SIMPLE-EXCEPTION-2.0 AND BSD-ORIGINAL AND BSD-SIMPLIFIED AND FREE-UNKNOWN AND FSF-FREE AND FSF-UNLIMITED AND FSF-UNLIMITED-NO-WARRANTY AND GPL-2.0-PLUS AND GPL-3.0-PLUS AND ISC AND LIBTOOL-EXCEPTION-2.0 AND MIT AND MIT-TAYLOR-VARIANT AND PUBLIC-DOMAIN AND X11-XCONSORTIUM",
    "licenseDeclared": "ISC",
    "name": "pkgconf",
    "originator": "NOASSERTION",
    "packageFileName": "pkgconf-1.7.3-10.el9.src.rpm",
    "SPDXID": "SPDXRef-01191fde-41d3-46e8-912e-9a22e3b9d633",
    "supplier": "Organization: Red Hat",
    "versionInfo": "1.7.3-10.el9"
}

This means that we can't simply assign the CPEs to the SBOM packages as reference without a further qualifier.

ctron commented 4 months ago

Ok, it looks like ignoring all but PACKAGE_MANGER will lead to not having CPEs at all. So maybe we need a different approach now.