
feat: Adding purl entries to generated SBOM through purl2cpe ? #3317

Open
ffontaine opened this issue Sep 6, 2023 · 5 comments
Labels
enhancement New feature or request

Comments

@ffontaine
Contributor

Description

It would be very useful to generate SBOMs with purl entries through purl2cpe, which is licensed under MIT. My basic idea would be to fill purl entries depending on what is returned by the purl2cpe database. Here is an example:

sqlite> select distinct purl from purl2cpe where cpe like "%d-bus_project:d-bus%";
pkg:deb/debian/dbus
pkg:deb/ubuntu/dbus
pkg:github/freedesktop/dbus
pkg:rpm/fedora/dbus

Why?

With purl, SBOM managers will retrieve useful upstream information: latest version, repository activity, etc.

Environment context (optional)

Currently, cve-bin-tool is used during our pentests to detect vulnerable components and ask manufacturers to upgrade them.
We're now starting to also use cve-bin-tool to generate SBOM.
Hopefully, SBOM should help the project manager to handle CVEs throughout the product lifecycle.
Ideally, SBOM should be provided by manufacturers but for the moment, cve-bin-tool generates a better SBOM than the manufacturer ...

Anything else?

I'm not sure where purl2cpe should be integrated: in cve-bin-tool or in lib4sbom?

@ffontaine ffontaine added the enhancement New feature or request label Sep 6, 2023
@terriko
Contributor

terriko commented Sep 11, 2023

This sounds like a good idea.

For sbom generation: we're leaning heavily on lib4sbom so it'd be good to have it in there.

But I think we're going to internally want purl for the language parsers as well, so it probably makes sense to integrate it or something similar as part of the parsers too.

@anthonyharrison
Contributor

#2685 also suggests using purl to improve product management. Note there is not a 1-1 mapping of cpe to purl (or vice versa!), so there will need to be some decisions taken as regards which purl entry to use.

Purls can be added to SBOM generation as external references. Adding this to the SBOM generation within cve-bin-tool is relatively easy as lib4sbom already handles purls (and cpes) as external references.

@anthonyharrison
Contributor

Having spent a bit more time looking at this, I think this is an awesome idea. I note that there is a utility which loads the data into an SQLite database which means we could just include a pre-populated database with an install of cve-bin-tool.

We then need to add some queries to see if the cpe and/or purl entries in an SBOM match, and then work out how we map this information into the existing database.
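
The lookup described in the issue (CPE -> purls from a purl2cpe table) and the "which purl entry to use" decision raised in the two comments above, as one added example in Python. This is not code from cve-bin-tool, lib4sbom or purl2cpe; it assumes a table `purl2cpe(purl, cpe)` with the shape implied by the issue's query, and the rows, the pyyaml mapping, the preference order and the SPDX-style `referenceCategory`/`referenceType`/`referenceLocator` field names are constructed or assumed for illustration. It also escapes the `_` in vendor names such as `d-bus_project`, which the issue's `LIKE` pattern treats as a single-character wildcard.

```python
"""
Map a CPE 2.3 name to purls via a purl2cpe-style SQLite table and emit them
as SBOM external references, with a pluggable choice of "primary" purl.
Added example; assumes table purl2cpe(purl TEXT, cpe TEXT). Sample rows are constructed.
"""
import sqlite3
from typing import Dict, Iterable, List, Optional, Sequence, Tuple

# Constructed sample rows shaped like the issue's `select distinct purl ...` output.
# The pyyaml rows are also constructed, to show one purl mapping to two CPE vendors
# (the mapping is not 1-1 in either direction).
SAMPLE_ROWS: List[Tuple[str, str]] = [
    ("pkg:deb/debian/dbus", "cpe:2.3:a:d-bus_project:d-bus:*:*:*:*:*:*:*:*"),
    ("pkg:deb/ubuntu/dbus", "cpe:2.3:a:d-bus_project:d-bus:*:*:*:*:*:*:*:*"),
    ("pkg:github/freedesktop/dbus", "cpe:2.3:a:d-bus_project:d-bus:*:*:*:*:*:*:*:*"),
    ("pkg:rpm/fedora/dbus", "cpe:2.3:a:d-bus_project:d-bus:*:*:*:*:*:*:*:*"),
    ("pkg:pypi/pyyaml", "cpe:2.3:a:pyyaml:pyyaml:*:*:*:*:*:*:*:*"),
    ("pkg:pypi/pyyaml", "cpe:2.3:a:pyyaml_project:pyyaml:*:*:*:*:*:*:*:*"),
]


def build_db(rows: Iterable[Tuple[str, str]]) -> sqlite3.Connection:
    """Create an in-memory table with the (purl, cpe) shape assumed for purl2cpe."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE purl2cpe (purl TEXT NOT NULL, cpe TEXT NOT NULL)")
    conn.executemany("INSERT INTO purl2cpe VALUES (?, ?)", rows)
    conn.commit()
    return conn


def _like_escape(value: str) -> str:
    """Escape LIKE metacharacters so '_' in names such as d-bus_project matches literally."""
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def purls_for_product(conn: sqlite3.Connection, vendor: str, product: str) -> List[str]:
    """All purls whose CPE 2.3 name has exactly this vendor and product (fields 4 and 5)."""
    # '_' after 'cpe:2.3:' matches the single-character part (a/o/h); the rest is escaped.
    pattern = f"cpe:2.3:_:{_like_escape(vendor)}:{_like_escape(product)}:%"
    rows = conn.execute(
        "SELECT DISTINCT purl FROM purl2cpe WHERE cpe LIKE ? ESCAPE '\\' ORDER BY purl",
        (pattern,),
    )
    return [r[0] for r in rows]


def cpes_for_purl(conn: sqlite3.Connection, purl: str) -> List[str]:
    """Reverse direction: every CPE recorded for one purl (may be several)."""
    rows = conn.execute(
        "SELECT DISTINCT cpe FROM purl2cpe WHERE purl = ? ORDER BY cpe", (purl,)
    )
    return [r[0] for r in rows]


def choose_primary(purls: Sequence[str], preferred_types: Sequence[str]) -> Optional[str]:
    """Pick one purl by ecosystem preference (the purl 'type' between 'pkg:' and the first '/').

    The preference order is a policy choice; this is one possible rule, not the project's.
    """
    by_type: Dict[str, str] = {}
    for p in purls:
        if not p.startswith("pkg:"):
            continue  # skip malformed entries rather than guess a type
        ptype = p[len("pkg:"):].split("/", 1)[0]
        by_type.setdefault(ptype, p)  # first purl of each type wins (input is sorted)
    for t in preferred_types:
        if t in by_type:
            return by_type[t]
    return purls[0] if purls else None


def external_references(
    conn: sqlite3.Connection, cpe: str, preferred_types: Sequence[str] = ("github", "deb", "rpm")
) -> List[Dict[str, str]]:
    """SPDX 2.3-style ExternalRef dicts: the CPE as a SECURITY ref, then purls as
    PACKAGE-MANAGER refs with the chosen primary purl first."""
    fields = cpe.split(":")
    if len(fields) < 5 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 name: {cpe!r}")
    vendor, product = fields[3], fields[4]
    purls = purls_for_product(conn, vendor, product)
    primary = choose_primary(purls, preferred_types)
    ordered = ([primary] if primary else []) + [p for p in purls if p != primary]
    refs = [{"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": cpe}]
    refs += [
        {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": p}
        for p in ordered
    ]
    return refs


if __name__ == "__main__":
    db = build_db(SAMPLE_ROWS)
    for ref in external_references(db, "cpe:2.3:a:d-bus_project:d-bus:*:*:*:*:*:*:*:*"):
        print(ref)
    print(cpes_for_purl(db, "pkg:pypi/pyyaml"))
```

Running it prints the five references for the d-bus CPE (the CPE itself, then `pkg:github/freedesktop/dbus` first under the default preference, then the deb and rpm purls) and the two CPEs recorded for `pkg:pypi/pyyaml`. Keeping every matched purl as an external reference, and only ordering them, avoids silently dropping a mapping that a downstream SBOM consumer might be the one able to resolve.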

@ffontaine
Contributor Author

Thanks @anthonyharrison, I also worked a bit on the subject. I'll send you a PR so you can take a look at it and hopefully improve it ;-). I also sent a question to purl2cpe to seek advice on the best way to use their project: scanoss/purl2cpe#10

@ffontaine
Contributor Author

Here is a first iteration: anthonyharrison/lib4sbom#16.

3 participants