Handle SBOM package external references of type "security" different #509

ctron · 2024-07-05T07:40:22Z

In recent SBOMs (not sure when that was added) the SBOM packages contain additional external CPE references of type "security" (also see: https://spdx.github.io/spdx-spec/v2.3/external-repository-identifiers/#f2-security):

It’s recommended practice for SPDX SBOM document creators to include one or more package identifiers (e.g. CPE, GitBOM, PURL or SWID) when using SPDX external references for the purpose of resolving current security vulnerability information.

As they don't act as a reference to the packages/components, but are an additional information "where to find security information for". In fact, this is how it looks for a random component out of this SBOM:

{
    "copyrightText": "[…]",
    "downloadLocation": "https://access.redhat.com/downloads/content/package\u002Dbrowser",
    "externalRefs": [
    {
        "referenceCategory": "SECURITY",
        "referenceLocator": "cpe:/a:redhat:enterprise_linux:9::appstream",
        "referenceType": "cpe22Type"
    },
    {
        "referenceCategory": "SECURITY",
        "referenceLocator": "cpe:/a:redhat:rhel_eus:9.2::appstream",
        "referenceType": "cpe22Type"
    },
    {
        "referenceCategory": "SECURITY",
        "referenceLocator": "cpe:/o:redhat:enterprise_linux:9::baseos",
        "referenceType": "cpe22Type"
    },
    {
        "referenceCategory": "SECURITY",
        "referenceLocator": "cpe:/o:redhat:rhel_eus:9.2::baseos",
        "referenceType": "cpe22Type"
    },
    {
        "referenceCategory": "PACKAGE_MANAGER",
        "referenceLocator": "pkg:rpm/redhat/pkgconf@1.7.3-10.el9?arch=src",
        "referenceType": "purl"
    }
    ],
    "filesAnalyzed": false,
    "homepage": "NOASSERTION",
    "licenseComments": "Licensing information is automatically generated and may be incomplete or incorrect.",
    "licenseConcluded": "AUTOCONF-EXCEPTION-2.0 AND AUTOCONF-SIMPLE-EXCEPTION AND AUTOCONF-SIMPLE-EXCEPTION-2.0 AND BSD-ORIGINAL AND BSD-SIMPLIFIED AND FREE-UNKNOWN AND FSF-FREE AND FSF-UNLIMITED AND FSF-UNLIMITED-NO-WARRANTY AND GPL-2.0-PLUS AND GPL-3.0-PLUS AND ISC AND LIBTOOL-EXCEPTION-2.0 AND MIT AND MIT-TAYLOR-VARIANT AND PUBLIC-DOMAIN AND X11-XCONSORTIUM",
    "licenseDeclared": "ISC",
    "name": "pkgconf",
    "originator": "NOASSERTION",
    "packageFileName": "pkgconf-1.7.3-10.el9.src.rpm",
    "SPDXID": "SPDXRef-01191fde-41d3-46e8-912e-9a22e3b9d633",
    "supplier": "Organization: Red Hat",
    "versionInfo": "1.7.3-10.el9"
}

This means that we can't simply assign the CPEs to the SBOM packages as reference without a further qualifier.

The "security" category is intended to find security information about this package, but not describing the package itself. Works around trustification#509

ctron · 2024-07-05T09:32:52Z

Ok, it looks like ignoring all but PACKAGE_MANGER will lead to not having CPEs at all. So maybe we need a different approach now.

The "security" category is intended to find security information about this package, but not describing the package itself. Works around trustification#509

The "security" category is intended to find security information about this package, but not describing the package itself. Works around #509

ctron mentioned this issue Jul 5, 2024

Improve ingestion of CPEs #510

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Handle SBOM package external references of type "security" different #509

Handle SBOM package external references of type "security" different #509

ctron commented Jul 5, 2024

ctron commented Jul 5, 2024