SBOM Tool for OpenWRT to feed Dependency Track

Dave Taht dave.taht at gmail.com
Mon Oct 24 15:54:03 PDT 2022


This work (cleaning up SBOM, clearly identifying CVEs, getting on top
of more) sounds like an *ideal* candidate for funding under the NLNET
entrust fund:

https://nlnet.nl/entrust/

Applications are easy, the amount available per project usually in the
range of 30-50k eu, and usually approval is very rapid.
Go for it! Tell me what you called the proposal and I'll put in a good
word for you.

Somewhat related, I've been looking for someone in Europe (for a
proposal to that fund) with xdp and ebpf experience to help both port
libreqos.io (or bracketqos) to openwrt, and also harden it against not
just DDOS attacks but malformed ecn usage.

On Mon, Oct 24, 2022 at 3:38 PM Hauke Mehrtens <hauke at hauke-m.de> wrote:
>
> On 10/18/22 16:38, Pfendtner Steffen wrote:
> > Hi,
> >
> > We decided to publish our internal fork of the Timesys SBOM Tool we found on
> > github. You find our version at: https://github.com/ads-tec/sbom-openwrt
> >
> > It takes a complete OpenWRT build tree as input and will generate a SBOM
> > in CycloneDX JSON Format for the currently configured image.
> > This SBOM can be fed into your personal dependency track instance.
> > See https://dependencytrack.org/ if you don't know what this is.
> >
> > In my opinion Dependency Track is much more usable compared to uscan.
> >
> > However Dependency Track currently heavily relies on valid CPE IDs. Thus you will
> > need to fix the CPE IDs in the OpenWRT package Makefiles - some are missing.
> > I think it would be a great security benefit for the OpenWRT ecosystem if we
> > get a best possible coverage of CPE IDs in the available Makefiles.
> >
> > I'll try to push our CPE ID additions upstream.
> >
> > Best regards,
> > Steffen Pfendtner
>
> Hi Steffen,
>
> Nice tool, do you have some "demo" output for a recent OpenWrt release
> somewhere?
>
> One advantage of uscan from my point of view is that I just have to open
> a website to see the results for OpenWrt master and the maintained
> branches and do not have to run some scripts and install some tooling
> myself.
>
> Having multiple tools for such tasks is always helpful. Normally every
> additional tool finds additional problems.
>
> Adding the missing CPE IDs is no problem, someone just has to do it. If
> you already have some internal changes with additional CPE IDs it would
> be nice if you could send a patch or pull request adding them to OpenWrt
> master and then we can backport it to OpenWrt 22.03 too.
>
> Petr added the missing CPE IDs to 4 packages recently.
>
> Hauke
>



-- 
This song goes out to all the folk that thought Stadia would work:
https://www.linkedin.com/posts/dtaht_the-mushroom-song-activity-6981366665607352320-FXtz
Dave Täht CEO, TekLibre, LLC
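Steffen's point above is that Dependency-Track can only match a component against CVE data when the CPE it carries is present and well formed, so the useful check on the OpenWrt side is "which package Makefiles still lack a valid PKG_CPE_ID". The script below is an added example, not code from the sbom-openwrt tool or from OpenWrt: it parses a few constructed Makefile fragments (the PKG_NAME / PKG_VERSION / PKG_CPE_ID variable names are OpenWrt's real conventions; the package contents here are made up), reports each package as ok, missing or malformed, and wraps the results in the minimal CycloneDX 1.4 JSON envelope Dependency-Track ingests. Expanding the Makefile's CPE 2.2 URI into a CPE 2.3 formatted string with the version filled in is this example's own choice, not something the page prescribes.

```python
"""Added example: audit PKG_CPE_ID coverage in OpenWrt-style package
Makefiles and emit a minimal CycloneDX JSON component list.
Not the sbom-openwrt tool's own code; sample Makefiles are constructed."""
import json
import re

# Constructed sample fragments modelled on OpenWrt package Makefile
# conventions. Package names, versions and CPEs are illustrative only.
SAMPLE_MAKEFILES = {
    "package/libs/openssl/Makefile": """
PKG_NAME:=openssl
PKG_VERSION:=1.1.1q
PKG_LICENSE:=OpenSSL
PKG_CPE_ID:=cpe:/a:openssl:openssl
""",
    "package/network/services/dropbear/Makefile": """
PKG_NAME:=dropbear
PKG_VERSION:=2022.82
PKG_CPE_ID:=cpe:/a:dropbear_ssh_project:dropbear_ssh
""",
    "package/utils/example-tool/Makefile": """
PKG_NAME:=example-tool
PKG_VERSION:=0.3
PKG_LICENSE:=MIT
""",
    # Hypothetical package whose CPE lacks the "cpe:/" URI prefix.
    "package/utils/legacy-daemon/Makefile": """
PKG_NAME:=legacy-daemon
PKG_VERSION:=2.1
PKG_CPE_ID:=legacy_daemon_project:legacy_daemon
""",
}

# One PKG_* assignment per line; ":=" and "=" are both accepted.
_VAR_RE = re.compile(r"^\s*(PKG_[A-Z_]+)\s*:?=\s*(.*?)\s*$", re.MULTILINE)
# CPE 2.2 URI binding as used in OpenWrt Makefiles: cpe:/<part>:<vendor>:<product>[:...]
_CPE22_RE = re.compile(r"^cpe:/([aho]):([^:]+):([^:]+)(?::([^:]*))*$")


def parse_makefile(text):
    """Return the PKG_* variables of one Makefile (last assignment wins, as in make)."""
    variables = {}
    for name, value in _VAR_RE.findall(text):
        variables[name] = value
    return variables


def cpe22_to_cpe23(cpe22, version):
    """Expand a CPE 2.2 URI into a CPE 2.3 formatted string with the version set.

    Returns None when the URI is malformed: such a CPE would simply never
    match a vulnerability record, so it is worth flagging explicitly.
    """
    m = _CPE22_RE.match(cpe22)
    if not m:
        return None
    part, vendor, product = m.group(1), m.group(2), m.group(3)
    return f"cpe:2.3:{part}:{vendor}:{product}:{version}:*:*:*:*:*:*:*"


def audit(makefiles=SAMPLE_MAKEFILES):
    """Classify every package as 'ok', 'missing' or 'malformed' and build its component."""
    report = {}
    components = []
    for _path, text in makefiles.items():
        v = parse_makefile(text)
        name, version = v.get("PKG_NAME", "?"), v.get("PKG_VERSION", "?")
        comp = {"type": "library", "name": name, "version": version}
        if "PKG_LICENSE" in v:
            comp["licenses"] = [{"license": {"name": v["PKG_LICENSE"]}}]
        cpe = v.get("PKG_CPE_ID")
        if cpe is None:
            report[name] = "missing"
        else:
            cpe23 = cpe22_to_cpe23(cpe, version)
            if cpe23 is None:
                report[name] = "malformed"
            else:
                report[name] = "ok"
                comp["cpe"] = cpe23  # only emit a CPE the matcher can use
        components.append(comp)
    return report, components


def build_bom(components):
    """Wrap the components in the CycloneDX 1.4 JSON envelope Dependency-Track accepts."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "components": components,
    }


if __name__ == "__main__":
    report, components = audit()
    for name, status in sorted(report.items()):
        print(f"{name:20s} {status}")
    print(json.dumps(build_bom(components), indent=2))
```

Run against a real tree, you would replace SAMPLE_MAKEFILES with the contents of package/*/Makefile (and the feeds); the "missing" and "malformed" rows are exactly the packages that a Dependency-Track import would silently leave unmatched, which is the coverage gap the thread is asking people to close with upstream PKG_CPE_ID patches.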


