[PATCH] build: add explicit timezone in CycloneDX SBOM

Robert Marko robimarko at gmail.com
Fri Jun 7 03:06:45 PDT 2024


On Tue, 4 Jun 2024 at 18:00, Roman Azarenko via openwrt-devel
<openwrt-devel at lists.openwrt.org> wrote:
>
> ---------- Forwarded message ----------
> From: Roman Azarenko <roman.azarenko at iopsys.eu>
> To: openwrt-devel at lists.openwrt.org
> Cc:
> Bcc:
> Date: Tue,  4 Jun 2024 18:00:03 +0200
> Subject: [PATCH] build: add explicit timezone in CycloneDX SBOM
> Per the CycloneDX 1.4 spec, the `metadata.timestamp` field contains
> the date/time when the BOM was created [1].
>
> Before the change, the value generated by the package-metadata.pl
> script would look like this:
>
>         2024-06-03T15:51:10
>
> CycloneDX 1.4 relies on the JSON Schema specification version draft-07,
> which defines the `date-time` format [2] as derived from RFC 3339,
> section 5.6 [3]. In this format, the `time-offset` component is required,
> however in the original version of package-metadata.pl it is omitted.
>
> This is causing problems with OWASP Dependency-Track version 4.11.0 or
> newer, where it now validates submitted SBOMs against the JSON schema
> by default [4]. SBOMs with incorrect timestamp values are rejected with
> the following error:
>
>         {
>             "detail": "Schema validation failed",
>             "errors": [
>                 "$.metadata.timestamp: 2024-06-03T15:51:10 is an invalid date-time"
>             ],
>             "status": 400,
>             "title": "The uploaded BOM is invalid"
>         }
>
> Add explicit `Z` (UTC) timezone offset in the `timestamp` field
> to satisfy the CycloneDX schema.
>
> [1]: https://github.com/CycloneDX/specification/blob/1.4/schema/bom-1.4.schema.json#L116-L121
> [2]: https://json-schema.org/draft-07/draft-handrews-json-schema-validation-01#rfc.section.7.3.1
> [3]: https://datatracker.ietf.org/doc/html/rfc3339#section-5.6
> [4]: https://github.com/DependencyTrack/dependency-track/pull/3522
>
> Signed-off-by: Roman Azarenko <roman.azarenko at iopsys.eu>

Thanks for the patch, merged to main in:
https://github.com/openwrt/openwrt/commit/2ded629864de779df8ddd0224a875edf17f9fea5

Regards,
Robert
> ---
>  scripts/package-metadata.pl | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/scripts/package-metadata.pl b/scripts/package-metadata.pl
> index 1e47052ba028..82bd4360f3bb 100755
> --- a/scripts/package-metadata.pl
> +++ b/scripts/package-metadata.pl
> @@ -655,7 +655,7 @@ sub dump_cyclonedxsbom_json {
>                 serialNumber => "urn:uuid:$uuid",
>                 version => 1,
>                 metadata => {
> -                       timestamp => gmtime->datetime,
> +                       timestamp => gmtime->datetime . 'Z',
>                 },
>                 "components" => [@components],
>         };
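Review bot: the literal `'Z'` appended in the `timestamp => gmtime->datetime . 'Z'` line is only correct because the value on the left comes from `gmtime`, i.e. is already UTC; anyone later swapping in `localtime` would silently produce a timestamp with a wrong offset. Consider producing the whole RFC 3339 string from one call so the format and the offset cannot drift apart, e.g. `timestamp => gmtime->strftime('%Y-%m-%dT%H:%M:%SZ'),`, or add a one-line comment stating that the `Z` is valid because the source is `gmtime`.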
> --
> 2.45.1
>
>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
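The message above explains why `2024-06-03T15:51:10` fails the CycloneDX 1.4 schema: JSON Schema draft-07 `date-time` is RFC 3339 section 5.6, in which the `time-offset` is mandatory. The following added example (not code from the patch, from OpenWrt, or from Dependency-Track) transcribes that ABNF into a checker, reproduces the kind of `$.metadata.timestamp` error shown in the thread on a constructed BOM, and generates the UTC-with-`Z` value the patched script emits. The function names and the error-string format are assumptions for illustration, and a missing `timestamp` is deliberately treated as not-an-error here.

```python
import re
from datetime import datetime, timezone
from typing import List, Optional

# RFC 3339 section 5.6 `date-time` = full-date "T" full-time, where
# full-time = partial-time time-offset and
# time-offset = "Z" / (("+" / "-") time-hour ":" time-minute).
# The offset group is NOT optional: that is exactly what the pre-patch
# value "2024-06-03T15:51:10" lacked.
RFC3339_DATE_TIME = re.compile(
    r"^(?P<year>\d{4})-(?P<month>\d{2})-(?P<day>\d{2})"
    r"[Tt]"
    r"(?P<hour>\d{2}):(?P<minute>\d{2}):(?P<second>\d{2})"
    r"(?P<frac>\.\d+)?"
    r"(?P<offset>[Zz]|[+-]\d{2}:\d{2})$"
)


def is_rfc3339_date_time(value: str) -> bool:
    """True if `value` is a syntactically and calendar-valid RFC 3339 date-time."""
    m = RFC3339_DATE_TIME.match(value)
    if not m:
        return False
    # The regex only checks digit counts; reject month 13, hour 24, etc.
    # Seconds are validated separately because RFC 3339 allows 60 (leap second).
    try:
        datetime(int(m["year"]), int(m["month"]), int(m["day"]),
                 int(m["hour"]), int(m["minute"]))
    except ValueError:
        return False
    if int(m["second"]) > 60:
        return False
    off = m["offset"]
    if off not in ("Z", "z"):
        off_hour, off_minute = int(off[1:3]), int(off[4:6])
        if off_hour > 23 or off_minute > 59:
            return False
    return True


def validate_bom_metadata(bom: dict) -> List[str]:
    """Check metadata.timestamp of a CycloneDX-style BOM dict.

    Returns a list of error strings in the spirit of the Dependency-Track
    response quoted in the thread (the exact wording here is an assumption).
    A missing timestamp is not reported by this helper.
    """
    errors: List[str] = []
    ts = bom.get("metadata", {}).get("timestamp")
    if ts is None:
        return errors
    if not isinstance(ts, str) or not is_rfc3339_date_time(ts):
        errors.append(f"$.metadata.timestamp: {ts} is an invalid date-time")
    return errors


def utc_timestamp(epoch: Optional[float] = None) -> str:
    """Emit what the patched script produces: UTC, whole seconds, explicit 'Z'.

    Deriving the string from a UTC datetime in a single strftime call keeps
    the offset letter and the clock source tied together.
    """
    now = (datetime.now(timezone.utc) if epoch is None
           else datetime.fromtimestamp(epoch, tz=timezone.utc))
    return now.strftime("%Y-%m-%dT%H:%M:%SZ")


if __name__ == "__main__":
    # Constructed sample BOMs: the pre-patch value and the post-patch value.
    before = {"bomFormat": "CycloneDX", "specVersion": "1.4",
              "metadata": {"timestamp": "2024-06-03T15:51:10"}}
    after = {"bomFormat": "CycloneDX", "specVersion": "1.4",
             "metadata": {"timestamp": utc_timestamp(1717429870)}}
    print("before:", validate_bom_metadata(before))
    print("after: ", after["metadata"]["timestamp"], validate_bom_metadata(after))
```

Running the script prints the rejection for the pre-patch value and an empty error list for the post-patch value; the same checker also accepts a numeric offset such as `+02:00`, which is what a generator using `localtime` would have to emit correctly instead of `Z`.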
