Attention is currently required from: Felix Singer, Nico Huber, Martin L Roth, Paul Menzel, Maximilian Brune, Angel Pons.

Hello build bot (Jenkins), Nico Huber, Martin L Roth,

I'd like you to reexamine a change. Please visit

    https://review.coreboot.org/c/coreboot/+/63639

to look at the new patch set (#28).
Change subject: Add SBOM (Software Bill of Materials) Generation
......................................................................
Add SBOM (Software Bill of Materials) Generation
Firmware is most of the time just one final image that gets flashed. Since this final image consists of binaries/code from a vast number of different people/companies, it's hard to actually determine all the small parts included in it. The goal is to take a firmware image and easily find out what it consists of, basically answering the question: who supplied the code that's running on my system right now? For example, buyers can use an SBOM to perform an automated vulnerability check or license analysis, both of which can be used to evaluate risk in a product. Furthermore, one can quickly check if the firmware is exposed to a new vulnerability included in one of the software parts (with the specified version) of the firmware.

Further reference: https://blogs.gnome.org/hughsie/2022/03/10/firmware-software-bill-of-materials/
- Add Makefile.inc to generate and build CoSWID tags
- Add templates for most payloads, coreboot, intel-microcode and intel-management engine
- Add Kconfig entries to optionally add CoSWID tags for payloads, coreboot, intel microcode and intel management engine
- Add CBFS entry called SBOM to each build via Makefile.inc
- Add goswid utility tool to generate SBOM data
Signed-off-by: Maximilian Brune <maximilian.brune@9elements.com>
Change-Id: Icb7481d4903f95d200eddbfed7728fbec51819d0
---
M Makefile.inc
M src/Kconfig
A src/sbom/Makefile.inc
A src/sbom/coreboot.json.src
A src/sbom/intel-me.json.src
A src/sbom/intel-microcode.json.src
A src/sbom/payload-BOOTBOOT.json.src
A src/sbom/payload-FILO.json.src
A src/sbom/payload-GRUB2.json.src
A src/sbom/payload-LinuxBoot.json.src
A src/sbom/payload-SeaBIOS.json.src
A src/sbom/payload-U-Boot.json.src
A src/sbom/payload-Yabits.json.src
A src/sbom/payload-depthcharge.json.src
A src/sbom/payload-iPXE.json.src
A src/sbom/payload-skiboot.json.src
A util/goswid/cmd/main.go
A util/goswid/go.mod
A util/goswid/go.sum
A util/goswid/pkg/uswid/uswid.go
A util/goswid/vendor/github.com/davecgh/go-spew/LICENSE
A util/goswid/vendor/github.com/davecgh/go-spew/spew/bypass.go
A util/goswid/vendor/github.com/davecgh/go-spew/spew/bypasssafe.go
A util/goswid/vendor/github.com/davecgh/go-spew/spew/common.go
A util/goswid/vendor/github.com/davecgh/go-spew/spew/config.go
A util/goswid/vendor/github.com/davecgh/go-spew/spew/doc.go
A util/goswid/vendor/github.com/davecgh/go-spew/spew/dump.go
A util/goswid/vendor/github.com/davecgh/go-spew/spew/format.go
A util/goswid/vendor/github.com/davecgh/go-spew/spew/spew.go
A util/goswid/vendor/github.com/fxamacker/cbor/v2/.gitignore
A util/goswid/vendor/github.com/fxamacker/cbor/v2/.golangci.yml
A util/goswid/vendor/github.com/fxamacker/cbor/v2/CBOR_BENCHMARKS.md
A util/goswid/vendor/github.com/fxamacker/cbor/v2/CBOR_GOLANG.md
A util/goswid/vendor/github.com/fxamacker/cbor/v2/CODE_OF_CONDUCT.md
A util/goswid/vendor/github.com/fxamacker/cbor/v2/CONTRIBUTING.md
A util/goswid/vendor/github.com/fxamacker/cbor/v2/LICENSE
A util/goswid/vendor/github.com/fxamacker/cbor/v2/README.md
A util/goswid/vendor/github.com/fxamacker/cbor/v2/SECURITY.md
A util/goswid/vendor/github.com/fxamacker/cbor/v2/cache.go
A util/goswid/vendor/github.com/fxamacker/cbor/v2/decode.go
A util/goswid/vendor/github.com/fxamacker/cbor/v2/doc.go
A util/goswid/vendor/github.com/fxamacker/cbor/v2/encode.go
A util/goswid/vendor/github.com/fxamacker/cbor/v2/stream.go
A util/goswid/vendor/github.com/fxamacker/cbor/v2/structfields.go
A util/goswid/vendor/github.com/fxamacker/cbor/v2/tag.go
A util/goswid/vendor/github.com/fxamacker/cbor/v2/valid.go
A util/goswid/vendor/github.com/google/uuid/.travis.yml
A util/goswid/vendor/github.com/google/uuid/CONTRIBUTING.md
A util/goswid/vendor/github.com/google/uuid/CONTRIBUTORS
A util/goswid/vendor/github.com/google/uuid/LICENSE
A util/goswid/vendor/github.com/google/uuid/README.md
A util/goswid/vendor/github.com/google/uuid/dce.go
A util/goswid/vendor/github.com/google/uuid/doc.go
A util/goswid/vendor/github.com/google/uuid/hash.go
A util/goswid/vendor/github.com/google/uuid/marshal.go
A util/goswid/vendor/github.com/google/uuid/node.go
A util/goswid/vendor/github.com/google/uuid/node_js.go
A util/goswid/vendor/github.com/google/uuid/node_net.go
A util/goswid/vendor/github.com/google/uuid/null.go
A util/goswid/vendor/github.com/google/uuid/sql.go
A util/goswid/vendor/github.com/google/uuid/time.go
A util/goswid/vendor/github.com/google/uuid/util.go
A util/goswid/vendor/github.com/google/uuid/uuid.go
A util/goswid/vendor/github.com/google/uuid/version1.go
A util/goswid/vendor/github.com/google/uuid/version4.go
A util/goswid/vendor/github.com/pmezard/go-difflib/LICENSE
A util/goswid/vendor/github.com/pmezard/go-difflib/difflib/difflib.go
A util/goswid/vendor/github.com/stretchr/testify/LICENSE
A util/goswid/vendor/github.com/stretchr/testify/assert/assertion_compare.go
A util/goswid/vendor/github.com/stretchr/testify/assert/assertion_format.go
A util/goswid/vendor/github.com/stretchr/testify/assert/assertion_format.go.tmpl
A util/goswid/vendor/github.com/stretchr/testify/assert/assertion_forward.go
A util/goswid/vendor/github.com/stretchr/testify/assert/assertion_forward.go.tmpl
A util/goswid/vendor/github.com/stretchr/testify/assert/assertions.go
A util/goswid/vendor/github.com/stretchr/testify/assert/doc.go
A util/goswid/vendor/github.com/stretchr/testify/assert/errors.go
A util/goswid/vendor/github.com/stretchr/testify/assert/forward_assertions.go
A util/goswid/vendor/github.com/stretchr/testify/assert/http_assertions.go
A util/goswid/vendor/github.com/stretchr/testify/require/doc.go
A util/goswid/vendor/github.com/stretchr/testify/require/forward_requirements.go
A util/goswid/vendor/github.com/stretchr/testify/require/require.go
A util/goswid/vendor/github.com/stretchr/testify/require/require.go.tmpl
A util/goswid/vendor/github.com/stretchr/testify/require/require_forward.go
A util/goswid/vendor/github.com/stretchr/testify/require/require_forward.go.tmpl
A util/goswid/vendor/github.com/stretchr/testify/require/requirements.go
A util/goswid/vendor/github.com/veraison/swid/.gitignore
A util/goswid/vendor/github.com/veraison/swid/.golangci.yml
A util/goswid/vendor/github.com/veraison/swid/CODE_OF_CONDUCT.md
A util/goswid/vendor/github.com/veraison/swid/CONTRIBUTING.md
A util/goswid/vendor/github.com/veraison/swid/LICENSE
A util/goswid/vendor/github.com/veraison/swid/Makefile
A util/goswid/vendor/github.com/veraison/swid/README.md
A util/goswid/vendor/github.com/veraison/swid/cbor.go
A util/goswid/vendor/github.com/veraison/swid/common.go
A util/goswid/vendor/github.com/veraison/swid/coswid_extension.go
A util/goswid/vendor/github.com/veraison/swid/directories.go
A util/goswid/vendor/github.com/veraison/swid/directory.go
A util/goswid/vendor/github.com/veraison/swid/directory_extension.go
A util/goswid/vendor/github.com/veraison/swid/doc.go
A util/goswid/vendor/github.com/veraison/swid/entities.go
A util/goswid/vendor/github.com/veraison/swid/entity.go
A util/goswid/vendor/github.com/veraison/swid/entity_extension.go
A util/goswid/vendor/github.com/veraison/swid/evidence.go
A util/goswid/vendor/github.com/veraison/swid/evidence_extension.go
A util/goswid/vendor/github.com/veraison/swid/evidences.go
A util/goswid/vendor/github.com/veraison/swid/file.go
A util/goswid/vendor/github.com/veraison/swid/file_extension.go
A util/goswid/vendor/github.com/veraison/swid/files.go
A util/goswid/vendor/github.com/veraison/swid/filesystemitem.go
A util/goswid/vendor/github.com/veraison/swid/globalattributes.go
A util/goswid/vendor/github.com/veraison/swid/hashentry.go
A util/goswid/vendor/github.com/veraison/swid/link.go
A util/goswid/vendor/github.com/veraison/swid/link_extension.go
A util/goswid/vendor/github.com/veraison/swid/links.go
A util/goswid/vendor/github.com/veraison/swid/ownership.go
A util/goswid/vendor/github.com/veraison/swid/payload.go
A util/goswid/vendor/github.com/veraison/swid/payload_extension.go
A util/goswid/vendor/github.com/veraison/swid/payloads.go
A util/goswid/vendor/github.com/veraison/swid/process.go
A util/goswid/vendor/github.com/veraison/swid/process_extension.go
A util/goswid/vendor/github.com/veraison/swid/processes.go
A util/goswid/vendor/github.com/veraison/swid/rel.go
A util/goswid/vendor/github.com/veraison/swid/resource.go
A util/goswid/vendor/github.com/veraison/swid/resource_extension.go
A util/goswid/vendor/github.com/veraison/swid/resourcecollection.go
A util/goswid/vendor/github.com/veraison/swid/resourcecollection_extension.go
A util/goswid/vendor/github.com/veraison/swid/resources.go
A util/goswid/vendor/github.com/veraison/swid/roles.go
A util/goswid/vendor/github.com/veraison/swid/roundtripper.go
A util/goswid/vendor/github.com/veraison/swid/softwareidentity.go
A util/goswid/vendor/github.com/veraison/swid/softwaremeta.go
A util/goswid/vendor/github.com/veraison/swid/softwaremeta_extension.go
A util/goswid/vendor/github.com/veraison/swid/softwaremetas.go
A util/goswid/vendor/github.com/veraison/swid/tagid.go
A util/goswid/vendor/github.com/veraison/swid/test_utils.go
A util/goswid/vendor/github.com/veraison/swid/use.go
A util/goswid/vendor/github.com/veraison/swid/versionscheme.go
A util/goswid/vendor/github.com/x448/float16/.travis.yml
A util/goswid/vendor/github.com/x448/float16/LICENSE
A util/goswid/vendor/github.com/x448/float16/README.md
A util/goswid/vendor/github.com/x448/float16/float16.go
A util/goswid/vendor/gopkg.in/yaml.v3/.travis.yml
A util/goswid/vendor/gopkg.in/yaml.v3/LICENSE
A util/goswid/vendor/gopkg.in/yaml.v3/NOTICE
A util/goswid/vendor/gopkg.in/yaml.v3/README.md
A util/goswid/vendor/gopkg.in/yaml.v3/apic.go
A util/goswid/vendor/gopkg.in/yaml.v3/decode.go
A util/goswid/vendor/gopkg.in/yaml.v3/emitterc.go
A util/goswid/vendor/gopkg.in/yaml.v3/encode.go
A util/goswid/vendor/gopkg.in/yaml.v3/parserc.go
A util/goswid/vendor/gopkg.in/yaml.v3/readerc.go
A util/goswid/vendor/gopkg.in/yaml.v3/resolve.go
A util/goswid/vendor/gopkg.in/yaml.v3/scannerc.go
A util/goswid/vendor/gopkg.in/yaml.v3/sorter.go
A util/goswid/vendor/gopkg.in/yaml.v3/writerc.go
A util/goswid/vendor/gopkg.in/yaml.v3/yaml.go
A util/goswid/vendor/gopkg.in/yaml.v3/yamlh.go
A util/goswid/vendor/gopkg.in/yaml.v3/yamlprivateh.go
A util/goswid/vendor/modules.txt
159 files changed, 33,540 insertions(+), 0 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/39/63639/28
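The CoSWID tags this change generates are CBOR maps keyed by the integer index values of RFC 9393. The following Python is an added illustration, not code from this change or from the goswid tool: it encodes a constructed coreboot tag with a hand-written CBOR subset, decodes the bytes again, and answers the commit message's question (who supplied the code?) by reading the entity list. The integer keys and role numbers are RFC 9393's; the tag-id, version string and entity values are made up for the example, and the codec handles only the CBOR types a plain tag needs (no floats, tags or indefinite-length items).

```python
"""Round-trip a minimal CoSWID (RFC 9393) tag with a hand-written CBOR subset.

Added example, not code from the coreboot change or the goswid tool. The
sample tag describing a coreboot build is constructed for illustration.
"""
import struct

# CoSWID map keys and role values from the RFC 9393 index table.
TAG_ID, SOFTWARE_NAME, ENTITY, TAG_VERSION, SOFTWARE_VERSION = 0, 1, 2, 12, 13
ENTITY_NAME, REG_ID, ROLE = 31, 32, 33
ROLE_NAMES = {1: "tag-creator", 2: "software-creator", 3: "aggregator",
              4: "distributor", 5: "licensor", 6: "maintainer"}


def _head(major, n):
    """Initial byte (major type + additional info) plus the argument n."""
    if n < 24:
        return bytes([major << 5 | n])
    for ai, fmt in ((24, ">B"), (25, ">H"), (26, ">I"), (27, ">Q")):
        if n < 1 << (8 * struct.calcsize(fmt)):
            return bytes([major << 5 | ai]) + struct.pack(fmt, n)
    raise ValueError("integer too large for CBOR")


def cbor_encode(v):
    """Encode ints, bytes, str, list and dict (the types a CoSWID tag uses)."""
    if isinstance(v, int):
        return _head(1, -1 - v) if v < 0 else _head(0, v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        b = v.encode("utf-8")
        return _head(3, len(b)) + b
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(cbor_encode(x) for x in v)
    if isinstance(v, dict):
        return _head(5, len(v)) + b"".join(
            cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError("unsupported type %s" % type(v).__name__)


def _decode(buf, pos):
    """Decode one item at buf[pos]; return (value, position after it)."""
    if pos >= len(buf):
        raise ValueError("truncated item")
    major, ai = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if ai < 24:
        n = ai
    elif ai <= 27:
        size = 1 << (ai - 24)
        if pos + size > len(buf):
            raise ValueError("truncated integer argument")
        n = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    else:
        raise ValueError("indefinite-length and reserved items not supported")
    if major == 0:
        return n, pos
    if major == 1:
        return -1 - n, pos
    if major in (2, 3):
        if pos + n > len(buf):
            raise ValueError("truncated string")
        raw = bytes(buf[pos:pos + n])
        return (raw if major == 2 else raw.decode("utf-8")), pos + n
    if major == 4:
        items = []
        for _ in range(n):
            item, pos = _decode(buf, pos)
            items.append(item)
        return items, pos
    if major == 5:
        m = {}
        for _ in range(n):
            k, pos = _decode(buf, pos)
            m[k], pos = _decode(buf, pos)
        return m, pos
    raise ValueError("major type %d not supported" % major)


def cbor_decode(buf):
    """Decode exactly one item; reject trailing bytes."""
    v, pos = _decode(buf, 0)
    if pos != len(buf):
        raise ValueError("%d trailing bytes" % (len(buf) - pos))
    return v


def coreboot_tag():
    """Constructed sample tag; tag-id, version and entity are hypothetical."""
    return {
        TAG_ID: "example-coreboot-tag-id",
        TAG_VERSION: 0,
        SOFTWARE_NAME: "coreboot",
        SOFTWARE_VERSION: "4.17-example",
        ENTITY: [{ENTITY_NAME: "coreboot project", REG_ID: "coreboot.org",
                  ROLE: [1, 2]}],
    }


def suppliers(tag):
    """Who supplied this component? Return (entity-name, [role names]) pairs."""
    entities = tag.get(ENTITY, [])
    if isinstance(entities, dict):  # CoSWID allows one entity or a list
        entities = [entities]
    result = []
    for e in entities:
        roles = e.get(ROLE, [])
        if isinstance(roles, int):  # likewise one role or a list
            roles = [roles]
        result.append((e[ENTITY_NAME], [ROLE_NAMES.get(r, str(r)) for r in roles]))
    return result


if __name__ == "__main__":
    blob = cbor_encode(coreboot_tag())
    tag = cbor_decode(blob)
    print(len(blob), "bytes;", tag[SOFTWARE_NAME], tag[SOFTWARE_VERSION])
    for name, roles in suppliers(tag):
        print(name, roles)
```

Against a real image the same decoder would be pointed at the bytes of the SBOM CBFS entry this change adds, after extracting it with cbfstool; how several tags are packed into that one entry is defined by the change's uswid code and is not reproduced here.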