ThinkNotes

Simple is not easy | Simplify the complex; knowing is easy, doing is hard


How to create an HP SBOM release pack

Background

Following U.S. Executive Order 14028 on software supply chain security and the NTIA "minimum elements" for an SBOM, HP requires that SBOMs include all NTIA-required fields at the component level, appropriately mapped to the CycloneDX schema.

Procedure

Install the uswid tool

Install Python 3.12 (or another recent 3.1x release), then make sure the pip package manager is available:

python -m ensurepip --upgrade

Install uswid (https://github.com/hughsie/python-uswid):

pip install --user uswid

After installation, uswid.exe is found under C:\Users\<username>\AppData\Roaming\Python\Python312\Scripts (the per-user Scripts directory for the Python version you installed).

Create the SBOM .ini file

Create the INI configuration file according to HP's SBOM Specification PDF, using the uswid documentation for the field names. The example below is for the BH799BB firmware:

[uSWID]
tag-id = BayHub_BB_FW_1.0.1.00150_2blocks_20241224_int1V2_ext1V8_sha256
software-name = BH799BB_FW
software-version = 1.0.1.00150
version-scheme = multipartnumeric
colloquial-version = C4346022678B36458653D6EE7CE5A316
cpe = cpe:2.3:a:bayhub:bh799bb_fw:1.0.1.00150:*:*:*:*:*:*:*
summary = Bayhub BH799BB Firmware

[uSWID-Entity:SoftwareCreator]
name = BayHub Technology Ltd
regid = www.bayhubtech.com
extra-roles = TagCreator,Maintainer,SoftwareCreator

# BH799BB FW is standalone firmware with no links or patches, so the
# uSWID-Link and uSWID-Patch sections below stay commented out
# [uSWID-Link:vcs]
# rel = see-also
# href = https://xxxxxx
# [uSWID-Link:ancestor1]
# rel = ancestor
# href = pkg:github/<original component path>
# [uSWID-Patch:patch1]
# type = cherry-pick
# url = https://xxxxxx
# description = xxxxxx
# references = https://xxxxxx

Notes:

  1. colloquial-version is a GUID. Its value is the FIRMWARE_GUID from DeviceCapsule.yaml in the HP firmware release package; a GUID can be generated from the Windows PowerShell command line (for example with New-Guid). If the firmware version is unchanged, the GUID must stay the same.

  2. The CPE field is the vendor-specific product identifier (CPE 2.3). It is built as follows, with vendor, name and version in lowercase and every remaining field left as *:

    cpe:2.3:a:<vendor>:<software-name>:<software-version>:*:*:*:*:*:*:*

  3. extra-roles in the uSWID-Entity section must include TagCreator; otherwise uswid fails to parse the INI with the error: all entries MUST have a tag-creator

  4. The commented-out uSWID-Link and uSWID-Patch sections are for release packages built on open-source software, where they describe upstream and downstream relationships. The BH799BB firmware is standalone on-chip firmware with no dependency on third-party software libraries, so these sections are not needed.
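As an added example (it is not from the original post or from the uswid project), the Python script below builds the same INI from the handful of values that actually change between releases, so the CPE follows the rule in note 2 mechanically and the colloquial-version is checked to be a real GUID before it lands in the file. The helper names and the acceptance of hyphenated or braced GUID input are this example's own choices; the field set and the role list are the ones in the INI above.

```python
"""Build the uSWID INI for a standalone firmware image.

Added example for this post, not part of the uswid project. Inputs
mirror the BH799BB INI shown above; the helper names are this
example's own.
"""
import configparser
import io
import re
import uuid

# In the CPE 2.3 formatted-string binding, lowercase alphanumerics,
# underscore, period and hyphen may appear unescaped; any other
# punctuation must be backslash-escaped.
_CPE_ESCAPE = re.compile(r"([^a-z0-9_.\-])")


def cpe_component(value: str) -> str:
    """Normalise one CPE attribute: lowercase, spaces to underscores,
    escape remaining punctuation so a name containing ':' or '*' cannot
    shift a field or turn into a wildcard."""
    value = value.strip().lower().replace(" ", "_")
    return _CPE_ESCAPE.sub(r"\\\1", value)


def make_cpe(vendor: str, software_name: str, software_version: str) -> str:
    """Rule from note 2: part 'a', vendor, product, version, the rest '*'."""
    return "cpe:2.3:a:{}:{}:{}:*:*:*:*:*:*:*".format(
        cpe_component(vendor),
        cpe_component(software_name),
        cpe_component(software_version),
    )


def colloquial_version(firmware_guid: str) -> str:
    """Accept FIRMWARE_GUID in any common GUID spelling (hyphenated, braced,
    or 32 hex digits) and return the uppercase 32-hex form used in the
    example INI. Raises ValueError if the value is not a GUID at all."""
    return uuid.UUID(firmware_guid).hex.upper()


def build_ini(tag_id, software_name, software_version, firmware_guid,
              vendor_name, vendor_cpe, regid, summary) -> str:
    """Return INI text for firmware that has no uSWID-Link/uSWID-Patch
    sections (a standalone image with no upstream components)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep key spelling exactly as written
    cfg["uSWID"] = {
        "tag-id": tag_id,
        "software-name": software_name,
        "software-version": software_version,
        "version-scheme": "multipartnumeric",
        "colloquial-version": colloquial_version(firmware_guid),
        "cpe": make_cpe(vendor_cpe, software_name, software_version),
        "summary": summary,
    }
    # TagCreator has to be among the roles or uswid rejects the file
    # ("all entries MUST have a tag-creator", note 3).
    cfg["uSWID-Entity:SoftwareCreator"] = {
        "name": vendor_name,
        "regid": regid,
        "extra-roles": "TagCreator,Maintainer,SoftwareCreator",
    }
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()


if __name__ == "__main__":
    # Values from the BH799BB example above; the GUID is the one shown there.
    text = build_ini(
        tag_id="BayHub_BB_FW_1.0.1.00150_2blocks_20241224_int1V2_ext1V8_sha256",
        software_name="BH799BB_FW",
        software_version="1.0.1.00150",
        firmware_guid="C4346022678B36458653D6EE7CE5A316",
        vendor_name="BayHub Technology Ltd",
        vendor_cpe="bayhub",
        regid="www.bayhubtech.com",
        summary="Bayhub BH799BB Firmware",
    )
    with open("Bayhub_BH799.sbom.ini", "w", encoding="utf-8") as fh:
        fh.write(text)
    print(text)
```

Running the script writes Bayhub_BH799.sbom.ini next to it; a pasted-in hash or a truncated GUID in firmware_guid stops the run with a ValueError instead of producing an INI whose colloquial-version no longer matches the capsule.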

Generate the SBOM JSON

HP requires the SBOM as a CycloneDX JSON file named *.sbom.cdx.json.

Use uswid to convert the INI file into that CycloneDX JSON file (it is JSON, not XML). uswid selects the output format from the file extension, so keep the .cdx.json suffix exactly:

C:\Users\cursorhu\AppData\Roaming\Python\Python312\Scripts\uswid.exe --load Bayhub_BH799.sbom.ini --save Bayhub_BH799.sbom.cdx.json
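Before handing the file to HP it is worth checking that the generated CycloneDX JSON actually carries every NTIA minimum element mentioned in the background section. The checker below is an added example (not from the original post or from uswid). The embedded SBOM is a constructed CycloneDX 1.5 document that mirrors the BH799BB values, not real uswid output, and the NTIA-to-CycloneDX mapping it applies (supplier name to supplier.name, unique identifier to cpe/purl/swid, dependency relationship to the dependencies array, author and timestamp to metadata) is this example's reading of the NTIA list.

```python
"""Check a CycloneDX JSON SBOM for the NTIA minimum elements.

Added example for this post, not part of uswid. SAMPLE_BOM is a
constructed document, not real uswid output.
"""
import copy
import json

# NTIA "other unique identifiers" as CycloneDX component fields.
UNIQUE_ID_FIELDS = ("cpe", "purl", "swid")


def check_ntia_minimum(bom: dict) -> list:
    """Return a list of findings; an empty list means all seven NTIA
    minimum elements are present for every component."""
    findings = []
    if bom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX")
    meta = bom.get("metadata") or {}
    if not meta.get("timestamp"):
        findings.append("metadata.timestamp missing (NTIA: Timestamp)")
    # Any of these metadata fields names who produced the SBOM data.
    if not (meta.get("authors") or meta.get("tools")
            or meta.get("supplier") or meta.get("manufacture")):
        findings.append("metadata.authors/tools/supplier missing (NTIA: Author of SBOM Data)")
    components = bom.get("components") or []
    if not components:
        findings.append("components array is empty")
    # A standalone firmware still needs its own dependencies entry (with an
    # empty dependsOn) so the relationship is stated rather than absent.
    dep_refs = {d.get("ref") for d in bom.get("dependencies") or []}
    for idx, comp in enumerate(components):
        label = comp.get("name") or "components[%d]" % idx
        if not comp.get("name"):
            findings.append("%s: name missing" % label)
        if not comp.get("version"):
            findings.append("%s: version missing" % label)
        supplier = comp.get("supplier") or {}
        if not (supplier.get("name") or comp.get("publisher")):
            findings.append("%s: supplier name missing" % label)
        if not any(comp.get(field) for field in UNIQUE_ID_FIELDS):
            findings.append("%s: no cpe/purl/swid identifier" % label)
        ref = comp.get("bom-ref")
        if not ref or ref not in dep_refs:
            findings.append("%s: no dependencies entry for its bom-ref" % label)
    return findings


def check_file(path: str) -> list:
    """Run the check on an SBOM file such as Bayhub_BH799.sbom.cdx.json."""
    with open(path, "r", encoding="utf-8") as fh:
        return check_ntia_minimum(json.load(fh))


# Constructed sample mirroring the BH799BB INI values (not uswid output).
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "timestamp": "2024-12-24T00:00:00Z",  # constructed value
        "authors": [{"name": "BayHub Technology Ltd"}],
    },
    "components": [{
        "type": "firmware",
        "bom-ref": "BayHub_BB_FW_1.0.1.00150_2blocks_20241224_int1V2_ext1V8_sha256",
        "name": "BH799BB_FW",
        "version": "1.0.1.00150",
        "supplier": {"name": "BayHub Technology Ltd"},
        "cpe": "cpe:2.3:a:bayhub:bh799bb_fw:1.0.1.00150:*:*:*:*:*:*:*",
    }],
    "dependencies": [{
        "ref": "BayHub_BB_FW_1.0.1.00150_2blocks_20241224_int1V2_ext1V8_sha256",
        "dependsOn": [],
    }],
}


def broken_sample() -> dict:
    """Same document with supplier and dependencies removed, to show
    what the check reports when those two elements are lost."""
    bom = copy.deepcopy(SAMPLE_BOM)
    del bom["components"][0]["supplier"]
    del bom["dependencies"]
    return bom


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        for finding in check_file(path) or ["OK: all NTIA minimum elements present"]:
            print(path, finding)
```

Run it as `python check_sbom.py Bayhub_BH799.sbom.cdx.json` (any script name will do) against the real uswid output; an empty finding list is the goal, and a missing dependencies entry for the single firmware component is the most common thing to see, because a standalone image is easy to leave without an explicit relationship record.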

Publish the SBOM

Publish the .sbom.cdx.json file together with the firmware package to be released (the package format depends on HP's requirements and may be a self-extracting .exe).