
build: add explicit timezone in CycloneDX SBOM

Message ID mailman.41555.1717516823.1280.openwrt-devel@lists.openwrt.org
State Accepted
Delegated to: Robert Marko

Commit Message

Roman Azarenko June 4, 2024, 4 p.m. UTC
Per the CycloneDX 1.4 spec, the `metadata.timestamp` field contains
the date/time when the BOM was created [1].

Before the change, the value generated by the package-metadata.pl
script would look like this:

	2024-06-03T15:51:10

CycloneDX 1.4 relies on the JSON Schema specification version draft-07,
which defines the `date-time` format [2] as derived from RFC 3339,
section 5.6 [3]. In this format, the `time-offset` component is required;
however, in the original version of package-metadata.pl it is omitted.

This is causing problems with OWASP Dependency-Track version 4.11.0 or
newer, where it now validates submitted SBOMs against the JSON schema
by default [4]. SBOMs with incorrect timestamp values are rejected with
the following error:

	{
	    "detail": "Schema validation failed",
	    "errors": [
	        "$.metadata.timestamp: 2024-06-03T15:51:10 is an invalid date-time"
	    ],
	    "status": 400,
	    "title": "The uploaded BOM is invalid"
	}

Add explicit `Z` (UTC) timezone offset in the `timestamp` field
to satisfy the CycloneDX schema.

[1]: https://github.com/CycloneDX/specification/blob/1.4/schema/bom-1.4.schema.json#L116-L121
[2]: https://json-schema.org/draft-07/draft-handrews-json-schema-validation-01#rfc.section.7.3.1
[3]: https://datatracker.ietf.org/doc/html/rfc3339#section-5.6
[4]: https://github.com/DependencyTrack/dependency-track/pull/3522

Signed-off-by: Roman Azarenko <roman.azarenko@iopsys.eu>
---
 scripts/package-metadata.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Robert Marko June 7, 2024, 10:06 a.m. UTC | #1
On Tue, 4 Jun 2024 at 18:00, Roman Azarenko via openwrt-devel
<openwrt-devel@lists.openwrt.org> wrote:
>
> The sender domain has a DMARC Reject/Quarantine policy which disallows
> sending mailing list messages using the original "From" header.
>
> To mitigate this problem, the original message has been wrapped
> automatically by the mailing list software.
>
>
> ---------- Forwarded message ----------
> From: Roman Azarenko <roman.azarenko@iopsys.eu>
> To: openwrt-devel@lists.openwrt.org
> Cc:
> Bcc:
> Date: Tue,  4 Jun 2024 18:00:03 +0200
> Subject: [PATCH] build: add explicit timezone in CycloneDX SBOM
> Per the CycloneDX 1.4 spec, the `metadata.timestamp` field contains
> the date/time when the BOM was created [1].
>
> Before the change, the value generated by the package-metadata.pl
> script would look like this:
>
>         2024-06-03T15:51:10
>
> CycloneDX 1.4 relies on the JSON Schema specification version draft-07,
> which defines the `date-time` format [2] as derived from RFC 3339,
> section 5.6 [3]. In this format, the `time-offset` component is required,
> however in the original version of package-metadata.pl it is omitted.
>
> This is causing problems with OWASP Dependency-Track version 4.11.0 or
> newer, where it now validates submitted SBOMs against the JSON schema
> by default [4]. SBOMs with incorrect timestamp values are rejected with
> the following error:
>
>         {
>             "detail": "Schema validation failed",
>             "errors": [
>                 "$.metadata.timestamp: 2024-06-03T15:51:10 is an invalid date-time"
>             ],
>             "status": 400,
>             "title": "The uploaded BOM is invalid"
>         }
>
> Add explicit `Z` (UTC) timezone offset in the `timestamp` field
> to satisfy the CycloneDX schema.
>
> [1]: https://github.com/CycloneDX/specification/blob/1.4/schema/bom-1.4.schema.json#L116-L121
> [2]: https://json-schema.org/draft-07/draft-handrews-json-schema-validation-01#rfc.section.7.3.1
> [3]: https://datatracker.ietf.org/doc/html/rfc3339#section-5.6
> [4]: https://github.com/DependencyTrack/dependency-track/pull/3522
>
> Signed-off-by: Roman Azarenko <roman.azarenko@iopsys.eu>

Thanks for the patch, merged to main in:
https://github.com/openwrt/openwrt/commit/2ded629864de779df8ddd0224a875edf17f9fea5

Regards,
Robert
> ---
>  scripts/package-metadata.pl | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/scripts/package-metadata.pl b/scripts/package-metadata.pl
> index 1e47052ba028..82bd4360f3bb 100755
> --- a/scripts/package-metadata.pl
> +++ b/scripts/package-metadata.pl
> @@ -655,7 +655,7 @@ sub dump_cyclonedxsbom_json {
>                 serialNumber => "urn:uuid:$uuid",
>                 version => 1,
>                 metadata => {
> -                       timestamp => gmtime->datetime,
> +                       timestamp => gmtime->datetime . 'Z',
>                 },
>                 "components" => [@components],
>         };
> --
> 2.45.1
>
>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel@lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel

Patch

diff --git a/scripts/package-metadata.pl b/scripts/package-metadata.pl
index 1e47052ba028..82bd4360f3bb 100755
--- a/scripts/package-metadata.pl
+++ b/scripts/package-metadata.pl
@@ -655,7 +655,7 @@  sub dump_cyclonedxsbom_json {
 		serialNumber => "urn:uuid:$uuid",
 		version => 1,
 		metadata => {
-			timestamp => gmtime->datetime,
+			timestamp => gmtime->datetime . 'Z',
 		},
 		"components" => [@components],
 	};
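Review bot: the literal `'Z'` appended in the `+` line is correct only because `gmtime` yields UTC; the suffix is not derived from the value it decorates, so a later switch to `localtime` on that line would silently produce a mislabelled offset and the schema check would no longer catch it. Consider a one-line comment above `timestamp =>` stating that the CycloneDX `date-time` format requires a time-offset and that `gmtime` guarantees UTC, or emit the whole string from one call such as `gmtime->strftime('%Y-%m-%dT%H:%M:%SZ')` so the format and the offset cannot drift apart.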