
Commit 4a48d3f

authored
Merge pull request #86 from haripate/ISV-6864
chore(ISV-6864): Add information about CPE_ID in sbom section.
2 parents 447a9ca + c6d11fa commit 4a48d3f

11 files changed

Lines changed: 274 additions & 1 deletion

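--- a/docs/sbom.md
+++ b/docs/sbom.md
@@ -74,6 +74,8 @@ state of the software as it is distributed to end users. This SBOM type should s
 as defined by CISA, but it simply includes additional metadata that is not available during the build process and is
 added later on. For lack of a better term, we could call these _Curated Build SBOMs_.
 
+For component-level _Release-time_ SBOMs (for example, container images), the package that represents the component may include product CPE(s) in its externalRefs with referenceCategory `SECURITY` and referenceType `cpe22Type` (and the CPE string in referenceLocator), so the component is explicitly associated with the Red Hat product(s) it is released as part of.
+
 Red Hat's publicly available SBOMs are of the release-time type, including details about where an artifact
 can be located after being released.
 
@@ -283,7 +285,9 @@ A more detailed breakdown of some of the fields:
 : At least one of the references must include a Package URL (purl) unless the object is describing a product.
 [Identifying Red Hat components using Package URL](./purl.md) documents what purl strings for different types of
 components should look like. Note that multiple purls may be used for a single package to identify multiple
-locations from where the package can be accessed.
+locations from where the package can be accessed. For release-time component-level SBOMs, externalRefs may also
+include `SECURITY` references with referenceType `cpe22Type` and the product CPE string(s) in `referenceLocator`, linking
+the component to the Red Hat product(s) it is released as part of; one or more CPEs per package is allowed.
 
 [`checksums`](https://spdx.github.io/spdx-spec/v2.3/package-information/#710-package-checksum-field)
 : The checksums of the component. The type of checksum used will depend on the type of the component. See below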

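--- a/sbom/examples/container_image/release/from_catalog.py
+++ b/sbom/examples/container_image/release/from_catalog.py
@@ -49,6 +49,13 @@ def get_rpms(image_id):
 return sorted(response.json()["rpms"], key=lambda rpm: rpm["nvra"])
 
 
+def append_cpe_external_refs(pkg, cpe_ids):
+for cpe in cpe_ids or []:
+pkg["externalRefs"].append(
+{"referenceCategory": "SECURITY", "referenceType": "cpe22Type", "referenceLocator": cpe}
+)
+
+
 def create_sbom(
 image_id, root_package, packages, rel_type, other_pkgs=None, other_rels=None, source_pkgs=None
 ):
@@ -209,6 +216,7 @@ def generate_sboms_for_image(image_nvr):
 "referenceLocator": purl,
 }
 image_index_pkg["externalRefs"].append(ref)
+append_cpe_external_refs(image_index_pkg, image.get("cpe_ids"))
 
 arch = image["architecture"]
 spdx_image_id = sanitize_spdxid(f"SPDXRef-{image_nvr_name}-{arch}")
@@ -238,6 +246,7 @@ def generate_sboms_for_image(image_nvr):
 "referenceLocator": purl,
 }
 image_pkg["externalRefs"].append(ref)
+append_cpe_external_refs(image_pkg, image.get("cpe_ids"))
 per_arch_images.append(image_pkg)
 
 image_data = koji_session.getBuild(image_nvr)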
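Review bot: `append_cpe_external_refs` records every value it is handed as a `cpe22Type` reference without checking that it is a CPE 2.2 URI (`cpe:/...`); a `cpe:2.3:` string, an empty string or a non-string from the catalog would land under the wrong type and be silently skipped by consumers that match advisories on that field, which defeats the purpose of the new reference. The shape of `cpe_ids` in the catalog response is not visible in this diff, so if it can ever be a single string rather than a list, `for cpe in cpe_ids or []` would also iterate characters. The new function also has no docstring. I would validate the locator and document the contract as below; `generate_sboms_for_image` starts and ends outside these hunks, and both call sites already create `externalRefs` before calling, so the unguarded `pkg["externalRefs"]` lookup is fine as used.

```python
def append_cpe_external_refs(pkg, cpe_ids):
    """Attach each product CPE in cpe_ids to pkg as a SECURITY/cpe22Type externalRef.

    cpe_ids may be None (no product association known). Each entry must be a
    CPE 2.2 URI, since that is what referenceType cpe22Type asserts.
    """
    for cpe in cpe_ids or []:
        # A mislabeled locator is worse than none: scanners matching on cpe22Type would ignore it.
        if not isinstance(cpe, str) or not cpe.startswith("cpe:/"):
            raise ValueError(f"expected a CPE 2.2 URI from the catalog, got {cpe!r}")
        pkg["externalRefs"].append(
            {"referenceCategory": "SECURITY", "referenceType": "cpe22Type", "referenceLocator": cpe}
        )
```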

sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25.spdx.json

Lines changed: 40 additions & 0 deletions
@@ -24,6 +24,16 @@
2424
"referenceCategory": "PACKAGE-MANAGER",
2525
"referenceType": "purl",
2626
"referenceLocator": "pkg:oci/kernel-module-management-rhel9-operator@sha256:d845f0bd93dad56c92c47e8c116a11a0cc5924c0b99aed912b4f8b54178efa98?repository_url=registry.access.redhat.com/kmm/kernel-module-management-rhel9-operator&tag=1.1.2-25"
27+
},
28+
{
29+
"referenceCategory": "SECURITY",
30+
"referenceType": "cpe22Type",
31+
"referenceLocator": "cpe:/a:redhat:enterprise_linux:9::appstream"
32+
},
33+
{
34+
"referenceCategory": "SECURITY",
35+
"referenceType": "cpe22Type",
36+
"referenceLocator": "cpe:/o:redhat:enterprise_linux:9::baseos"
2737
}
2838
],
2939
"checksums": [
@@ -45,6 +55,16 @@
4555
"referenceCategory": "PACKAGE-MANAGER",
4656
"referenceType": "purl",
4757
"referenceLocator": "pkg:oci/kernel-module-management-rhel9-operator@sha256:sha256:ed976a0ba418a498b05a56cb05afa0cb36a65e750771f3840b12e9bae3afb22d?arch=amd64&repository_url=registry.access.redhat.com/kmm/kernel-module-management-rhel9-operator&tag=1.1.2-25"
58+
},
59+
{
60+
"referenceCategory": "SECURITY",
61+
"referenceType": "cpe22Type",
62+
"referenceLocator": "cpe:/a:redhat:enterprise_linux:9::appstream"
63+
},
64+
{
65+
"referenceCategory": "SECURITY",
66+
"referenceType": "cpe22Type",
67+
"referenceLocator": "cpe:/o:redhat:enterprise_linux:9::baseos"
4868
}
4969
],
5070
"checksums": [
@@ -66,6 +86,16 @@
6686
"referenceCategory": "PACKAGE-MANAGER",
6787
"referenceType": "purl",
6888
"referenceLocator": "pkg:oci/kernel-module-management-rhel9-operator@sha256:sha256:9e74a91f532b7550ee909c6ce1636122982a5c5e32859c40c3bfe68231d31100?arch=arm64&repository_url=registry.access.redhat.com/kmm/kernel-module-management-rhel9-operator&tag=1.1.2-25"
89+
},
90+
{
91+
"referenceCategory": "SECURITY",
92+
"referenceType": "cpe22Type",
93+
"referenceLocator": "cpe:/a:redhat:enterprise_linux:9::appstream"
94+
},
95+
{
96+
"referenceCategory": "SECURITY",
97+
"referenceType": "cpe22Type",
98+
"referenceLocator": "cpe:/o:redhat:enterprise_linux:9::baseos"
6999
}
70100
],
71101
"checksums": [
@@ -87,6 +117,16 @@
87117
"referenceCategory": "PACKAGE-MANAGER",
88118
"referenceType": "purl",
89119
"referenceLocator": "pkg:oci/kernel-module-management-rhel9-operator@sha256:sha256:32a9929e6f11dfefb7a339d6767d1050cec2b24d397856cbd9b46a1bbc3f8827?arch=ppc64le&repository_url=registry.access.redhat.com/kmm/kernel-module-management-rhel9-operator&tag=1.1.2-25"
120+
},
121+
{
122+
"referenceCategory": "SECURITY",
123+
"referenceType": "cpe22Type",
124+
"referenceLocator": "cpe:/a:redhat:enterprise_linux:9::appstream"
125+
},
126+
{
127+
"referenceCategory": "SECURITY",
128+
"referenceType": "cpe22Type",
129+
"referenceLocator": "cpe:/o:redhat:enterprise_linux:9::baseos"
90130
}
91131
],
92132
"checksums": [

sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_amd64.spdx.json

Lines changed: 30 additions & 0 deletions
@@ -24,6 +24,16 @@
2424
"referenceCategory": "PACKAGE-MANAGER",
2525
"referenceType": "purl",
2626
"referenceLocator": "pkg:oci/kernel-module-management-rhel9-operator@sha256:sha256:ed976a0ba418a498b05a56cb05afa0cb36a65e750771f3840b12e9bae3afb22d?arch=amd64&repository_url=registry.access.redhat.com/kmm/kernel-module-management-rhel9-operator&tag=1.1.2-25"
27+
},
28+
{
29+
"referenceCategory": "SECURITY",
30+
"referenceType": "cpe22Type",
31+
"referenceLocator": "cpe:/a:redhat:enterprise_linux:9::appstream"
32+
},
33+
{
34+
"referenceCategory": "SECURITY",
35+
"referenceType": "cpe22Type",
36+
"referenceLocator": "cpe:/o:redhat:enterprise_linux:9::baseos"
2737
}
2838
],
2939
"checksums": [
@@ -4005,6 +4015,16 @@
40054015
"referenceCategory": "PACKAGE-MANAGER",
40064016
"referenceType": "purl",
40074017
"referenceLocator": "pkg:oci/rhel9-go-toolset@sha256:354b40a0fdcd1a9dd9af1b88f9a45fc2b0c8065980dfd9b5097e137a7db6e0bd?tag=1.19.4-18"
4018+
},
4019+
{
4020+
"referenceCategory": "SECURITY",
4021+
"referenceType": "cpe22Type",
4022+
"referenceLocator": "cpe:/a:redhat:enterprise_linux:9::appstream"
4023+
},
4024+
{
4025+
"referenceCategory": "SECURITY",
4026+
"referenceType": "cpe22Type",
4027+
"referenceLocator": "cpe:/o:redhat:enterprise_linux:9::baseos"
40084028
}
40094029
],
40104030
"checksums": [
@@ -4026,6 +4046,16 @@
40264046
"referenceCategory": "PACKAGE-MANAGER",
40274047
"referenceType": "purl",
40284048
"referenceLocator": "pkg:oci/rhel@sha256:8759d95740eb14a6b6253a574edeea7de6840be30d38c630675ae2a0c76b9f93?tag=9.2-1191&repository_url=registry.redhat.io/rhel9-2-els"
4049+
},
4050+
{
4051+
"referenceCategory": "SECURITY",
4052+
"referenceType": "cpe22Type",
4053+
"referenceLocator": "cpe:/a:redhat:enterprise_linux:9::appstream"
4054+
},
4055+
{
4056+
"referenceCategory": "SECURITY",
4057+
"referenceType": "cpe22Type",
4058+
"referenceLocator": "cpe:/o:redhat:enterprise_linux:9::baseos"
40294059
}
40304060
],
40314061
"checksums": [

sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_arm64.spdx.json

Lines changed: 30 additions & 0 deletions
@@ -24,6 +24,16 @@
2424
"referenceCategory": "PACKAGE-MANAGER",
2525
"referenceType": "purl",
2626
"referenceLocator": "pkg:oci/kernel-module-management-rhel9-operator@sha256:sha256:9e74a91f532b7550ee909c6ce1636122982a5c5e32859c40c3bfe68231d31100?arch=arm64&repository_url=registry.access.redhat.com/kmm/kernel-module-management-rhel9-operator&tag=1.1.2-25"
27+
},
28+
{
29+
"referenceCategory": "SECURITY",
30+
"referenceType": "cpe22Type",
31+
"referenceLocator": "cpe:/a:redhat:enterprise_linux:9::appstream"
32+
},
33+
{
34+
"referenceCategory": "SECURITY",
35+
"referenceType": "cpe22Type",
36+
"referenceLocator": "cpe:/o:redhat:enterprise_linux:9::baseos"
2737
}
2838
],
2939
"checksums": [
@@ -4005,6 +4015,16 @@
40054015
"referenceCategory": "PACKAGE-MANAGER",
40064016
"referenceType": "purl",
40074017
"referenceLocator": "pkg:oci/rhel9-go-toolset@sha256:355b1d0a6e12250247d157949dcdc68d8a9508fc027223515a6d4662f4ec03f6?tag=1.19.4-18"
4018+
},
4019+
{
4020+
"referenceCategory": "SECURITY",
4021+
"referenceType": "cpe22Type",
4022+
"referenceLocator": "cpe:/a:redhat:enterprise_linux:9::appstream"
4023+
},
4024+
{
4025+
"referenceCategory": "SECURITY",
4026+
"referenceType": "cpe22Type",
4027+
"referenceLocator": "cpe:/o:redhat:enterprise_linux:9::baseos"
40084028
}
40094029
],
40104030
"checksums": [
@@ -4026,6 +4046,16 @@
40264046
"referenceCategory": "PACKAGE-MANAGER",
40274047
"referenceType": "purl",
40284048
"referenceLocator": "pkg:oci/rhel@sha256:8d79ed0aaf36d7bf914411aab26e3a78308fe6217ca865ad7cc107c9078bfb12?tag=9.2-1191&repository_url=registry.redhat.io/rhel9-2-els"
4049+
},
4050+
{
4051+
"referenceCategory": "SECURITY",
4052+
"referenceType": "cpe22Type",
4053+
"referenceLocator": "cpe:/a:redhat:enterprise_linux:9::appstream"
4054+
},
4055+
{
4056+
"referenceCategory": "SECURITY",
4057+
"referenceType": "cpe22Type",
4058+
"referenceLocator": "cpe:/o:redhat:enterprise_linux:9::baseos"
40294059
}
40304060
],
40314061
"checksums": [

sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_ppc64le.spdx.json

Lines changed: 30 additions & 0 deletions
@@ -24,6 +24,16 @@
2424
"referenceCategory": "PACKAGE-MANAGER",
2525
"referenceType": "purl",
2626
"referenceLocator": "pkg:oci/kernel-module-management-rhel9-operator@sha256:sha256:32a9929e6f11dfefb7a339d6767d1050cec2b24d397856cbd9b46a1bbc3f8827?arch=ppc64le&repository_url=registry.access.redhat.com/kmm/kernel-module-management-rhel9-operator&tag=1.1.2-25"
27+
},
28+
{
29+
"referenceCategory": "SECURITY",
30+
"referenceType": "cpe22Type",
31+
"referenceLocator": "cpe:/a:redhat:enterprise_linux:9::appstream"
32+
},
33+
{
34+
"referenceCategory": "SECURITY",
35+
"referenceType": "cpe22Type",
36+
"referenceLocator": "cpe:/o:redhat:enterprise_linux:9::baseos"
2737
}
2838
],
2939
"checksums": [
@@ -4005,6 +4015,16 @@
40054015
"referenceCategory": "PACKAGE-MANAGER",
40064016
"referenceType": "purl",
40074017
"referenceLocator": "pkg:oci/rhel9-go-toolset@sha256:a6b2fd68651aa7d544e53676f99f9017cf241b855bcdc2400d81081bba6f329a?tag=1.19.4-18"
4018+
},
4019+
{
4020+
"referenceCategory": "SECURITY",
4021+
"referenceType": "cpe22Type",
4022+
"referenceLocator": "cpe:/a:redhat:enterprise_linux:9::appstream"
4023+
},
4024+
{
4025+
"referenceCategory": "SECURITY",
4026+
"referenceType": "cpe22Type",
4027+
"referenceLocator": "cpe:/o:redhat:enterprise_linux:9::baseos"
40084028
}
40094029
],
40104030
"checksums": [
@@ -4026,6 +4046,16 @@
40264046
"referenceCategory": "PACKAGE-MANAGER",
40274047
"referenceType": "purl",
40284048
"referenceLocator": "pkg:oci/rhel@sha256:cb23b09712fa36dfa2cd39ea60afb439c17fd0fec60a26a59e122618c8a33379?tag=9.2-1191&repository_url=registry.redhat.io/rhel9-2-els"
4049+
},
4050+
{
4051+
"referenceCategory": "SECURITY",
4052+
"referenceType": "cpe22Type",
4053+
"referenceLocator": "cpe:/a:redhat:enterprise_linux:9::appstream"
4054+
},
4055+
{
4056+
"referenceCategory": "SECURITY",
4057+
"referenceType": "cpe22Type",
4058+
"referenceLocator": "cpe:/o:redhat:enterprise_linux:9::baseos"
40294059
}
40304060
],
40314061
"checksums": [

sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860.spdx.json

Lines changed: 50 additions & 0 deletions
@@ -29,6 +29,16 @@
2929
"referenceCategory": "PACKAGE-MANAGER",
3030
"referenceType": "purl",
3131
"referenceLocator": "pkg:oci/ubi9-micro@sha256:1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d?repository_url=registry.access.redhat.com/ubi9-micro&tag=9.4-6.1716471860"
32+
},
33+
{
34+
"referenceCategory": "SECURITY",
35+
"referenceType": "cpe22Type",
36+
"referenceLocator": "cpe:/a:redhat:enterprise_linux:9::appstream"
37+
},
38+
{
39+
"referenceCategory": "SECURITY",
40+
"referenceType": "cpe22Type",
41+
"referenceLocator": "cpe:/o:redhat:enterprise_linux:9::baseos"
3242
}
3343
],
3444
"checksums": [
@@ -55,6 +65,16 @@
5565
"referenceCategory": "PACKAGE-MANAGER",
5666
"referenceType": "purl",
5767
"referenceLocator": "pkg:oci/ubi9-micro@sha256:sha256:26f08722139c4da653b870272a192fac700960a3315baa1f79f83a4712a436d4?arch=ppc64le&repository_url=registry.access.redhat.com/ubi9-micro&tag=9.4-6.1716471860"
68+
},
69+
{
70+
"referenceCategory": "SECURITY",
71+
"referenceType": "cpe22Type",
72+
"referenceLocator": "cpe:/a:redhat:enterprise_linux:9::appstream"
73+
},
74+
{
75+
"referenceCategory": "SECURITY",
76+
"referenceType": "cpe22Type",
77+
"referenceLocator": "cpe:/o:redhat:enterprise_linux:9::baseos"
5878
}
5979
],
6080
"checksums": [
@@ -81,6 +101,16 @@
81101
"referenceCategory": "PACKAGE-MANAGER",
82102
"referenceType": "purl",
83103
"referenceLocator": "pkg:oci/ubi9-micro@sha256:sha256:2c9e70f4174747c6b53d253e879177c52731cc4bdc5fe9c6a2555412d849a952?arch=s390x&repository_url=registry.access.redhat.com/ubi9-micro&tag=9.4-6.1716471860"
104+
},
105+
{
106+
"referenceCategory": "SECURITY",
107+
"referenceType": "cpe22Type",
108+
"referenceLocator": "cpe:/a:redhat:enterprise_linux:9::appstream"
109+
},
110+
{
111+
"referenceCategory": "SECURITY",
112+
"referenceType": "cpe22Type",
113+
"referenceLocator": "cpe:/o:redhat:enterprise_linux:9::baseos"
84114
}
85115
],
86116
"checksums": [
@@ -107,6 +137,16 @@
107137
"referenceCategory": "PACKAGE-MANAGER",
108138
"referenceType": "purl",
109139
"referenceLocator": "pkg:oci/ubi9-micro@sha256:sha256:c72c705fe4e9de2e065a817be2fbf1b6406010610532243727fdc3042227c71b?arch=arm64&repository_url=registry.access.redhat.com/ubi9-micro&tag=9.4-6.1716471860"
140+
},
141+
{
142+
"referenceCategory": "SECURITY",
143+
"referenceType": "cpe22Type",
144+
"referenceLocator": "cpe:/a:redhat:enterprise_linux:9::appstream"
145+
},
146+
{
147+
"referenceCategory": "SECURITY",
148+
"referenceType": "cpe22Type",
149+
"referenceLocator": "cpe:/o:redhat:enterprise_linux:9::baseos"
110150
}
111151
],
112152
"checksums": [
@@ -133,6 +173,16 @@
133173
"referenceCategory": "PACKAGE-MANAGER",
134174
"referenceType": "purl",
135175
"referenceLocator": "pkg:oci/ubi9-micro@sha256:sha256:213fd2a0116a76eaa274fee20c86eef4dfba9f311784e8fb7d7f5fc38b32f3ef?arch=amd64&repository_url=registry.access.redhat.com/ubi9-micro&tag=9.4-6.1716471860"
176+
},
177+
{
178+
"referenceCategory": "SECURITY",
179+
"referenceType": "cpe22Type",
180+
"referenceLocator": "cpe:/a:redhat:enterprise_linux:9::appstream"
181+
},
182+
{
183+
"referenceCategory": "SECURITY",
184+
"referenceType": "cpe22Type",
185+
"referenceLocator": "cpe:/o:redhat:enterprise_linux:9::baseos"
136186
}
137187
],
138188
"checksums": [

sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_amd64.spdx.json

Lines changed: 20 additions & 0 deletions
@@ -29,6 +29,16 @@
2929
"referenceCategory": "PACKAGE-MANAGER",
3030
"referenceType": "purl",
3131
"referenceLocator": "pkg:oci/ubi9-micro@sha256:sha256:213fd2a0116a76eaa274fee20c86eef4dfba9f311784e8fb7d7f5fc38b32f3ef?arch=amd64&repository_url=registry.access.redhat.com/ubi9-micro&tag=9.4-6.1716471860"
32+
},
33+
{
34+
"referenceCategory": "SECURITY",
35+
"referenceType": "cpe22Type",
36+
"referenceLocator": "cpe:/a:redhat:enterprise_linux:9::appstream"
37+
},
38+
{
39+
"referenceCategory": "SECURITY",
40+
"referenceType": "cpe22Type",
41+
"referenceLocator": "cpe:/o:redhat:enterprise_linux:9::baseos"
3242
}
3343
],
3444
"checksums": [
@@ -490,6 +500,16 @@
490500
"referenceCategory": "PACKAGE-MANAGER",
491501
"referenceType": "purl",
492502
"referenceLocator": "pkg:oci/ubi9@sha256:11d5b4a77bfc15341d4b6dffa3d6ed510189fec9583db77cfc107067b5f906c5?tag=9.4-947"
503+
},
504+
{
505+
"referenceCategory": "SECURITY",
506+
"referenceType": "cpe22Type",
507+
"referenceLocator": "cpe:/a:redhat:enterprise_linux:9::appstream"
508+
},
509+
{
510+
"referenceCategory": "SECURITY",
511+
"referenceType": "cpe22Type",
512+
"referenceLocator": "cpe:/o:redhat:enterprise_linux:9::baseos"
493513
}
494514
],
495515
"checksums": [
