<feed xmlns='http://www.w3.org/2005/Atom'>
<title>staging/jow/scripts/package-metadata.pl, branch main</title>
<subtitle>Staging tree of Jo-Philipp Wich</subtitle>
<id>https://git-03.infra.openwrt.org/openwrt/staging/jow/atom?h=main</id>
<link rel='self' href='https://git-03.infra.openwrt.org/openwrt/staging/jow/atom?h=main'/>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/openwrt/staging/jow/'/>
<updated>2024-06-07T10:05:49Z</updated>
<entry>
<title>build: add explicit timezone in CycloneDX SBOM</title>
<updated>2024-06-07T10:05:49Z</updated>
<author>
<name>Roman Azarenko</name>
</author>
<published>2024-06-04T16:00:03Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/openwrt/staging/jow/commit/?id=2ded629864de779df8ddd0224a875edf17f9fea5'/>
<id>urn:sha1:2ded629864de779df8ddd0224a875edf17f9fea5</id>
<content type='text'>
Per the CycloneDX 1.4 spec, the `metadata.timestamp` field contains
the date/time when the BOM was created [1].

Before the change, the value generated by the package-metadata.pl
script would look like this:

	2024-06-03T15:51:10

CycloneDX 1.4 relies on the JSON Schema specification version draft-07,
which defines the `date-time` format [2] as derived from RFC 3339,
section 5.6 [3]. In this format, the `time-offset` component is required,
however in the original version of package-metadata.pl it is omitted.

This is causing problems with OWASP Dependency-Track version 4.11.0 or
newer, where it now validates submitted SBOMs against the JSON schema
by default [4]. SBOMs with incorrect timestamp values are rejected with
the following error:

	{
	    "detail": "Schema validation failed",
	    "errors": [
	        "$.metadata.timestamp: 2024-06-03T15:51:10 is an invalid date-time"
	    ],
	    "status": 400,
	    "title": "The uploaded BOM is invalid"
	}

Add explicit `Z` (UTC) timezone offset in the `timestamp` field
to satisfy the CycloneDX schema.

[1]: https://github.com/CycloneDX/specification/blob/1.4/schema/bom-1.4.schema.json#L116-L121
[2]: https://json-schema.org/draft-07/draft-handrews-json-schema-validation-01#rfc.section.7.3.1
[3]: https://datatracker.ietf.org/doc/html/rfc3339#section-5.6
[4]: https://github.com/DependencyTrack/dependency-track/pull/3522

Signed-off-by: Roman Azarenko &lt;roman.azarenko@iopsys.eu&gt;
</content>
</entry>
<entry>
<title>build: fix version info in cyclonedx sbom</title>
<updated>2024-05-25T17:27:06Z</updated>
<author>
<name>Akshay Bhat</name>
</author>
<published>2024-04-19T18:26:45Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/openwrt/staging/jow/commit/?id=d8939ff2d5daac4eb3ff932f38ea9d63e091697a'/>
<id>urn:sha1:d8939ff2d5daac4eb3ff932f38ea9d63e091697a</id>
<content type='text'>
Prior to e8725a932e16eaf6ec51add8c084d959cbe32ff2, the version used to be
VERSION:=$(PKG_VERSION)-$(PKG_RELEASE)
After e8725a932e16eaf6ec51add8c084d959cbe32ff2, the version is:
VERSION:=$(PKG_VERSION)-r$(PKG_RELEASE)

Hence the gen_*_cyclonedxsbom functions need to be updated to remove
the trailing -r prefix in the version in order to generate correct
version info in the SBOM.

Signed-off-by: Akshay Bhat &lt;nodeax@gmail.com&gt;
</content>
</entry>
<entry>
<title>build: add APK package build capabilities</title>
<updated>2024-05-17T20:21:26Z</updated>
<author>
<name>Paul Spooren</name>
</author>
<published>2024-05-14T10:36:59Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/openwrt/staging/jow/commit/?id=d788ab376f859164df84e2054cbbbb0921943c5b'/>
<id>urn:sha1:d788ab376f859164df84e2054cbbbb0921943c5b</id>
<content type='text'>
A new option called `USE_APK` is added which generates APK packages
(.apk) instead of OPKG packages (.ipk).

Some features like the fstools `snapshot` command are not yet ported.

Signed-off-by: Paul Spooren &lt;mail@aparcar.org&gt;
</content>
</entry>
<entry>
<title>build: fix kernel component in CycloneDX SBOM</title>
<updated>2024-03-01T15:42:34Z</updated>
<author>
<name>Cedric DOURLENT</name>
</author>
<published>2024-03-01T15:42:34Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/openwrt/staging/jow/commit/?id=84331215e57090a9cdae4af75af2539c39cd7de7'/>
<id>urn:sha1:84331215e57090a9cdae4af75af2539c39cd7de7</id>
<content type='text'>
As stated in the CycloneDX documentation, the field "type" is mandatory for all components.

More details here (https://cyclonedx.org/docs/1.5/json/#components_items_type)

Signed-off-by: Cedric DOURLENT &lt;cedric.dourlent@softathome.com&gt;
</content>
</entry>
<entry>
<title>build: add CycloneDX SBOM JSON support</title>
<updated>2023-11-01T11:14:41Z</updated>
<author>
<name>Petr Štetiar</name>
</author>
<published>2023-10-24T08:27:13Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/openwrt/staging/jow/commit/?id=d604a07225c5c82b942cd3374cc113ad676a2519'/>
<id>urn:sha1:d604a07225c5c82b942cd3374cc113ad676a2519</id>
<content type='text'>
CycloneDX is an open source standard developed by the OWASP foundation.
It supports a wide range of development ecosystems, a comprehensive set
of use cases, and focuses on automation, ease of adoption, and
progressive enhancement of SBOMs (Software Bill Of Materials) throughout
build pipelines.

So let's add support for CycloneDX SBOM for package and image
manifests.

Signed-off-by: Petr Štetiar &lt;ynezz@true.cz&gt;
</content>
</entry>
<entry>
<title>package-metadata: add CPE information to JSON package manifests</title>
<updated>2023-11-01T11:14:39Z</updated>
<author>
<name>Petr Štetiar</name>
</author>
<published>2022-10-19T13:46:45Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/openwrt/staging/jow/commit/?id=8562c65ff8aae3899cdb190319709500b7651492'/>
<id>urn:sha1:8562c65ff8aae3899cdb190319709500b7651492</id>
<content type='text'>
Common Platform Enumeration (CPE) is a structured naming scheme for
information technology systems, software, and packages.

In order for the information to be processed further, it should also be
available in JSON package manifests.

Signed-off-by: Petr Štetiar &lt;ynezz@true.cz&gt;
</content>
</entry>
<entry>
<title>scripts/package-metadata.pl: strip already selected conditions from dependencies</title>
<updated>2023-09-01T17:30:32Z</updated>
<author>
<name>Felix Fietkau</name>
</author>
<published>2023-09-01T17:26:29Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/openwrt/staging/jow/commit/?id=ae88f00357c8d9b616bc034b1f266340f6bef3e3'/>
<id>urn:sha1:ae88f00357c8d9b616bc034b1f266340f6bef3e3</id>
<content type='text'>
When a dependency is pulled in via conditional depends, and the condition
is already selected earlier in the chain, drop the condition.
This avoids some corner cases that trigger recursive dependencies.

Signed-off-by: Felix Fietkau &lt;nbd@nbd.name&gt;
</content>
</entry>
<entry>
<title>Revert "scripts/package-metadata.pl: fix handling transitive conditional dependencies"</title>
<updated>2023-09-01T16:34:58Z</updated>
<author>
<name>Felix Fietkau</name>
</author>
<published>2023-09-01T16:34:36Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/openwrt/staging/jow/commit/?id=6252c18d1cae2a0f94e6a4bd706b98b210cf8063'/>
<id>urn:sha1:6252c18d1cae2a0f94e6a4bd706b98b210cf8063</id>
<content type='text'>
This reverts commit 6c3eff9dd8bb8d0f268e8a0dbedbc6a33bdac796.
This appears to cause some regressions in the generated config.
Will be replaced with a fixed version later.

Signed-off-by: Felix Fietkau &lt;nbd@nbd.name&gt;
</content>
</entry>
<entry>
<title>scripts/package-metadata.pl: sort dependency keys</title>
<updated>2023-09-01T16:34:20Z</updated>
<author>
<name>Felix Fietkau</name>
</author>
<published>2023-09-01T16:15:30Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/openwrt/staging/jow/commit/?id=33303b5cece071b13aafb689eed9faa7ca79efcd'/>
<id>urn:sha1:33303b5cece071b13aafb689eed9faa7ca79efcd</id>
<content type='text'>
This makes it easier to keep track of changes in the generated output
when the script is modified.

Signed-off-by: Felix Fietkau &lt;nbd@nbd.name&gt;
</content>
</entry>
<entry>
<title>scripts/package-metadata.pl: fix handling transitive conditional dependencies</title>
<updated>2023-09-01T10:18:13Z</updated>
<author>
<name>Felix Fietkau</name>
</author>
<published>2023-09-01T10:14:26Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/openwrt/staging/jow/commit/?id=6c3eff9dd8bb8d0f268e8a0dbedbc6a33bdac796'/>
<id>urn:sha1:6c3eff9dd8bb8d0f268e8a0dbedbc6a33bdac796</id>
<content type='text'>
When a package foo depends on PACKAGE_foo:bar (in order to make build
dependencies conditional), tracking transitive dependencies can fail because
the internal seen flag is checked/set before eliminating the fake conditional
dependency. This can show up as a "depends on" not properly turned into a
"select" further down in the dependency chain.

Signed-off-by: Felix Fietkau &lt;nbd@nbd.name&gt;
</content>
</entry>
</feed>
