Per the CycloneDX 1.4 spec, the `metadata.timestamp` field contains
the date/time when the BOM was created [1].

Before the change, the value generated by the package-metadata.pl
script would look like this:

        2024-06-03T15:51:10

CycloneDX 1.4 relies on the JSON Schema specification version draft-07,
which defines the `date-time` format [2] as derived from RFC 3339,
section 5.6 [3]. In this format, the `time-offset` component is required,
however in the original version of package-metadata.pl it is omitted.

This is causing problems with OWASP Dependency-Track version 4.11.0 or
newer, where it now validates submitted SBOMs against the JSON schema
by default [4]. SBOMs with incorrect timestamp values are rejected with
the following error:

        {
            "detail": "Schema validation failed",
            "errors": [
                "$.metadata.timestamp: 2024-06-03T15:51:10 is an invalid date-time"
            ],
            "status": 400,
            "title": "The uploaded BOM is invalid"
        }

Add explicit `Z` (UTC) timezone offset in the `timestamp` field
to satisfy the CycloneDX schema.

[1]: https://github.com/CycloneDX/specification/blob/1.4/schema/bom-1.4.schema.json#L116-L121
[2]: https://json-schema.org/draft-07/draft-handrews-json-schema-validation-01#rfc.section.7.3.1
[3]: https://datatracker.ietf.org/doc/html/rfc3339#section-5.6
[4]: https://github.com/DependencyTrack/dependency-track/pull/3522

Signed-off-by: Roman Azarenko <roman.azare...@iopsys.eu>
---
 scripts/package-metadata.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/package-metadata.pl b/scripts/package-metadata.pl
index 1e47052ba028..82bd4360f3bb 100755
--- a/scripts/package-metadata.pl
+++ b/scripts/package-metadata.pl
@@ -655,7 +655,7 @@ sub dump_cyclonedxsbom_json {
                serialNumber => "urn:uuid:$uuid",
                version => 1,
                metadata => {
-                       timestamp => gmtime->datetime,
+                       timestamp => gmtime->datetime . 'Z',
                },
                "components" => [@components],
        };
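Review bot: Appending a literal 'Z' is correct only because the value comes from `gmtime`, which is UTC; a short comment on the `timestamp` line saying the suffix depends on that would stop a later switch to `localtime->datetime` from silently emitting a wrong offset. Making the format explicit in one place, e.g. `gmtime->strftime('%Y-%m-%dT%H:%M:%SZ')`, would avoid the string concatenation and document the intended RFC 3339 shape. The change itself satisfies the draft-07 `date-time` format cited in the message, since 'Z' is a valid `time-offset`.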
-- 
2.45.1
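The commit message above explains why `2024-06-03T15:51:10` is rejected: the JSON Schema draft-07 `date-time` format is RFC 3339 section 5.6, where the `time-offset` is mandatory. The following is an added example, not part of the patch or of OpenWrt's package-metadata.pl, showing a pre-upload check for that field in Python. It implements the RFC 3339 `date-time` grammar as a regex, runs it over the constructed "before" and "after" values from the commit message, reproduces the Dependency-Track style error string quoted there, and shows the Python equivalent of the patched `gmtime->datetime . 'Z'` expression. The function names, the `sample_bom` shape and the error-string format are the example's own assumptions.

```python
"""Check that a CycloneDX BOM's metadata.timestamp is an RFC 3339 date-time.

Added example (not OpenWrt or Dependency-Track code). Useful as a local
pre-flight check before uploading an SBOM to a validator that enforces the
CycloneDX JSON schema.
"""
import json
import re
from datetime import datetime, timezone
from typing import List, Optional

# Grammar of RFC 3339 section 5.6 `date-time` (the JSON Schema draft-07
# `date-time` format): full-date "T" partial-time time-offset, where
# time-offset is "Z" or +hh:mm / -hh:mm. The offset is mandatory, which is
# exactly what the unpatched package-metadata.pl output lacked.
RFC3339_DATE_TIME = re.compile(
    r"^(?P<year>\d{4})-(?P<month>0[1-9]|1[0-2])-(?P<day>0[1-9]|[12]\d|3[01])"
    r"[Tt]"
    r"(?P<hour>[01]\d|2[0-3]):(?P<minute>[0-5]\d):(?P<second>[0-5]\d|60)"
    r"(?P<fraction>\.\d+)?"
    r"(?P<offset>[Zz]|[+-](?:[01]\d|2[0-3]):[0-5]\d)$"
)


def is_rfc3339_date_time(value: str) -> bool:
    """Return True if `value` is a syntactically valid RFC 3339 date-time."""
    m = RFC3339_DATE_TIME.match(value)
    if not m:
        return False
    # Reject calendar-impossible dates (e.g. 2024-02-30) that the regex allows.
    try:
        datetime(int(m["year"]), int(m["month"]), int(m["day"]))
    except ValueError:
        return False
    return True


def check_bom_timestamp(bom: dict) -> List[str]:
    """Mimic a schema check of metadata.timestamp (assumed error format).

    Returns a list of error strings shaped like the rejection message quoted
    in the commit message; an empty list means the field is acceptable.
    """
    ts = bom.get("metadata", {}).get("timestamp")
    if ts is None:
        return []  # timestamp is optional in the CycloneDX 1.4 schema
    if not isinstance(ts, str) or not is_rfc3339_date_time(ts):
        return [f"$.metadata.timestamp: {ts} is an invalid date-time"]
    return []


def utc_timestamp(now: Optional[datetime] = None) -> str:
    """Produce a schema-valid UTC timestamp, the Python counterpart of the
    patched Perl expression `gmtime->datetime . 'Z'`.

    Note the same pitfall exists here: a naive datetime's isoformat() also
    omits the offset, so the format is made explicit with strftime.
    """
    now = now or datetime.now(timezone.utc)
    return now.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def sample_bom(timestamp: str) -> dict:
    """Constructed BOM skeleton in the shape of the package-metadata.pl output."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {"timestamp": timestamp},
        "components": [],
    }


if __name__ == "__main__":
    before = sample_bom("2024-06-03T15:51:10")   # offset missing: rejected
    after = sample_bom("2024-06-03T15:51:10Z")   # patched form: accepted
    print(json.dumps(check_bom_timestamp(before)))
    print(json.dumps(check_bom_timestamp(after)))
    print(utc_timestamp())
```

Running the script prints the single error for the unpatched value, an empty list for the patched value, and a freshly generated UTC timestamp. The regex deliberately accepts `+hh:mm` / `-hh:mm` offsets as well as `Z`, since any of them satisfies the `time-offset` rule; the patch chose `Z` because `gmtime` already yields UTC.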

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel