Update CPE in sbom.cdx.json to current organisation #9982
Comments
|
The Mbed TLS project has under Trusted Firmware governance since 2020. Arm still does most of the maintenance, but when we press the button to make a release, we do so on behalf of Trusted Firmware. We discussed this internally when the SBOM was created, and concluded that We aren't SBOM experts though. If our understanding of the meaning of the field is flawed, please clarify. |
|
Hello, When I search on nvd.nist.gov it looks like that the CPE given by the NIST is named like: Comparing the two searchs: https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&orderBy=CPEURI&keyword=mbed_tls&status=FINAL&startIndex=140 If I am using the SBOM from this repo (with trustedfirmware as organisation) it will not match to the naming of the CPEs on NIST. So, from my point of view, it should be changed on NIST or here, so that the names match together. But I dont know how this should be done on NIST. Looks like it will be easier here to follow their naming. |
Hello,
in the file:
https://github.com/Mbed-TLS/mbedtls/blob/03e704018ad7e005648f5ca428bc095e4ce3b5a0/scripts/sbom.cdx.json#L16C8-L16C21
the CPE is pointing to the trustedfirmware
"cpe": "cpe:2.3:a:trustedfirmware:mbed_tls:@VCS_TAG@:*:*:*:*:*:*:*",When I did some search on:
https://nvd.nist.gov/products/cpe/search
for the given CPE I find nothing that matches with the mbedtls lib.
Searching for "mbed tls" I will find:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=mbed+tls
So I guess that the right CPE would be:
cpe:2.3:a:arm:mbed_tls:3.6.1:*:*:*:*:*:*:*and in the given file:
cpe:2.3:a:arm:mbed_tls:@VCS_TAG@:*:*:*:*:*:*:*"To match with the existing organisations on nvd.nist.gov , it should be
arminstead oftrustedfirmware.The text was updated successfully, but these errors were encountered: