Dependencies and Vulnerability

Goal: Create SBOM with correct version numbers, CPE search strings, PURLs, and licenses. Use that to scan and assess vulnerabilities.
Platform: NRF Connect SDK 2.9.1 or newer.
Problem: No simple solution appears to exist: no meaningful public list of outstanding vulnerabilities (I understand this is per policy). The two SBOM tools (Nordic's license finder in SBOM format, and Zephyr's list of files in SBOM format) don't return anything any scanner I know of works with. I don't even know of a "nice" list of sub-dependencies in the SDK.

The current approach:

Use "west list" to get a list of sub-projects.

Use the Zephyr SBOM to sort out what sub-projects are used in my project.

Use Zephyr's or Nordic's SBOM to find the licenses.

   - This list has a few issues: 1. Not all sub-projects have version numbers; they have git hashes. 2. The sub-project version numbers are for Nordic forks of projects like mbedtls.

Try to find the version number of the sub-project based on the git hash to search the original project.

Try to find the version number of the sub-project based on the documentation where the SDK pulls in the sub-project.

   - This is error-prone, and if Nordic changes the code in any meaningful way or fixes bugs, using the actual projects is pointless. Note again, Nordic does not release information that I could find that lets me know.

Use AI and manual searching to create CPE strings.

Based on whether I am using the original source/project, I have enough information to create PURLs for all of the entries.

Please tell me there is an X that solves all of this, resolve some of my assumptions, improve the process, or let me know if it makes sense to use the original projects to assess vulnerabilities.
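One way to mechanise the "west list" to PURL step in the process above, added here as an example that is not from the original post and not one of Nordic's or Zephyr's tools; the `west list` sample output and the fork-to-upstream map are constructed assumptions, and components pinned only to a git hash are flagged rather than assigned a guessed version:

```python
import re
from urllib.parse import urlparse

# Constructed sample of `west list -f "{name} {revision} {url}"` output (not real SDK data).
WEST_LIST = """\
zephyr v3.7.99-ncs1 https://github.com/nrfconnect/sdk-zephyr
mbedtls 3b8b5e3c4b4c2f6f3a1d2e5c7d8e9f0a1b2c3d4e https://github.com/nrfconnect/sdk-mbedtls
cmsis 6.1.0 https://github.com/zephyrproject-rtos/cmsis
"""

# Assumed map from Nordic fork repo name to the upstream GitHub project it tracks.
UPSTREAM = {"sdk-mbedtls": "Mbed-TLS/mbedtls", "sdk-zephyr": "zephyrproject-rtos/zephyr"}

COMMIT_RE = re.compile(r"^[0-9a-f]{7,40}$")          # revision is a bare git hash
TAG_RE = re.compile(r"^v?(\d+\.\d+(?:\.\d+)?)")      # leading semver in a tag like v3.7.99-ncs1

def parse_west_list(text):
    """Turn west list lines into components with a PURL and a fork/hash flag."""
    comps = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        name, rev, url = parts
        repo_path = urlparse(url).path.strip("/").removesuffix(".git")
        repo = repo_path.split("/", 1)[1]
        comp = {
            "name": name,
            # PURL spec allows a commit hash as the @version for a github package.
            "purl": f"pkg:github/{repo_path.lower()}@{rev}",
            "fork_of": UPSTREAM.get(repo),  # None when the manifest already points upstream
        }
        if COMMIT_RE.match(rev):
            comp.update(version=None, commit=rev,
                        note="pinned to git hash; map to an upstream release before CPE lookup")
        else:
            m = TAG_RE.match(rev)
            comp.update(version=m.group(1) if m else rev, commit=None,
                        note="fork-specific tag; upstream version is a guess" if "ncs" in rev else "")
        comps.append(comp)
    return comps

def to_cyclonedx(comps):
    """Minimal CycloneDX 1.5 document; hash-pinned components carry the hash as version."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "components": [{"type": "library", "name": c["name"],
                            "version": c["version"] or c["commit"], "purl": c["purl"]}
                           for c in comps]}
```

Feed the resulting JSON to a CycloneDX-aware scanner, and treat every component with a non-empty note as a manual review item rather than a trusted match.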