From 90c1e93e40bdfe6718b97e2d95aabc2f0f609ce8 Mon Sep 17 00:00:00 2001
From: David Cermak
Date: Thu, 14 Sep 2023 08:18:35 +0200
Subject: [PATCH] Add sbom descripton file for Software BOM

This file is used by the esp-idf-sbom tool to generate an SBOM file in the SPDX format for esp-idf projects.
---
 sbom.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 sbom.yml

diff --git a/sbom.yml b/sbom.yml
new file mode 100644
index 000000000..bc1945789
--- /dev/null
+++ b/sbom.yml
@@ -0,0 +1,11 @@
+name: 'lwip'
+version: '2.1.2'
+cpe: cpe:2.3:a:lwip_project:lwip:{}:*:*:*:*:*:*:*
+supplier: 'Organization: Espressif Systems (Shanghai) CO LTD'
+originator: 'Organization: non-GNU software and documentation, lwIP Project '
+description: A Lightweight TCP/IP stack with additional features and patches from Espressif.
+cve-exclude-list: - cve: CVE-2020-22284 reason: The fix for this vulnerability has been incorporated from the lwIP project upstream as ecd6009a, 6ffe30d9 and 8f5a0aaa. - cve: CVE-2020-22283 reason: The fix for this vulnerability has been incorporated from the lwIP project upstream as 379d5504, ba3b04e7 and 843a1161 (Note that this vulnerability is not listed in the NVD against lwip version 2.1.2, but version - N/A).
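Review bot: The `originator` value in the new sbom.yml carries a trailing space inside the quotes (`lwIP Project '`), which becomes part of the SPDX originator string emitted for every consumer; drop it: `originator: 'Organization: non-GNU software and documentation, lwIP Project'`. The `cpe` value is left as a plain scalar while `name`, `version` and `supplier` are quoted; it parses as a string today, but quoting it as `cpe: 'cpe:2.3:a:lwip_project:lwip:{}:*:*:*:*:*:*:*'` keeps the `{}` version placeholder and the `*` wildcards from ever being read as flow-mapping or alias syntax if the prefix is edited, and matches the rest of the file. The two `cve-exclude-list` entries suppress CVE-2020-22284 and CVE-2020-22283 in every vulnerability report derived from this SBOM, and their reasons cite only upstream lwIP short hashes that a downstream consumer cannot resolve against this repository; a comment above the list such as `# Each exclusion must name the commit in this repository that carries the backport and be re-verified on every version bump` would make the suppression auditable and keep it from outliving the fix.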