Skip to content

Commit

Permalink
Support the SWID activationStatus property
Browse files Browse the repository at this point in the history
This allows us to set the status as `DO NOT TRUST` or `DO NOT SHIP`, which is
handily also the tokens that security scanners look for.

See open-quantum-safe/oqs-provider#585 for discussion.
  • Loading branch information
hughsie committed Dec 10, 2024
1 parent 68f0617 commit c51727f
Show file tree
Hide file tree
Showing 8 changed files with 38 additions and 0 deletions.
6 changes: 6 additions & 0 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,12 @@ check: $(PYTEST) $(MYPY)
install:
$(VENV)/bin/pip install .

roundtrip:
PYTHONPATH=. $(VENV)/bin/python ./uswid/cli.py --roundtrip \
--load ./examples/sample.ini \
--save ./roundtrip.cdx.json \
--verbose

blacken: $(BLACK)
find uswid -name '*.py' -exec $(BLACK) {} \;

Expand Down
1 change: 1 addition & 0 deletions examples/sample.ini
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ edition = v2024.07-rc1-246-gff97d147677b
revision = 2.redhat
persistent-id = org.hughsie.colorhug2.firmware
cpe = cpe:2.3:a:hughski:colorhug:1.2.3:*:*:*:*:*:*:*
activation-status = DO NOT TRUST

[uSWID-Entity:TagCreator]
name = Richard Hughes
Expand Down
1 change: 1 addition & 0 deletions uswid/cli.py
Original file line number Diff line number Diff line change
Expand Up @@ -408,6 +408,7 @@ def _roundtrip(container: uSwidContainer, verbose: bool = False) -> None:
"revision",
"edition",
"persistent_id",
"activation_status",
"cpe",
]:
if getattr(component, key) != getattr(component_new, key):
Expand Down
10 changes: 10 additions & 0 deletions uswid/component.py
Original file line number Diff line number Diff line change
Expand Up @@ -129,6 +129,8 @@ def __init__(
self.source_filenames: List[str] = []
"""Top-level source directory for the project"""
self.source_dir: Optional[str] = None
"""Status, with specific terms and conditions for its use, e.g. 'DO NOT SHIP'"""
self.activation_status: Optional[str] = None

def add_source_filename(self, source_file: str):
"""Adds a source filename, i.e. what file helped created this component"""
Expand Down Expand Up @@ -204,6 +206,14 @@ def problems(self) -> List[uSwidProblem]:
]
if not self.version_scheme:
problems += [uSwidProblem("component", "No version scheme", since="0.4.7")]
if self.activation_status in ["DO NOT TRUST", "DO NOT SHIP"]:
problems += [
uSwidProblem(
"component",
"Software should not be used in production",
since="0.5.1",
)
]

if _is_redacted(self.summary):
problems += [uSwidProblem("component", "Redacted summary", since="0.4.8")]
Expand Down
4 changes: 4 additions & 0 deletions uswid/format_coswid.py
Original file line number Diff line number Diff line change
Expand Up @@ -246,6 +246,8 @@ def _save_component(self, component: uSwidComponent) -> bytes:
metadata[uSwidGlobalMap.REVISION] = component.revision
if component.product:
metadata[uSwidGlobalMap.PRODUCT] = component.product
if component.activation_status:
metadata[uSwidGlobalMap.ACTIVATION_STATUS] = component.activation_status
if component.edition:
metadata[uSwidGlobalMap.EDITION] = _to_perhaps_hex_bytes(component.edition)
if component.colloquial_version:
Expand Down Expand Up @@ -421,6 +423,8 @@ def _load_component(
component.revision = value
elif key == uSwidGlobalMap.PRODUCT:
component.product = value
elif key == uSwidGlobalMap.ACTIVATION_STATUS:
component.activation_status = value
elif key == uSwidGlobalMap.EDITION:
component.edition = _from_perhaps_hex_bytes(value)
elif key == uSwidGlobalMap.COLLOQUIAL_VERSION:
Expand Down
8 changes: 8 additions & 0 deletions uswid/format_cyclonedx.py
Original file line number Diff line number Diff line change
Expand Up @@ -131,6 +131,11 @@ def _load_component_internal(
meta.get("value")
)

try:
component.activation_status = data["pedigree"]["notes"]
except KeyError:
pass

for hash_data in data.get("hashes", []):
payload = uSwidPayload()
payload.add_hash(
Expand Down Expand Up @@ -376,6 +381,9 @@ def _save_component(self, component: uSwidComponent) -> Dict[str, Any]:
if component.version_scheme:
metadata["versionScheme"] = str(component.version_scheme)

if component.activation_status:
root["pedigree"] = {"notes": component.activation_status}

licenses: List[Dict[str, Any]] = []
for link in component.links:
if not link.href:
Expand Down
4 changes: 4 additions & 0 deletions uswid/format_ini.py
Original file line number Diff line number Diff line change
Expand Up @@ -143,6 +143,8 @@ def _save_component(self, component: uSwidComponent) -> bytes:
main["colloquial-version"] = component.colloquial_version
if component.persistent_id:
main["persistent-id"] = component.persistent_id
if component.activation_status:
main["activation-status"] = component.activation_status
if component.cpe:
main["cpe"] = component.cpe
config["uSWID"] = main
Expand Down Expand Up @@ -306,6 +308,8 @@ def _load_component(
component.colloquial_version = value
elif key == "persistent-id":
component.persistent_id = value
elif key == "activation-status":
component.activation_status = value
elif key == "cpe":
component.cpe = value
else:
Expand Down
4 changes: 4 additions & 0 deletions uswid/format_swid.py
Original file line number Diff line number Diff line change
Expand Up @@ -180,6 +180,7 @@ def _save_component(
or component.edition
or component.colloquial_version
or component.persistent_id
or component.activation_status
):
node = ET.SubElement(root, "Meta")
if component.summary:
Expand All @@ -194,6 +195,8 @@ def _save_component(
node.set("colloquialVersion", component.colloquial_version)
if component.persistent_id:
node.set("persistentId", component.persistent_id)
if component.activation_status:
node.set("activationStatus", component.activation_status)
if component.cpe:
node.set("cpe", component.cpe)
if component.type:
Expand Down Expand Up @@ -310,6 +313,7 @@ def _load_component(self, component: uSwidComponent, blob: bytes) -> None:
("edition", "edition"),
("colloquialVersion", "colloquial_version"),
("persistentId", "persistent_id"),
("activationStatus", "activation_status"),
("cpe", "cpe"),
]:
if attr_name in meta.attrib:
Expand Down

0 comments on commit c51727f

Please sign in to comment.