
feat: components support software bill of materials (AEGHB-869) #423

Merged


YanKE01
Contributor

@YanKE01 YanKE01 commented Nov 7, 2024

Description

ESP-IoT-Solution components support software bill of materials

Related

N/A

Testing

Enter any example directory and execute the following command:

➜  lightbulb git:(feat/support_esp_idf_sbom) idf.py build
➜  lightbulb git:(feat/support_esp_idf_sbom) esp-idf-sbom create -o lightbulb.spdx build/project_description.json
➜  lightbulb git:(feat/support_esp_idf_sbom) ✗ esp-idf-sbom check lightbulb.spdx                                   
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 44/44 0:00:23  
                                                         Report summary                                                          
┌───────────────────────────────────┬───────────────────────────────────────────────────────────────────────────────────────────┐
│ Date:                             │ 2024-11-07T06:35:42Z                                                                      │
│ Project name:                     │ project-lightbulb_example                                                                 │
│ Project version:                  │ f3481c35                                                                                  │
│ Vulnerability database:           │ NATIONAL VULNERABILITY DATABASE REST API (https://nvd.nist.gov)                           │
│ Generated by tool:                │ esp-idf-sbom (0.19.1)                                                                     │
│ Generated with command:           │ /home/yanke/.espressif/python_env/idf5.5_py3.10_env/bin/esp-idf-sbom check lightbulb.spdx │
│ Number of scanned packages:       │ 44                                                                                        │
├───────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────┤
│ CRITICAL CVEs found:              │                                                                                           │
│ Packages affect by CRITICAL CVEs: │                                                                                           │
│ Number of CRITICAL CVEs:          │ 0                                                                                         │
├───────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────┤
│ HIGH CVEs found:                  │                                                                                           │
│ Packages affect by HIGH CVEs:     │                                                                                           │
│ Number of HIGH CVEs:              │ 0                                                                                         │
├───────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────┤
│ MEDIUM CVEs found:                │                                                                                           │
│ Packages affect by MEDIUM CVEs:   │                                                                                           │
│ Number of MEDIUM CVEs:            │ 0                                                                                         │
├───────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────┤
│ LOW CVEs found:                   │                                                                                           │
│ Packages affect by LOW CVEs:      │                                                                                           │
│ Number of LOW CVEs:               │ 0                                                                                         │
├───────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────┤
│ UNKNOWN CVEs found:               │                                                                                           │
│ Packages affect by UNKNOWN CVEs:  │                                                                                           │
│ Number of UNKNOWN CVEs:           │ 0                                                                                         │
├───────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────┤
│ All CVEs found:                   │                                                                                           │
│ All packages affect by CVEs:      │                                                                                           │
│ Total number of CVEs:             │ 0                                                                                         │
└───────────────────────────────────┴───────────────────────────────────────────────────────────────────────────────────────────┘


                                                                                     Packages with Excluded Vulnerabilities                                                                                      
┏━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━┳━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Package  ┃ Version ┃     CVE ID     ┃ Base Score ┃ Base Severity ┃                                                                Information                                                                 ┃
┡━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━╇━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│          │         │                │            │               │  CVSS    3.1                                                                                                                               │
│          │         │                │            │               │  Vec.    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H                                                                                      │
│          │         │                │            │               │  CPE     cpe:2.3:a:newlib_project:newlib:4.3.0:*:*:*:*:*:*:*                                                                               │
│  newlib  │  4.3.0  │ CVE-2024-30949 │    9.8     │   CRITICAL    │  Link    https://nvd.nist.gov/vuln/detail/CVE-2024-30949                                                                                   │
│          │         │                │            │               │  Desc.   An issue in newlib v.4.3.0 allows an attacker to execute arbitrary code via the time unit scaling in the _gettimeofday function.  │
│          │         │                │            │               │  Reason  A vulnerability was discovered in the gettimeofday system call implementation within the RISC-V libgloss component of Newlib.     │
│          │         │                │            │               │          ESP-IDF does not link against libgloss for RISC-V, hence the issue is not directly applicable. Still, the relevant fix has been   │
│          │         │                │            │               │          patched through https://github.com/espressif/newlib-esp32/commit/047ba47013c2656a1e7838dc86cbc75aeeaa67a7                         │
├──────────┼─────────┼────────────────┼────────────┼───────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│          │         │                │            │               │  CVSS    3.1                                                                                                                               │
│          │         │                │            │               │  Vec.    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H                                                                                      │
│          │         │                │            │               │  CPE     cpe:2.3:o:amazon:freertos:10.5.1:*:*:*:*:*:*:*                                                                                    │
│          │         │                │            │               │  Link    https://nvd.nist.gov/vuln/detail/CVE-2024-28115                                                                                   │
│ freertos │ 10.5.1  │ CVE-2024-28115 │    7.8     │     HIGH      │  Desc.   FreeRTOS is a real-time operating system for microcontrollers. FreeRTOS Kernel versions through 10.6.1 do not sufficiently        │
│          │         │                │            │               │          protect against local privilege escalation via Return Oriented Programming techniques should a vulnerability exist that allows    │
│          │         │                │            │               │          code injection and execution. These issues affect ARMv7-M MPU ports, and ARMv8-M ports with Memory Protected Unit (MPU) support   │
│          │         │                │            │               │          enabled (i.e. `configENABLE_MPU` set to 1). These issues are fixed in version 10.6.2 with a new MPU wrapper.                      │
│          │         │                │            │               │  Reason  Affects only ARMv7-M MPU ports, and ARMv8-M ports with Memory Protected Unit (MPU) support enabled                                │
└──────────┴─────────┴────────────────┴────────────┴───────────────┴────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
                                                                         Already assessed vulnerabilities that do not apply to packages.                                                                         


                                Packages with No Identified Vulnerabilities                                 
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃          Package          ┃ Version  ┃                                CPE                                ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ project-lightbulb_example │ f3481c35 │ cpe:2.3:a:espressif:esp-idf:5.5-dev-183-g6fdd380812:*:*:*:*:*:*:* │
└───────────────────────────┴──────────┴───────────────────────────────────────────────────────────────────┘
                        Packages checked against NVD with no vulnerabilities found.                         


       Packages without CPE and Keyword Information        
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃           Package            ┃         Version          ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│   toolchain-xtensa-esp-elf   │   esp-14.2.0_20240906    │
├──────────────────────────────┼──────────────────────────┤
│      component-console       │ v5.5-dev-183-g6fdd380812 │
├──────────────────────────────┼──────────────────────────┤
│        component-cxx         │ v5.5-dev-183-g6fdd380812 │
├──────────────────────────────┼──────────────────────────┤
│     component-esp_common     │ v5.5-dev-183-g6fdd380812 │
├──────────────────────────────┼──────────────────────────┤
│      component-esp_phy       │ v5.5-dev-183-g6fdd380812 │
├──────────────────────────────┼──────────────────────────┤
│        component-log         │ v5.5-dev-183-g6fdd380812 │
├──────────────────────────────┼──────────────────────────┤
│        component-main        │         f3481c35         │
├──────────────────────────────┼──────────────────────────┤
│  component-nvs_sec_provider  │ v5.5-dev-183-g6fdd380812 │
├──────────────────────────────┼──────────────────────────┤
│       component-xtensa       │ v5.5-dev-183-g6fdd380812 │
├──────────────────────────────┼──────────────────────────┤
│          argtable3           │          3.2.2           │
├──────────────────────────────┼──────────────────────────┤
│  component-esp_driver_uart   │ v5.5-dev-183-g6fdd380812 │
├──────────────────────────────┼──────────────────────────┤
│  component-esp_vfs_console   │ v5.5-dev-183-g6fdd380812 │
├──────────────────────────────┼──────────────────────────┤
│        component-vfs         │ v5.5-dev-183-g6fdd380812 │
├──────────────────────────────┼──────────────────────────┤
│      component-pthread       │ v5.5-dev-183-g6fdd380812 │
├──────────────────────────────┼──────────────────────────┤
│     component-esp_system     │ v5.5-dev-183-g6fdd380812 │
├──────────────────────────────┼──────────────────────────┤
│    submodule-esp_phy-lib     │ v5.5-dev-183-g6fdd380812 │
├──────────────────────────────┼──────────────────────────┤
│       component-driver       │ v5.5-dev-183-g6fdd380812 │
├──────────────────────────────┼──────────────────────────┤
│       component-efuse        │ v5.5-dev-183-g6fdd380812 │
├──────────────────────────────┼──────────────────────────┤
│     component-nvs_flash      │ v5.5-dev-183-g6fdd380812 │
├──────────────────────────────┼──────────────────────────┤
│     component-esp_timer      │ v5.5-dev-183-g6fdd380812 │
├──────────────────────────────┼──────────────────────────┤
│        component-hal         │ v5.5-dev-183-g6fdd380812 │
├──────────────────────────────┼──────────────────────────┤
│        component-soc         │ v5.5-dev-183-g6fdd380812 │
├──────────────────────────────┼──────────────────────────┤
│   component-esp_hw_support   │ v5.5-dev-183-g6fdd380812 │
├──────────────────────────────┼──────────────────────────┤
│  component-lightbulb_driver  │          1.3.2           │
├──────────────────────────────┼──────────────────────────┤
│ component-bootloader_support │ v5.5-dev-183-g6fdd380812 │
├──────────────────────────────┼──────────────────────────┤
│   component-esp_partition    │ v5.5-dev-183-g6fdd380812 │
├──────────────────────────────┼──────────────────────────┤
│  component-esp_driver_gpio   │ v5.5-dev-183-g6fdd380812 │
├──────────────────────────────┼──────────────────────────┤
│    component-esp_ringbuf     │ v5.5-dev-183-g6fdd380812 │
├──────────────────────────────┼──────────────────────────┤
│       component-esp_pm       │ v5.5-dev-183-g6fdd380812 │
├──────────────────────────────┼──────────────────────────┤
│     component-spi_flash      │ v5.5-dev-183-g6fdd380812 │
├──────────────────────────────┼──────────────────────────┤
│       component-esp_mm       │ v5.5-dev-183-g6fdd380812 │
├──────────────────────────────┼──────────────────────────┤
│ component-esp_driver_gptimer │ v5.5-dev-183-g6fdd380812 │
├──────────────────────────────┼──────────────────────────┤
│  component-esp_driver_ledc   │ v5.5-dev-183-g6fdd380812 │
├──────────────────────────────┼──────────────────────────┤
│   component-esp_driver_spi   │ v5.5-dev-183-g6fdd380812 │
├──────────────────────────────┼──────────────────────────┤
│      component-freertos      │ v5.5-dev-183-g6fdd380812 │
├──────────────────────────────┼──────────────────────────┤
│   component-esp_app_format   │ v5.5-dev-183-g6fdd380812 │
├──────────────────────────────┼──────────────────────────┤
│      component-esp_rom       │ v5.5-dev-183-g6fdd380812 │
├──────────────────────────────┼──────────────────────────┤
│    component-esp_security    │ v5.5-dev-183-g6fdd380812 │
├──────────────────────────────┼──────────────────────────┤
│        component-heap        │ v5.5-dev-183-g6fdd380812 │
├──────────────────────────────┼──────────────────────────┤
│     component-app_update     │ v5.5-dev-183-g6fdd380812 │
├──────────────────────────────┼──────────────────────────┤
│     submodule-heap-tlsf      │ v5.5-dev-183-g6fdd380812 │
└──────────────────────────────┴──────────────────────────┘
Packages were not checked against the NVD due to the absence of CPE or keywords.

Checklist

Before submitting a Pull Request, please ensure the following:

  • 🚨 This PR does not introduce breaking changes.
  • All CI checks (GH Actions) pass.
  • Documentation is updated as needed.
  • Tests are updated or added as necessary.
  • Code is well-commented, especially in complex areas.
  • Git history is clean — commits are squashed to the minimum necessary.
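The check report above only queries the NVD for packages that carry a CPE; everything listed under "Packages without CPE and Keyword Information" is never matched. As an added example (not part of this PR or of esp-idf-sbom), the following parser reads an SPDX 2.x tag-value SBOM, the format `esp-idf-sbom create` writes, and reports which packages the NVD check would skip and whether the CPEs that are present are well formed. The sample document is constructed from the package names, versions and CPEs shown on this page and is not real tool output.

```python
"""Coverage check for an SPDX tag-value SBOM: which packages have a CPE?"""
from dataclasses import dataclass, field
from typing import List

# Constructed sample (trimmed SPDX tag-value), built from the report on this page.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.2
PackageName: project-lightbulb_example
PackageVersion: f3481c35
ExternalRef: SECURITY cpe23Type cpe:2.3:a:espressif:esp-idf:5.5-dev-183-g6fdd380812:*:*:*:*:*:*:*

PackageName: newlib
PackageVersion: 4.3.0
ExternalRef: SECURITY cpe23Type cpe:2.3:a:newlib_project:newlib:4.3.0:*:*:*:*:*:*:*

PackageName: freertos
PackageVersion: 10.5.1
ExternalRef: SECURITY cpe23Type cpe:2.3:o:amazon:freertos:10.5.1:*:*:*:*:*:*:*

PackageName: component-log
PackageVersion: v5.5-dev-183-g6fdd380812
"""


@dataclass
class Package:
    name: str
    version: str = ""
    cpes: List[str] = field(default_factory=list)


def parse_spdx_packages(text: str) -> List[Package]:
    """Walk tag-value lines; each PackageName: tag opens a new package."""
    packages: List[Package] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag, _, value = line.partition(":")  # split on the first colon only
        value = value.strip()
        if tag == "PackageName":
            current = Package(name=value)
            packages.append(current)
        elif current is None:
            continue  # document-level tags before the first package
        elif tag == "PackageVersion":
            current.version = value
        elif tag == "ExternalRef":
            parts = value.split(None, 2)  # category, type, locator
            if len(parts) == 3 and parts[0] == "SECURITY" and parts[1] == "cpe23Type":
                current.cpes.append(parts[2])
    return packages


def is_well_formed_cpe23(cpe: str) -> bool:
    """A CPE 2.3 formatted string has exactly 13 colon-separated fields."""
    fields = cpe.split(":")
    return len(fields) == 13 and fields[0] == "cpe" and fields[1] == "2.3"


def unscanned_packages(packages: List[Package]) -> List[str]:
    """Packages with no CPE: the NVD check silently skips these."""
    return [p.name for p in packages if not p.cpes]
```

Run `unscanned_packages(parse_spdx_packages(open("lightbulb.spdx").read()))` against a real SBOM to see the blind spot the report's last table describes.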


github-actions bot commented Nov 7, 2024

Warnings

⚠️ The **target branch** for this Pull Request **must be the default branch** of the project (`master`).

If you would like to add this feature to a different branch, please state this in the PR description and we will consider it.

👋 Hello YanKE01, we appreciate your contribution to this project!


Click to see more instructions ...


This automated output is generated by the PR linter DangerJS, which checks if your Pull Request meets the project's requirements and helps you fix potential issues.

DangerJS is triggered with each push event to a Pull Request and modify the contents of this comment.

Please consider the following:
- Danger mainly focuses on the PR structure and formatting and can't understand the meaning behind your code or changes.
- Danger is not a substitute for human code reviews; it's still important to request a code review from your colleagues.
- Resolve all warnings (⚠️ ) before requesting a review from human reviewers - they will appreciate it.
- To manually retry these Danger checks, please navigate to the Actions tab and re-run last Danger workflow.

Review and merge process you can expect ...


We do welcome contributions in the form of bug reports, feature requests and pull requests.

1. An internal issue has been created for the PR, we assign it to the relevant engineer.
2. They review the PR and either approve it or ask you for changes or clarifications.
3. Once the GitHub PR is approved we do the final review, collect approvals from core owners and make sure all the automated tests are passing.
- At this point we may do some adjustments to the proposed change, or extend it by adding tests or documentation.
4. If the change is approved and passes the tests it is merged into the default branch.

Generated by 🚫 dangerJS against f3481c3

@leeebo leeebo self-requested a review November 7, 2024 07:14
@github-actions github-actions bot changed the title feat: components support software bill of materials feat: components support software bill of materials (AEGHB-869) Nov 7, 2024
Collaborator

@leeebo leeebo left a comment


@YanKE01 LGTM!

@leeebo
Collaborator

leeebo commented Nov 8, 2024

sha=f3481c353f0d05037a91470139e1e624b37a060b

@zhanzhaocheng zhanzhaocheng merged commit 845f6f2 into espressif:release/v2.0 Nov 12, 2024
2 of 4 checks passed