secubox-openwrt/Makefile
CyberMind-FR 8769a60275 feat(sbom): Add CRA Annex I compliant SBOM pipeline
Implements comprehensive Software Bill of Materials generation for
EU Cyber Resilience Act compliance with ANSSI CSPN certification path.

SBOM Pipeline:
- scripts/check-sbom-prereqs.sh: Prerequisites validation (OpenWrt, tools, Kconfig)
- scripts/sbom-generate.sh: Multi-source SBOM generation (native, feed, rootfs, firmware)
- scripts/sbom-audit-feed.sh: PKG_HASH/PKG_LICENSE feed audit with MANIFEST.md
- Makefile: SBOM targets (sbom, sbom-quick, sbom-validate, sbom-scan, sbom-audit)
- .github/workflows/sbom-release.yml: CI with CVE gating and auto-security issues

Documentation:
- SECURITY.md: CRA Art. 13 §6 compliant vulnerability disclosure policy
- docs/sbom-pipeline.md: Architecture, CRA mapping, ANSSI CSPN guidance

AI Gateway (bonus feed):
- secubox-ai-gateway: 3-tier data classification (LOCAL_ONLY/SANITIZED/CLOUD_DIRECT)
- luci-app-ai-gateway: LuCI dashboard with provider management and audit logging

Output formats: CycloneDX 1.6 (primary) + SPDX 2.3 (secondary)
Tools: syft, grype, cyclonedx-cli (auto-installed if missing)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-04 08:01:00 +01:00

Makefile

# SecuBox SBOM Pipeline Makefile
# Convenience targets for CRA Annex I compliance
#
# Usage:
# make sbom - Generate full SBOM (all sources)
# make sbom-quick - Generate SBOM without rebuilding
# make sbom-validate - Validate existing SBOM
# make sbom-scan - CVE scan only
# make sbom-audit - Audit feed packages for metadata
# make sbom-prereqs - Check prerequisites
# make sbom-clean - Clean SBOM outputs
# make sbom-help - Show this help
.PHONY: sbom sbom-quick sbom-validate sbom-scan sbom-audit sbom-prereqs sbom-clean sbom-help
# Default version (can be overridden: make sbom VERSION=0.20)
VERSION ?= $(shell cat version 2>/dev/null || git describe --tags --always 2>/dev/null || echo "dev")
ARCH ?= aarch64_cortex-a53
SBOM_DIR ?= dist/sbom
sbom: sbom-prereqs
@echo "=== Generating Full SBOM ==="
./scripts/sbom-generate.sh --version "$(VERSION)" --arch "$(ARCH)"
sbom-quick:
@echo "=== Generating Quick SBOM (no rebuild) ==="
./scripts/sbom-generate.sh --version "$(VERSION)" --arch "$(ARCH)"
sbom-validate:
@echo "=== Validating SBOM ==="
@if command -v cyclonedx-cli >/dev/null 2>&1; then \
cyclonedx-cli validate --input-file "$(SBOM_DIR)/secubox-$(VERSION).cdx.json" \
--input-format json --input-version v1_6 || true; \
else \
echo "cyclonedx-cli not found. Install with:"; \
echo " curl -sSfL -o ~/.local/bin/cyclonedx-cli https://github.com/CycloneDX/cyclonedx-cli/releases/latest/download/cyclonedx-linux-x64"; \
echo " chmod +x ~/.local/bin/cyclonedx-cli"; \
fi
sbom-scan:
@echo "=== Running CVE Scan ==="
@if command -v grype >/dev/null 2>&1; then \
grype sbom:"$(SBOM_DIR)/secubox-$(VERSION).cdx.json" \
--output table \
--output json="$(SBOM_DIR)/secubox-$(VERSION)-cve-report.json"; \
else \
echo "grype not found. Install with:"; \
echo " curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b ~/.local/bin"; \
fi
sbom-audit:
@echo "=== Auditing Feed Packages ==="
./scripts/sbom-audit-feed.sh
sbom-prereqs:
@echo "=== Checking Prerequisites ==="
./scripts/check-sbom-prereqs.sh
sbom-clean:
@echo "=== Cleaning SBOM Outputs ==="
rm -rf "$(SBOM_DIR)"
@echo "Cleaned: $(SBOM_DIR)"
sbom-help:
@echo "SecuBox SBOM Pipeline Targets"
@echo "=============================="
@echo ""
@echo " make sbom - Generate full SBOM (all sources)"
@echo " make sbom-quick - Generate SBOM without rebuilding"
@echo " make sbom-validate - Validate existing SBOM"
@echo " make sbom-scan - CVE scan only"
@echo " make sbom-audit - Audit feed packages for metadata"
@echo " make sbom-prereqs - Check prerequisites"
@echo " make sbom-clean - Clean SBOM outputs"
@echo ""
@echo "Variables:"
@echo " VERSION=$(VERSION)"
@echo " ARCH=$(ARCH)"
@echo " SBOM_DIR=$(SBOM_DIR)"
@echo ""
@echo "Examples:"
@echo " make sbom VERSION=0.20"
@echo " make sbom-scan VERSION=0.20"
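Review bot: `sbom-validate` can never fail: the cyclonedx-cli invocation ends in `|| true` (the `--input-version v1_6` line) and the else branch only prints install hints before exiting 0, so a malformed or missing SBOM still passes a target the commit presents as a CRA compliance step. Drop the `|| true` and end the else branch with `exit 1; \` so CI can gate on the result; `sbom-scan` has the same exit-0 behaviour when grype is absent, and `sbom-clean` would benefit from a guard such as `$(if $(strip $(SBOM_DIR)),,$(error SBOM_DIR is empty))` before the `rm -rf`. Separately, `sbom` and `sbom-quick` run byte-identical recipes (`./scripts/sbom-generate.sh --version "$(VERSION)" --arch "$(ARCH)"`), so the "no rebuild" promise in the help text is not implemented here — presumably the script needs a distinct flag, which I cannot see from the Makefile alone. The echoed install hints fetch `releases/latest` and pipe a remote `install.sh` into `sh` without a pinned version or checksum; for tooling that produces a supply-chain artefact, a pinned release and a `sha256sum -c` step would be more defensible.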