update SPDX SBOM to 2.3 and add openvex statements to SBOM

.github/scripts/otp-compliance.es

@@ -83,7 +83,7 @@
 -define(spdx_download_location, ~"https://github.com/erlang/otp/releases").
 -define(spdx_homepage, ~"https://www.erlang.org").
 -define(spdx_purl_meta_data, ~"?vcs_url=git+https://github.com/erlang/otp.git").
--define(spdx_version, ~"SPDX-2.2").
+-define(spdx_version, ~"SPDX-2.3").
 -define(otp_version, 'OTP_VERSION'). % file name of the OTP version
 -define(spdx_project_purl, #{ ~"comment" => ~"",
                               ~"referenceCategory" => ~"PACKAGE-MANAGER",
@@ -551,7 +551,8 @@ sbom_fixing_functions(ScanResults) ->
      {fun fix_project_package_version/2, 'OTP_VERSION'},
      {fun fix_has_extracted_license_info/2, extracted_license_info()},
      {fun fix_project_purl/2, ?spdx_project_purl},
-     {fun fix_beam_licenses/2, {Licenses, Copyrights}} ].
+     {fun fix_beam_licenses/2, {Licenses, Copyrights}}
+    ].
 
 fix_project_name(ProjectName, #{ ~"documentDescribes" := [ ProjectName0 ],
                                  ~"packages" := Packages}=Sbom) ->
@@ -1172,7 +1173,7 @@ create_spdx_package(Pkg) ->
     Supplier = Pkg#spdx_package.'supplier',
     Purl1 = case Pkg#spdx_package.'purl' of
                false -> [];
-               _ -> [Pkg#spdx_package.'purl']
+               _ -> Pkg#spdx_package.'purl'
            end,
     #{ ~"SPDXID" => SPDXID,
        ~"versionInfo" => VersionInfo,
@@ -1888,7 +1889,8 @@ create_spdx_package_record(PackageName, Vsn, Description, SpdxPackageFiles,
     VerificationCodeValue = generate_verification_code_value(SpdxPackageFiles),
     Purl1 = case Purl of
                 false -> false;
-                true -> create_externalRef_purl(Description, otp_purl(PackageName, Vsn))
+                true -> [create_externalRef_purl(Description, otp_purl(PackageName, Vsn)),
+                         fix_openvex_reference()]
             end,
     #spdx_package {
        'SPDXID' = SpdxPackageName,
@@ -1911,6 +1913,19 @@ create_spdx_package_record(PackageName, Vsn, Description, SpdxPackageFiles,
       }.
 
 
+fix_openvex_reference() ->
+    OTPMajorVersion = hd(string:split(get_otp_version(), ".")),
+    Reference = openvex_iri(OTPMajorVersion),
+    #{
+     ~"referenceCategory" => ~"SECURITY",
+     ~"referenceLocator" => Reference,
+     ~"referenceType" => ~"advisory"
+    }.
+
+%% Branch = ~"28" or similar. just the current version number.
+openvex_iri(Branch) when is_binary(Branch) ->
+    <<"https://erlang.org/download/vex/otp-", Branch/binary, ".openvex.json">>.
+
 otp_app_license_mapping(Name) ->
     case Name of
         ~"edoc" -> ~"Apache-2.0 OR LGPL-2.1-or-later";
@@ -2375,16 +2390,23 @@ test_project_purl(#{~"documentDescribes" := [ProjectName], ~"packages" := Packag
     ok.
 
 test_packages_purl(#{~"documentDescribes" := [ProjectName], ~"packages" := Packages}=_Sbom) ->
-    OTPPackages = lists:filter(fun (#{~"SPDXID" := Id, ~"name" := Name}) -> ProjectName =/= Id andalso lists:member(Name, minimum_otp_apps()) end, Packages),
-    true = lists:all(fun (#{~"name" := Name, ~"versionInfo" := Version, ~"externalRefs" := [#{~"referenceLocator":= RefLoc}=Ref]}) ->
+    OTPPackages = lists:filter(fun (#{~"SPDXID" := Id, ~"name" := Name}) ->
+                                       ProjectName =/= Id andalso lists:member(Name, minimum_otp_apps())
+                               end, Packages),
+    true = lists:all(fun (#{~"name" := Name, ~"versionInfo" := Version,
+                            ~"externalRefs" := [#{~"referenceLocator":= RefLoc}=Ref,
+                                                OpenVex]}) ->
                              ExternalRef = create_externalRef_purl(~"", otp_purl(Name, Version)),
                              ExternalRef1 = maps:remove(~"comment", ExternalRef),
                              Ref1 = maps:remove(~"comment", Ref),
 
+                             ExpectedVEX = fix_openvex_reference(),
+
                              %% check expected external ref
                              ExternalRef1 =:= Ref1  andalso
                                  %% check metadata is included in purl
-                                 nomatch =/= string:find(RefLoc, ?spdx_purl_meta_data)
+                                 nomatch =/= string:find(RefLoc, ?spdx_purl_meta_data) andalso
+                                 ExpectedVEX == OpenVex
                      end, OTPPackages),
     ok.
 
@@ -3202,12 +3224,13 @@ fetch_app_from_table(OTPVersion, App0) ->
 convert_range(Version) ->
     string:split(Version, ".", all).
 
-
+%% Branch = "otp-28"
 init_openvex_file(Branch) ->
     Ts = calendar:system_time_to_rfc3339(erlang:system_time(microsecond), [{unit, microsecond}]),
+    [~"otp", Version] = string:split(Branch, ~"-"),
     #{
       ~"@context"   => ~"https://openvex.dev/ns/v0.2.0",
-      ~"@id"        => <<"https://openvex.dev/docs/public/otp/vex-", Branch/binary>>,
+      ~"@id"        => openvex_iri(Version),
       ~"author"     => ~"vexctl",
       ~"timestamp"  => erlang:list_to_binary(Ts),
       ~"version"    => 1,

.github/workflows/main.yaml

@@ -745,7 +745,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: pack
     env:
-        ORT_VERSION: 58.0.1
+        ORT_VERSION: 72.0.0
         SCAN_RESULT_CACHE_PATH: .ort/scan-result.json
 
     steps:
@@ -807,7 +807,7 @@ jobs:
           FROM otp
           RUN echo 'export PATH="\$HOME/.local/bin:\$PATH"' >> /home/otptest/.profile
           RUN sudo apt-get install -y libicu-dev pip && \
-              pip install click==8.1.7 scancode-toolkit==${SCANCODE_VERSION} reuse && \
+              pip install click==8.3.1 scancode-toolkit==${SCANCODE_VERSION} reuse && \
               pip install -U ntia-conformance-checker
           EOF
 

.ort/config/config.yml

@@ -36,3 +36,9 @@ ort:
     enabledPackageManagers: [Unmanaged]
     # A flag to control whether excluded scopes and paths should be skipped during the analysis.
     skipExcluded: true
+
+  reporter:
+    reporters:
+      SpdxDocument:
+        options:
+          spdxVersion: "SPDX-2.3"

FILE-HEADERS/MPL-1.1.txt

@@ -0,0 +1,9 @@
+The contents of this file are subject to the Mozilla Public
+License Version 1.1 (the "License"); you may not use this file
+except in compliance with the License. You may obtain a copy of
+the License at http://www.mozilla.org/MPL/
+
+Software distributed under the License is distributed on an "AS IS"
+basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+the License for the specific language governing rights and
+limitations under the License.

lib/dialyzer/test/opaque_SUITE_data/results/ewgi

@@ -1,4 +1,13 @@
 
-ewgi_api.erl:55:31: The call gb_trees:to_list({non_neg_integer(),'nil' | {_,_,_,_}}) does not have an opaque term of type gb_trees:tree(_,_) as 1st argument
-ewgi_testapp.erl:35:91: The call ewgi_testapp:htmlise_data("request_data",{non_neg_integer(),'nil' | {_,_,_,_}}) does not have a term of type [{_,_}] | gb_trees:tree(_,_) (with opaque subterms) as 2nd argument
-ewgi_testapp.erl:43:27: The call gb_trees:to_list(T::{non_neg_integer(),'nil' | {_,_,_,_}}) does not have an opaque term of type gb_trees:tree(_,_) as 1st argument
+ewgi_api.erl:47:31: The call gb_trees:to_list({non_neg_integer(),'nil' | {_,_,_,_}}) does not have an opaque term of type gb_trees:tree(_,_) as 1st argument
+ewgi_testapp.erl:26:91: The call ewgi_testapp:htmlise_data("request_data",{non_neg_integer(),'nil' | {_,_,_,_}}) does not have a term of type [{_,_}] | gb_trees:tree(_,_) (with opaque subterms) as 2nd argument
+ewgi_testapp.erl:34:27: The call gb_trees:to_list(T::{non_neg_integer(),'nil' | {_,_,_,_}}) does not have an opaque term of type gb_trees:tree(_,_) as 1st argument
+
+%% %CopyrightBegin%
+%%
+%% SPDX-License-Identifier: MPL-1.1
+%%
+%% SPDX-FileCopyrightText: Copyright 2007 S.G. Consulting s.r.l. Filippo Pacini <[email protected]>
+%% SPDX-FileCopyrightText: Copyright 2007 S.G. Consulting s.r.l. Hunter Morris <[email protected]>
+%%
+%% %CopyrightEnd%

lib/dialyzer/test/opaque_SUITE_data/src/ewgi/ewgi_api.erl

@@ -1,21 +1,13 @@
-%%%-------------------------------------------------------------------
-%%% File    : ewgi_api.erl
-%%% Authors : Filippo Pacini <[email protected]>
-%%%           Hunter Morris <[email protected]>
-%%% License :
-%%% The contents of this file are subject to the Mozilla Public
-%%% License Version 1.1 (the "License"); you may not use this file
-%%% except in compliance with the License. You may obtain a copy of
-%%% the License at http://www.mozilla.org/MPL/
-%%%
-%%% Software distributed under the License is distributed on an "AS IS"
-%%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
-%%% the License for the specific language governing rights and
-%%% limitations under the License.
-%%% The Initial Developer of the Original Code is S.G. Consulting
-%%% srl. Portions created by S.G. Consulting s.r.l. are Copyright (C)
-%%% 2007 S.G. Consulting srl. All Rights Reserved.
-%%%
+%% %CopyrightBegin%
+%%
+%% SPDX-License-Identifier: MPL-1.1
+%%
+%% SPDX-FileCopyrightText: Copyright 2007 S.G. Consulting s.r.l. Filippo Pacini <[email protected]>
+%% SPDX-FileCopyrightText: Copyright 2007 S.G. Consulting s.r.l. Hunter Morris <[email protected]>
+%%
+%% %CopyrightEnd%
+
+%%% -------------------------------------------------------------------
 %%% @doc
 %%% <p>ewgi API. Defines a low level CGI like API.</p>
 %%%

lib/dialyzer/test/opaque_SUITE_data/src/ewgi/ewgi_testapp.erl

@@ -1,20 +1,11 @@
-%%%-------------------------------------------------------------------
-%%% File    : ewgi_testapp.erl
-%%% Authors : Hunter Morris <[email protected]>
-%%% License :
-%%% The contents of this file are subject to the Mozilla Public
-%%% License Version 1.1 (the "License"); you may not use this file
-%%% except in compliance with the License. You may obtain a copy of
-%%% the License at http://www.mozilla.org/MPL/
-%%%
-%%% Software distributed under the License is distributed on an "AS IS"
-%%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
-%%% the License for the specific language governing rights and
-%%% limitations under the License.
-%%% The Initial Developer of the Original Code is S.G. Consulting
-%%% srl. Portions created by S.G. Consulting s.r.l. are Copyright (C)
-%%% 2007 S.G. Consulting srl. All Rights Reserved.
-%%%
+%% %CopyrightBegin%
+%%
+%% SPDX-License-Identifier: MPL-1.1
+%%
+%% SPDX-FileCopyrightText: Copyright 2007 S.G. Consulting s.r.l. Hunter Morris <[email protected]>
+%%
+%% %CopyrightEnd%
+
 %%% @doc
 %%% <p>ewgi test applications</p>
 %%%

lib/dialyzer/test/opaque_SUITE_data/src/ewgi2/ewgi_api.erl

@@ -1,20 +1,12 @@
-%%%-------------------------------------------------------------------
-%%% File    : ewgi_api.erl
-%%% Authors : Filippo Pacini <[email protected]>
-%%%           Hunter Morris <[email protected]>
-%%% License :
-%%% The contents of this file are subject to the Mozilla Public
-%%% License Version 1.1 (the "License"); you may not use this file
-%%% except in compliance with the License. You may obtain a copy of
-%%% the License at http://www.mozilla.org/MPL/
-%%%
-%%% Software distributed under the License is distributed on an "AS IS"
-%%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
-%%% the License for the specific language governing rights and
-%%% limitations under the License.
-%%% The Initial Developer of the Original Code is S.G. Consulting
-%%% srl. Portions created by S.G. Consulting s.r.l. are Copyright (C)
-%%% 2007 S.G. Consulting srl. All Rights Reserved.
+%% %CopyrightBegin%
+%%
+%% SPDX-License-Identifier: MPL-1.1
+%%
+%% SPDX-FileCopyrightText: Copyright 2007 S.G. Consulting s.r.l. Filippo Pacini <[email protected]>
+%% SPDX-FileCopyrightText: Copyright 2007 S.G. Consulting s.r.l. Hunter Morris <[email protected]>
+%%
+%% %CopyrightEnd%
+
 %%%
 %%% @doc
 %%% <p>ewgi API. Defines a low level CGI like API.</p>

lib/dialyzer/test/opaque_SUITE_data/src/ewgi2/ewgi_testapp.erl

@@ -1,20 +1,11 @@
-%%%-------------------------------------------------------------------
-%%% File    : ewgi_testapp.erl
-%%% Authors : Hunter Morris <[email protected]>
-%%% License :
-%%% The contents of this file are subject to the Mozilla Public
-%%% License Version 1.1 (the "License"); you may not use this file
-%%% except in compliance with the License. You may obtain a copy of
-%%% the License at http://www.mozilla.org/MPL/
-%%%
-%%% Software distributed under the License is distributed on an "AS IS"
-%%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
-%%% the License for the specific language governing rights and
-%%% limitations under the License.
-%%% The Initial Developer of the Original Code is S.G. Consulting
-%%% srl. Portions created by S.G. Consulting s.r.l. are Copyright (C)
-%%% 2007 S.G. Consulting srl. All Rights Reserved.
-%%%
+%% %CopyrightBegin%
+%%
+%% SPDX-License-Identifier: MPL-1.1
+%%
+%% SPDX-FileCopyrightText: Copyright 2007 S.G. Consulting s.r.l. Hunter Morris <[email protected]>
+%%
+%% %CopyrightEnd%
+
 %%% @doc
 %%% <p>ewgi test applications</p>
 %%%

system/doc/README.md

@@ -44,3 +44,6 @@ to use Erlang/OTP and different aspects of working with Erlang/OTP. The guides a
   interoperability between Erlang and C.
 * [Embedded Systems User's Guide](embedded/embedded.md) -
   This section describes the issues that are specific for running Erlang on an embedded system.
+* [VEX Statements](vex/vulnerabilities.md) -
+  This section describes how Erlang/OTP reports OpenVex statements and their meaning
+  towards third parties.

system/doc/docs.exs

@@ -32,6 +32,7 @@
     "system_principles/versions.md": [],
     "system_principles/misc.md": [],
     "sbom/sbom.md": [],
+    "vulnerabilities/vulnerabilities.md": [],
     "embedded/embedded.md": [],
     "getting_started/getting_started.md": [],
     "getting_started/seq_prog.md": [],

system/doc/guides

@@ -8,3 +8,4 @@ efficiency_guide:Efficiency Guide
 tutorial:Interoperability Tutorial
 embedded:Embedded Systems User's Guide
 sbom:Software Bill Of Materials
+vulnerabilities:VEX Statements