
fix(libjpeg-turbo): wire SBOM manifest and correct CPE #766

Open
fhrbata wants to merge 1 commit into espressif:master from fhrbata:fix/libjpeg-turbo-sbom-manifest

Conversation

@fhrbata fhrbata (Collaborator) commented Jun 26, 2026

Checklist

  • Component contains License
  • Component contains README.md
  • Component contains idf_component.yml file with url field defined
  • Component was added to upload job
  • CI passing

Note: this is a fix to the existing libjpeg-turbo component, not a new component.

Change description

libjpeg-turbo/sbom_libjpeg.yml was never referenced from libjpeg-turbo/idf_component.yml. esp-idf-sbom only treats a file as a manifest if it is wired through one of its recognized entry points (sbom.yml, idf_component.yml, .gitmodules), so the unreferenced sbom_libjpeg.yml was invisible to it. As a result libjpeg-turbo was excluded from SBOM generation and CVE scanning, and its manifest was never validated by the test_sbom CI job.

This PR:

  • Wires in the manifest — adds the sbom: section to idf_component.yml (matching every other component here), so sbom_libjpeg.yml is discovered.
  • Fixes the CPE, which was both:
    • malformed — the CPE-spec-version field read 3.1.1 instead of 2.3, so the value was not a well-formed CPE 2.3 binding and never matched NVD; and
    • pointing at the wrong product: libjpeg:libjpeg is IJG libjpeg, not libjpeg-turbo. Replaced with the two products NVD assigns to libjpeg-turbo CVEs: libjpeg-turbo:libjpeg-turbo and d.r.commander:libjpeg-turbo (both, since NVD splits libjpeg-turbo CVEs across the two vendors).
  • Bumps the component revision to 3.1.1~2.

With the manifest wired in, esp-idf-sbom manifest validate discovers and validates it (exit 0).

sbom_libjpeg.yml was never referenced from idf_component.yml, so
esp-idf-sbom never discovered it. The component was therefore left out
of SBOM generation and CVE scanning, and the manifest was never
validated. Add the sbom section so the manifest is picked up.

With the manifest now validated, correct the CPE, which was both
malformed (CPE-spec-version field "3.1.1" instead of "2.3") and pointed
at the wrong product (libjpeg, i.e. IJG libjpeg). Replace it with the
two products NVD assigns to libjpeg-turbo CVEs:
libjpeg-turbo:libjpeg-turbo and d.r.commander:libjpeg-turbo. Bump the
component revision accordingly.

Signed-off-by: Frantisek Hrbata <frantisek.hrbata@espressif.com>
@fhrbata fhrbata requested a review from suda-morris June 26, 2026 06:55
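The two CPE defects the PR describes (a spec-version field that is not 2.3, and a vendor:product pair that names IJG libjpeg rather than libjpeg-turbo) are mechanical enough to catch before a manifest is committed. The following is an added example written for this page; it is not code from the PR, the component or esp-idf-sbom. It checks that a string is a structurally valid CPE 2.3 formatted-string binding (prefix, 13 colon-separated fields with escaped colons respected, part a/h/o, attribute values in the simplified NISTIR 7695 grammar) and then checks that the vendor:product pair is one of the two the PR names. The "before" and "after" CPE strings are constructed from the PR description, since the page does not quote the manifest's exact text, and the manifest keys are not assumed at all: the functions take a plain list of CPE strings.

```python
"""Structural check of CPE 2.3 formatted-string bindings, plus a product
sanity check, for SBOM manifests.  Added example for this page; not code
from the PR, the libjpeg-turbo component or esp-idf-sbom."""
from __future__ import annotations

import re

CPE23_PREFIX = "cpe:2.3:"
ATTRS = ("part", "vendor", "product", "version", "update", "edition",
         "language", "sw_edition", "target_sw", "target_hw", "other")

# Attribute-value grammar, simplified from the NISTIR 7695 formatted-string
# binding: a logical value ("*" or "-"), or a non-empty run of unreserved
# characters / backslash-escaped punctuation, optionally wrapped in the
# wildcards "*" or "?+".  Spaces and unescaped punctuation are rejected.
_UNRESERVED = r"[A-Za-z0-9._-]"
_QUOTED = r"\\[\\?*!\"#$%&'()+,/:;<=>@\[\]^`{|}~]"
_WILD = r"(?:\*|\?+)"
_AVSTRING = re.compile(
    rf"^(?:\*|-|{_WILD}?(?:{_UNRESERVED}|{_QUOTED})+{_WILD}?)$")


def split_cpe(cpe: str) -> list[str]:
    """Split on unescaped ':' only; a '\\:' inside a value stays in the value."""
    fields, cur, i = [], [], 0
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):
            cur.append(cpe[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields


def validate_cpe23(cpe: str) -> tuple[bool, str]:
    """Return (ok, reason).  'cpe:3.1.1:...' fails at the prefix check, which
    is the malformed spec-version field described in the PR."""
    if not cpe.startswith(CPE23_PREFIX):
        return False, "not a CPE 2.3 binding (expected prefix 'cpe:2.3:')"
    fields = split_cpe(cpe)
    if len(fields) != 13:
        return False, f"expected 13 colon-separated fields, got {len(fields)}"
    values = dict(zip(ATTRS, fields[2:]))
    # For a concrete product name (not a match pattern) part must be a/h/o.
    if values["part"] not in ("a", "h", "o"):
        return False, f"part must be a/h/o, got {values['part']!r}"
    for name, val in values.items():
        if not _AVSTRING.match(val):
            return False, f"attribute {name} has invalid value {val!r}"
    return True, "ok"


def vendor_product(cpe: str) -> tuple[str, str] | None:
    """(vendor, product) of a 13-field CPE, or None if the field count is off."""
    fields = split_cpe(cpe)
    return (fields[3], fields[4]) if len(fields) == 13 else None


# The two NVD vendor:product pairs the PR says carry libjpeg-turbo CVEs.
LIBJPEG_TURBO_PRODUCTS = {("libjpeg-turbo", "libjpeg-turbo"),
                          ("d.r.commander", "libjpeg-turbo")}


def check_manifest_cpes(cpes, expected_products):
    """Validate each CPE, then flag any well-formed CPE whose vendor:product is
    outside expected_products (libjpeg:libjpeg is IJG libpeg, not -turbo).
    Returns a list of (cpe, ok, reason)."""
    out = []
    for cpe in cpes:
        ok, reason = validate_cpe23(cpe)
        if ok and vendor_product(cpe) not in expected_products:
            vp = ":".join(vendor_product(cpe))
            ok, reason = False, f"vendor:product {vp} is not an expected product"
        out.append((cpe, ok, reason))
    return out


# Constructed from the PR description (exact original text is not on the page):
# spec-version field "3.1.1" and the IJG libjpeg product.
OLD_CPES = ["cpe:3.1.1:a:libjpeg:libjpeg:3.1.1:*:*:*:*:*:*:*"]
# Assumed form of the corrected entries; version is the 3.1.1 named in the PR.
NEW_CPES = ["cpe:2.3:a:libjpeg-turbo:libjpeg-turbo:3.1.1:*:*:*:*:*:*:*",
            "cpe:2.3:a:d.r.commander:libjpeg-turbo:3.1.1:*:*:*:*:*:*:*"]

if __name__ == "__main__":
    for label, cpes in (("before", OLD_CPES), ("after", NEW_CPES)):
        for cpe, ok, reason in check_manifest_cpes(cpes, LIBJPEG_TURBO_PRODUCTS):
            print(f"{label:6} {'OK ' if ok else 'BAD'} {cpe}  ({reason})")
```

The product check is deliberately separate from the syntax check: a CPE such as cpe:2.3:a:libjpeg:libjpeg:*:... is perfectly well-formed and would pass a schema validator, which is exactly why the wrong product survived until the manifest was actually wired in and looked at.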