From 204d5fc255ed4e5c07baf626a4bb60630e6ea0e3 Mon Sep 17 00:00:00 2001 From: Frantisek Hrbata Date: Fri, 26 Jun 2026 08:42:17 +0200 Subject: [PATCH] fix(libjpeg-turbo): wire SBOM manifest and correct CPE sbom_libjpeg.yml was never referenced from idf_component.yml, so esp-idf-sbom never discovered it. The component was therefore left out of SBOM generation and CVE scanning, and the manifest was never validated. Add the sbom section so the manifest is picked up. With the manifest now validated, correct the CPE, which was both malformed (CPE-spec-version field "3.1.1" instead of "2.3") and pointed at the wrong product (libjpeg, i.e. IJG libjpeg). Replace it with the two products NVD assigns to libjpeg-turbo CVEs: libjpeg-turbo:libjpeg-turbo and d.r.commander:libjpeg-turbo. Bump the component revision accordingly. Signed-off-by: Frantisek Hrbata --- libjpeg-turbo/idf_component.yml | 6 +++++- libjpeg-turbo/sbom_libjpeg.yml | 4 +++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/libjpeg-turbo/idf_component.yml b/libjpeg-turbo/idf_component.yml index 54c5071cdd..dd0202c780 100644 --- a/libjpeg-turbo/idf_component.yml +++ b/libjpeg-turbo/idf_component.yml @@ -1,6 +1,10 @@ -version: "3.1.1~1" +version: "3.1.1~2" description: Jpeg-turbo port to ESP url: https://github.com/espressif/idf-extra-components/tree/master/libjpeg-turbo dependencies: idf: ">=5.0.0" +sbom: + manifests: + - path: sbom_libjpeg.yml + dest: libjpeg-turbo diff --git a/libjpeg-turbo/sbom_libjpeg.yml b/libjpeg-turbo/sbom_libjpeg.yml index 060ba8cf39..17dab97d9b 100644 --- a/libjpeg-turbo/sbom_libjpeg.yml +++ b/libjpeg-turbo/sbom_libjpeg.yml 
@@ -1,6 +1,8 @@ name: libjpeg-turbo version: 3.1.1 -cpe: cpe:3.1.1:a:libjpeg:libjpeg:{}:*:*:*:*:*:*:* +cpe: + - cpe:2.3:a:libjpeg-turbo:libjpeg-turbo:{}:*:*:*:*:*:*:* + - cpe:2.3:a:d.r.commander:libjpeg-turbo:{}:*:*:*:*:*:*:* supplier: 'Organization: libjpeg-turbo' description: libjpeg-turbo is a JPEG image codec library url: https://github.com/libjpeg-turbo/libjpeg-turbo
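Review bot: in the idf_component.yml hunk, the version fields of the two files are now decoupled: this file moves to `version: "3.1.1~2"` while the newly wired `sbom_libjpeg.yml` carries its own literal `version: 3.1.1` (which also feeds the `{}` placeholder in the CPEs), so a future upstream bump that only edits idf_component.yml would leave the manifest, and therefore the version used for CVE matching, stale. A comment next to the `version:` line pointing at sbom_libjpeg.yml, or a CI check that the two agree, would prevent that. Also worth confirming that `dest: libjpeg-turbo` matches the actual subdirectory holding the vendored upstream sources, since that is the subpackage the manifest gets attached to.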
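Review bot: in the sbom_libjpeg.yml hunk, both replacement CPEs are well-formed 2.3 strings (13 colon-separated fields, with the version slot left to the `{}` placeholder), but the hunk also changes `cpe` from a scalar to a list, and the commit message notes this manifest was never validated before, so this is the first time both the list form and the placeholder expansion are exercised for this component. Please attach the esp-idf-sbom manifest validation output and a CVE scan result for the component showing that libjpeg-turbo advisories are now matched under the two new vendor:product pairs; with the old `libjpeg:libjpeg` string the scanner would have reported IJG libjpeg advisories and missed libjpeg-turbo ones, so the scan output is the only way to confirm the fix actually changes what is reported.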