Axis Software Bill of Materials (SBOM) Examined

bashis mcw
Published Jan 18, 2023 15:14 PM

While Hikvision advocated for SBOMs without releasing one, Axis has now published its own SBOM, the first we have seen from a video surveillance manufacturer.

IPVM Image

In this report, IPVM examines what Axis is doing with SBOMs, the benefits of SBOMs, and the limitations of this approach.

Executive *******

**** *** **** **** *** ******** in *** ****** ************ ** ***+ **** *******, *********** *** ************* *** ******* the *****, ********, *** ************ *** ~90% (*** **** ********) ** *** open ****** *** *********** ********* **** Axis ****. ******** **** **** **** not ******* *** ****** ****, ** provides ********* *********** **** ***** ******** researchers ** ***** ******** ****, ** well ** ******** *** ********* ***** to ******** *** ****** ** *** software ***** *** ********* ** ***** identified ****.

Press *******

***** ******* **** ****** ******* ****:

********* **** *** ******* **** ******* of **** ** **.*, ***** **** OS ******* **** ** ************ ** an **** ***********-******. **** **** **** ************* **** all ********** *** ****-*********** ******** ********** that ******** *** **** ** *******. Initially, *** ** ******* ********* *** technical ***********, ***-******** *******, *****-***** *********** components, *** ****-*********** ********** **** ************ will ** ********. **** **** **** to ******* ***** ********** ** ****** releases.

**** ***** *** ********* ** ********** in *** **** *** ***** *** clarification ** **** ** ********, ****' response:

*** ******** **** ** ******** **** include *** ****-****** ********** *** **** OS. ** ******* *** **** ******* of ** **** ** ******* *********** about ****-****** ******** **********. ** ******** to ****, ** **** ******* *** majority ** ****-*********** **********, ******** ********** almost **** ******** ********** *********. ** are ******* ** ********* *** ********* obstacles ** **** ** *** ********** the **** **** *** ******* *********** but ** *** *** **** ** wait *** **** **** *********** *** rather ** ****** ***** *** **** in ******** *** ***** *********** *** benefits ** **** ** *********** *** our ********.

**** **** ***** **** *** **** is **** *** ***** *******, *** company *********:

****** **% ** *** ********* ******** packages *** ***** *** *** ******** in *** ******* ******** **** ** Material *** *** ********* *******, ***** we **** ******* ******** **** ** these ***** *******.

Axis **** ***** *********

**** **** ******* *** *********** ******** ******* (*****) CycloneDX*** *** ****, ***** ** * component ******** ******** **** ********** ***** in *** ******** ****** *****, **** as ************* **************, ******* **********, ******** component ********, *** ****, ************* **** information ** ******* **** ****** ******** data *******, *.*. ****, ***.

Automatic **** **********

**** ** ********* ******** ********* *** automated **** **********, ** ** *** into * ******* ********* ****** ****** the ************, ***** *** **** ****** be ****** *** ****** ****** ******** from ******** ********** *****. *** *******, to ******** ********/****** ******* **** ********* of ***** ********** ****, ** **** by ************* ******** ** ****** ***** positive ****** *** ******* ***** ********.

Manual ******

******** ********* *** ******** *** ********* in **** ** ***** ******, ** JSON ***** *** ****-*****, ** **** can ** ****** **** **** ******** text ******. *** ***********, **** ******** an ******* **** ********** **** **** *** *** *****-*** using *** ****** **** ******.

Examining **** **** *******

** *** ******* *****, ** **** how ** *** **** **** **** a ****** ****** ******* ** ***** what's ****** *** ******** *** **** risks *** ********** *** ** *** not ****.

**** ******** ***** ******* *** **** specific ******* "********-***", ** ********* **** kind ** *********** ** ***** *** how ** ** ******** ** ****** the *********** ****** ****.

IPVM Image

"********-***" ******* ** ******* *********, *** of ***** ** ****** "****-*****-****".

IPVM Image

********* "****-*****-****" ** *** **** **** library ******* ** ******* ******* *******. The ***** ** **** *** ******* is **** ******, *** ******* ******* is ******** ** *.**.* *** *** backported *** ***** *** *** ************* CVE-2022-1664.

********'* ******** *******, ***-****-**** ** **** to ** ***** ** *.**.*, *** ******* **** *********** **** SBOM, ** ***** **** **** **** to ***** **** *** ******* ** vulnerable ****, ** ****, ** ** not.

IPVM Image

** *** *** **** "****-*****-****" *** two ************.

IPVM Image

"*****" ******* **** ********* ***********, **** as ******* *.**.

IPVM Image

** *** *** **** "*****" *** 0 ************.

IPVM Image

*******

******* **** ********** ***** (******) *******, we *** **** **** *** "****-*****-****" is *** ********** ** ***-****-****, ******* version *.**.*. *** **** "*****" ** version *.**, ***** ** *** *** latest ******* ** "*****,"********* ** *** *** ********* ** SBOM, ************ ** *** ******* ***** *** no ***** *************** *** ******* *.**.

***** *** ** **** *** ** know **** *********** ******, ***** ****** to **** *** ******* ** ******* out ***** ******** **** ***** *** were ********** ** ***-****-*****, ********* ******* release ***** *** ********** ******** **** products.
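The two problems the report raises, an automated scanner matching SBOM entries on name and version alone (false positives) and a vendor backporting a fix without bumping the upstream version number so the SBOM cannot show it, can be illustrated with a small triage script. The following is an added example written for this page; it is not IPVM's tooling, not Axis's SBOM, and not Axis's code. The SBOM document, component names, version strings and advisory feed are constructed, and the CVE identifiers of the form CVE-0000-000x are hypothetical placeholders. The field names `components`, `bom-ref`, `purl`, `vulnerabilities[].affects[].ref` and `vulnerabilities[].analysis.state` are taken from the CycloneDX 1.4 JSON schema, which is the format the report says Axis uses; whether Axis ships the optional `vulnerabilities` section is an assumption here, not something the page states.

```python
"""Triage a CycloneDX 1.4 JSON SBOM against a local advisory list.

Added example, not from the original article or from Axis. Everything below
(SBOM, components, versions, advisories, CVE-0000-* ids) is constructed.
It contrasts a naive name+version scanner with a triage step that uses two
signals the SBOM itself can carry: a producer-supplied VEX analysis, and a
distro-style version suffix that hints at a backported fix.
"""
import json
import re

# Constructed CycloneDX 1.4 JSON SBOM. Invented components; not a vendor's real file.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "bom-ref": "pkg:deb/example/examplelib@1.21.1-1+deb11u1",
         "name": "examplelib", "version": "1.21.1-1+deb11u1",
         "purl": "pkg:deb/example/examplelib@1.21.1-1+deb11u1"},
        {"type": "library", "bom-ref": "pkg:deb/example/thirdlib@3.4.2-2ubuntu0.1",
         "name": "thirdlib", "version": "3.4.2-2ubuntu0.1",
         "purl": "pkg:deb/example/thirdlib@3.4.2-2ubuntu0.1"},
        {"type": "library", "bom-ref": "pkg:generic/otherlib@2.30",
         "name": "otherlib", "version": "2.30",
         "purl": "pkg:generic/otherlib@2.30"},
    ],
    # Optional VEX-style section (CycloneDX 1.4): the producer's own assessment.
    "vulnerabilities": [
        {"id": "CVE-0000-0001",
         "affects": [{"ref": "pkg:deb/example/examplelib@1.21.1-1+deb11u1"}],
         "analysis": {"state": "resolved",
                      "detail": "fix backported in distro revision +deb11u1"}},
    ],
})

# Constructed advisory feed with hypothetical ids (CVE-0000-* are not real CVEs).
ADVISORIES = [
    {"id": "CVE-0000-0001", "name": "examplelib", "fixed_in": "1.21.8"},
    {"id": "CVE-0000-0002", "name": "thirdlib", "fixed_in": "3.4.5"},
    {"id": "CVE-0000-0003", "name": "otherlib", "fixed_in": "2.29"},
]

VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")
# analysis.state values from the CycloneDX 1.4 schema that close a finding.
CLOSED_STATES = {"resolved", "resolved_with_pedigree", "not_affected", "false_positive"}


def split_version(version):
    """Return (upstream tuple, distro suffix): '1.21.1-1+deb11u1' -> ((1,21,1), '-1+deb11u1')."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return ((), version)
    return (tuple(int(p) for p in m.group(1).split(".")), m.group(2))


def naive_matches(sbom_text, advisories):
    """What a version-only scanner reports: every component whose upstream
    version number is below the advisory's fixed_in, backports ignored."""
    sbom = json.loads(sbom_text)
    hits = []
    for comp in sbom.get("components", []):
        upstream, _ = split_version(comp.get("version", ""))
        for adv in advisories:
            if adv["name"] == comp["name"] and upstream < split_version(adv["fixed_in"])[0]:
                hits.append((adv["id"], comp["name"], comp["version"]))
    return hits


def triage(sbom_text, advisories):
    """Refine naive matches: honour a producer VEX entry, and flag distro-style
    versions for manual verification instead of reporting them as affected."""
    sbom = json.loads(sbom_text)
    vex = {}  # (bom-ref, vuln id) -> analysis state
    for vuln in sbom.get("vulnerabilities", []):
        state = vuln.get("analysis", {}).get("state")
        for aff in vuln.get("affects", []):
            vex[(aff["ref"], vuln["id"])] = state
    by_ref = {c.get("bom-ref"): c for c in sbom.get("components", [])}
    results = []
    for vuln_id, name, version in naive_matches(sbom_text, advisories):
        ref = next(r for r, c in by_ref.items() if c["name"] == name and c["version"] == version)
        _, suffix = split_version(version)
        if vex.get((ref, vuln_id)) in CLOSED_STATES:
            verdict = "vendor_resolved"   # producer says fixed; verify the claim, do not report
        elif suffix:
            verdict = "verify_backport"   # distro revision present; upstream number alone is not proof
        else:
            verdict = "affected"
        results.append({"id": vuln_id, "name": name, "version": version, "verdict": verdict})
    return results


if __name__ == "__main__":
    print("naive :", naive_matches(SAMPLE_SBOM, ADVISORIES))
    for r in triage(SAMPLE_SBOM, ADVISORIES):
        print("triage:", r)
```

On the constructed input the naive pass reports two findings; triage downgrades one to `vendor_resolved` because the SBOM's own `analysis.state` closes it, and marks the other `verify_backport` because its `-2ubuntu0.1` suffix means the upstream number cannot be trusted on its own. Without a VEX section from the producer, that second verdict is the best an SBOM reader can do, which is the report's point: the SBOM tells you what is present, not whether a given fix was backported.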
