Axis Software Bill of Materials (SBOM) Examined

By bashis mcw, Published Jan 18, 2023, 10:14am EST

While Hikvision advocated for SBOMs without releasing its own, Axis has now released one, the first we have seen among video surveillance manufacturers.

In this report, IPVM examines what Axis is doing with SBOMs, the benefits of SBOMs, and the limitations of this approach.

Executive *******

**** *** **** **** *** ******** in *** ****** ************ ** ***+ **** *******, *********** *** ************* *** ******* the *****, ********, *** ************ *** ~90% (*** **** ********) ** *** open ****** *** *********** ********* **** Axis ****. ******** **** **** **** not ******* *** ****** ****, ** provides ********* *********** **** ***** ******** researchers ** ***** ******** ****, ** well ** ******** *** ********* ***** to ******** *** ****** ** *** software ***** *** ********* ** ***** identified ****.

Press *******

***** ******* **** ****** ******* ****:

********* **** *** ******* **** ******* of **** ** **.*, ***** **** OS ******* **** ** ************ ** an **** ***********-******. **** **** **** ************* **** all ********** *** ****-*********** ******** ********** that ******** *** **** ** *******. Initially, *** ** ******* ********* *** technical ***********, ***-******** *******, *****-***** *********** components, *** ****-*********** ********** **** ************ will ** ********. **** **** **** to ******* ***** ********** ** ****** releases.

**** ***** *** ********* ** ********** in *** **** *** ***** *** clarification ** **** ** ********, ****' response:

*** ******** **** ** ******** **** include *** ****-****** ********** *** **** OS. ** ******* *** **** ******* of ** **** ** ******* *********** about ****-****** ******** **********. ** ******** to ****, ** **** ******* *** majority ** ****-*********** **********, ******** ********** almost **** ******** ********** *********. ** are ******* ** ********* *** ********* obstacles ** **** ** *** ********** the **** **** *** ******* *********** but ** *** *** **** ** wait *** **** **** *********** *** rather ** ****** ***** *** **** in ******** *** ***** *********** *** benefits ** **** ** *********** *** our ********.

**** **** ***** **** *** **** is **** *** ***** *******, *** company *********:

****** **% ** *** ********* ******** packages *** ***** *** *** ******** in *** ******* ******** **** ** Material *** *** ********* *******, ***** we **** ******* ******** **** ** these ***** *******.

Axis **** ***** *********

**** **** ******* *** *********** ******** ******* (*****) CycloneDX*** *** ****, ***** ** * component ******** ******** **** ********** ***** in *** ******** ****** *****, **** as ************* **************, ******* **********, ******** component ********, *** ****, ************* **** information ** ******* **** ****** ******** data *******, *.*. ****, ***.

Automatic **** **********

**** ** ********* ******** ********* *** automated **** **********, ** ** *** into * ******* ********* ****** ****** the ************, ***** *** **** ****** be ****** *** ****** ****** ******** from ******** ********** *****. *** *******, to ******** ********/****** ******* **** ********* of ***** ********** ****, ** **** by ************* ******** ** ****** ***** positive ****** *** ******* ***** ********.

Manual ******

******** ********* *** ******** *** ********* in **** ** ***** ******, ** JSON ***** *** ****-*****, ** **** can ** ****** **** **** ******** text ******. *** ***********, **** ******** an ******* **** ********** **** **** *** *** *****-*** using *** ****** **** ******.

Examining **** **** *******

** *** ******* *****, ** **** how ** *** **** **** **** a ****** ****** ******* ** ***** what's ****** *** ******** *** **** risks *** ********** *** ** *** not ****.

**** ******** ***** ******* *** **** specific ******* "********-***", ** ********* **** kind ** *********** ** ***** *** how ** ** ******** ** ****** the *********** ****** ****.

"********-***" ******* ** ******* *********, *** of ***** ** ****** "****-*****-****".

********* "****-*****-****" ** *** **** **** library ******* ** ******* ******* *******. The ***** ** **** *** ******* is **** ******, *** ******* ******* is ******** ** *.**.* *** *** backported *** ***** *** *** ************* CVE-2022-1664.

********'* ******** *******, ***-****-**** ** **** to ** ***** ** *.**.*, *** ******* **** *********** **** SBOM, ** ***** **** **** **** to ***** **** *** ******* ** vulnerable ****, ** ****, ** ** not.

** *** *** **** "****-*****-****" *** two ************.

"*****" ******* **** ********* ***********, **** as ******* *.**.

** *** *** **** "*****" *** 0 ************.

*******

******* **** ********** ***** (******) *******, we *** **** **** *** "****-*****-****" is *** ********** ** ***-****-****, ******* version *.**.*. *** **** "*****" ** version *.**, ***** ** *** *** latest ******* ** "*****,"********* ** *** *** ********* ** SBOM, ************ ** *** ******* ***** *** no ***** *************** *** ******* *.**.

***** *** ** **** *** ** know **** *********** ******, ***** ****** to **** *** ******* ** ******* out ***** ******** **** ***** *** were ********** ** ***-****-*****, ********* ******* release ***** *** ********** ******** **** products.
