feat: add --include-otp flag to include OTP/ERTS runtime components#45
Open
Taure wants to merge 7 commits into erlef:main from
Conversation
…n SBoM
When enabled via `--include-otp` CLI flag or `{include_otp, true}` in
rebar.config, the generated SBoM includes Erlang/OTP, ERTS, and all
loaded OTP applications (kernel, stdlib, crypto, ssl, etc.) as
components with proper PURL, CPE, and license metadata.
This addresses a significant vulnerability scanning blind spot: OTP
itself has CVEs that are invisible without these components in the SBoM.
list_to_binary/1 crashes on codepoints > 255 (e.g. em dash in app descriptions). Use unicode:characters_to_binary/1 instead.
Author
Taure/kura#44 I am testing this with this PR.
binary:bin_to_list/1 produces raw byte lists from UTF-8 binaries, which causes badarg in xmerl export and list_to_binary in JSON encoding. Use unicode:characters_to_list/1 to preserve codepoints.
Replace all list_to_binary, binary_to_list, and binary:bin_to_list calls with unicode:characters_to_binary/1 and unicode:characters_to_list/1 where input data may contain Unicode codepoints > 255 (e.g. em dash in app descriptions). Also handle non-GitHub URLs gracefully in CPE generation instead of crashing with function_clause.
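As an added example (not code from this PR), the failure the commits above describe and the unicode-safe replacements side by side; the module name, `to_binary/1`, `to_list/1` and the sample description are constructed for illustration:

```erlang
%% Added example, not rebar3_sbom code: why list_to_binary/1 and
%% binary:bin_to_list/1 fail on non-Latin-1 text, and the unicode-safe calls.
-module(sbom_unicode_example).
-export([to_binary/1, to_list/1, demo/0]).

%% Constructed app description; \x{2014} is an em dash (codepoint > 255).
-define(DESC, "Crypto \x{2014} hash functions and ciphers").

%% Replacement for list_to_binary/1: accepts any chardata (codepoint list,
%% binary or nested iolist) and returns UTF-8, failing loudly on bad input.
to_binary(Chardata) ->
    case unicode:characters_to_binary(Chardata) of
        Bin when is_binary(Bin) -> Bin;
        {error, _Done, Rest} -> error({invalid_unicode, Rest});
        {incomplete, _Done, Rest} -> error({incomplete_unicode, Rest})
    end.

%% Replacement for binary:bin_to_list/1: decodes UTF-8 into codepoints
%% instead of returning the raw bytes.
to_list(Bin) when is_binary(Bin) ->
    case unicode:characters_to_list(Bin) of
        Str when is_list(Str) -> Str;
        Other -> error({invalid_utf8, Other})
    end.

demo() ->
    %% The old call raises badarg: 16#2014 does not fit in one byte.
    {'EXIT', {badarg, _}} = (catch list_to_binary(?DESC)),
    Utf8 = to_binary(?DESC),
    %% The em dash occupies three bytes in UTF-8, so the binary is longer.
    true = byte_size(Utf8) =:= length(?DESC) + 2,
    %% bin_to_list yields the raw bytes (16#E2 16#80 16#94), not the codepoint,
    %% so only the unicode decoder round-trips the original string.
    true = binary:bin_to_list(Utf8) =/= ?DESC,
    ?DESC = to_list(Utf8),
    ok.
```

Run with `erlc sbom_unicode_example.erl && erl -noshell -eval 'ok = sbom_unicode_example:demo(), halt().'`.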
maennchen reviewed Mar 15, 2026
src/rebar3_sbom_purl.erl
local(Name, Version) ->
    purl(["generic", string:lowercase(Name)], Version).

otp_runtime(Name, Version) ->
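Review bot: `otp_runtime(Name, Version)` has no way to receive a repository URL, so the `repository_url` qualifier that the `otp` purl type requires (see the comment below on discerning BEAM vs AtomVM) cannot be emitted from this arity; add a `RepositoryUrl` parameter, e.g. `otp_runtime(Name, Version, RepositoryUrl) ->`, and append it as a qualifier instead of building on the `generic` type used by `local/2` above.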
Member
Use the otp purl type here:
We also use this in CVEs: https://cna.erlef.org/cves/CVE-2026-23941.json
Member
Sorry for the wait @Taure.
There are two things we need to be careful of:
- When running the tool standalone (https://github.com/erlef/bombom), we are not aware of the versions. In mix_sbom I do this by detecting the burrito runtime: https://github.com/erlef/mix_sbom/blob/58f5cb57aeff28030ead6295eeddc530787e4c9b/lib/sbom/fetcher/mix_runtime.ex#L139
- An otp purl requires the repository_url to be present. Otherwise we would not be able to discern BEAM vs AtomVM etc.
Author
Ok, will try to see if I can make it better and see that these tools also work.
Switch from pkg:generic/erlang-{name} to pkg:otp/{name} per the merged
purl-spec PR#472. This aligns with the PURL format used in ERLEF CVE
disclosures (e.g. CVE-2026-23941) so that vulnerability scanners can
correctly match OTP components against known CVEs.
The otp purl type requires repository_url to distinguish BEAM runtimes (Erlang/OTP) from others (AtomVM). Update otp_runtime to accept a repository URL and emit qualifiers per purl-spec. Output format now matches ERLEF CVE data:
pkg:otp/erts@16.3?repository_url=https%3A%2F%2Fgithub.com%2Ferlang%2Fotp&vcs_url=git%2Bhttps%3A%2F%2Fgithub.com%2Ferlang%2Fotp.git
- otp_runtime/2 -> otp_runtime/3 (added RepositoryUrl parameter)
- New purl_with_qualifiers/3 helper for appending query string
- Updated tests to verify qualifier presence
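An added example (not rebar3_sbom's own code) of the otp_runtime/3 and purl_with_qualifiers/3 shape the commit message describes: it reproduces the exact PURL quoted above and, beyond that single case, sorts qualifiers by key and percent-encodes values per purl-spec canonical form. The function bodies, the git+<url>.git derivation of vcs_url and the percent-encoder are assumptions:

```erlang
%% Added example, not rebar3_sbom code: build the pkg:otp PURL with the
%% qualifiers the otp purl type requires. Function names and arities follow
%% the commit message; the implementation itself is assumed.
-module(otp_purl_example).
-export([otp_runtime/3, demo/0]).

%% Assumption: vcs_url is derived from the repository URL as git+<url>.git.
otp_runtime(Name, Version, RepositoryUrl) ->
    Qualifiers = [{"vcs_url", "git+" ++ RepositoryUrl ++ ".git"},
                  {"repository_url", RepositoryUrl}],
    purl_with_qualifiers(["otp", Name], Version, Qualifiers).

%% pkg:<type>/<name>@<version>?<k>=<v>&... with qualifiers sorted by key and
%% values percent-encoded, as purl-spec canonical form requires.
purl_with_qualifiers(Segments, Version, Qualifiers) ->
    Base = ["pkg:", lists:join("/", Segments), "@", Version],
    Query = lists:join("&", [[K, "=", pct_encode(V)]
                             || {K, V} <- lists:keysort(1, Qualifiers)]),
    lists:flatten([Base, "?", Query]).

%% Percent-encode the UTF-8 bytes of Str; RFC 3986 unreserved bytes pass
%% through, everything else (including ':' '/' '+') becomes %XX.
pct_encode(Str) ->
    lists:flatten([pct_byte(B) || <<B>> <= unicode:characters_to_binary(Str)]).

pct_byte(B) when B >= $a, B =< $z; B >= $A, B =< $Z; B >= $0, B =< $9 -> [B];
pct_byte(B) when B =:= $-; B =:= $.; B =:= $_; B =:= $~ -> [B];
pct_byte(B) -> io_lib:format("%~2.16.0B", [B]).

demo() ->
    Purl = otp_runtime("erts", "16.3", "https://github.com/erlang/otp"),
    %% Must equal the ERLEF CVE form quoted in the commit message.
    "pkg:otp/erts@16.3?repository_url=https%3A%2F%2Fgithub.com%2Ferlang%2Fotp"
    "&vcs_url=git%2Bhttps%3A%2F%2Fgithub.com%2Ferlang%2Fotp.git" = Purl,
    Purl.
```

Run with `erlc otp_purl_example.erl && erl -noshell -eval 'io:format("~s~n", [otp_purl_example:demo()]), halt().'`.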
Summary
- `--include-otp` CLI flag and `{include_otp, true}` rebar.config option to include Erlang/OTP runtime components in the generated SBoM
- erlang/otp, erts, and all loaded OTP applications (kernel, stdlib, crypto, ssl, etc.) as components with proper PURL, CPE, and license metadata
Usage
Or in rebar.config: {rebar3_sbom, [{include_otp, true}]}.
New files
- src/rebar3_sbom_otp.erl — Collects OTP runtime info and produces component proplists with PURL, CPE, licenses, and external references
- test/rebar3_sbom_otp_SUITE.erl — 19 tests (16 unit + 3 integration)
Modified files
- src/rebar3_sbom_prv.erl — Added --include-otp CLI flag + config option
- src/rebar3_sbom_purl.erl — Added otp_runtime/2 for pkg:generic/erlang-* PURLs
- test/rebar3_sbom_purl_SUITE.erl — Added otp_runtime_purl_test
Test plan
- rebar3 fmt --check clean
- rebar3 dialyzer clean
- rebar3 xref — no new warnings (only pre-existing rebar3 API warnings)