The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.
To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Per the CycloneDX 1.4 spec, the `metadata.timestamp` field contains
the date/time when the BOM was created [1].
Before the change, the value generated by the package-metadata.pl
script would look like this:
2024-06-03T15:51:10
CycloneDX 1.4 relies on the JSON Schema specification version draft-07,
which defines the `date-time` format [2] as derived from RFC 3339,
section 5.6 [3]. In this format, the `time-offset` component is required,
however in the original version of package-metadata.pl it is omitted.
This is causing problems with OWASP Dependency-Track version 4.11.0 or
newer, where it now validates submitted SBOMs against the JSON schema
by default [4]. SBOMs with incorrect timestamp values are rejected with
the following error:
{
"detail": "Schema validation failed",
"errors": [
"$.metadata.timestamp: 2024-06-03T15:51:10 is an invalid date-time"
],
"status": 400,
"title": "The uploaded BOM is invalid"
}
Add explicit `Z` (UTC) timezone offset in the `timestamp` field
to satisfy the CycloneDX schema.
[1]: https://github.com/CycloneDX/specification/blob/1.4/schema/bom-1.4.schema.json#L116-L121
[2]: https://json-schema.org/draft-07/draft-handrews-json-schema-validation-01#rfc.section.7.3.1
[3]: https://datatracker.ietf.org/doc/html/rfc3339#section-5.6
[4]: https://github.com/DependencyTrack/dependency-track/pull/3522
Signed-off-by: Roman Azarenko <roman.azarenko@iopsys.eu>
(cherry picked from commit 2ded629864)
Link: https://github.com/openwrt/openwrt/pull/15693
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
As stated in the cycloneDX documentation, the field "type" is mandatory for all components.
More details here (https://cyclonedx.org/docs/1.5/json/#components_items_type)
Signed-off-by: Cedric DOURLENT <cedric.dourlent@softathome.com>
(cherry picked from commit 84331215e5)
When `log.showSignature` is set, it causes the `SOURCE_DATE_EPOCH` to
include a textual signature description on OpenPGP-signed commits,
because Git prints the description into stdout. This then causes some
scripts to fail because they cannot parse the date from the variable.
Adding an explicit `--no-show-signature` prevents the signatures from
being displayed even when one has Git configured to show them by
default, fixing the scripts.
Signed-off-by: Oto Šťáva <oto.stava@gmail.com>
(cherry picked from commit 1e93208bd2)
Add new function to dump-targer-info.pl to DUMP devices provided a
matching target/subtarget.
Example:
./scripts/dump-targer-info.pl devices ipq806x/generic
will produce the sorted list of devices defined in the following format:
device_id device_name
Devices may have alternative names, the script will dump each
alternative name in the same line of device_id.
Following the pattern:
device_id "PRIMARY DEVICE NAME" "ALT0 DEVICE NAME" "ALT1 DEVICE NAME" ...
Example:
tplink_ad7200 "TP-Link AD7200 v1/v2" "TP-Link Talon AD7200 v1/v2"
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 943c153cdd)
With the case of asking an invalid version that is too big, getver.sh
might return an invalid output in the form of HEAD~-2260475641.
This is caused by BASE_REV - GET_REV using a negative number.
Prevent this by checking if BASE_REV - GET_REV actually return 0 or a
positive number and set REV variable accordingly. With the following
change, invalid revision number will result in unknown printed instead
of the invalid HEAD~-NUMBERS output.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 9e49e0a6c4)
CycloneDX is an open source standard developed by the OWASP foundation.
It supports a wide range of development ecosystems, a comprehensive set
of use cases, and focuses on automation, ease of adoption, and
progressive enhancement of SBOMs (Software Bill Of Materials) throughout
build pipelines.
So lets add support for CycloneDX SBOM for packages and images
manifests.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit d604a07225)
There is no standard for ABI versioning, so its not possible to find out
from `libext2fs2`, `libiwinfo20230701` or `libss2` package names if
thats just package name or package name with ABI version included. To
help with the decision, lets make ABI version aviable in package index.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 649655f427)
Common Platform Enumeration (CPE) is a structured naming scheme for
information technology systems, software, and packages.
In order for the information to be processed further, it should also be
available in JSON package manifests.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 8562c65ff8)
The ide-drive option was renamed to ide-hd in qemu 6.0.
With this change qemu is starting again on Debian 12.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 497012ab4e)
U-Boot with enabled secure-boot will not boot images with the
@-character used for hash node-names.
Use the existing separation character configurable for each device.
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 2b133ab19c)
Hardware
--------
CPU: Mediatek MT7981
RAM: 512M DDR4
FLASH: 256M NAND
ETH: MaxLinear GPY211 (2.5GbE N Base-T)
WiFi: Mediatek MT7981 (2.4GHz 2T2R:2 5GHz 3T3R:2 802.11ax)
BTN: 1x Reset
LED: 1x Multi-Color
UART Console
------------
Available below the rubber cover next to the ethernet port.
Settings: 115200 8N1
Layout:
<12V> <LAN> GND-RX-TX-VCC
Logic-Level is 3V3. Don't connect VCC to your UART adapter!
Installation Web-UI
-------------------
Upload the Factory image using the devices Web-Interface.
As the device uses a dual-image partition layout, OpenWrt can only
installed on Slot A. This requires the current active image prior
flashing the device to be on Slot B.
In case this is not the case, OpenWrt will boot only one time, returning
to the ZyXEL firmware the second boot.
If this happens, first install a ZyXEL firmware upgrade of any version
and install OpenWrt after that.
Installation TFTP / Recovery
----------------------------
This installation routine is especially useful in case of a bricked
device.
Attach to the UART console header of the device. Interrupt the boot
procedure by pressing Enter.
The bootloader has a reduced command-set available from CLI, but more
commands can be executed by abusing the atns command.
Boot a OpenWrt initramfs image available on a TFTP server at
192.168.1.66. Rename the image to nwa50axpro-openwrt-initramfs.bin.
$ atnf nwa50axpro-openwrt-initramfs.bin
$ atna 192.168.1.88
$ atns "192.168.1.66; tftpboot; setenv fdt_high 0xffffffffffffffff;
bootm"
Upon booting, set the booted image to the correct slot:
$ zyxel-bootconfig /dev/mtd9 get-status
$ zyxel-bootconfig /dev/mtd9 set-image-status 0 valid
$ zyxel-bootconfig /dev/mtd9 set-active-image 0
Copy the OpenWrt sysupgrade image to the device using scp.
Write the sysupgrade image to NAND using sysupgrade.
$ sysupgrade -n image.bin
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit f0445746f6)
Instead of loading the whole image into the memory when generating the
sha256 sum, we load the file in chunks and update the hash incrementally
to avoid MemoryError in python. Also remove a stray empty line.
Fixes: #13056
Signed-off-by: Adones Pitogo <pitogo.adones@gmail.com>
(mention empty line removal, adds Fixes from PR)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit bdb4b78210)
DT overlays do not need relocation in order to be applied, so drop
defining the load address for dtbos.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit cff3786bd5)
These fields are used for EAX12 and EX6250v2 series, and perhaps other
devices. Compatibility is preserved with the WAX202 and WAX206.
In addition, adds the related vars to DEVICE_VARS so that the variables
work correctly with multiple devices.
References in GPL source:
https://www.downloads.netgear.com/files/GPL/EAX12_EAX11v2_EAX15v2_GPL_V1.0.3.34_src.tar.gz
* tools/imgencoder/src/gj_enc.c
Contains code that generates the encrypted image.
Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
(cherry picked from commit 0a1ebccc87)
This improves compatibility with the elder stock firmwares of the
following devices, which have not yet been merged into OpenWrt:
- Beeline SmartBox Pro
- Beeline SmartBox Turbo+
- WiFire S1500.NBN
Without this, OpenWrt factory image installation may fail.
Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
Signed-off-by: Maximilian Weinmann <x1@disroot.org>
(cherry picked from commit 35a4418d39)
The armvirt target has been renamed to 'armsr' (Arm SystemReady)
after inclusion of EFI support.
Change references (including subtargets) accordingly.
Signed-off-by: Mathew McBride <matt@traverse.com.au>
(cherry picked from commit 36bf9d8610)
The use case for this is to set the kernel partition as the
EFI system partition. Versions of U-Boot with the
EFI boot manager (eficonfig and efidebug commands) will
store their boot order data on the ESP.
Signed-off-by: Mathew McBride <matt@traverse.com.au>
(cherry picked from commit 701d774f54)
Instead of generating full config nodes incl. kernel, generate minimal
config nodes for device tree overlays to be applied to the main config.
In this way, multiple device tree overlays can be applied more easily.
While at it change filenames to upstream style, ie. use dtso and dtbo
suffix for device tree overlays.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 6b01d40bfe)
Allow passing in an optional offset (PARTOFFSET) for the first partition.
If not specified this will default to 256K (512 blocks) as it has before.
For example if you want to start partition data at a 16M offset instead
of 256K, specify 'PARTOFFSET=16M'.
Signed-off-by: Tim Harvey <tharvey@gateworks.com>
Apparently, Sercomm sets 2 padding bytes instead of 1 (ramips).
The HW version is a bit different than the one used for ramips.
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Allow passing Sercomm PID from file.
Until now, Sercomm PID could only be passed as an array of hex bytes.
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
There is no CONFIG_BINARY_DIR, it's CONFIG_BINARY_FOLDER.
While at it, don't parse the shell compatible .config, eval it.
Signed-off-by: Andre Heider <a.heider@gmail.com>
If CONFIG_BINARY_FOLDER is set in .config, use that instead of "bin" as
the bindir.
That allows to set that config and easily run e.g.
`./scripts/qemustart armvirt 32`.
Signed-off-by: Andre Heider <a.heider@gmail.com>
It's possible to have prebuilt tools already extracted. Add option to
just refresh the timestamps.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Host tools path may be a symbolic link. Use -H with find to follow path
links passed from command line to find command.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Allign dl_github_archieve.py to 8252511dc0
change. On supported system the sigid bit is applied to files and tar
archieve that on tar creation. This cause unreproducible tar for these
system and these bit should be dropped to produce reproducible tar.
Add the missing option following the command options used in other
scripts.
Fixes: 75ab064d2b ("build: download code from github using archive API")
Suggested-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Tested-by: Robert Marko <robimarko@gmail.com>
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
The redundant character '0x0a' after the 192 bytes '0x00' padding broke
the factory image. We need to remove it to make things work again.
Fixes: e6769d11f3 scripts: fix missing character '0' issue in linksys image
Tested-by: Tony Butler <spudz76@gmail.com>
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
The -w|--whitelist and -D|--download-dir arguments pass an additional value,
properly evaluate that.
Also allow to pass the download directory without -D|--download-dir, just as
the usage describes.
Finally fix spitting out the wrong error messages about those args.
Signed-off-by: Andre Heider <a.heider@gmail.com>
BSD wc can output more whitespaces, which breaks the cut usage.
Replace the cut invocation with awk, which is more portable.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Support defining a per-device loadaddress for the DTB. This is required
for devices which to not align the DTB from the bootloader correctly.
Signed-off-by: David Bauer <mail@david-bauer.net>
In the stock firmware of Linksys, there is a '0' after the crc checksum.
Validated on EA6350V3, EA7300 and EA7300V2's stock images.
Fixes: 892d741259 build: add a script for generating Linksys factory images
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
The aria2c command tries to load config from
${XDG_CONFIG_HOME:-${HOME}/.config}/aria2/aria2.conf by default,
which may result unexpected behavior.
As a replacement, people can use environment variable ARIA2C_OPTIONS
to custom arguments passed to aria2c like curl and wget below.
Including --conf-path=/path/to/config.conf in ARIA2C_OPTIONS can
also set a custom config file path easily if needed.
Signed-off-by: Zhang Hua <zhanghuadedn@gmail.com>
Introduce a new option in the "Advanced configuration options" to
configure a custom download tool.
By declaring a string in "Use custom download tool" an user can force
what command to use to download package. With the string empty the
default tool used is curl, with wget as a fallback if not available.
download.pl supports 3 tools officially aria2c, curl and wget.
If one of the tool is used in this config, download.pl will use the
default args to make use of them.
If the provided string is different than aria2c, curl or wget, the command
is used as is and the download url will be appended at the end of such command.
While at it also tweak the tool selection logic and chose the tool only
once when the script is called and move aria2c specific variables in the
relevant section.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Add a simple script to make it easier to install a prebuilt tools tar.
Currently it will be used by our tools container and kernel workflow on
github.
Simple script that take a tar that contains prebuilt host tools, extract
them and refresh the timestamps to skip recompilation of such host
tools.
By default it refresh timestamps of build_dir/host and
staging_dir/host/stamp.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Generilize download tool check and skip other check if a download tool
has been found.
While at it also reintroduce c836ca84e8
that was previously dropped with aria2c support.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Currently we use /dev/shm to place aria2c tmp file. This is not present
on macos. Use the openwrt tmp directory instead of the linux-only
/dev/shm to save compatibility with more os.
Fixes: d391236269 ("download.pl: add aria2c support")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
With the introduction of aria2c support, curl and wget no longer try to
download the file from mirrors. Fix this regression by emptying the
remaining mirrors list only when aria2c is used.
Fixes: d391236269 ("download.pl: add aria2c support")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Fix whitespace in mirror urls and replace for loop with join+map logic.
Fixes: d391236269 ("download.pl: add aria2c support")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Use aria2c download tool by default on package download if available in
the system.
aria2c permits to use multiple mirrors and may improve download speed on
special context where servers are hard to reach.
Co-authored-by: Christian Marangi <ansuelsmth@gmail.com>
Signed-off-by: Bradford Zhang <zyc@zyc.name>
[ fix wrong var in the script and improve commit description ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Allow comparing subdirectories exactly like files.
Handle a corner case where the new subdirectory
has the same tarball inside of it
as the one that was downloaded
before a subdirectory for that package was established.
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Improve dl_cleanup by adding an option to also clean the build directory
related to the downloaded package.
The script will check every directory in build_dir/ and check if any
old package is present there. If outdated package are found, the old
one are cleared leaving only the last one.
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>