esp-idf/components/newlib/sbom.yml

name: 'newlib'
version: '4.3.0'
cpe: cpe:2.3:a:newlib_project:newlib:{}:*:*:*:*:*:*:*
supplier: 'Organization: Espressif Systems (Shanghai) CO LTD'
originator: 'Organization: Red Hat Incorporated'
description: An open-source C standard library implementation with additional features and patches from Espressif.
cve-exclude-list:
  - cve: CVE-2024-30949
    reason: A vulnerability was discovered in the gettimeofday system call implementation within the RISC-V libgloss component of Newlib. ESP-IDF does not link against libgloss for RISC-V, hence the issue is not directly applicable. Still, the relevant fix has been patched through https://github.com/espressif/newlib-esp32/commit/047ba47013c2656a1e7838dc86cbc75aeeaa67a7
feat(newlib): Add sbom manifest file 2023-10-11 13:25:59 +04:00			`name: 'newlib'`
			`version: '4.3.0'`
			`cpe: cpe:2.3:a:newlib_project:newlib:{}:::::::*`
			`supplier: 'Organization: Espressif Systems (Shanghai) CO LTD'`
			`originator: 'Organization: Red Hat Incorporated'`
			`description: An open-source C standard library implementation with additional features and patches from Espressif.`
fix(newlib): sbom: add CVE-2024-30949 to cve-exclude-list 2024-09-06 18:27:09 +07:00			`cve-exclude-list:`
			`- cve: CVE-2024-30949`
			`reason: A vulnerability was discovered in the gettimeofday system call implementation within the RISC-V libgloss component of Newlib. ESP-IDF does not link against libgloss for RISC-V, hence the issue is not directly applicable. Still, the relevant fix has been patched through https://github.com/espressif/newlib-esp32/commit/047ba47013c2656a1e7838dc86cbc75aeeaa67a7`