Re: [Buildroot] [PATCH v2 1/5] support/scripts/cve-check: fix vulnerability timestamp to RFC 3339

[Thomas Petazzoni via buildroot <buildroot@buildroot.org>]

On Fri, May 29, 2026 at 05:06:27PM +0200, Thomas Perale via buildroot wrote:
> Normalize vulnerability timestamps to RFC 3339 format with explicit UTC
> timezone suffix for CycloneDX 1.6 compliance.
> This fixes validation errors in sbom-utility and makes the generated
> SBOM with vulnerabilities compatible with DependencyTrack VEX parsers.
> 
> The NVD JSON data feeds provide timestamps in ISO 8601 format without timezone
> information (e.g., "1999-01-01T05:00:00.000"), but CycloneDX 1.6 requires
> RFC 3339 format with explicit timezone designation (e.g.,
> "1999-01-01T05:00:00.000Z").
> 
> Add nvd_datetime_to_rfc3339() helper function to convert timestamps before
> serialization.
> 
> Validation results:
> 
> Before fix:
>   $ sbom-utility validate -i cve/cve_report_current.json
>   [INFO] BOM valid against JSON schema: 'false'
>   [INFO] (234) schema errors detected.
> 
>   Error example:
>   {
>     "type": "format",
>     "field": "vulnerabilities.0.updated",
>     "context": "(root).vulnerabilities.0.updated",
>     "description": "Does not match format 'date-time'",
>     "value": "2025-04-03T01:03:51.193"
>   }
> 
> After fix:
>   $ sbom-utility validate -i cve/cve_report_update.json
>   [INFO] BOM valid against JSON schema: 'true'
> 
> Tested-with: sbom-utility v0.18.1
> Co-authored-by: Fabien Lehoussel <fabien.lehoussel@smile.fr>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>

Thanks, applied to master!

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot