EDK II OSS inventory
Brian Mullen <BrianM@...>
Where can a comprehensive list of OSS (package and version numbers) included in EDK II be found? This is needed for:
1. Vulnerability management
2. SBOM (when generated by downstream vendor)
The following is found in the release notes but is insufficient:
-------------------------------------------------------------------------------------------------------------------------------------------
The majority of the content in the EDK II open source project uses a BSD-2-Clause Plus Patent License<https://github.com/tianocore/edk2/blob/master/License.txt>. The EDK II open source project contains the following components that are covered by additional licenses:
* BaseTools/Source/C/LzmaCompress<https://github.com/tianocore/edk2/blob/master/BaseTools/Source/C/LzmaCompress/LZMA-SDK-README.txt>
* BaseTools/Source/C/VfrCompile/Pccts<https://github.com/tianocore/edk2/blob/master/BaseTools/Source/C/VfrCompile/Pccts/RIGHTS>
* CryptoPkg/Library/BaseCryptLib/SysCall/inet_pton.c<https://github.com/tianocore/edk2/blob/master/CryptoPkg/Library/BaseCryptLib/SysCall/inet_pton.c>
* CryptoPkg/Library/Include/crypto/dso_conf.h<https://github.com/openssl/openssl/blob/e2e09d9fba1187f8d6aafaa34d4172f56f1ffb72/LICENSE>
* CryptoPkg/Library/Include/openssl/opensslconf.h<https://github.com/openssl/openssl/blob/e2e09d9fba1187f8d6aafaa34d4172f56f1ffb72/LICENSE>
* EmbeddedPkg/Library/FdtLib<https://github.com/tianocore/edk2/blob/master/EmbeddedPkg/Library/FdtLib/fdt.c>. (EDK II uses BSD License)
* EmbeddedPkg/Include/fdt.h<https://github.com/tianocore/edk2/blob/master/EmbeddedPkg/Include/fdt.h>. (EDK II uses BSD Licence)
* EmbeddedPkg/Include/libfdt.h<https://github.com/tianocore/edk2/blob/master/EmbeddedPkg/Include/libfdt.h>. (EDK II uses BSD License)
* MdeModulePkg/Library/LzmaCustomDecompressLib<https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Library/LzmaCustomDecompressLib/LZMA-SDK-README.txt>
* OvmfPkg<https://github.com/tianocore/edk2/blob/master/OvmfPkg/License.txt>
The EDK II open source project uses content from upstream projects as git submodules that are covered by additional licenses.
* ArmPkg/Library/ArmSoftFloatLib/berkeley-softfloat-3<https://github.com/ucb-bar/berkeley-softfloat-3/blob/b64af41c3276f97f0e181920400ee056b9c88037/COPYING.txt>
* BaseTools/Source/C/BrotliCompress/brotli<https://github.com/google/brotli/blob/666c3280cc11dc433c303d79a83d4ffbdd12cc8d/LICENSE>
* CryptoPkg/Library/OpensslLib/openssl<https://github.com/openssl/openssl/blob/e2e09d9fba1187f8d6aafaa34d4172f56f1ffb72/LICENSE>
* MdeModulePkg/Library/BrotliCustomDecompressLib/brotli<https://github.com/google/brotli/blob/666c3280cc11dc433c303d79a83d4ffbdd12cc8d/LICENSE>
* MdeModulePkg/Universal/RegularExpressionDxe/oniguruma<https://github.com/kkos/oniguruma/blob/abfc8ff81df4067f309032467785e06975678f0d/COPYING>
* UnitTestFrameworkPkg/Library/CmockaLib/cmocka<https://github.com/tianocore/edk2-cmocka/blob/f5e2cd77c88d9f792562888d2b70c5a396bfbf7a/COPYING>
* UnitTestFrameworkPkg/Library/GoogleTestLib/googletest<https://github.com/google/googletest/blob/86add13493e5c881d7e4ba77fb91c1f57752b3a4/LICENSE>
* RedfishPkg/Library/JsonLib/jansson<https://github.com/akheron/jansson/blob/2882ead5bb90cf12a01b07b2c2361e24960fae02/LICENSE>
Thank You,
Brian
-The information contained in this message may be confidential and proprietary to American Megatrends (AMI). This communication is intended to be read only by the individual or entity to whom it is addressed or by their designee. If the reader of this message is not the intended recipient, you are on notice that any distribution of this message, in any form, is strictly prohibited. Please promptly notify the sender by reply e-mail or by telephone at 770-246-8600, and then delete or destroy all copies of the transmission.
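An added example, not part of the original message and not EDK II tooling: it parses a few of the release-note entries quoted above to show what inventory data they carry. Submodule entries yield an upstream repository and a pinned commit (no release version), while in-tree components link only to `master`. The function name `build_inventory` is an assumption of this example.

```python
import re
from collections import defaultdict

# Entries copied from the release-note excerpt quoted in the message above.
RELEASE_NOTE_LINES = """\
* BaseTools/Source/C/LzmaCompress<https://github.com/tianocore/edk2/blob/master/BaseTools/Source/C/LzmaCompress/LZMA-SDK-README.txt>
* BaseTools/Source/C/BrotliCompress/brotli<https://github.com/google/brotli/blob/666c3280cc11dc433c303d79a83d4ffbdd12cc8d/LICENSE>
* CryptoPkg/Library/OpensslLib/openssl<https://github.com/openssl/openssl/blob/e2e09d9fba1187f8d6aafaa34d4172f56f1ffb72/LICENSE>
* MdeModulePkg/Library/BrotliCustomDecompressLib/brotli<https://github.com/google/brotli/blob/666c3280cc11dc433c303d79a83d4ffbdd12cc8d/LICENSE>
* MdeModulePkg/Universal/RegularExpressionDxe/oniguruma<https://github.com/kkos/oniguruma/blob/abfc8ff81df4067f309032467785e06975678f0d/COPYING>
"""

# "* <edk2 path><https://github.com/<owner>/<repo>/blob/<ref>/<file>>"
ENTRY = re.compile(
    r"^\*\s*(?P<path>[^<\s]+)<https://github\.com/"
    r"(?P<repo>[^/]+/[^/]+)/blob/(?P<ref>[^/]+)/[^>]*>"
)
SHA1 = re.compile(r"[0-9a-f]{40}")


def build_inventory(text):
    """Return (pinned, unpinned).

    pinned:   {(upstream repo, commit): [EDK II paths using it]}
    unpinned: [(EDK II path, repo, ref)] where the link names a branch,
              so the entry identifies no specific upstream revision.
    """
    pinned = defaultdict(list)
    unpinned = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # not a component entry
        if SHA1.fullmatch(m["ref"]):
            pinned[(m["repo"], m["ref"])].append(m["path"])
        else:
            unpinned.append((m["path"], m["repo"], m["ref"]))
    return dict(pinned), unpinned


if __name__ == "__main__":
    pinned, unpinned = build_inventory(RELEASE_NOTE_LINES)
    for (repo, commit), paths in sorted(pinned.items()):
        print(f"{repo}@{commit}  used by: {', '.join(paths)}")
    for path, repo, ref in unpinned:
        print(f"NO PINNED REVISION: {path} (link points at {repo} '{ref}')")
```

A commit hash still has to be mapped to an upstream release before it can be matched against version-based vulnerability advisories, and the `master` entries carry no revision information at all.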