
Espressif ESP-IDF framework dependency

Open peergum opened this issue 3 years ago • 3 comments

When developing embedded firmware in the Espressif ESP-IDF ecosystem, we need to refer to a specific (or minimal) version of the framework, which is actually installed independently from the firmware itself. Since the framework evolves - and may have both compatibility and security issues - it would be very useful to be able to refer to the framework used in a simple dependency file.

That file could also describe the components used in the framework.

The ESP-IDF framework is available on github (Espressif ESP-IDF).

Practically a basic json file would do, that could point to any github repository in general and add other information as required or optionally, something like:

{
  "framework": "https://github.com/espressif/esp-idf",
  "branch": "release/v5.0",
  "commit": "75c3a69",
  "components": [
    "nvs_flash",
    "esp_wifi",
    ...
  ]
}

peergum avatar Dec 05 '22 15:12 peergum

Actually, this could even help set up the framework if necessary (although not currently used by @espressif)

peergum avatar Dec 05 '22 15:12 peergum

Hi @peergum!

Thanks for reaching out with this. I think I need some clarification though. Are you proposing a generic solution for dependency management or a solution for specifically Espressif ESP-IDF?

KateCatlin avatar Jan 11 '23 21:01 KateCatlin

Hey Kate. The idea is mostly to somehow be able to get notifications when a dependency on a project or component needs to be upgraded. So it could be specific to Espressif if there’s an easy way to check when an internal component for a specific version of the IDF requires an update, or it could be generic and some existing process detecting vulnerabilities would have to be adapted to also check IDF ones. I’d say something proprietary would most likely be more suited…


peergum avatar Jan 11 '23 23:01 peergum
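To make the proposal concrete, here is an added example (not code from the issue, from GitHub, or from Espressif) that covers both parts of the thread: it parses and validates a manifest in the shape sketched in the opening post, then matches the pinned framework version and the listed components against a small advisory feed to produce the kind of "this dependency needs an upgrade" notification the later reply asks for. The manifest text, the advisory entries (their `EXAMPLE-...` ids, packages and version ranges), the `esp-idf` package name used for the framework itself, and the `introduced`/`fixed` range fields are all constructed for this illustration; they are not real advisories and not any existing database schema.

```python
"""Validate a proposed ESP-IDF dependency manifest and check it against an
advisory feed. Constructed example; the advisories below are hypothetical."""
import json
import re

# Constructed manifest in the shape proposed in the issue. The "..." of the
# original sketch is replaced by a concrete component so the JSON parses.
MANIFEST_JSON = """
{
  "framework": "https://github.com/espressif/esp-idf",
  "branch": "release/v5.0",
  "commit": "75c3a69",
  "components": ["nvs_flash", "esp_wifi", "lwip"]
}
"""

# Constructed advisory feed (hypothetical ids, packages and ranges). Each entry
# names a package (the framework itself, called "esp-idf" here, or one of its
# components), the first affected version and the first fixed version.
ADVISORIES = [
    {"id": "EXAMPLE-2023-0001", "package": "esp_wifi",
     "introduced": "4.4", "fixed": "5.1"},
    {"id": "EXAMPLE-2023-0002", "package": "nvs_flash",
     "introduced": "4.0", "fixed": "4.4"},
    {"id": "EXAMPLE-2023-0003", "package": "esp-idf",
     "introduced": "5.0", "fixed": "5.0.2"},
    {"id": "EXAMPLE-2023-0004", "package": "mbedtls",
     "introduced": "0", "fixed": "5.0"},
]

FRAMEWORK_PACKAGE = "esp-idf"          # hypothetical name for the framework
_BRANCH_RE = re.compile(r"^release/v(\d+(?:\.\d+)*)$")
_COMMIT_RE = re.compile(r"^[0-9a-f]{7,40}$")


def parse_version(text):
    """'5.0.2' -> (5, 0, 2); tuples compare the way version numbers should."""
    return tuple(int(part) for part in text.split("."))


def parse_manifest(raw):
    """Load the manifest and reject malformed or missing fields early.

    json.loads already raises a ValueError subclass for syntax errors such as
    the missing comma in the original sketch, so callers need one except clause.
    """
    data = json.loads(raw)
    for key in ("framework", "branch", "commit", "components"):
        if key not in data:
            raise ValueError(f"missing required field: {key}")
    if not data["framework"].startswith("https://"):
        raise ValueError("framework must be an https URL")
    branch = _BRANCH_RE.match(data["branch"])
    if not branch:
        raise ValueError("branch must look like release/vX.Y")
    if not _COMMIT_RE.match(data["commit"]):
        raise ValueError("commit must be an abbreviated or full lowercase hex SHA")
    components = data["components"]
    if not isinstance(components, list) or not all(isinstance(c, str) for c in components):
        raise ValueError("components must be a list of strings")
    return {
        "framework": data["framework"],
        "version": parse_version(branch.group(1)),
        "commit": data["commit"],
        "components": set(components),
    }


def find_affecting_advisories(manifest, advisories):
    """Return ids of advisories for packages the firmware actually uses whose
    [introduced, fixed) range contains the pinned framework version."""
    used = manifest["components"] | {FRAMEWORK_PACKAGE}
    version = manifest["version"]
    hits = []
    for adv in advisories:
        if adv["package"] not in used:
            continue  # component not compiled in: no notification
        if parse_version(adv["introduced"]) <= version < parse_version(adv["fixed"]):
            hits.append(adv["id"])
    return hits


if __name__ == "__main__":
    manifest = parse_manifest(MANIFEST_JSON)
    for advisory_id in find_affecting_advisories(manifest, ADVISORIES):
        print(f"upgrade needed: {advisory_id}")
```

With the constructed feed this flags `EXAMPLE-2023-0001` (esp_wifi, used and in range) and `EXAMPLE-2023-0003` (the framework itself), skips `EXAMPLE-2023-0002` (already fixed before 5.0) and ignores `EXAMPLE-2023-0004` (mbedtls is not in the component list). One caveat the branch field alone cannot resolve: `release/v5.0` is a moving line, so the version derived from it is only a lower bound for what the pinned commit contains; a fix landed on that branch after `75c3a69` would still be missing from the build, which is why the commit, not just the branch, has to be what a real checker compares against.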