Re: [yocto] Using SBOM/spdx with DependencyTrack/CyclonDX
Thanks for the hint about the timing. My script worked, but because of the required wait before VEX upload it showed bad and inconsistent results. Here is the new version.

Regards,
Jörg

--
Navimatix GmbH, Tatzendpromenade 2, 07745 Jena
T: 03641 - 327 99 0, F: 03641 - 526 306, M: joerg.som...@navimatix.de, www.navimatix.de
Managing directors: Steffen Späthe, Jan Rommeley
Court of registration: Amtsgericht Jena, HRB 501480

From: yocto@lists.yoctoproject.org on behalf of Luiz Balloti via lists.yoctoproject.org
Sent: Monday, 4 March 2024 15:08
To: yocto@lists.yoctoproject.org
Subject: Re: [yocto] Using SBOM/spdx with DependencyTrack/CyclonDX

> Jörg,
>
> fixed CVEs should be encoded in a "vulnerabilities" section in a CycloneDX SBOM, or in an ancillary VEX document which references SBOM components.
>
> Unfortunately, Dependency-Track currently ignores the vulnerabilities section of uploaded SBOMs, so the only way is to upload the SBOM, wait until it is processed by the Dependency-Track instance and then upload the VEX document.
>
> Regards,
> Luiz
>
> On Mon, 4 Mar 2024 at 06:59, Ross Burton <ross.bur...@arm.com> wrote:
>
> > On 3 Mar 2024, at 10:09, Jörg Sommer via lists.yoctoproject.org <navimatix...@lists.yoctoproject.org> wrote:
> > [quoted original question, see the first message of this thread]
> >
> > This is something that's being actively worked on.
> >
> > In the meantime, if you're transforming the SPDX into CycloneDX then I suggest that you also read the cve-checker JSON output too, that contains information about what CVEs have been resolved via patches.
> >
> > Ross

Attachment: deptrack-spdx-upload.sh

View/Reply Online (#62675): https://lists.yoctoproject.org/g/yocto/message/62675
Re: [yocto] Using SBOM/spdx with DependencyTrack/CyclonDX
Jörg,

fixed CVEs should be encoded in a "vulnerabilities" section in a CycloneDX SBOM, or in an ancillary VEX document which references SBOM components.

Unfortunately, Dependency-Track currently ignores the vulnerabilities section of uploaded SBOMs, so the only way is to upload the SBOM, wait until it is processed by the Dependency-Track instance and then upload the VEX document.

Regards,
Luiz

On Mon, 4 Mar 2024 at 06:59, Ross Burton wrote:

> On 3 Mar 2024, at 10:09, Jörg Sommer via lists.yoctoproject.org wrote:
> [quoted original question, see the first message of this thread]
>
> This is something that's being actively worked on. In the meantime, if you're transforming the SPDX into CycloneDX then I suggest that you also read the cve-checker JSON output too, that contains information about what CVEs have been resolved via patches.
>
> Ross

View/Reply Online (#62664): https://lists.yoctoproject.org/g/yocto/message/62664
Re: [yocto] Using SBOM/spdx with DependencyTrack/CyclonDX
On 3 Mar 2024, at 10:09, Jörg Sommer via lists.yoctoproject.org wrote:

> does anyone use DependencyTrack https://dependencytrack.org/ to analyse CVE vulnerabilities? I've created a script to convert the spdx.tar.zst to a CycloneDX JSON and upload this to DependencyTrack. But I'm having the problem that CVEs fixed in Yocto by patches are not reflected in the spdx. There is the sourceInfo field that lists fixed CVEs, but I don't know how to encode this in CycloneDX. How is this done with SPDX? Does anyone do CVE analysis with SPDX?

This is something that's being actively worked on.

In the meantime, if you're transforming the SPDX into CycloneDX then I suggest that you also read the cve-checker JSON output too, that contains information about what CVEs have been resolved via patches.

Ross

View/Reply Online (#62661): https://lists.yoctoproject.org/g/yocto/message/62661
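Ross's suggestion to read the cve-checker JSON alongside the SPDX, and Luiz's point that fixed CVEs belong in a separate VEX document uploaded after the SBOM has been processed, combine into one conversion step. The Python below is an added example, not the script attached to this thread: it turns a cve-check report into a CycloneDX VEX document whose analysis states Dependency-Track can apply to the already-uploaded SBOM. The report layout mirrors the cve-summary.json produced by Yocto's cve-check class, but the sample data is constructed, and the `pkg:name@version` bom-ref scheme is an assumption that must match whatever your SPDX-to-CycloneDX converter assigned to each component.

```python
import json

# Constructed sample in the layout of cve-check's JSON report
# (assumption: your release writes the same "package"/"issue" keys).
CVE_CHECK_JSON = """
{"version": "1", "package": [
  {"name": "libfoo", "layer": "meta", "version": "1.2.3",
   "products": [{"product": "libfoo", "cvesInRecord": "Yes"}],
   "issue": [
     {"id": "CVE-2023-0001", "status": "Patched", "scorev3": "7.5",
      "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0001"},
     {"id": "CVE-2023-0002", "status": "Unpatched", "scorev3": "5.3",
      "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0002"},
     {"id": "CVE-2023-0003", "status": "Ignored", "scorev3": "4.0",
      "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-0003"}]}]}
"""

# cve-check status -> CycloneDX analysis.state. "Unpatched" gets no VEX
# entry on purpose: Dependency-Track should keep reporting open CVEs.
STATE_MAP = {"Patched": "resolved", "Ignored": "not_affected"}

def bom_ref(name, version):
    """Assumed bom-ref scheme; replace with the one your SBOM converter uses."""
    return f"pkg:{name}@{version}"

def build_vex(report, bom_ref_for=bom_ref):
    """Build a CycloneDX 1.4 VEX document from a parsed cve-check report."""
    vulns = []
    for pkg in report.get("package", []):
        ref = bom_ref_for(pkg["name"], pkg["version"])
        for issue in pkg.get("issue", []):
            state = STATE_MAP.get(issue["status"])
            if state is None:
                continue  # open CVE: leave it for Dependency-Track to flag
            vulns.append({
                "id": issue["id"],
                "source": {"name": "NVD", "url": issue["link"]},
                "analysis": {"state": state,
                             "detail": f"cve-check status: {issue['status']}"},
                "affects": [{"ref": ref}],  # must match a bom-ref in the SBOM
            })
    return {"bomFormat": "CycloneDX", "specVersion": "1.4",
            "version": 1, "vulnerabilities": vulns}

def vex_from_report_text(text):
    return build_vex(json.loads(text))

if __name__ == "__main__":
    print(json.dumps(vex_from_report_text(CVE_CHECK_JSON), indent=2))
```

Upload the resulting document only after Dependency-Track has finished processing the SBOM, as Luiz describes, otherwise the `affects` references resolve to nothing.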
[yocto] Using SBOM/spdx with DependencyTrack/CyclonDX
Hi,

does anyone use DependencyTrack https://dependencytrack.org/ to analyse CVE vulnerabilities? I've created a script to convert the spdx.tar.zst to a CycloneDX JSON and upload this to DependencyTrack. But I'm having the problem that CVEs fixed in Yocto by patches are not reflected in the spdx. There is the sourceInfo field that lists fixed CVEs, but I don't know how to encode this in CycloneDX. How is this done with SPDX? Does anyone do CVE analysis with SPDX?

Regards
Jörg

Attachment: deptrack-spdx-upoad

View/Reply Online (#62652): https://lists.yoctoproject.org/g/yocto/message/62652