Hi,

does anyone use DependencyTrack https://dependencytrack.org/ to analyse CVE 
vulnerabilities? I've created a script to convert the spdx.tar.zst to a 
CycloneDX JSON and upload this to DependencyTrack. But I'm having the problem 
that CVEs fixed in Yocto by patches are not reflected in the spdx. There is the 
sourceInfo field that lists fixed CVEs, but I don't know how to encode this in 
CycloneDX. How is this done with SPDX? Does anyone do CVE analysis with SPDX?

Regards Jörg

Attachment: deptrack-spdx-upoad
Description: deptrack-spdx-upoad
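One way to carry the "fixed by patch" information across the conversion is CycloneDX's `vulnerabilities` section (spec 1.4 and later), where each entry has an `analysis.state`; `resolved` is the state for a finding that the component has been patched against. The script below is an added example, not the poster's attached `deptrack-spdx-upoad` script and not Yocto or Dependency-Track code: it reads an SPDX 2.2 document in the shape Yocto's create-spdx class writes, pulls CVE ids out of each package's `sourceInfo` with a regex (the exact wording Yocto puts in that field is an assumption here, which is why the regex only looks for `CVE-YYYY-NNNN` tokens), and emits a CycloneDX JSON BOM whose components are the SPDX packages and whose vulnerabilities are marked `resolved` for the package they were patched in. The sample SPDX document is constructed.

```python
"""Convert a Yocto-style SPDX 2.2 JSON document into a CycloneDX 1.4 BOM that records
CVEs fixed by recipe patches as vulnerabilities with analysis.state = "resolved".

Added example; assumes the CVE ids appear as plain "CVE-YYYY-NNNN" tokens inside the
package's sourceInfo string (the exact surrounding text Yocto writes is an assumption).
"""
import json
import re
import uuid

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample: the subset of an SPDX 2.2 document this script consumes.
# A real create-spdx document carries many more fields; the sourceInfo text below is
# a made-up "fixed CVEs" note, not copied from a real build.
SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.2",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "recipe-example",
    "packages": [
        {
            "SPDXID": "SPDXRef-Recipe-example",
            "name": "example",
            "versionInfo": "1.2.3",
            "sourceInfo": "CVEs fixed: CVE-2023-0001 CVE-2023-0002",
        },
        {
            "SPDXID": "SPDXRef-Recipe-other",
            "name": "other",
            "versionInfo": "4.5",
        },
    ],
}


def patched_cves(spdx_doc):
    """Map each package SPDXID to the sorted, de-duplicated CVE ids in its sourceInfo."""
    result = {}
    for pkg in spdx_doc.get("packages", []):
        ids = sorted(set(CVE_RE.findall(pkg.get("sourceInfo", ""))))
        if ids:
            result[pkg["SPDXID"]] = ids
    return result


def build_bom(spdx_doc, serial_number=None):
    """Build a CycloneDX 1.4 BOM dict: one component per SPDX package, plus one
    vulnerability entry per fixed CVE whose analysis state is "resolved" and whose
    affects[] points at the bom-ref of every package that was patched against it."""
    components = [
        {
            "type": "library",
            "bom-ref": pkg["SPDXID"],  # SPDXID doubles as the CycloneDX bom-ref
            "name": pkg["name"],
            "version": pkg.get("versionInfo", ""),
        }
        for pkg in spdx_doc.get("packages", [])
    ]

    # Group by CVE so a CVE patched in several packages becomes one entry with
    # several affects[] references rather than several duplicate entries.
    refs_by_cve = {}
    for ref, ids in patched_cves(spdx_doc).items():
        for cve in ids:
            refs_by_cve.setdefault(cve, []).append(ref)

    vulnerabilities = [
        {
            "id": cve,
            "source": {"name": "NVD", "url": f"https://nvd.nist.gov/vuln/detail/{cve}"},
            "analysis": {
                "state": "resolved",        # CycloneDX 1.4 analysis state enum value
                "response": ["update"],     # the fix is a patched build of the package
                "detail": "Fixed by a patch applied in the Yocto recipe "
                          "(taken from the SPDX package sourceInfo field)",
            },
            "affects": [{"ref": ref} for ref in refs],
        }
        for cve, refs in sorted(refs_by_cve.items())
    ]

    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "serialNumber": serial_number or f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "components": components,
        "vulnerabilities": vulnerabilities,
    }


def to_json(bom):
    """Serialise the BOM dict as the JSON text you would upload."""
    return json.dumps(bom, indent=2)


if __name__ == "__main__":
    print(to_json(build_bom(SAMPLE_SPDX)))
```

The same `vulnerabilities` array, without the `components` list, is also the shape of a CycloneDX VEX document; whether Dependency-Track applies these `resolved` states from a BOM upload or only from its separate VEX upload (the `/api/v1/vex` endpoint) depends on the Dependency-Track version, so that part is an assumption to confirm against the instance you run.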

View/Reply Online (#62652): https://lists.yoctoproject.org/g/yocto/message/62652
