Jörg, fixed CVEs should be encoded in a "vulnerabilities" section in a CycloneDX SBOM, or in an ancillary VEX document which references SBOM components. Unfortunately, Dependency-Track currently ignores the vulnerabilities section of uploaded SBOMs, so the only way is to upload the SBOM, wait until it is processed by the Dependency-Track instance and then upload the VEX document.
Regards,
Luiz

On Mon, 4 Mar 2024 at 06:59, Ross Burton <ross.bur...@arm.com> wrote:

> On 3 Mar 2024, at 10:09, Jörg Sommer via lists.yoctoproject.org <joerg.sommer=navimatix...@lists.yoctoproject.org> wrote:
>
> > does anyone use DependencyTrack https://dependencytrack.org/ to analyse CVE vulnerabilities? I've created a script to convert the spdx.tar.zst to a CycloneDX JSON and upload this to DependencyTrack. But I'm having the problem that CVEs fixed in Yocto by patches are not reflected in the SPDX. There is the sourceInfo field that lists fixed CVEs, but I don't know how to encode this in CycloneDX. How is this done with SPDX? Does anyone do CVE analysis with SPDX?
>
> This is something that's being actively worked on. In the meantime, if you're transforming the SPDX into CycloneDX then I suggest that you also read the cve-checker JSON output too, that contains information about what CVEs have been resolved via patches.
>
> Ross
View/Reply Online (#62664): https://lists.yoctoproject.org/g/yocto/message/62664
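Worked example of the two-document workflow Luiz describes (SBOM first, then a VEX that references the SBOM's components), using the cve-check JSON that Ross points at as the source of the "Patched" information. This is an added example for this thread, not code from Yocto, CycloneDX or Dependency-Track. Assumptions: the cve-check JSON layout (a top-level "package" list whose entries carry "name", "version" and an "issue" list with "id" and "status"), the status vocabulary Patched / Unpatched / Ignored, the mapping of those statuses onto CycloneDX 1.4 analysis states, and the use of a pkg:generic purl as the shared bom-ref; the CVE ids and packages in the sample input are constructed.

```python
"""Build a CycloneDX SBOM and a companion VEX from Yocto cve-check JSON.

Added example, not Yocto, CycloneDX or Dependency-Track code. The cve-check
JSON layout and status words below are assumptions about cve-check.bbclass
output; check them against a real cve-check JSON file before relying on them.
"""
import json

# Constructed sample input; package names, versions and CVE ids are made up.
CVE_CHECK_JSON = json.dumps({
    "version": "1",
    "package": [
        {"name": "busybox", "layer": "meta", "version": "1.36.1",
         "products": [{"product": "busybox", "cvesInRecord": "Yes"}],
         "issue": [
             {"id": "CVE-2024-99901", "summary": "constructed", "scorev2": "0.0",
              "scorev3": "7.5", "vector": "NETWORK", "status": "Patched"},
             {"id": "CVE-2024-99902", "summary": "constructed", "scorev2": "0.0",
              "scorev3": "5.3", "vector": "LOCAL", "status": "Unpatched"},
         ]},
        {"name": "zlib", "layer": "meta", "version": "1.3",
         "products": [{"product": "zlib", "cvesInRecord": "Yes"}],
         "issue": [
             {"id": "CVE-2024-99903", "summary": "constructed", "scorev2": "0.0",
              "scorev3": "0.0", "vector": "", "status": "Ignored"},
         ]},
    ],
})

# cve-check status -> CycloneDX 1.4 analysis state (assumed mapping).
# "Ignored" only means the recipe listed the CVE in CVE_CHECK_IGNORE; calling
# that not_affected is a policy choice, so the detail field records the source.
STATUS_TO_STATE = {
    "Patched": "resolved",
    "Ignored": "not_affected",
    "Unpatched": "in_triage",
}


def purl(name, version):
    """Shared identifier for a component; pkg:generic is a placeholder type."""
    return f"pkg:generic/{name}@{version}"


def build_sbom(report):
    """One CycloneDX component per cve-check package, bom-ref == purl."""
    components = []
    for p in report["package"]:
        ref = purl(p["name"], p["version"])
        components.append({"type": "library", "name": p["name"],
                           "version": p["version"], "purl": ref, "bom-ref": ref})
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "components": components}


def build_vex(report):
    """One VEX statement per issue, each affecting exactly the SBOM's bom-ref."""
    vulns = []
    for p in report["package"]:
        ref = purl(p["name"], p["version"])
        for issue in p.get("issue", []):
            state = STATUS_TO_STATE.get(issue["status"])
            if state is None:
                continue  # unknown status: make no claim rather than a wrong one
            vuln = {
                "id": issue["id"],
                "source": {"name": "NVD",
                           "url": f"https://nvd.nist.gov/vuln/detail/{issue['id']}"},
                "analysis": {
                    "state": state,
                    "detail": f"cve-check status for {p['name']} "
                              f"{p['version']}: {issue['status']}",
                },
                "affects": [{"ref": ref}],
            }
            score = float(issue.get("scorev3") or 0)
            if score > 0:
                vuln["ratings"] = [{"score": score, "method": "CVSSv3"}]
            vulns.append(vuln)
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "vulnerabilities": vulns}


def convert(cve_check_json):
    """Return (sbom, vex) and refuse VEX refs that no SBOM component carries."""
    report = json.loads(cve_check_json)
    sbom, vex = build_sbom(report), build_vex(report)
    refs = {c["bom-ref"] for c in sbom["components"]}
    dangling = [v["id"] for v in vex["vulnerabilities"]
                if any(a["ref"] not in refs for a in v["affects"])]
    if dangling:
        raise ValueError(f"VEX references components missing from SBOM: {dangling}")
    return sbom, vex


if __name__ == "__main__":
    sbom, vex = convert(CVE_CHECK_JSON)
    with open("sbom.cdx.json", "w") as f:
        json.dump(sbom, f, indent=2)
    with open("vex.cdx.json", "w") as f:
        json.dump(vex, f, indent=2)
    print(f"{len(sbom['components'])} components, "
          f"{len(vex['vulnerabilities'])} VEX statements")
```

The dangling-reference check is the part worth keeping: a VEX statement whose affects ref does not resolve to a component in the project is silently useless, and since bom-ref and purl are identical here it does not matter which of the two Dependency-Track matches on. Upload sbom.cdx.json to the project, wait until the server reports the BOM as processed, then upload vex.cdx.json; the REST endpoints I know for this are PUT /api/v1/bom and PUT /api/v1/vex, with GET /api/v1/bom/token/{token} for the processing state, but confirm them against the API documentation of the Dependency-Track version you run.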