Thanks for the hint about the timing. My script worked, but because of the required wait before VEX upload it showed bad and inconsistent results.
Here is the new version.

Regards, Jörg

--
Navimatix GmbH
Tatzendpromenade 2
07745 Jena
T: 03641 - 327 99 0
F: 03641 - 526 306
M: joerg.som...@navimatix.de
www.navimatix.de
Geschäftsführer: Steffen Späthe, Jan Rommeley
Registergericht: Amtsgericht Jena, HRB 501480

________________________________
From: yocto@lists.yoctoproject.org <yocto@lists.yoctoproject.org> on behalf of Luiz Balloti via lists.yoctoproject.org <luiz.balloti=timpelmedical....@lists.yoctoproject.org>
Sent: Monday, 4 March 2024 15:08
To: yocto@lists.yoctoproject.org <yocto@lists.yoctoproject.org>
Subject: Re: [yocto] Using SBOM/spdx with DependencyTrack/CyclonDX

Jörg,

fixed CVEs should be encoded in a "vulnerabilities" section in a CycloneDX SBOM, or in an ancillary VEX document which references SBOM components. Unfortunately, Dependency-Track currently ignores the vulnerabilities section of uploaded SBOMs, so the only way is to upload the SBOM, wait until it is processed by the Dependency-Track instance and then upload the VEX document.

Regards,
Luiz

On Mon, 4 Mar 2024 at 06:59, Ross Burton <ross.bur...@arm.com> wrote:

On 3 Mar 2024, at 10:09, Jörg Sommer via lists.yoctoproject.org <joerg.sommer=navimatix...@lists.yoctoproject.org> wrote:
> does anyone use DependencyTrack https://dependencytrack.org/ to analyse CVE
> vulnerabilities? I've created a script to convert the spdx.tar.zst to a
> CycloneDX JSON and upload this to DependencyTrack. But I'm having the problem
> that CVEs fixed in Yocto by patches are not reflected in the spdx. There is
> the sourceInfo field that lists fixed CVEs, but I don't know how to encode
> this in CycloneDX. How is this done with SDPX? Does anyone do CVE analysis
> with SPDX?

This is something that's being actively worked on.

In the meantime, if you're transforming the SPDX into CycloneDX then I suggest that you also read the cve-checker JSON output too, that contains information about what CVEs have been resolved via patches.

Ross
Attachment: deptrack-spdx-upload.sh
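Added example, written for this page and not the attached deptrack-spdx-upload.sh nor code from the Yocto or Dependency-Track projects, showing the two pieces the thread describes: turning the per-package "status" field of cve-check's JSON output (Ross's hint) into a CycloneDX VEX document, and uploading the SBOM, polling the processing token, and only then uploading the VEX (Luiz's ordering). Assumptions: the cve-check JSON layout sketched in the constructed sample below (`package[].issue[].status` of Patched/Unpatched/Ignored); that the SPDX to CycloneDX conversion gave each component a `pkg:generic/<name>@<version>` bom-ref (change `component_ref` to whatever yours emits, otherwise Dependency-Track has nothing to attach the analysis to); the Dependency-Track REST endpoints `PUT /api/v1/bom`, `GET /api/v1/bom/token/{token}` and `PUT /api/v1/vex` authenticated with an `X-Api-Key` header; and placeholder base URL, API key and project UUID. When the same CVE is Patched in one recipe and Unpatched in another, the example keeps the worse state rather than silently marking it resolved.

```python
"""cve-check JSON -> CycloneDX VEX, then SBOM-upload / wait / VEX-upload against
Dependency-Track.  Example code for the thread above, not the attached script."""
import base64
import json
import time
import urllib.request

# cve-check "status" -> CycloneDX analysis.state (this example's own mapping).
CVE_CHECK_TO_VEX_STATE = {
    "Patched": "resolved",       # recipe carries a fix (patch or backport)
    "Ignored": "not_affected",   # marked not applicable in the recipe
    "Unpatched": "exploitable",  # nothing in the build addresses it
}
# Rank used when one CVE has different statuses in different packages: never
# let a "Patched" entry hide an "Unpatched" one for the same CVE.
STATE_RANK = {"resolved": 0, "not_affected": 1, "exploitable": 2}

# Constructed sample in the shape cve-check writes (ASSUMPTION: field names);
# CVE ids are placeholders, not real advisories.
SAMPLE_CVE_CHECK = {
    "version": "1",
    "package": [
        {"name": "zlib", "layer": "core", "version": "1.2.13",
         "issue": [{"id": "CVE-0000-0001", "status": "Patched"}]},
        {"name": "busybox", "layer": "core", "version": "1.36.1",
         "issue": [{"id": "CVE-0000-0001", "status": "Patched"},
                   {"id": "CVE-0000-0002", "status": "Ignored"},
                   {"id": "CVE-0000-0003", "status": "Unknown"}]},
        {"name": "openssl", "layer": "core", "version": "3.1.4",
         "issue": [{"id": "CVE-0000-0001", "status": "Unpatched"}]},
    ],
}


def component_ref(pkg):
    """bom-ref the VEX 'affects' entry points at.  ASSUMPTION: the SBOM
    conversion used this purl form as bom-ref; it must match exactly."""
    return f"pkg:generic/{pkg['name']}@{pkg['version']}"


def cve_check_to_vex(cve_check):
    """Build a CycloneDX 1.4 VEX dict from cve-check JSON.  Issues whose
    status has no mapping (e.g. "Unknown") are left to Dependency-Track."""
    merged = {}  # cve id -> {"states": set(), "refs": [..]}
    for pkg in cve_check.get("package", []):
        ref = component_ref(pkg)
        for issue in pkg.get("issue", []):
            state = CVE_CHECK_TO_VEX_STATE.get(issue.get("status"))
            if state is None:
                continue
            entry = merged.setdefault(issue["id"], {"states": set(), "refs": []})
            entry["states"].add(state)
            entry["refs"].append({"ref": ref})
    vulns = []
    for cve_id, entry in merged.items():
        state = max(entry["states"], key=STATE_RANK.get)  # worst state wins
        vulns.append({
            "id": cve_id,
            "source": {"name": "NVD",
                       "url": f"https://nvd.nist.gov/vuln/detail/{cve_id}"},
            "analysis": {"state": state,
                         "detail": "cve-check states: " + ", ".join(sorted(entry["states"]))},
            "affects": entry["refs"],
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "vulnerabilities": vulns}


def _request(base_url, api_key, path, payload=None):
    """PUT payload as JSON (or GET when payload is None) and decode the reply."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        data=None if payload is None else json.dumps(payload).encode(),
        method="GET" if payload is None else "PUT",
        headers={"X-Api-Key": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
    return json.loads(body) if body else {}


def upload_sbom_then_vex(base_url, api_key, project_uuid, sbom, vex,
                         poll_seconds=2.0, timeout_seconds=600):
    """Upload SBOM, wait for Dependency-Track to finish processing it, then
    upload the VEX.  Uploading the VEX first gives inconsistent results, as the
    thread notes, because the components it refers to do not exist yet."""
    b64 = lambda doc: base64.b64encode(json.dumps(doc).encode()).decode()
    token = _request(base_url, api_key, "/api/v1/bom",
                     {"project": project_uuid, "bom": b64(sbom)})["token"]
    deadline = time.monotonic() + timeout_seconds
    while _request(base_url, api_key, f"/api/v1/bom/token/{token}")["processing"]:
        if time.monotonic() > deadline:
            raise TimeoutError(f"SBOM token {token} still processing")
        time.sleep(poll_seconds)
    _request(base_url, api_key, "/api/v1/vex",
             {"project": project_uuid, "vex": b64(vex)})


if __name__ == "__main__":
    print(json.dumps(cve_check_to_vex(SAMPLE_CVE_CHECK), indent=2))
```

Run it as-is to see the VEX produced from the constructed sample; to push to a real instance, load your converted CycloneDX SBOM and the cve-check JSON and call `upload_sbom_then_vex("https://deptrack.example", "<api key>", "<project uuid>", sbom, vex)` with a key that has BOM_UPLOAD and VULNERABILITY_ANALYSIS permission.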
View/Reply Online (#62675): https://lists.yoctoproject.org/g/yocto/message/62675