Add license info #3
base: main
Conversation
The licenses are in the SBOM now, but if I upload it to Dependency-Track they are still missing. Does yours work?
Try to build now. The correct license structure was not reflected in the code and I fixed it with a force push. Great catch! Heads up: the license is per recipe, and we plan in time to maybe change the code to collect them per package. There are some recipes in new versions of yocto/oe containing packages with banned licenses. It is good to enlighten the user so they can skip only packages from a recipe and not the entire recipe.
Dependency-Track still doesn't show the licenses. Maybe it will with the planned change you mentioned.
} | ||
license_json = get_licenses(d) | ||
if license_json: | ||
component_json["licenses"] = license_json |
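Review bot: `component_json["licenses"] = license_json` stores whatever get_licenses(d) returns without checking its shape, and the thread reports that Dependency-Track drops the licenses when an entry with `license.id` and an entry with `expression` both appear in the same array (DependencyTrack/dependency-track#2226). Suggest having get_licenses(d) emit one form only, a list of `{"license": {"id": ...}}` entries per SPDX identifier, with the expression left out until that issue is resolved, and a short comment here stating which CycloneDX license form is produced.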
This line gives a structure like
"licenses": [
{
"license": {
according to
https://cyclonedx.org/use-cases/#license-compliance
Can you check if you have this structure in the SBOM?
It's in the right structure, or I don't see the failure myself. But Dependency-Track still doesn't show the licenses if I upload the SBOM to the API.
I tried this:

```python
# Runs inside a BitBake Python task: bb, oe.cve_check, sbom, name, version
# and license come from that task context, not from this snippet.
# update it with the new package info
names = name.split()
for index, cpe in enumerate(oe.cve_check.get_cpe_ids(name, version)):
    bb.debug(2, f"Collecting package {name}@{version} ({cpe})")
    # only add a component once per CPE
    if not next((c for c in sbom["components"] if c["cpe"] == cpe), None):
        sbom["components"].append({
            "name": names[index],
            "version": version,
            "cpe": cpe,
            # CycloneDX license entry: one object with an SPDX id
            "licenses": [
                {
                    "license": {
                        "id": license
                    }
                }
            ]
        })
```

before your last update, and it shows about 50% of the licenses.
I guess the missing licenses are the ones which have more than one license.
I have added a comment in this pull request https://github.com/bgnetworks/meta-dependencytrack/pull/3/files#r912663994 Can you please check the resulting SBOM as per the comment?
In the SBOM it looks like this:
Hi! Sorry for the late response. It seems to be an issue when both a license id and a license expression show up in the SBOM. One temporary solution is to exclude the expression. This was reported here: DependencyTrack/dependency-track#2226
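The id-versus-expression clash described in the comment above, as an added example in Python. This is not code from meta-dependencytrack or from anyone in the thread: it builds a CycloneDX `licenses` array from a Yocto-style LICENSE string (`&` and `|` operators, names assumed to already be SPDX identifiers), flags components whose array mixes `license` objects with an `expression`, and applies the workaround the comment suggests by dropping the expression. The SBOM fragment at the top is constructed for the example.

```python
"""Added example, not code from meta-dependencytrack: CycloneDX license
entries from a Yocto LICENSE string, plus detection and repair of the
id + expression mix that the thread reports Dependency-Track does not display."""
import copy
import re

# Constructed sample SBOM fragment in CycloneDX JSON layout (not from the PR).
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {
            "name": "zlib",
            "version": "1.2.13",
            "licenses": [{"license": {"id": "Zlib"}}],
        },
        {
            "name": "busybox",
            "version": "1.36.0",
            # per-id objects and an expression side by side: the reported case
            "licenses": [
                {"license": {"id": "GPL-2.0-only"}},
                {"license": {"id": "bzip2-1.0.6"}},
                {"expression": "GPL-2.0-only AND bzip2-1.0.6"},
            ],
        },
    ],
}

# An SPDX-style identifier: letters, digits, '.', '+', '-' (operators excluded).
_TOKEN = re.compile(r"[A-Za-z0-9][A-Za-z0-9.+-]*")


def yocto_license_to_cyclonedx(license_str, use_expression=False):
    """Turn a Yocto LICENSE value such as "GPL-2.0-only & MIT" or
    "(MIT | BSD-3-Clause) & Apache-2.0" into a CycloneDX `licenses` array.

    Assumption: the names are already SPDX identifiers; recipes with legacy
    names (e.g. "GPLv2") would need a mapping step before this.
    use_expression=False: one {"license": {"id": ...}} per distinct id.
    use_expression=True: a single {"expression": ...} with & -> AND, | -> OR.
    The two forms are never combined in one array.
    """
    if use_expression:
        expr = license_str.replace("&", " AND ").replace("|", " OR ")
        return [{"expression": " ".join(expr.split())}]
    seen = []
    for tok in _TOKEN.findall(license_str):
        if tok not in seen:  # keep first occurrence, drop duplicates
            seen.append(tok)
    return [{"license": {"id": tok}} for tok in seen]


def _is_mixed(entries):
    has_id = any("license" in e for e in entries)
    has_expr = any("expression" in e for e in entries)
    return has_id and has_expr


def mixed_license_components(sbom):
    """Names of components whose `licenses` array carries both per-license
    objects and an SPDX expression."""
    return [c["name"] for c in sbom.get("components", [])
            if _is_mixed(c.get("licenses", []))]


def drop_expressions_when_mixed(sbom):
    """Copy of the SBOM where mixed arrays keep only the per-license objects,
    the temporary workaround from the thread. The input is left unchanged."""
    fixed = copy.deepcopy(sbom)
    for comp in fixed.get("components", []):
        entries = comp.get("licenses", [])
        if _is_mixed(entries):
            comp["licenses"] = [e for e in entries if "license" in e]
    return fixed


if __name__ == "__main__":
    print(mixed_license_components(SAMPLE_SBOM))  # ['busybox']
    print(drop_expressions_when_mixed(SAMPLE_SBOM)["components"][1]["licenses"])
    print(yocto_license_to_cyclonedx("(MIT | BSD-3-Clause) & Apache-2.0"))
    print(yocto_license_to_cyclonedx("(MIT | BSD-3-Clause) & Apache-2.0", use_expression=True))
```

Run the check against the SBOM before uploading it to the Dependency-Track API; a non-empty list from `mixed_license_components` is the case the comment describes. Choosing the per-id form loses the AND/OR relationship between licenses, so keep the original LICENSE string elsewhere (for example in a component property) if the compliance policy needs it.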
Hi vasba, thank you for your response. When you comment the expression line out it works fine. But I have another problem now. Do you know how I can get the status information about which CVE is already patched in the Yocto build process into Dependency-Track?
@xRate1337 In this case the version will be the same, so you will just have to audit the CVE in Dependency-Track. I am not aware of any standard that programmatically informs you that the applied patch fixes the CVE.