
Add license info #3

Open: vasba wants to merge 2 commits into main from add-license-info

Conversation

@vasba vasba commented Jun 13, 2022

No description provided.

@xRate1337

The licenses are in the sbom now but if I upload it to dependencytrack it's still missing. Does yours work?

vasba force-pushed the add-license-info branch from e96e0dc to b8568a0 on June 30, 2022 12:16

vasba commented Jun 30, 2022

Try to build now. The correct license structure was not reflected in the code, and I fixed it with a force push.

Great catch!

Heads up: the license is per recipe, and we plan in time to maybe change the code to collect them per package. There are some recipes in the new version of yocto/oe containing packages with banned licenses. It is good to enlighten the user in order to skip only packages from a recipe and not the entire recipe.

@xRate1337

Dependency-Track still doesn't show the licenses. Maybe it will with the planned changes you mentioned.

    }
    license_json = get_licenses(d)
    if license_json:
        component_json["licenses"] = license_json

@vasba (Author) commented on these lines:

This line gives a structure like

    "licenses": [
        {
            "license": {

according to

https://cyclonedx.org/use-cases/#license-compliance

Can you check if you have this structure in the SBOM?

@xRate1337

It's in the right structure, or I don't see the failure myself. But Dependency-Track still doesn't show the licenses if I upload the SBOM to the API.

@xRate1337

I tried this:

    # update it with the new package info
    names = name.split()
    for index, cpe in enumerate(oe.cve_check.get_cpe_ids(name, version)):
        bb.debug(2, f"Collecting package {name}@{version} ({cpe})")
        # only add the component once per CPE
        if not next((c for c in sbom["components"] if c["cpe"] == cpe), None):
            sbom["components"].append({
                "name": names[index],
                "version": version,
                "cpe": cpe,
                # single SPDX id per component; `license` comes from the recipe
                "licenses": [
                    {
                        "license": {
                            "id": license
                        }
                    }
                ]
            })

before your last update, and it shows like 50% of the licenses.

@xRate1337

I guess the missing licenses are the ones which have more than one license.

vasba commented Jul 4, 2022

I have added a comment in this pull request

https://github.com/bgnetworks/meta-dependencytrack/pull/3/files#r912663994

Can you please check the resulting SBOM as per comment?

@xRate1337

In the SBOM it looks like this:

    {
        "name": "libevdev",
        "version": "1.12.1",
        "cpe": "cpe:2.3:a::libevdev:1.12.1:::::::",
        "licenses": [
            {
                "license": {
                    "name": "MIT",
                    "text": {
                        "contentType": "text/plain",
                        "content": "\nMIT License\n\nCopyright (c) \n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in\nall copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN\nTHE SOFTWARE.\n\n"
                    }
                }
            },
            {
                "expression": "MIT"
            }
        ]
    },

vasba commented Dec 13, 2022

Hi!

Sorry for the late response. It seems to be an issue when both the license id and the license expression show up in the SBOM.

One temporary solution is to exclude expression.

This was reported here: DependencyTrack/dependency-track#2226
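The two failure modes in this thread (recipes with more than one license dropping out, and a component carrying both a `license` object and an `expression`) come down to how a Yocto LICENSE string is mapped onto the CycloneDX `licenses` array. The following is an added example, not code from meta-dependencytrack: it maps a LICENSE value to either a list of `license` objects or a single `expression`, and scans an SBOM for components that mix the two. The SPDX id table, the sample SBOM and the component names are constructed for the example.

```python
import json
import re

# Constructed stub mapping a few Yocto LICENSE names to SPDX ids; a real layer
# would take these from the SPDX ids shipped with poky (assumption).
SPDX_IDS = {
    "MIT": "MIT",
    "GPLv2": "GPL-2.0-only",
    "GPL-2.0-only": "GPL-2.0-only",
    "LGPLv2.1": "LGPL-2.1-only",
    "BSD-3-Clause": "BSD-3-Clause",
    "Apache-2.0": "Apache-2.0",
}

# Yocto joins licenses with & (all apply) and | (choice); SPDX spells them out.
YOCTO_OPERATORS = {"&": "AND", "|": "OR"}

# Tokens: a parenthesis, one of the two operators, or a run of anything else.
TOKEN_RE = re.compile(r"\(|\)|&|\||[^\s()&|]+")


def yocto_license_to_cyclonedx(license_str):
    """Return a CycloneDX `licenses` array for one Yocto LICENSE value.

    A single license becomes {"license": {"id": ...}} (or {"name": ...} when
    no SPDX id is known). Anything joined with & or | becomes one
    {"expression": ...} entry, so the array never mixes the two forms that
    Dependency-Track failed to display in this thread.
    """
    tokens = TOKEN_RE.findall(license_str)
    if not tokens:
        return []
    if len(tokens) == 1:
        name = tokens[0]
        if name in SPDX_IDS:
            return [{"license": {"id": SPDX_IDS[name]}}]
        # No SPDX id known: CycloneDX allows a free-form name instead of an id.
        return [{"license": {"name": name}}]
    parts = []
    for tok in tokens:
        if tok in YOCTO_OPERATORS:
            parts.append(YOCTO_OPERATORS[tok])
        elif tok in ("(", ")"):
            parts.append(tok)
        else:
            # Keep the Yocto name verbatim when there is no SPDX id for it.
            parts.append(SPDX_IDS.get(tok, tok))
    expression = " ".join(parts).replace("( ", "(").replace(" )", ")")
    return [{"expression": expression}]


def find_mixed_license_components(sbom):
    """Names of components whose `licenses` array holds both a `license`
    object and an `expression` entry (the libevdev pattern from the thread)."""
    bad = []
    for comp in sbom.get("components", []):
        entries = comp.get("licenses", [])
        has_object = any("license" in e for e in entries)
        has_expression = any("expression" in e for e in entries)
        if has_object and has_expression:
            bad.append(comp["name"])
    return bad


# Constructed sample SBOM: the first component has the mixed form seen in the
# thread, the second a compound license, the third a single license name.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "libevdev", "version": "1.12.1",
         "licenses": [{"license": {"name": "MIT"}}, {"expression": "MIT"}]},
        {"name": "busybox", "version": "1.35.0",
         "licenses": yocto_license_to_cyclonedx("GPLv2 & bzip2-1.0.6")},
        {"name": "zlib", "version": "1.2.12",
         "licenses": yocto_license_to_cyclonedx("Zlib")},
    ],
}

if __name__ == "__main__":
    for lic in ("MIT", "MIT & BSD-3-Clause", "(GPLv2 | MIT) & LGPLv2.1"):
        print(lic, "->", json.dumps(yocto_license_to_cyclonedx(lic)))
    print("mixed id/expression:", find_mixed_license_components(SAMPLE_SBOM))
```

Running the check over the generated SBOM before uploading it to Dependency-Track makes the mixed case visible at build time instead of showing up as silently empty license fields in the UI.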

@xRate1337

Hi vasba, thank you for your response. When you comment the expression line out it works fine. But I have another problem now. Do you know how I can get the status information about which CVE is already patched in the yocto build process into Dependency-Track?

vasba commented Dec 20, 2022

@xRate1337
I assume that you mean that you patched the recipe yourself but the CVE still shows up.

In this case the version will be the same, so you will just have to audit the CVE in DependencyTrack. I am not aware of any standard that programmatically informs you that the applied patch fixes the CVE.
