Closed apdst closed 3 years ago
Dependency-Track relies on information in the BOM. If the BOM contains license information, it will be displayed in DT. If the BOM doesn't have license information, DT will not display it. So check the BOM and ensure license information is present.
For vulnerabilities, refer to https://docs.dependencytrack.org/FAQ/
As per the FAQ, I have already enabled the Sonatype OSS Index Analyzer and other analyzers, but I am still not able to find the vulnerabilities related to modernizr.
@apdst, as a next step I recommend taking the purl for your modernizr (copy it from the component's "view details" dialog) and querying the oss-index website directly. This will show you something like this (using a juicy example for jackson-databind):
So, if there are no vulns reported for modernizr, then you should report the problem using the link on the screen.
If there are vulns reported then you'll want to login (it's free!) to see what they are and whether they are what you expect to see.
Sonatype are pretty good at responding to reports of missing or incorrect data.
If the above helps, then let me know... I'll do a PR to update the FAQ.
Thanks Mark. I will try the above-mentioned steps and see if it resolves the issue. I will let you know.
Thanks @msymons Mark. Using the purl, the details are coming through correctly.
@stevespringett - Can you please help me understand how CycloneDX creates the BOM file and how it fetches the license details?
Are license details based on purl?
As stated previously, "if the BOM doesn't have license information, DT will not display it".
Please refer to https://cyclonedx.org/use-cases/#license-compliance
@stevespringett - Yes, the licensing part is working now. However, can you please help me: does DT support the license type MS-EULA or not? I am not able to see the license name in DT.
Is there any way to mention the license type as MS-EULA?
@apdst MS-EULA is not a valid SPDX license ID. So you won't be able to create policies around it. But DT does support unresolved license names. As long as the name of the license is included in the SBOM, DT will display it.
Thanks @stevespringett. However, I am mentioning the license names like MS-EULA, MICROSOFT .NET LIBRARY etc. in the BOM file, but still these license details are not visible in DT.
Please see the attached screenshot of the BOM file and DT for Aspose.CAD.
Can you please help me with this?
As stated previously, the license id in the BoM is not a valid SPDX license id. The BoM will fail validation.
Please use the `name` element rather than `id`.
Refer to https://cyclonedx.org/use-cases/#license-compliance
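An added check for the `id`-versus-`name` point above (example code, not Dependency-Track's or CycloneDX's own): it parses a constructed CycloneDX 1.2 BOM, flags every `<license><id>` whose value is not an SPDX identifier, and rewrites those elements as `<license><name>` so the BOM validates and DT displays the license. The SPDX allowlist and the component versions are assumed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample BOM (CycloneDX 1.2 XML), not the reporter's actual bom.xml.
# Aspose.CAD wrongly uses <id> for a non-SPDX license (the mistake in the thread);
# the .NET library uses <name>, which is what DT accepts for unresolved licenses.
SAMPLE_BOM = """<bom xmlns="http://cyclonedx.org/schema/bom/1.2" version="1">
  <components>
    <component type="library">
      <name>Aspose.CAD</name><version>0.0.0-placeholder</version>
      <licenses><license><id>MS-EULA</id></license></licenses>
    </component>
    <component type="library">
      <name>Newtonsoft.Json</name><version>0.0.0-placeholder</version>
      <licenses><license><id>MIT</id></license></licenses>
    </component>
    <component type="library">
      <name>Microsoft.NETCore.App</name><version>0.0.0-placeholder</version>
      <licenses><license><name>MICROSOFT .NET LIBRARY</name></license></licenses>
    </component>
  </components>
</bom>"""

NS = {"c": "http://cyclonedx.org/schema/bom/1.2"}
ET.register_namespace("", NS["c"])  # keep the default namespace on output

# Assumption: a short subset standing in for the full SPDX license list.
KNOWN_SPDX_IDS = {"MIT", "Apache-2.0", "BSD-3-Clause", "GPL-3.0-only", "LGPL-2.1-only"}


def find_invalid_license_ids(bom_xml: str) -> list:
    """Return (component name, bad id) for every <license><id> that is not an SPDX ID."""
    root = ET.fromstring(bom_xml)
    bad = []
    for comp in root.findall(".//c:component", NS):
        cname = comp.findtext("c:name", default="?", namespaces=NS)
        for lic_id in comp.findall("c:licenses/c:license/c:id", NS):
            value = (lic_id.text or "").strip()
            if value not in KNOWN_SPDX_IDS:
                bad.append((cname, value))
    return bad


def fix_license_ids(bom_xml: str) -> str:
    """Rename each invalid <id> to <name>, keeping its text, so the BOM validates."""
    root = ET.fromstring(bom_xml)
    for lic_id in root.findall(".//c:license/c:id", NS):
        if (lic_id.text or "").strip() not in KNOWN_SPDX_IDS:
            lic_id.tag = "{%s}name" % NS["c"]
    return ET.tostring(root, encoding="unicode")
```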
@stevespringett Yes, it is working now for the license as well. Hence closing this ticket as well.
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
Hi Steve,
I am using Dependency-Track v3.8.0 and creating bom.xml using the CycloneDX module for .NET. However, I am not able to get the details regarding the license of third-party libraries.
Also for modernizr, the vulnerabilities are not coming through; however, when I checked manually, I found the vulnerabilities related to modernizr at https://snyk.io/test/npm/modernizr/3.3.1.
Also, as suggested by you on the previous tickets, I have already enabled Sonatype OSS Index, NPM Audit & Internal and am following the best practices mentioned in the documentation.
So can you please help with the above issues?