Closed svenschwermer closed 1 year ago
You could let your script wait for the BOM processing to be completed via the /token/{uuid}
endpoint. After that you can upload the VEX.
However when you upload a BOM without a VEX, vulnerabilities will be found and notifications will be triggered for those. This probably is unwanted for vulnerabilities that are marked as not applicable in the VEX that will be uploaded a little later.
So probably DT should have some support for this scenario. Either by allowing upload of BOM and VEX together, or some "analysis only mode (skip notifications)". Or it should just store the VEX internally first and then process the BOM.
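The workaround suggested above (wait on the processing token, then upload the VEX) as a small Python script. This is an added example, not the reporter's upload script or Dependency-Track's own code; the endpoint paths `PUT /api/v1/bom`, `GET /api/v1/bom/token/{uuid}` and `PUT /api/v1/vex`, the `X-Api-Key` header, the base64-encoded `bom`/`vex` payload fields and the `{"processing": true|false}` token response are assumptions about the Dependency-Track REST API. The HTTP transport is injectable so the polling logic can be exercised without a server.

```python
"""Upload a CycloneDX BOM, wait for Dependency-Track to finish analysing it,
then upload the VEX so its analyses are applied to the vulnerabilities.

Added example for this thread, not the reporter's script. Endpoint paths,
payload fields and the {"processing": bool} token response are assumptions
about the Dependency-Track REST API.
"""
import base64
import json
import time
import urllib.request


def encode_artifact(data: bytes) -> str:
    """Assumption: Dependency-Track wants the BOM/VEX base64-encoded in the JSON body."""
    return base64.b64encode(data).decode("ascii")


def http_json(method: str, url: str, api_key: str, body=None):
    """Default transport: JSON over urllib, authenticated with the X-Api-Key header.
    Returns the decoded JSON response, or {} when the response body is empty."""
    data = json.dumps(body).encode("utf-8") if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("X-Api-Key", api_key)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def upload_bom_then_vex(base_url, api_key, project, version, bom, vex,
                        transport=http_json, max_polls=120, interval=1.0,
                        sleep=time.sleep):
    """Upload the BOM, poll its processing token until done, then upload the VEX.
    Returns the BOM token and how often the token endpoint was polled.
    Raises TimeoutError if the BOM is still processing after max_polls polls,
    in which case the VEX is deliberately NOT uploaded (it would not stick)."""
    bom_payload = {
        "projectName": project,
        "projectVersion": version,
        "autoCreate": True,            # assumption: create the project if missing
        "bom": encode_artifact(bom),
    }
    # Assumption: PUT /api/v1/bom answers {"token": "<uuid>"} for the async analysis.
    token = transport("PUT", f"{base_url}/api/v1/bom", api_key, bom_payload)["token"]

    polls = 0
    while True:
        # Assumption: GET /api/v1/bom/token/{uuid} answers {"processing": true|false}.
        status = transport("GET", f"{base_url}/api/v1/bom/token/{token}", api_key)
        polls += 1
        if not status.get("processing", False):
            break                      # analysis finished; the VEX can be applied now
        if polls >= max_polls:
            raise TimeoutError(f"BOM {token} still processing after {polls} polls")
        sleep(interval)

    vex_payload = {
        "projectName": project,
        "projectVersion": version,
        "vex": encode_artifact(vex),
    }
    # Assumption: PUT /api/v1/vex applies the VEX analyses to the project.
    transport("PUT", f"{base_url}/api/v1/vex", api_key, vex_payload)
    return {"token": token, "polls": polls}


if __name__ == "__main__":
    import os
    import sys
    # Usage: DT_URL=https://dt.example DT_API_KEY=... python upload.py bom.json vex.json <project> <version>
    if len(sys.argv) < 5:
        sys.exit("usage: upload.py <bom.json> <vex.json> <project> <version>")
    with open(sys.argv[1], "rb") as f:
        bom_doc = f.read()
    with open(sys.argv[2], "rb") as f:
        vex_doc = f.read()
    print(upload_bom_then_vex(os.environ["DT_URL"], os.environ["DT_API_KEY"],
                              sys.argv[3], sys.argv[4], bom_doc, vex_doc))
```

Note that this only avoids the race the issue describes; as the comment above points out, the vulnerabilities found during BOM analysis still raise notifications before the VEX marks them as not applicable.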
Duplicate of https://github.com/DependencyTrack/dependency-track/issues/1872. Atomic update is indeed not supported at the moment.
To answer your questions:
CycloneDX has the pedigree field, but that doesn't seem to be supported by Dependency Track?
It is not.
There seems to be a way to embed the VEX into the SBOM file, but I couldn't make that work with Dependency Track either.
The vulnerabilities node is ignored when uploading a BOM file through the /v1/bom upload.
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
Current Behavior
I'm trying to automatically generate and upload a CycloneDX SBOM from Yocto builds to Dependency Track. The Yocto project has a concept of patching components' vulnerabilities through patches. I want to mark those vulnerabilities as resolved via a VEX file. However, uploading SBOM and VEX right after each other does not apply the VEX. The fixed vulnerabilities remain non-resolved. Only when I wait a few seconds can I upload the VEX and it actually has an effect.
Steps to Reproduce
SBOM:
VEX:
Upload via the following script:
Expected Behavior
I expect the VEX to apply even when I upload it right after uploading the SBOM. There may be other ways to achieve what I'm trying to do, but I'm struggling to make them work:
- CycloneDX has the pedigree field, but that doesn't seem to be supported by Dependency Track?
- There seems to be a way to embed the VEX into the SBOM file, but I couldn't make that work with Dependency Track either.
Dependency-Track Version
4.7.0
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
14.x
Browser
N/A
Checklist