advanced-security / spdx-dependency-submission-action

MIT License

Does Dependabot show if it's working? #32

Open parsley72 opened 2 months ago

parsley72 commented 2 months ago

I've added this to my Yocto build:

    - name: SBOM upload 
      uses: advanced-security/spdx-dependency-submission-action@v0.0.1
      with:
        filePath: "poky/build/tmp/deploy/images/oclea-cv25/"

and it seems to work:

Run advanced-security/spdx-dependency-submission-action@v0.0.1
  with:
    filePath: poky/build/tmp/deploy/images/oclea-cv25/
    token: ***
    filePattern: *.spdx.json

Notice: Submitting snapshot...
Notice: {
    "detector": {
        "name": "spdx-to-dependency-graph-action",
        "version": "0.0.1",
        "url": "https://github.com/advanced-security/spdx-dependency-submission-action"
    },
    "version": 0,
    "job": {
        "correlator": "build",
        "id": "8795676367"
    },
    "sha": "9e4e2051ed5882f2d5cfc876f974438bab7e2602",
    "ref": "refs/pull/56/merge",
    "scanned": "2024-04-23T08:01:55.978Z",
    "manifests": {
        "oclea-image-oclea-cv25-20240423061522": {
            "resolved": {
                "pkg:generic/oclea-image@undefined": {
                    "package_url": "pkg:generic/oclea-image@undefined",
                    "relationship": "direct",
                    "dependencies": []
                }
            },
            "name": "oclea-image-oclea-cv25-20240423061522",
            "file": {
                "source_location": "poky/build/tmp/deploy/images/oclea-cv25/oclea-image-oclea-cv25.spdx.json"
            }
        }
    }
}
Notice: Snapshot successfully created at 2024-04-23T0:01:56.190Z

But Dependabot doesn't show anything. Is there something else I need to do, or a log I can check?

GeekMasher commented 4 weeks ago

@parsley72 This Action submits SPDX files to the Submission API, Dependabot Alerts will only show if the ecosystem is supported. If you upload something like pkg:generic/oclea-image@undefined (generic manager), Dependabot won't be able to create an alert based on that PURL.

Try looking in the tab "Repository -> Insights -> Dependency graph" and see if your data is in there.
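To make the point in the reply above concrete, here is an added example (written for this thread, not the action's own code) that turns an SPDX 2.x JSON document into a dependency submission snapshot in the shape logged in the first post, and then lists the resolved package URLs Dependabot cannot match to an advisory. The SPDX document is constructed for the example, the fallback rule of emitting `pkg:generic/<name>@<versionInfo>` for packages without a purl externalRef is an assumption about how such entries arise, the `ALERTABLE_PURL_TYPES` set is my reading of the advisory database ecosystems rather than an authoritative list, and the detector fields are placeholders.

```python
"""Build a dependency-submission snapshot from an SPDX 2.x JSON document and
flag package URLs that Dependabot cannot match to advisories.

Example code written for this issue thread; it is not the action's code.
The snapshot shape follows the JSON the action logged above. The SPDX-to-purl
fallback rule and the alertable ecosystem list are assumptions (see comments).
"""
from __future__ import annotations

import json
from datetime import datetime, timezone

# Purl types with a matching ecosystem in the GitHub Advisory Database.
# Assumption: derived from the database's ecosystem list, not authoritative.
ALERTABLE_PURL_TYPES = {
    "cargo", "composer", "gem", "githubactions", "golang", "hex",
    "maven", "npm", "nuget", "pub", "pypi", "swift",
}

# Constructed SPDX document; not output from a real Yocto build.
SAMPLE_SPDX = json.loads("""
{
  "spdxVersion": "SPDX-2.3",
  "name": "oclea-image-oclea-cv25-20240423061522",
  "packages": [
    {"SPDXID": "SPDXRef-image", "name": "oclea-image"},
    {"SPDXID": "SPDXRef-busybox", "name": "busybox", "versionInfo": "1.36.1",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                       "referenceType": "purl",
                       "referenceLocator": "pkg:generic/busybox@1.36.1"}]},
    {"SPDXID": "SPDXRef-requests", "name": "requests", "versionInfo": "2.31.0",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                       "referenceType": "purl",
                       "referenceLocator": "pkg:pypi/requests@2.31.0"}]}
  ]
}
""")


def purl_from_spdx_package(pkg: dict) -> str:
    """Return the package's purl. An explicit purl externalRef wins; otherwise
    fall back to pkg:generic/<name>@<versionInfo or 'undefined'>, which is the
    assumed origin of entries like pkg:generic/oclea-image@undefined."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref["referenceLocator"]
    return f"pkg:generic/{pkg['name']}@{pkg.get('versionInfo', 'undefined')}"


def parse_purl(purl: str) -> tuple[str, str, str | None]:
    """Split a purl into (type, namespace/name, version); qualifiers (?...)
    and subpath (#...) are dropped. Version is None when absent."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[len("pkg:"):].split("?", 1)[0].split("#", 1)[0]
    ptype, _, rest = body.partition("/")
    name, _, version = rest.partition("@")
    return ptype, name, version or None


def build_snapshot(spdx: dict, source_location: str, sha: str, ref: str,
                   job_id: str, correlator: str = "build") -> dict:
    """Assemble a dependency submission API snapshot (version 0) in the shape
    the action logged, listing every SPDX package as a direct dependency."""
    resolved = {}
    for pkg in spdx.get("packages", []):
        purl = purl_from_spdx_package(pkg)
        resolved[purl] = {"package_url": purl, "relationship": "direct",
                          "dependencies": []}
    manifest_name = spdx.get("name", source_location)
    return {
        "version": 0,
        # Hypothetical detector identity; the real action fills in its own.
        "detector": {"name": "example-spdx-converter", "version": "0.0.0",
                     "url": "https://example.invalid/"},
        "job": {"correlator": correlator, "id": job_id},
        "sha": sha,
        "ref": ref,
        "scanned": datetime.now(timezone.utc).isoformat(),
        "manifests": {manifest_name: {
            "name": manifest_name,
            "file": {"source_location": source_location},
            "resolved": resolved,
        }},
    }


def dependabot_blind_spots(snapshot: dict) -> list[tuple[str, str]]:
    """List (purl, reason) for resolved entries that cannot produce alerts:
    a purl type with no advisory ecosystem, or no version to compare against
    a vulnerable range. Entries that pass both checks are omitted."""
    findings = []
    for manifest in snapshot["manifests"].values():
        for purl in manifest["resolved"]:
            ptype, _, version = parse_purl(purl)
            if ptype not in ALERTABLE_PURL_TYPES:
                findings.append((purl, f"purl type '{ptype}' has no advisory ecosystem"))
            elif version in (None, "undefined"):
                findings.append((purl, "no version to match against vulnerable ranges"))
    return findings


if __name__ == "__main__":
    snap = build_snapshot(
        SAMPLE_SPDX,
        "poky/build/tmp/deploy/images/oclea-cv25/oclea-image-oclea-cv25.spdx.json",
        "9e4e2051ed5882f2d5cfc876f974438bab7e2602", "refs/pull/56/merge",
        "8795676367")
    print(json.dumps(snap, indent=2))
    for purl, reason in dependabot_blind_spots(snap):
        print(f"NO ALERTS: {purl}: {reason}")
```

Run against the constructed document, the two `pkg:generic/...` entries are reported and `pkg:pypi/requests@2.31.0` is not, which matches the reply: the snapshot still lands in the Dependency graph tab, but only entries with a supported purl type and a concrete version can ever turn into Dependabot alerts.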