Open hellbent opened 2 years ago
What is the current status? Does it already work with the pedigree feature of CycloneDX? Or has someone already tried to pack it into a VEX file and attach it to the CycloneDX SBOM?
The current status is that the pedigree patches are not taken into account by DT. As a workaround I made a bbclass which generates both an SBOM and a VEX document, which are uploaded to DT by CI, and this works great.
Would you be comfortable sharing that class?
I would just like to ask if you would be so kind as to share the class with VEX generation with me as well. Could you perhaps share an example of a generated VEX file?
I have a working POC for this (using VEX), however currently blocked by https://github.com/bgnetworks/meta-dependencytrack/issues/4.
Right now a Yocto component may have a patch included in its recipe which addresses a CVE, yet Dependency-Track has no way of knowing and will still list it as being vulnerable. We should use the pedigree feature in CycloneDX to forward this information to DT as part of the BOM.
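The two approaches discussed in this thread, pedigree patches in the SBOM (the issue's proposal) and a separate VEX document (the workaround that DT actually consumes), can be produced from the same input. The following is an added example, not meta-dependencytrack's bbclass or anything posted by the participants: it reads the `CVE:` tag lines that Yocto's cve-check convention puts in patch headers, emits a CycloneDX 1.4 component whose `pedigree.patches[].resolves` names the CVEs, and emits a CycloneDX VEX whose `analysis.state` is `resolved_with_pedigree` for those CVEs. The patch headers, the component `libexample` and the CVE identifiers are constructed sample data (the CVE IDs are placeholders, not real advisories); the choice of `backport` as the patch type and `update` as the response is an assumption.

```python
"""Generate a CycloneDX SBOM with pedigree patches and a matching VEX document
from Yocto-style patch headers.

Added example; not the meta-dependencytrack code. All sample data below is constructed.
"""
import json
import re
from typing import Dict, List

# Yocto's cve-check convention: a patch header line "CVE: CVE-YYYY-NNNN [CVE-...]".
CVE_TAG_RE = re.compile(r"^CVE:((?:[ \t]+CVE-\d{4}-\d{4,})+)[ \t]*$", re.MULTILINE)
CVE_ID_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample input: patches as a hypothetical recipe "libexample" might list
# them in SRC_URI. CVE-2099-000x are placeholder identifiers, not real vulnerabilities.
SAMPLE_PATCHES: Dict[str, str] = {
    "0001-fix-buffer-overflow.patch": (
        "From: Maintainer <maintainer@example.com>\n"
        "Subject: [PATCH] parser: bound-check input length\n\n"
        "Upstream-Status: Backport\n"
        "CVE: CVE-2099-0001 CVE-2099-0002\n\n"
        "--- a/parser.c\n+++ b/parser.c\n@@ -1 +1 @@\n-old\n+new\n"
    ),
    "0002-build-fix.patch": (
        "Subject: [PATCH] build: fix cross-compile\n\n"
        "Upstream-Status: Inappropriate [oe-specific]\n\n"
        "--- a/Makefile\n+++ b/Makefile\n@@ -1 +1 @@\n-old\n+new\n"
    ),
}


def cves_from_patch(patch_text: str) -> List[str]:
    """Return the sorted, de-duplicated CVE IDs named on CVE: tag lines."""
    ids: List[str] = []
    for m in CVE_TAG_RE.finditer(patch_text):
        ids.extend(CVE_ID_RE.findall(m.group(1)))
    return sorted(set(ids))


def nvd_source(cve: str) -> dict:
    return {"name": "NVD", "url": f"https://nvd.nist.gov/vuln/detail/{cve}"}


def component_with_pedigree(name: str, version: str, patches: Dict[str, str]) -> dict:
    """Build a CycloneDX component; CVE-tagged patches become pedigree entries."""
    purl = f"pkg:generic/{name}@{version}"
    pedigree_patches = []
    for fname, text in sorted(patches.items()):
        cves = cves_from_patch(text)
        if not cves:
            continue  # non-security patches carry no CVE tag; nothing for DT to suppress
        pedigree_patches.append({
            "type": "backport",  # assumption: CVE fixes in recipes are usually backports
            "diff": {"text": {"contentType": "text/x-diff", "content": text}},
            "resolves": [{"type": "security", "id": c, "source": nvd_source(c)} for c in cves],
        })
    comp = {"type": "library", "bom-ref": purl, "name": name, "version": version, "purl": purl}
    if pedigree_patches:
        comp["pedigree"] = {"patches": pedigree_patches}
    return comp


def build_sbom(components: List[dict]) -> dict:
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": components}


def build_vex(components: List[dict]) -> dict:
    """Derive a VEX from the pedigree data: each resolved CVE is marked as fixed."""
    affected: Dict[str, List[str]] = {}  # CVE id -> bom-refs of components that carry a fix
    for comp in components:
        for patch in comp.get("pedigree", {}).get("patches", []):
            for issue in patch.get("resolves", []):
                if issue.get("type") == "security":
                    affected.setdefault(issue["id"], []).append(comp["bom-ref"])
    vulns = []
    for cve in sorted(affected):
        vulns.append({
            "id": cve,
            "source": nvd_source(cve),
            "analysis": {
                "state": "resolved_with_pedigree",  # evidence is the patch in the SBOM pedigree
                "response": ["update"],
                "detail": "Fixed by a patch applied in the recipe; see the component pedigree in the SBOM.",
            },
            "affects": [{"ref": ref} for ref in sorted(set(affected[cve]))],
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "vulnerabilities": vulns}


if __name__ == "__main__":
    comps = [component_with_pedigree("libexample", "1.2.3", SAMPLE_PATCHES)]
    print(json.dumps(build_sbom(comps), indent=2))
    print(json.dumps(build_vex(comps), indent=2))
```

In the workflow described in the thread the SBOM would be uploaded as the project's BOM and the VEX through Dependency-Track's VEX upload API; the upload itself is not shown here. A patch without a `CVE:` tag is deliberately left out of the pedigree, so a fix that is not tagged will still show up as vulnerable in DT, which is the same blind spot the tag convention exists to close.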