Open vasba opened 2 years ago
Try to build now. The correct license structure was not reflected in the code and I fixed it with force push.
Great catch!
Heads up: The license is per recipe and we plan, in time, to maybe change the code to collect them per package. There are some recipes in the new version of yocto/oe containing packages with banned licenses. It is good to enlighten the user so they can skip only packages from a recipe and not the entire recipe.
Dependency-Track still doesn't show the licenses. Maybe it will with the planned change you mentioned.
I have added a comment in this pull request:
https://github.com/bgnetworks/meta-dependencytrack/pull/3/files#r912663994
Can you please check the resulting SBOM as per comment?
In the SBOM it looks like this:
```json
{
  "name": "libevdev",
  "version": "1.12.1",
  "cpe": "cpe:2.3:a::libevdev:1.12.1:::::::",
  "licenses": [
    {
      "license": {
        "name": "MIT",
        "text": {
          "contentType": "text/plain",
          "content": "\nMIT License\n\nCopyright (c)
```
Hi!
Sorry for the late response. It seems to be an issue when both a license id and a license expression show up in the SBOM.
One temporary solution is to exclude expression.
This was reported here: DependencyTrack/dependency-track#2226
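As an added illustration of the condition vasba describes (not code from the thread or from meta-dependencytrack): a small check that finds components whose CycloneDX `licenses` array mixes `license` objects with an `expression` entry, plus the temporary workaround of dropping the expression. The SBOM content is constructed for the example.

```python
import json

# Constructed sample: a CycloneDX-style document in which one component mixes
# a named license object with an SPDX expression in the same "licenses" array.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "libevdev", "version": "1.12.1",
         "licenses": [{"license": {"name": "MIT"}},
                      {"expression": "MIT"}]},
        {"name": "busybox", "version": "1.35.0",
         "licenses": [{"license": {"id": "GPL-2.0-only"}}]},
        {"name": "zlib", "version": "1.2.12",
         "licenses": [{"expression": "Zlib"}]},
    ],
})


def _is_mixed(entries):
    """True when a licenses array holds both 'license' objects and
    'expression' entries; CycloneDX allows one form or the other, not both."""
    has_obj = any("license" in e for e in entries)
    has_expr = any("expression" in e for e in entries)
    return has_obj and has_expr


def find_mixed_license_components(sbom_json):
    """Return the names of components whose licenses array is mixed."""
    bom = json.loads(sbom_json)
    return [c["name"] for c in bom.get("components", [])
            if _is_mixed(c.get("licenses", []))]


def drop_expressions_when_mixed(sbom_json):
    """Workaround from the thread: for mixed components keep the license
    objects and drop the expression entries. Returns the rewritten JSON."""
    bom = json.loads(sbom_json)
    for comp in bom.get("components", []):
        entries = comp.get("licenses", [])
        if _is_mixed(entries):
            comp["licenses"] = [e for e in entries if "license" in e]
    return json.dumps(bom, indent=2)


if __name__ == "__main__":
    print("mixed:", find_mixed_license_components(SAMPLE_SBOM))
    fixed = drop_expressions_when_mixed(SAMPLE_SBOM)
    print("after workaround:", find_mixed_license_components(fixed))
```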
Hi vasba, thank you for your response. When you comment the expression line out it works fine. But I have another problem now. Do you know how I can get the status information about which CVE is already patched in the yocto build process into Dependency-Track?
@xRate1337 I assume that you mean that you patched the recipe yourself but the CVE still shows up.
In this case the version will be the same, so you will just have to audit the CVE in Dependency-Track. I am not aware of any standard that programmatically informs you that the applied patch fixes the CVE.
The licenses are in the SBOM now, but if I upload it to Dependency-Track they are still missing. Does yours work?