jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Connecting dependency-check with cyclone-dx #6432

Open Yaytay opened 9 months ago

Yaytay commented 9 months ago

Hi,

We use dependency-check for build-time dependency checks, and then use the cyclone-dx maven plugin to produce SBOMs that go to dependency track for ongoing dependency checks. Unfortunately this results in a duplication of work to suppress false positives (typically "Not Affected" analyses in cyclone-dx terminology) - both in the suppressions file for dependency check and in the UI for DTrack.

I don't think there is currently any way around this, so my question really is whether there has been any thought about connecting the cyclone-dx SBOMs with the work done by the dependency checker? At one extreme this could be a single plugin that does the work of both, or it could be either plugin reading the suppression file and writing it to the SBOM.

Thanks

Jim
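One shape the "plugin reading the suppression file and writing it to the SBOM" idea could take, as an added Python example that is not from this issue or from the dependency-check or CycloneDX projects: it maps each dependency-check `<suppress>` entry that carries a `<packageUrl>` and `<cve>` onto a CycloneDX `vulnerabilities` entry with `analysis.state` of `not_affected`, which is the analysis Dependency-Track would otherwise be told by hand. The suppression file, CVE id and package URLs are constructed placeholders, and it assumes the BOM's component `bom-ref` values equal their purls.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of the dependency-check suppression schema (1.3 XSD).
NS = {"s": "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"}

# Constructed sample suppression file; the CVE id and package URL are placeholders.
SUPPRESSIONS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes>Vulnerable code path is never reached by this application.</notes>
    <packageUrl regex="true">^pkg:maven/org\\.example/example-lib@.*$</packageUrl>
    <cve>CVE-0000-0001</cve>
  </suppress>
</suppressions>
"""

def suppressions_to_vex(xml_text, component_purls):
    """Map each <suppress> carrying a <packageUrl> and <cve> elements onto CycloneDX
    'vulnerabilities' entries with analysis.state = not_affected (assumes the BOM's
    component bom-refs are their purls, so affects.ref can point at them)."""
    vulns = []
    for sup in ET.fromstring(xml_text).findall("s:suppress", NS):
        purl_el = sup.find("s:packageUrl", NS)
        if purl_el is None or not purl_el.text:
            continue  # cpe/sha1/filePath-based suppressions stay in the suppression file
        target = purl_el.text.strip()
        if purl_el.get("regex") == "true":
            refs = [p for p in component_purls if re.match(target, p)]
        else:
            refs = [p for p in component_purls if p == target]
        if not refs:
            continue  # this suppression matches nothing in the BOM
        notes = sup.findtext("s:notes", default="", namespaces=NS).strip()
        for cve in sup.findall("s:cve", NS):
            vulns.append({"id": cve.text.strip(),
                          "analysis": {"state": "not_affected", "detail": notes},
                          "affects": [{"ref": r} for r in refs]})
    return vulns

def attach_to_bom(bom, xml_text):
    """Return a copy of a CycloneDX JSON BOM (as a dict) with the derived entries appended."""
    purls = [c["purl"] for c in bom.get("components", []) if "purl" in c]
    derived = suppressions_to_vex(xml_text, purls)
    return {**bom, "vulnerabilities": bom.get("vulnerabilities", []) + derived}
```

Suppressions keyed on CPE, sha1 or file path have no purl to attach to, so they are deliberately left in the suppression file rather than guessed at.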

marcelstoer commented 2 months ago

Related to #5947.