On 3 Mar 2024, at 10:09, Jörg Sommer via lists.yoctoproject.org <joerg.sommer=navimatix...@lists.yoctoproject.org> wrote:

> does anyone use DependencyTrack https://dependencytrack.org/ to analyse CVE
> vulnerabilities? I've created a script to convert the spdx.tar.zst to a
> CycloneDX JSON and upload this to DependencyTrack. But I'm having the problem
> that CVEs fixed in Yocto by patches are not reflected in the spdx. There is
> the sourceInfo field that lists fixed CVEs, but I don't know how to encode
> this in CycloneDX. How is this done with SPDX? Does anyone do CVE analysis
> with SPDX?
This is something that's being actively worked on. In the meantime, if you're transforming the SPDX into CycloneDX then I suggest that you also read the cve-checker JSON output too, which contains information about what CVEs have been resolved via patches.

Ross
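Ross's suggestion, as an added example that is not from the thread or from the Yocto project: a Python sketch that folds the cve-check JSON report into the converter's CycloneDX document as a `vulnerabilities` array with an `analysis.state` per CVE, which is the CycloneDX (1.4+) way to carry "fixed by a backported patch" information that a plain component list cannot express. The mapping from cve-check status values to CycloneDX analysis states, the sample report and the sample BOM are assumptions constructed here.

```python
# Assumed mapping from cve-check's issue status to a CycloneDX (1.4+) analysis.state.
STATUS_TO_STATE = {"Patched": "resolved", "Ignored": "not_affected", "Unpatched": "in_triage"}

# Constructed cve-check JSON report in the shape Yocto's cve-check class writes;
# the CVE ids and links are placeholders, not real vulnerabilities.
SAMPLE_CVE_CHECK = {
    "version": "1",
    "package": [{
        "name": "zlib", "layer": "meta", "version": "1.2.13",
        "issue": [
            {"id": "CVE-0000-0001", "status": "Patched", "link": "https://example.invalid/CVE-0000-0001"},
            {"id": "CVE-0000-0002", "status": "Ignored", "link": "https://example.invalid/CVE-0000-0002"},
            {"id": "CVE-0000-0003", "status": "Unpatched", "link": "https://example.invalid/CVE-0000-0003"},
        ],
    }, {"name": "not-in-bom", "version": "1", "issue": [{"id": "CVE-0000-0004", "status": "Patched"}]}],
}

# Constructed minimal CycloneDX BOM, as a converter script would emit it before enrichment.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [{"type": "library", "name": "zlib", "version": "1.2.13",
                    "bom-ref": "pkg:generic/zlib@1.2.13"}],
}

def cve_check_to_vulnerabilities(report, bom_refs):
    """Build CycloneDX 'vulnerabilities' entries from cve-check issues.

    bom_refs maps recipe name -> bom-ref, so each entry's 'affects' points at the
    component it belongs to; issues for recipes absent from the BOM are dropped.
    """
    vulns = []
    for pkg in report.get("package", []):
        ref = bom_refs.get(pkg["name"])
        if ref is None:
            continue  # nothing in the BOM to attach this recipe's CVEs to
        for issue in pkg.get("issue", []):
            state = STATUS_TO_STATE.get(issue.get("status"))
            if state is None:
                continue  # unknown status: do not guess an analysis state
            vulns.append({
                "id": issue["id"],
                "source": {"url": issue.get("link", "")},
                "analysis": {"state": state, "detail": f"cve-check status: {issue['status']}"},
                "affects": [{"ref": ref}],
            })
    return vulns

def merge_cve_check(bom, report):
    """Return a copy of bom carrying a 'vulnerabilities' array derived from the cve-check report."""
    refs = {c["name"]: c["bom-ref"] for c in bom.get("components", []) if "bom-ref" in c}
    return {**bom, "vulnerabilities": cve_check_to_vulnerabilities(report, refs)}
```

Once the report is merged, uploading the resulting document lets DependencyTrack see the patched CVEs as resolved rather than re-flagging them from the bare component versions.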
View/Reply Online (#62661): https://lists.yoctoproject.org/g/yocto/message/62661