On Wed, Jul 24, 2024 at 7:08 AM Tom Isaacson via lists.yoctoproject.org <thomas.isaacson=motorolasolutions....@lists.yoctoproject.org> wrote:
> We're using Kirkstone and wanted to take advantage of the SPDX support
> to use for dependency checking. The two apps we have access to are:
> 1. Github Dependabot
> (https://docs.github.com/en/code-security/getting-started/dependabot-quickstart-guide)
> 2. Mend (https://www.mend.io/)
>
> We generate the SPDX in a Github Action then tried uploading it using:
> * https://github.com/marketplace/actions/spdx-dependency-submission-action
> * https://pypi.org/project/mend-import-sbom/
> but so far we haven't been able to get it to work. Has anyone else tried
> this?
>

It will work if you submit individual SPDX files for packages (in most cases). The aggregation done by the YP is non-standard and tools have difficulties parsing it. It should also be better with SPDX 3, but it looks like (from the documentation) that those two tools do not support 3.0 yet.

Kind regards,
Marta
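The reply above suggests submitting the per-package SPDX documents one at a time rather than the aggregated output. The script below is an added example, not code from this thread or from the Yocto Project: it triages a directory of SPDX 2.x JSON documents, reports which ones are self-contained and which carry cross-document links (the standard `externalDocumentRefs` field plus `DocumentRef-...:SPDXRef-...` relationship targets, which single-document consumers commonly reject), and can strip those links to produce a standalone copy. It assumes the per-recipe files are plain SPDX 2.2/2.3 JSON named `*.spdx.json`; the directory layout, the two sample documents and the `example.invalid` namespaces are constructed for illustration and are not real Yocto output.

```python
"""Triage SPDX 2.x JSON documents before uploading them individually.

Added example; assumes plain SPDX 2.2/2.3 JSON per recipe and that links
between documents use the standard externalDocumentRefs mechanism.
"""
import json
from pathlib import Path

# Top-level fields every SPDX 2.2/2.3 JSON document must carry.
REQUIRED_FIELDS = ("spdxVersion", "dataLicense", "SPDXID", "name",
                   "documentNamespace", "creationInfo")
SUPPORTED_VERSIONS = ("SPDX-2.2", "SPDX-2.3")


def _is_cross_document(element_id: str) -> bool:
    """IDs of the form 'DocumentRef-<id>:SPDXRef-<id>' point into another document."""
    return element_id.startswith("DocumentRef-") and ":" in element_id


def check_document(doc: dict) -> dict:
    """Summarise whether one SPDX 2.x JSON document can be submitted on its own."""
    missing = [f for f in REQUIRED_FIELDS if f not in doc]
    ext_refs = [r.get("externalDocumentId", "?") for r in doc.get("externalDocumentRefs", [])]
    cross_rels = [
        rel for rel in doc.get("relationships", [])
        if _is_cross_document(rel.get("spdxElementId", ""))
        or _is_cross_document(rel.get("relatedSpdxElement", ""))
    ]
    return {
        "name": doc.get("name"),
        "version_ok": doc.get("spdxVersion") in SUPPORTED_VERSIONS,
        "missing_fields": missing,
        "packages": len(doc.get("packages", [])),
        "external_documents": ext_refs,
        "cross_document_relationships": len(cross_rels),
        "standalone": not missing and not ext_refs and not cross_rels,
    }


def make_standalone(doc: dict) -> dict:
    """Return a copy with cross-document links removed.

    Caveat: this drops dependency edges to other recipes' documents; the
    package inventory of this document itself is kept intact.
    """
    out = json.loads(json.dumps(doc))  # deep copy, original untouched
    out.pop("externalDocumentRefs", None)
    out["relationships"] = [
        rel for rel in out.get("relationships", [])
        if not _is_cross_document(rel.get("spdxElementId", ""))
        and not _is_cross_document(rel.get("relatedSpdxElement", ""))
    ]
    return out


def triage_directory(spdx_dir, pattern="*.spdx.json") -> dict:
    """Check every document matching pattern under spdx_dir; returns {path: summary}."""
    results = {}
    for path in sorted(Path(spdx_dir).glob(pattern)):
        with open(path, encoding="utf-8") as fh:
            results[str(path)] = check_document(json.load(fh))
    return results


# Constructed sample documents (not real Yocto output): one self-contained
# package document and one that links to another document the way an
# aggregated or index document does.
SAMPLE_STANDALONE = {
    "spdxVersion": "SPDX-2.2", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
    "name": "zlib", "documentNamespace": "http://example.invalid/spdxdocs/zlib-1.2.11",
    "creationInfo": {"created": "2024-07-24T00:00:00Z", "creators": ["Tool: example"]},
    "packages": [{"SPDXID": "SPDXRef-zlib", "name": "zlib", "versionInfo": "1.2.11",
                  "downloadLocation": "NOASSERTION"}],
    "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
                       "relatedSpdxElement": "SPDXRef-zlib"}],
}
SAMPLE_LINKED = {
    "spdxVersion": "SPDX-2.2", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
    "name": "openssl", "documentNamespace": "http://example.invalid/spdxdocs/openssl-3.0",
    "creationInfo": {"created": "2024-07-24T00:00:00Z", "creators": ["Tool: example"]},
    "externalDocumentRefs": [{"externalDocumentId": "DocumentRef-zlib",
                              "spdxDocument": "http://example.invalid/spdxdocs/zlib-1.2.11",
                              "checksum": {"algorithm": "SHA1", "checksumValue": "0" * 40}}],
    "packages": [{"SPDXID": "SPDXRef-openssl", "name": "openssl", "versionInfo": "3.0.0",
                  "downloadLocation": "NOASSERTION"}],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-openssl"},
        {"spdxElementId": "SPDXRef-openssl", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "DocumentRef-zlib:SPDXRef-zlib"},
    ],
}

if __name__ == "__main__":
    for doc in (SAMPLE_STANDALONE, SAMPLE_LINKED):
        print(json.dumps(check_document(doc), indent=2))
    print(json.dumps(check_document(make_standalone(SAMPLE_LINKED)), indent=2))
```

Run `triage_directory()` against the directory holding the per-recipe files and upload only the documents reported as `standalone`; for the rest, decide whether the dependency edges matter to the consumer before using `make_standalone()`, since the stripped copy no longer records which other document a package depends on.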
View/Reply Online (#63566): https://lists.yoctoproject.org/g/yocto/message/63566