
CBOM: Add CycloneDX v1.6 support for cryptographic assets

Open stevespringett opened this issue 2 years ago • 1 comments

Current Behavior

Currently, Dependency-Track does not support cryptographic assets.

Proposed Behavior

Add support for cryptographic assets and their dependencies once CycloneDX v1.6 is released.

  • Display cryptographic assets in inventory
  • Display cryptographic assets in dependency graph
  • Display cryptographic-specific fields in component view and modal dialogs
  • Add support for dependency types (display on dependency graph)

NOTE: May be able to reach out to IBM Quantum for a git patch or PR, as they've performed an internal fork of DT that adds support for some of these things already.


stevespringett avatar Oct 26 '23 18:10 stevespringett

@stevespringett @VinodAnandan could you assign this issue to me, would like to work on it.

FYI @san-zrl

n1ckl0sk0rtge avatar Jun 11 '24 06:06 n1ckl0sk0rtge

@n1ckl0sk0rtge do you have any ETA on that feature being implemented ?

dshafranskiy-r7 avatar Jan 22 '25 09:01 dshafranskiy-r7

Hi @dshafranskiy-r7, not yet, but we are working on it, see

Together with the Dependency Track maintainers, we decided to implement this feature for Dependency Track 5.x.

n1ckl0sk0rtge avatar Jan 23 '25 08:01 n1ckl0sk0rtge

Will this make it into Track 5 or do you think it will be pushed out?

dstuart avatar Oct 08 '25 09:10 dstuart

@dstuart - Without additional work they will probably be pushed out. When we submitted the PRs, two issues were criticised.

  1. CBOM UI: Cryptographic properties should be read-only. DT is a tool for authoring SBOMs and thus all SBOM properties (licenses etc.) can be modified via the UI. Since we extended the UI based on the existing widgets, CBOM data is also editable. This is error-prone, and it should not be possible to manually change the cryptographic posture of packages.
  2. Backend: CycloneDX CBOMs may contain many properties of type bom-ref. These are unique identifiers that represent references to other components of the BOM. Examples of such bom-refs are the links to the signature algorithm and the subject’s public key in certificate properties. The internal data model keeps them in their UUID-based raw form and does not resolve them to pointers to the CBOM object they refer to. This also shines through in the UI.

san-zrl avatar Oct 08 '25 10:10 san-zrl
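As an added example (not code from this issue or from Dependency-Track), the resolution step the second point describes: walk a CycloneDX 1.6 CBOM, map each raw bom-ref found inside cryptoProperties to the component it names, and report references that point at nothing. The field names (cryptoProperties, certificateProperties, signatureAlgorithmRef, subjectPublicKeyRef, algorithmRef) follow the CycloneDX 1.6 schema; the sample BOM and its bom-ref values are constructed for this example.

```python
import json

# Constructed CycloneDX 1.6 CBOM (not from the issue): a certificate whose
# certificateProperties reference its signature algorithm and subject public
# key by bom-ref; the key reference is deliberately dangling.
CBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.6", "components": [
  {"type": "cryptographic-asset", "bom-ref": "crypto/algorithm/rsa-pss-sha256",
   "name": "RSASSA-PSS with SHA-256", "cryptoProperties": {"assetType": "algorithm",
   "algorithmProperties": {"primitive": "signature"}}},
  {"type": "cryptographic-asset", "bom-ref": "crypto/key/rsa-3072-pub",
   "name": "RSA-3072 public key", "cryptoProperties": {
     "assetType": "related-crypto-material", "relatedCryptoMaterialProperties": {
       "type": "public-key", "algorithmRef": "crypto/algorithm/rsa-pss-sha256"}}},
  {"type": "cryptographic-asset", "bom-ref": "crypto/certificate/leaf",
   "name": "example.test leaf certificate", "cryptoProperties": {
     "assetType": "certificate", "certificateProperties": {
       "subjectName": "CN=example.test",
       "signatureAlgorithmRef": "crypto/algorithm/rsa-pss-sha256",
       "subjectPublicKeyRef": "crypto/key/missing"}}}]}"""

# cryptoProperties fields whose value is a bom-ref (CycloneDX 1.6 field names)
REF_FIELDS = ("algorithmRef", "signatureAlgorithmRef", "subjectPublicKeyRef")

def _walk_refs(node, path=""):
    """Yield (dotted field path, bom-ref) for every ref field below node."""
    if isinstance(node, dict):
        for key, value in node.items():
            sub = f"{path}.{key}" if path else key
            if key in REF_FIELDS and isinstance(value, str):
                yield sub, value
            else:
                yield from _walk_refs(value, sub)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from _walk_refs(item, f"{path}[{i}]")

def resolve_crypto_refs(bom_text):
    """Resolve every bom-ref in cryptoProperties; return (resolved, dangling)."""
    # resolved["<bom-ref>.<field path>"] -> target name; dangling: (source, field, target)
    bom = json.loads(bom_text)
    by_ref = {c["bom-ref"]: c for c in bom.get("components", []) if "bom-ref" in c}
    resolved, dangling = {}, []
    for comp in by_ref.values():
        for field, target in _walk_refs(comp.get("cryptoProperties", {})):
            if target in by_ref:
                resolved[f"{comp['bom-ref']}.{field}"] = by_ref[target]["name"]
            else:
                dangling.append((comp["bom-ref"], field, target))
    return resolved, dangling
```

A dangling entry is exactly the case a UI that displays raw UUIDs cannot distinguish from a valid link, which is why resolution belongs in the data model rather than the view.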

Thanks @san-zrl,

Ok, I might apply the patches to a 5 instance and have a play, as neither of the two items above seems like a blocker for my use case, and I might be able to help out in some way (even if it's just testing).

Thanks for your (and others') work on this; it is very valuable in supporting our Y2Q efforts.

dstuart avatar Oct 08 '25 10:10 dstuart