
Add Conan repository support for C++ projects

Open robertlagrant opened this issue 1 year ago • 2 comments

Current Behavior

Currently there is no apparent repository support for C++.

Proposed Behavior

Support for adding a Conan repository that links C++ SBOMs generated via Conan to live vulnerability and dependency staleness information.

robertlagrant avatar Jul 30 '24 13:07 robertlagrant

I generated an SBOM with https://github.com/conan-io/conan-extensions/blob/main/extensions/commands/sbom/cmd_cyclonedx.py and some example packages; it was fully compatible with the latest Dependency-Track and showed me various vulnerabilities.

What exactly is not working for you? Can you provide an example SBOM which is not working as expected and point out what you would expect?

shoeffner avatar Aug 01 '24 11:08 shoeffner

Some notes:

  • The canonical repository for Conan appears to be ConanCenter: https://conan.io/center
  • On first look I haven't seen a public API for ConanCenter

@shoeffner This issue is primarily for the latest version check. While vulnerability analysis for Conan is supported via OSS Index, DT currently has no way to fetch package metadata, such as the latest available version.

nscuro avatar Aug 01 '24 11:08 nscuro
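As an added example (not Dependency-Track or conan-extensions code), this is the shape of the "latest version" staleness check nscuro describes, run over a constructed CycloneDX SBOM carrying `pkg:conan` purls. Since the thread identifies no public ConanCenter API, `LATEST_INDEX` is a constructed stand-in for the metadata a repository analyzer would fetch.

```python
import json
from urllib.parse import parse_qs, unquote

# Constructed CycloneDX SBOM fragment in the shape the conan-extensions
# sbom:cyclonedx command emits; names and versions are made up for this example.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "zlib",    "version": "1.2.13", "purl": "pkg:conan/zlib@1.2.13"},
    {"type": "library", "name": "openssl", "version": "3.1.1",  "purl": "pkg:conan/openssl@3.1.1"},
    {"type": "library", "name": "mylib",   "version": "0.4.0",
     "purl": "pkg:conan/mylib@0.4.0?user=acme&channel=stable"}
  ]
}
"""

# Constructed stand-in for repository metadata (no public ConanCenter API is known here).
LATEST_INDEX = {"zlib": "1.3.1", "openssl": "3.2.1"}


def parse_conan_purl(purl):
    """Split a pkg:conan purl into (name, version, qualifiers); None for other types."""
    if not purl.startswith("pkg:conan/"):
        return None
    path, _, query = purl[len("pkg:conan/"):].partition("?")
    path = path.split("#", 1)[0]                 # drop any subpath
    name_part, sep, version = path.partition("@")
    name = unquote(name_part.rsplit("/", 1)[-1])  # drop namespace if present
    qualifiers = {k: v[0] for k, v in parse_qs(query).items()}
    return name, (unquote(version) if sep else None), qualifiers


def version_key(v):
    """Numeric-aware ordering for dotted versions; non-numeric parts sort after numbers."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.split("."))


def find_stale(sbom_json, latest_index):
    """Return [(name, current, latest)] for conan components behind the index."""
    stale = []
    for comp in json.loads(sbom_json).get("components", []):
        parsed = parse_conan_purl(comp.get("purl", ""))
        if parsed is None:
            continue
        name, version, _ = parsed
        latest = latest_index.get(name)
        if version and latest and version_key(latest) > version_key(version):
            stale.append((name, version, latest))
    return stale
```

Components whose name is absent from the index (here `mylib`, a private user/channel package) are skipped rather than reported, which is the gap the issue asks Dependency-Track to close for public Conan packages.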