
Add license info

Open vasba opened this issue 3 years ago • 8 comments

vasba, Jun 13 '22 07:06

The licenses are in the SBOM now but if I upload it to Dependency-Track it's still missing. Does yours work?

xRate1337, Jun 30 '22 11:06

Try to build now. The correct license structure was not reflected in the code and I fixed it with force push.

Great catch!

Heads up: The license is per recipe and we plan to maybe change the code in time to collect them per package. There are some recipes in new versions of yocto/oe containing packages with banned licenses. It is good to enlighten the user in order to skip only packages from a recipe and not the entire recipe.

vasba, Jun 30 '22 12:06

Dependency-Track still doesn't show the licenses. Maybe it will with the planned change you mentioned.

xRate1337, Jul 01 '22 13:07

I have added a comment in this pull request:

https://github.com/bgnetworks/meta-dependencytrack/pull/3/files#r912663994

Can you please check the resulting SBOM as per comment?

vasba, Jul 04 '22 06:07

In the SBOM it looks like this (the component entry, with the inner quotes of the license text escaped as they are in the actual JSON):

```json
{
  "name": "libevdev",
  "version": "1.12.1",
  "cpe": "cpe:2.3:a::libevdev:1.12.1:::::::",
  "licenses": [
    {
      "license": {
        "name": "MIT",
        "text": {
          "contentType": "text/plain",
          "content": "\nMIT License\n\nCopyright (c) \n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in\nall copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN\nTHE SOFTWARE.\n\n"
        }
      }
    },
    { "expression": "MIT" }
  ]
},
```

xRate1337, Jul 05 '22 11:07

Hi!

Sorry for the late response. It seems to be an issue when both the license id and the license expression show up in the SBOM.

One temporary solution is to exclude expression.

This was reported here: DependencyTrack/dependency-track#2226

vasba, Dec 13 '22 13:12
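The temporary workaround described in the comment above (leave out the `expression` entry when a `license` object is already present in the same `licenses` array) as an added post-processing script for an existing CycloneDX JSON SBOM. This is example code, not part of meta-dependencytrack; `SAMPLE_SBOM` is a constructed input that mirrors the libevdev component quoted earlier in the thread, with the license text shortened.

```python
import json
import sys
from copy import deepcopy

# Constructed sample: one component with both a license object and an
# expression (the case Dependency-Track did not display), one with only an
# expression, and one with no license data at all.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {
            "name": "libevdev",
            "version": "1.12.1",
            "licenses": [
                {"license": {"name": "MIT",
                             "text": {"contentType": "text/plain",
                                      "content": "MIT License ..."}}},
                {"expression": "MIT"},
            ],
        },
        {"name": "expr-only", "version": "0.1",
         "licenses": [{"expression": "GPL-2.0-only OR MIT"}]},
        {"name": "no-license", "version": "2.0"},
    ],
}


def strip_redundant_expressions(sbom):
    """Return (copy of sbom, number of components changed).

    For every component whose `licenses` array holds both a `license` object
    and an `expression` entry, drop the `expression` entries. Components that
    carry only an expression are left untouched so no license data is lost."""
    out = deepcopy(sbom)
    changed = 0
    for comp in out.get("components", []):
        lics = comp.get("licenses") or []
        has_obj = any("license" in entry for entry in lics)
        has_expr = any("expression" in entry for entry in lics)
        if has_obj and has_expr:
            comp["licenses"] = [e for e in lics if "license" in e]
            changed += 1
    return out, changed


def fix_file(path_in, path_out):
    """Rewrite an SBOM file on disk; returns the number of components changed."""
    with open(path_in) as fh:
        sbom = json.load(fh)
    fixed, changed = strip_redundant_expressions(sbom)
    with open(path_out, "w") as fh:
        json.dump(fixed, fh, indent=2)
    return changed


if __name__ == "__main__":
    print(fix_file(sys.argv[1], sys.argv[2]))
```

Run it as `python fix_sbom.py bom.json bom-fixed.json` before uploading to Dependency-Track; the original file is left unchanged.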

Hi vasba, thank you for your response. When you comment the expression line out it works fine. But I have another problem now. Do you know how I can get the status information about which CVE is already patched in the yocto build process into Dependency-Track?

xRate1337, Dec 15 '22 16:12

@xRate1337 I assume that you mean that you patched the recipe yourself but the CVE still shows up.

In this case the version will be the same so you will just have to audit the CVE in Dependency-Track. I am not aware of any standard that programmatically informs you that the applied patch fixes the CVE.

vasba, Dec 20 '22 11:12