
Add license info #3

Open
vasba wants to merge 2 commits into bgnetworks:main from vasba:add-license-info

Conversation

vasba commented Jun 13, 2022

No description provided.

@xRate1337


The licenses are in the sbom now but if I upload it to dependencytrack it's still missing. Does yours work?

vasba force-pushed the add-license-info branch from e96e0dc to b8568a0 on June 30, 2022 12:16

vasba (Author) commented Jun 30, 2022

Try to build now. The correct license structure was not reflected in the code and I fixed it with force push.

Great catch!

Heads up: The license is per recipe, and we plan, in time, to maybe change the code to collect them per package. There are some recipes in new versions of yocto/oe containing packages with banned licenses. It is good to enlighten the user in order to skip only packages from a recipe and not the entire recipe.

@xRate1337

Dependency-Track still doesn't show the licenses. Maybe it will with the planned changes you mentioned.

```python
        }
        # excerpt from the PR diff: attach the per-recipe licenses to the component entry
        license_json = get_licenses(d)
        if license_json:
            component_json["licenses"] = license_json
```

vasba (Author):

This line gives a structure like

```json
"licenses": [
  {
    "license": {
```

according to

https://cyclonedx.org/use-cases/#license-compliance

Can you check if you have this structure in the SBOM?

xRate1337:

It's in the right structure, or I don't see the failure myself. But Dependency-Track still doesn't show the licenses if I upload the SBOM to the API.

xRate1337:

I tried this:

```python
# update it with the new package info
# (name, version, license and sbom come from the surrounding bitbake task)
names = name.split()
for index, cpe in enumerate(oe.cve_check.get_cpe_ids(name, version)):
    bb.debug(2, f"Collecting package {name}@{version} ({cpe})")
    if not next((c for c in sbom["components"] if c["cpe"] == cpe), None):
        sbom["components"].append({
            "name": names[index],
            "version": version,
            "cpe": cpe,
            "licenses": [
                {
                    "license": {
                        "id": license
                    }
                }
            ]
        })
```

before your last update and it shows like 50% of the licenses.

xRate1337:

I guess the missing licenses are the ones which have more than one license.

vasba (Author) commented Jul 4, 2022

I have added a comment in this pull request

https://github.com/bgnetworks/meta-dependencytrack/pull/3/files#r912663994

Can you please check the resulting SBOM as per comment?

@xRate1337

In the SBOM it looks like this:

```json
{
  "name": "libevdev",
  "version": "1.12.1",
  "cpe": "cpe:2.3:a::libevdev:1.12.1:::::::",
  "licenses": [
    {
      "license": {
        "name": "MIT",
        "text": {
          "contentType": "text/plain",
          "content": "\nMIT License\n\nCopyright (c) \n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in\nall copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN\nTHE SOFTWARE.\n\n"
        }
      }
    },
    {
      "expression": "MIT"
    }
  ]
},
```

vasba (Author) commented Dec 13, 2022

Hi!

Sorry for the late response. It seems to be an issue when both a license id and a license expression show up in the SBOM.

One temporary solution is to exclude expression.

This was reported here: DependencyTrack/dependency-track#2226
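The two symptoms in this thread (multi-license recipes dropping out of Dependency-Track, and a component carrying both a `license` object and an `expression` side by side) come from how the CycloneDX `licenses` array is shaped. The script below is an added example, not code from meta-dependencytrack or from either participant. It assumes a Yocto-style `LICENSE` string using `&` and `|` operators, a small constructed set of SPDX identifiers, and it builds one component entry the way the spec's license-compliance use case lays it out: a single license becomes one `license` object, a compound license becomes either one `expression` or a list of `license` objects, never both. It also includes a checker that flags the mixed shape shown in the SBOM excerpt above.

```python
"""Added example: build and check CycloneDX component license entries
from a Yocto-style LICENSE string. Not part of meta-dependencytrack."""
import json
import re
from typing import Dict, List

# Constructed lookup of SPDX identifiers this example recognises.
# Assumption: anything not listed is emitted as a license "name", not an "id".
KNOWN_SPDX_IDS = {
    "MIT", "Apache-2.0", "BSD-3-Clause",
    "GPL-2.0-only", "GPL-2.0-or-later", "LGPL-2.1-only",
}

# Constructed replica of the shape from the thread: a "license" object and an
# "expression" in the same array, which Dependency-Track did not accept.
THREAD_SHAPE = [{"license": {"name": "MIT"}}, {"expression": "MIT"}]


def split_licenses(license_str: str) -> List[str]:
    """Return the individual license names in a Yocto LICENSE string
    ("&" and "|" are the operators; parentheses group)."""
    return [tok.strip() for tok in re.split(r"[&|()]", license_str) if tok.strip()]


def yocto_to_spdx_expression(license_str: str) -> str:
    """Translate Yocto operators to an SPDX expression (& -> AND, | -> OR)."""
    expr = license_str.replace("&", " AND ").replace("|", " OR ")
    return re.sub(r"\s+", " ", expr).strip()


def single_license_entry(identifier: str) -> Dict:
    """One CycloneDX license object, with exactly one of 'id' or 'name'."""
    key = "id" if identifier in KNOWN_SPDX_IDS else "name"
    return {"license": {key: identifier}}


def build_licenses(license_str: str, mode: str = "expression") -> List[Dict]:
    """Build the 'licenses' array for a component.

    A single license becomes one license object. A compound license becomes
    EITHER one expression (mode="expression") OR a list of license objects
    (mode="list"); the two forms are never mixed in one array.
    """
    names = split_licenses(license_str)
    if len(names) == 1:
        return [single_license_entry(names[0])]
    if mode == "expression":
        return [{"expression": yocto_to_spdx_expression(license_str)}]
    if mode == "list":
        return [single_license_entry(n) for n in names]
    raise ValueError(f"unknown mode {mode!r}")


def validate_licenses(licenses: List[Dict]) -> List[str]:
    """Report shape problems a consumer such as Dependency-Track may reject."""
    problems = []
    has_license = any("license" in entry for entry in licenses)
    expressions = [e for e in licenses if "expression" in e]
    if has_license and expressions:
        problems.append("array mixes 'license' objects with an 'expression'")
    if len(expressions) > 1:
        problems.append("more than one 'expression' entry")
    for entry in licenses:
        lic = entry.get("license")
        if lic is not None and ("id" in lic) == ("name" in lic):
            problems.append("license object must carry exactly one of 'id' or 'name'")
    return problems


def make_component(name: str, version: str, cpe: str, license_str: str,
                   mode: str = "expression") -> Dict:
    """Assemble one CycloneDX component entry with a well-formed licenses array."""
    return {"name": name, "version": version, "cpe": cpe,
            "licenses": build_licenses(license_str, mode)}


if __name__ == "__main__":
    # Constructed sample recipe with a dual license, shown in both legal forms.
    for mode in ("expression", "list"):
        comp = make_component("example-pkg", "1.0", "cpe:2.3:a::example-pkg:1.0:::::::",
                              "GPL-2.0-only | MIT", mode)
        print(json.dumps(comp, indent=2), validate_licenses(comp["licenses"]))
    print("thread shape problems:", validate_licenses(THREAD_SHAPE))
```

Either form is valid CycloneDX; the choice matters only for consumers that need per-license objects (for example to match a banned-license policy) versus those that want the combined expression. Dropping the `expression` entry, as the thread's workaround does, leaves the array in the list form.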

@xRate1337

Hi vasba, thank you for your response. When you comment the expression line out it works fine. But I have another problem now. Do you know how I can get the status information about which CVE is already patched in the yocto build process into Dependency-Track?

vasba (Author) commented Dec 20, 2022

@xRate1337
I assume that you mean that you patched the recipe yourself but the CVE still shows up.

In this case the version will be the same, so you will just have to audit the CVE in Dependency-Track. I am not aware of any standard that programmatically informs you that the applied patch fixes the CVE.
