neeohw/meta-dependencytrack
meta-dependencytrack

meta-dependencytrack is a Yocto meta-layer which produces a CycloneDX Software Bill of Materials (SBOM) from your root filesystem, together with a Vulnerability Exploitability eXchange (VEX) document listing the CVEs that your component recipes already patch, and then uploads both to a Dependency-Track server against the project of your choice. The VEX matters because without it Dependency-Track reports every CVE matched against a component version, including the ones the Yocto recipe has backported a fix for.

Installation

To install this meta-layer simply clone the repository into the sources directory and add it to your build/conf/bblayers.conf file:

$ cd sources
$ git clone https://github.com/bgnetworks/meta-dependencytrack.git

and in your bblayers.conf file:

BBLAYERS += "${BSPDIR}/sources/meta-dependencytrack"

Configuration

To enable and configure the layer, inherit the dependency-track class in your local.conf file and set the following variables:

  • DEPENDENCYTRACK_PROJECT - The UUID of the project in Dependency-Track
  • DEPENDENCYTRACK_API_URL - The URL of the Dependency-Track API server. (Note: this is usually different from the URL of the web UI you use in your browser.) Use an https:// URL for any server that is not on the build host itself; over plain HTTP the API key travels in clear text.
  • DEPENDENCYTRACK_API_KEY - An API key for the server. You can find these in the Teams section of the Administration page in Dependency-Track. A key carries the permissions of the team it belongs to, so that team needs at least BOM_UPLOAD. Treat the key as a secret: if your local.conf is committed to version control, leave the key out of it and pass it in from the build environment instead (list DEPENDENCYTRACK_API_KEY in BB_ENV_PASSTHROUGH_ADDITIONS, called BB_ENV_EXTRAWHITE on releases before kirkstone).

Example

DEPENDENCYTRACK_PROJECT = "41990900-1b3c-4ccd-8b55-57dd0ddc32d9"
DEPENDENCYTRACK_API_URL = "http://localhost:8081/api"
DEPENDENCYTRACK_API_KEY = "mkj6wn4dziQm7UmrBJcym5f6hOKBDxGB"
INHERIT += "dependency-track"

Finding your Project ID

(screenshot: Project ID, shown on the project's page in the Dependency-Track web UI)

Finding your API Key

(screenshot: API Key, under Administration > Teams)

Add required API permissions

Uploading the VEX document containing the Yocto patches requires the VULNERABILITY_ANALYSIS permission on the team that owns the key, in addition to the permission needed for the SBOM upload. Without it the SBOM upload succeeds but the VEX upload is rejected, and patched CVEs stay listed as open.

(screenshot: API_PERMISSIONS, the team's permission list)

Building and Uploading

Once everything is configured, build your image as you normally would. The final CycloneDX SBOM is saved as tmp/deploy/dependency-track/bom.json, and the VEX document is written to the same tmp/deploy/dependency-track/ directory. After the build completes, refresh the project in Dependency-Track to see the results of the analysis. If the project shows no components, check the build log for the upload step and confirm that the key's team has the permissions listed above.
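The layer performs the upload for you, but it helps to know what an acceptable bom.json looks like and how it is handed to the server, for example to check the artefact before it leaves the build host or to re-upload it by hand after fixing team permissions. The Python below is an added example, not code from the layer: it applies the checks a reviewer would want on a constructed CycloneDX document (not real build output), builds the PUT /api/v1/bom and PUT /api/v1/vex request bodies in the base64 form Dependency-Track's REST API expects (an assumption about what the layer does internally, which the page does not show), and reads the API key from the DEPENDENCYTRACK_API_KEY environment variable rather than from a file that might be committed.

```python
"""Check the CycloneDX SBOM that meta-dependencytrack writes to
tmp/deploy/dependency-track/bom.json and build the Dependency-Track
upload requests by hand.  Added example, not code from the layer."""
import base64
import json
import os
import sys
import urllib.request

# Constructed stand-in for a generated bom.json (not real build output).
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.8",
         "cpe": "cpe:2.3:a:openssl:openssl:3.0.8:*:*:*:*:*:*:*"},
        # No cpe/purl: Dependency-Track has nothing to match CVEs against.
        {"type": "library", "name": "busybox", "version": "1.36.0"},
    ],
}


def validate_bom(bom):
    """Return a list of problems found in a CycloneDX document.
    An empty list means the SBOM is at least worth uploading."""
    problems = []
    if bom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not 'CycloneDX'")
    if not isinstance(bom.get("specVersion"), str):
        problems.append("specVersion is missing")
    components = bom.get("components")
    if not isinstance(components, list) or not components:
        problems.append("no components: the server would have nothing to analyse")
        return problems
    for i, comp in enumerate(components):
        for key in ("type", "name", "version"):
            if not comp.get(key):
                problems.append(f"component[{i}] lacks {key}")
        if not (comp.get("cpe") or comp.get("purl")):
            problems.append(
                f"component[{i}] {comp.get('name')!r} has neither cpe nor purl; "
                "vulnerability matching for it will be unreliable")
    return problems


def build_upload(project_uuid, document, kind):
    """Request body for PUT /api/v1/bom (kind='bom') or PUT /api/v1/vex
    (kind='vex'): the document goes base64-encoded next to the project UUID,
    as Dependency-Track's REST API expects (assumed to be what the layer does)."""
    assert kind in ("bom", "vex")
    raw = json.dumps(document, separators=(",", ":")).encode("utf-8")
    return {"project": project_uuid,
            kind: base64.b64encode(raw).decode("ascii")}


def decode_upload(body, kind):
    """Inverse of build_upload, so a body can be inspected before sending."""
    return json.loads(base64.b64decode(body[kind]))


def upload(api_url, api_key, body, kind):
    """Send one body to the API server (DEPENDENCYTRACK_API_URL); returns the
    server's reply, {"token": ...} on success.  Network call, not exercised
    by the tests."""
    if not api_url.startswith("https://"):
        print("warning: API key will travel over plain HTTP", file=sys.stderr)
    req = urllib.request.Request(
        f"{api_url.rstrip('/')}/v1/{kind}",
        data=json.dumps(body).encode("utf-8"),
        method="PUT",
        headers={"X-Api-Key": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    if path:
        with open(path) as f:
            bom = json.load(f)
    else:
        bom = SAMPLE_BOM
    for problem in validate_bom(bom):
        print("bom.json:", problem)
    # Credentials come from the environment, never from a committed file.
    api_key = os.environ.get("DEPENDENCYTRACK_API_KEY")
    api_url = os.environ.get("DEPENDENCYTRACK_API_URL")
    project = os.environ.get("DEPENDENCYTRACK_PROJECT")
    if path and api_key and api_url and project:
        print(upload(api_url, api_key, build_upload(project, bom, "bom"), "bom"))
    else:
        print("dry run: set DEPENDENCYTRACK_API_URL, DEPENDENCYTRACK_API_KEY and "
              "DEPENDENCYTRACK_PROJECT and pass a bom.json path to upload")
```

Run it with no arguments to validate the built-in sample, or with the path to the generated bom.json and the three variables exported to push the SBOM again. The cpe/purl check is the one worth keeping an eye on: a component that has neither is still listed in the project, but the vulnerability analysis has no identifier to match it against the NVD, so a clean result for it means nothing.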
