You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I'm currently working on generating SBOM for a yocto based embedded distribution and I'd like to use dependency-track. I have a semi-working solution to get my SBOM into dependency track but it's not perfect and so I've been looking at generating validated cycloneDX formatted json with the new solution I'm working on.
Yocto has a lot of packages (over 100 just in the initramfs, never mind the root fs) that I need to cover and I can't find a way to easily extract a reasonable type for each package. Is there an explanation for why this is required when it doesn't appear to be used by applications like dependency track? Could the required status be dropped?
If there is a specific reason to keep this as a required field, could an extra type of 'unassigned' or similar be added to the spec?
The text was updated successfully, but these errors were encountered:
For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.
So if you're unable to determine the type of component, simply use application.
But yes, we can revisit this requirement for the v1.7 release.
Oh that's great, thanks can't believe I missed that bit about using application as the default appropriate classification... Thanks for adding it to the 1.7 milestone for review though.
I'm currently working on generating SBOM for a yocto based embedded distribution and I'd like to use dependency-track. I have a semi-working solution to get my SBOM into dependency track but it's not perfect and so I've been looking at generating validated cycloneDX formatted json with the new solution I'm working on.
However after experimenting with cyclonedx-python-lib and it's validation functions I've discovered that component type is a required field:
https://cyclonedx.org/docs/1.6/json/#components_items_type
Yocto has a lot of packages (over 100 just in the initramfs, never mind the root fs) that I need to cover and I can't find a way to easily extract a reasonable type for each package. Is there an explanation for why this is required when it doesn't appear to be used by applications like dependency track? Could the required status be dropped?
If there is a specific reason to keep this as a required field, could an extra type of 'unassigned' or similar be added to the spec?
The text was updated successfully, but these errors were encountered: