Manual setup


Tom Isaacson

Mar 18, 2021, 2:10:45 PM
to Dependency Check
Is there a way of manually setting up a list of dependencies? Our builds are a mix of Yocto and CMake; it looks like the former is experimentally supported but no mention of the latter.

Thanks.

Jeremy Long

Mar 18, 2021, 5:56:29 PM
to Tom Isaacson, Dependency Check
Look at dependency-track.

On Thu, Mar 18, 2021, 2:10 PM Tom Isaacson <pars...@gmail.com> wrote:
Is there a way of manually setting up a list of dependencies? Our builds are a mix of Yocto and CMake; it looks like the former is experimentally supported but no mention of the latter.

Thanks.


Tom Isaacson

Mar 18, 2021, 6:02:05 PM
to Dependency Check
I looked at https://docs.dependencytrack.org/odt-odc-comparison/ but Dependency Track only seems to pick up dependencies from builds, which isn't going to work for us. Dependency Check has experimental support for CMake, so I thought I'd set up a manual dependency first, then investigate that for ongoing support.

Hans Aikema

Mar 18, 2021, 7:02:14 PM
to Tom Isaacson, Dependency Check
Tom,

I think you're misreading that documentation. DependencyTrack is fully based on a 'software composition document' (software bill of materials) that defines the components that the solution is composed of.
DependencyCheck is the tool that makes a best-effort attempt to detect dependencies from builds.

While the most common way to compose the 'software bill of materials' (the list of dependencies) for DependencyTrack is by having it generated during a build (as many build tools are aware of the dependencies and thus capable of creating the bill of materials, usually with some plugin), there is nothing that would prevent you from manually creating the bill-of-materials document (CycloneDX, SPDX tag and RDF formats are supported for import - https://docs.dependencytrack.org/usage/cicd/).

I agree with Jeremy that for your use case DependencyTrack appears to be a good candidate tool.

Kind regards,
Hans


On 18 Mar 2021, at 23:02, Tom Isaacson <pars...@gmail.com> wrote:

I looked at https://docs.dependencytrack.org/odt-odc-comparison/ but Dependency Track only seems to pick up dependencies from builds, which isn't going to work for us. Dependency Check has experimental support for CMake, so I thought I'd set up a manual dependency first, then investigate that for ongoing support.

Tom Isaacson

Mar 19, 2021, 1:12:19 PM
to Dependency Check
We use CMake, which is supported by Dependency Check. What am I misunderstanding?

Hans Aikema

Mar 19, 2021, 5:42:09 PM
to Tom Isaacson, Dependency Check


On 19 Mar 2021, at 18:12, Tom Isaacson <pars...@gmail.com> wrote:

We use CMake, which is supported by Dependency Check. What am I misunderstanding?

The misreading I'm referring to is your statement "Dependency Track only seems to pick up dependencies from builds which isn't going to work for us", as picking up dependencies from builds is precisely NOT what dependencyTrack is all about, and *mostly* what dependencyCheck is all about.

For your stated use case: "Is there a way of manually setting up a list of dependencies?" DependencyTrack is the perfect fit. When you write the 'manually set up list of dependencies' in the format of a CycloneDX bill-of-materials file, you can feed that into DependencyTrack and it will allow you to both list and monitor over time the vulnerabilities in those dependencies.

For DependencyTrack there are various tools that can create the CycloneDX bill-of-materials for you as part of your build, but the core functionality of dependencyTrack is to consume a bill-of-materials from any source and then evaluate the composite for presence of vulnerable components.

The unfortunate part is that (according to Google's results for me) there doesn't appear to be a tool to create a CycloneDX or SPDX bill of materials from CMake (or Yocto), but a 'created by hand' list of dependencies in the CycloneDX or SPDX format will allow you to import it into DependencyTrack for evaluation and monitoring of vulnerable dependencies.

For integration into the build, DependencyCheck is a great tool, assuming that DependencyCheck has support, with a reasonable false-positive as well as false-negative rate, for all the tools you use.

Regards,
Hans
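Hand-writing the CycloneDX bill of materials that Hans describes, as an added example (not code from this thread or from the DependencyTrack project): it builds a minimal CycloneDX 1.4 JSON BOM from a short hand-maintained list of C libraries of the kind a CMake/Yocto build pulls in, and checks that each component carries the name, version and package URL (purl) that DependencyTrack needs to match it against vulnerability data. The library names and versions are constructed sample values, and `my-firmware` is an assumed application name.

```python
import json
import re

# Hand-maintained dependency list for a CMake/Yocto build (constructed sample values).
# name/version/purl are what DependencyTrack uses to match vulnerability records.
MANUAL_DEPENDENCIES = [
    {"name": "zlib", "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"},
    {"name": "openssl", "version": "1.1.1k", "purl": "pkg:generic/openssl@1.1.1k"},
    {"name": "libcurl", "version": "7.75.0", "purl": "pkg:generic/libcurl@7.75.0"},
]

PURL_RE = re.compile(r"^pkg:[a-z]+/[^@\s]+@\S+$")  # loose pkg:<type>/<name>@<version> check


def build_bom(dependencies, app_name="my-firmware", app_version="1.0.0"):
    """Build a minimal CycloneDX 1.4 JSON BOM (as a dict) from a hand-written list."""
    components = [
        {"type": "library", "name": d["name"], "version": d["version"], "purl": d["purl"]}
        for d in dependencies
    ]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {"component": {"type": "application", "name": app_name, "version": app_version}},
        "components": components,
    }


def validate_bom(bom):
    """Return a list of problems; an empty list means every component is identifiable."""
    problems = []
    if bom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat must be CycloneDX")
    seen = set()
    for comp in bom.get("components", []):
        for key in ("name", "version"):
            if not comp.get(key):
                problems.append(f"component missing {key}: {comp}")
        purl = comp.get("purl", "")
        if not PURL_RE.match(purl):
            problems.append(f"invalid or missing purl: {purl!r}")
        elif purl in seen:
            problems.append(f"duplicate component: {purl}")
        seen.add(purl)
    return problems


if __name__ == "__main__":
    bom = build_bom(MANUAL_DEPENDENCIES)
    assert validate_bom(bom) == [], validate_bom(bom)
    print(json.dumps(bom, indent=2))  # save as bom.json and upload to DependencyTrack
```

Once the JSON passes the check, upload it to a DependencyTrack project through the web UI or the BOM upload API and the vulnerability list is tracked from then on without any build integration.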
