Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

License and vulnerability analysis not done Dependency Track

See original GitHub issue

Hi,

When I try to upload bom json or xml output to Dependency Track as given below. Eventhough the components are listed but the license and vulnerability analysis is not performed by Dependency Track.

cdxgen -r -o bom.json --server-url $DT_URL --api-key $DT_KEY

But the same json output license and vulnerability analysis are performed correctly If I upload it to the DT UI or via DT REST API.

The DT logs doesn’t show any errors and the logs are same when I run the above command and If I upload it via UI and REST API. I don’t have a clue why this is happening.

Dependency-Track v4.5.0

Thanks

Issue Analytics

State:
Created a year ago
Comments:20

Top GitHub Comments

1reaction

ghostcommented, Sep 16, 2022

@prabhu you are right using -t python worked. So it’s a bug. Also while running this command I got node error:

idna TypeError: Cannot read properties of null (reading 'indexOf')
    at getPyMetadata (/usr/local/lib/node_modules/@appthreat/cdxgen/utils.js:1125:31)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Object.parsePiplockData (/usr/local/lib/node_modules/@appthreat/cdxgen/utils.js:1217:10)
    at async createPythonBom (/usr/local/lib/node_modules/@appthreat/cdxgen/index.js:1384:19)
    at async exports.createBom (/usr/local/lib/node_modules/@appthreat/cdxgen/index.js:2703:14)
    at async /usr/local/lib/node_modules/@appthreat/cdxgen/bin/cdxgen:100:22

1reaction

giulio1979commented, Sep 10, 2022

as far as I see the cdxgen console output has license information;

{ “group”: “”, “name”: “react-i18next”, “version”: “11.18.5”, “description”: “Internationalization for react done right. Using the i18next i18n ecosystem.”, “scope”: “required”, “hashes”: [ { “alg”: “SHA-512”, “content”: “70a732baecc8bf461467897d58e45f95536e84848f02a41284e02cc7017262e268080ec794b9879bb5e7bceea17c01a61a90cd461247a015fc846e3d09bdb165” } ], “licenses”: [ { “license”: { “id”: “MIT”, “url”: “https://opensource.org/licenses/MIT” } } ], “purl”: “pkg:npm/react-i18next@11.18.5”, “externalReferences”: [ { “type”: “website”, “url”: “https://github.com/i18next/react-i18next” }, { “type”: “vcs”, “url”: “git+https://github.com/i18next/react-i18next.git” } ], “type”: “library”, “bom-ref”: “pkg:npm/react-i18next@11.18.5” },

but nothing reaches dependency-track. the file doesnt contain any license information when i add -o bom.xml.

I tried capturing the whole console output and uploading to dependency-track, it got processed without issues

Top Results From Across the Web

Frequently Asked Questions - Dependency-Track

Frequently asked questions about Dependency Track functionality that may not be covered by the documentation. If you don't find an answer here, try...

No vulnerabilities matched for sboms with vulnerable ... - GitHub

I have tried getting Dependency-Track to find the vulnerabilities we are already scanning with Dependency-Check.

OWASP Dependency-Track

This approach provides capabilities that traditional Software Composition Analysis (SCA) solutions cannot achieve.

Managing Vulnerabilities using Dependency-Track - InfraCloud

Can we manage to track vulnerabilities within the dependencies of our ... WhiteSource - it's an open-source component analysis, license and ...

owasp/dependency-track - Docker Image

Dependency -Track is an intelligent Component Analysis platform. ... with known vulnerabilities; Out-of-date components; Modified components; License risk ...