meta-dependencytrack
is a Yocto meta-layer which produces a CycloneDX Software Bill of Materials (aka SBOM) from your root filesystem, as well as a Vulnerability Exploitability eXchange document (aka VEX) containing patched CVEs from component recipes and then uploads them to a Dependency-Track server against the project of your choice.
To install this meta-layer simply clone the repository into the sources
directory and add it to your build/conf/bblayers.conf
file:
$ cd sources
$ git clone https://github.com/bgnetworks/meta-dependencytrack.git
and in your bblayers.conf
file:
BBLAYERS += "${BSPDIR}/sources/meta-dependencytrack"
To enable and configure the layer simply inherit the dependency-track
class in your local.conf
file and then set the following variables:
DEPENDENCYTRACK_PROJECT
- The ID of the project in Dependency-TrackDEPENDENCYTRACK_API_URL
- The URL of the Dependency-Track API server. (Note: this is usually different from the URL of the web server you use in your browser)DEPENDENCYTRACK_API_KEY
- An authentication key for the server. You can find these in theTeams
section of theAdminitration
page in Dependency-Track.
DEPENDENCYTRACK_PROJECT = "41990900-1b3c-4ccd-8b55-57dd0ddc32d9"
DEPENDENCYTRACK_API_URL = "http://localhost:8081/api"
DEPENDENCYTRACK_API_KEY = "mkj6wn4dziQm7UmrBJcym5f6hOKBDxGB"
INHERIT += "dependency-track"
For uploading the VEX document containing the Yocto patches, the additional VULNERABILITY_ANALYSIS
permission is required.
Once everything is configured simply build your image as you normally would. The final CycloneDX SBOM and VEX are saved as tmp/deploy/dependency-track/bom.json
and tmp/deploy/dependency-track/bom.json
respectively and, after building is complete, you should be able to simply refresh the project in Dependency Track to see the results of the scan.