Test DependencyTrack can utilize the CycloneDX report #142

Closed
wagoodman opened this issue Aug 27, 2020 · 2 comments
@wagoodman
Contributor

We should be able to use the CycloneDX report with https://dependencytrack.org/, seeing vulnerabilities for all dependencies.

@wagoodman wagoodman added this to the v0.1 milestone Sep 9, 2020
@alfredodeza
Contributor

I don't think that Dependency Track is a good candidate to consume the CycloneDX report from grype because there doesn't seem to be support for vulnerabilities.

Syft, however, will benefit from supporting compatibility with Dependency Track because it will produce a BOM (vs. a BOM + Vulnerabilities like Grype).

The one requirement will be to use PURLs. I've opened a documentation issue in Dependency Track to update the documentation on what appears to be a strict dependency on PURLs and the non-support of the vulnerability extension.
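As an added illustration (not code from grype, Syft or Dependency Track, and not part of this thread), the following Python check exercises the PURL requirement described in the comment above: it parses a CycloneDX JSON BOM, lists every component that lacks a purl, and reports whether the document also carries vulnerability data which, per this discussion, a consumer that only reads the BOM would ignore. The BOM content, component names and the `vulnerabilities` block are constructed sample input; the purl test is a scheme/type sanity check, not a full purl-spec parse.

```python
import json

# Constructed sample CycloneDX JSON BOM (not taken from any real project).
# Two components carry a purl, one does not, and a top-level "vulnerabilities"
# block stands in for the vulnerability data a scanner might embed.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.2",
    "version": 1,
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.15",
         "purl": "pkg:npm/lodash@4.17.15"},
        {"type": "library", "name": "requests", "version": "2.22.0",
         "purl": "pkg:pypi/requests@2.22.0"},
        # Constructed in-house component with no purl: a purl-only consumer
        # cannot match it against any vulnerability source.
        {"type": "library", "name": "internal-helper", "version": "0.1.0"},
    ],
    "vulnerabilities": [
        {"id": "CONSTRUCTED-0001", "source": {"name": "constructed"},
         "affects": [{"ref": "pkg:npm/lodash@4.17.15"}]},
    ],
})


def looks_like_purl(value) -> bool:
    """Light sanity check: a purl is a string of the form pkg:<type>/<name>[@version]."""
    if not isinstance(value, str) or not value.startswith("pkg:"):
        return False
    rest = value[len("pkg:"):]
    pkg_type, sep, name = rest.partition("/")
    return bool(pkg_type) and bool(sep) and bool(name)


def components_missing_purl(bom: dict) -> list:
    """Return 'name@version' for every component without a usable purl."""
    missing = []
    for comp in bom.get("components", []):
        if not looks_like_purl(comp.get("purl")):
            missing.append(f"{comp.get('name')}@{comp.get('version')}")
    return missing


def carries_vulnerability_data(bom: dict) -> bool:
    """True when the BOM embeds a non-empty vulnerabilities block."""
    return bool(bom.get("vulnerabilities"))


def check_bom(text: str) -> dict:
    """Summarise whether a CycloneDX JSON document is ready for a purl-only consumer."""
    bom = json.loads(text)
    missing = components_missing_purl(bom)
    return {
        "total_components": len(bom.get("components", [])),
        "missing_purl": missing,
        "ready_for_purl_only_consumer": not missing,
        "has_vulnerability_data": carries_vulnerability_data(bom),
    }


if __name__ == "__main__":
    report = check_bom(SAMPLE_BOM)
    print(f"components: {report['total_components']}")
    for entry in report["missing_purl"]:
        print(f"missing purl: {entry}")
    if report["has_vulnerability_data"]:
        print("note: embedded vulnerability data present; a BOM-only consumer will not read it")
    print("ready:", report["ready_for_purl_only_consumer"])
```

Running the check before uploading a BOM makes the gap visible on the producer side: a component without a purl silently drops out of any vulnerability matching that keys on purls, so the list returned by `components_missing_purl` is the set of packages whose risk would go unreported.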

@wagoodman
Contributor Author

When Dependency Track supports the CycloneDX vulnerabilities extension we'll try it out; for now I'll close this.
