SBOM Tool for OpenWRT to feed Dependency Track

Pfendtner Steffen S.Pfendtner at ads-tec.de
Tue Oct 18 07:38:56 PDT 2022


Hi,

We decided to publish our internal fork of the Timesys SBOM Tool we found on
GitHub. You can find our version at: https://github.com/ads-tec/sbom-openwrt

It takes a complete OpenWRT build tree as input and will generate an SBOM
in CycloneDX JSON format for the currently configured image.
This SBOM can be fed into your personal Dependency Track instance.
See https://dependencytrack.org/ if you don't know what this is.

In my opinion, Dependency Track is much more usable compared to uscan.

However, Dependency Track currently heavily relies on valid CPE IDs. Thus you will
need to fix the CPE IDs in the OpenWRT package Makefiles; some are missing.
I think it would be a great security benefit for the OpenWRT ecosystem if we
get the best possible coverage of CPE IDs in the available Makefiles.

I'll try to push our CPE ID additions upstream.

Best regards,
Steffen Pfendtner

ads-tec Engineering GmbH
Registered office: 72622 Nürtingen
Register court: Stuttgart HRB 762860

Managing directors: Dipl.-Ing. Ali Natour, Dipl.-Ing. Thomas-Mägerle
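The CPE-coverage problem raised in the message above, as an added example that is not part of the mail or of the sbom-openwrt tool: a small audit that parses package Makefiles, reports which ones lack a `PKG_CPE_ID` (the variable OpenWrt packages use for their CPE), and emits CycloneDX components whose `cpe` field is only set when the Makefile provides one. The Makefile contents are constructed samples, and appending `:$(PKG_VERSION)` to the CPE is an assumption about how the tool forms the full CPE URI.

```python
import re

# Constructed sample Makefiles (not copied from the OpenWrt tree); busybox lacks a CPE ID.
SAMPLE_MAKEFILES = {
    "package/libs/openssl/Makefile": """\
include $(TOPDIR)/rules.mk
PKG_NAME:=openssl
PKG_VERSION:=1.1.1q
PKG_CPE_ID:=cpe:/a:openssl:openssl
""",
    "package/utils/busybox/Makefile": """\
include $(TOPDIR)/rules.mk
PKG_NAME:=busybox
PKG_VERSION:=1.35.0
""",
}

# Matches the three PKG_* assignments we need; ':?=' accepts both ':=' and '='.
VAR_RE = re.compile(r"^(PKG_NAME|PKG_VERSION|PKG_CPE_ID)\s*:?=\s*(\S+)", re.M)


def parse_makefile(text):
    """Return the PKG_* variables relevant for SBOM generation as a dict."""
    return {m.group(1): m.group(2) for m in VAR_RE.finditer(text)}


def cyclonedx_component(info):
    """Build a CycloneDX component; 'cpe' is set only when the Makefile provides one."""
    comp = {"type": "library", "name": info["PKG_NAME"], "version": info["PKG_VERSION"]}
    if "PKG_CPE_ID" in info:
        # Assumption: the vendor:product CPE from the Makefile is completed with the package version.
        comp["cpe"] = f"{info['PKG_CPE_ID']}:{info['PKG_VERSION']}"
    return comp


def audit(makefiles):
    """Return (components, paths_missing_cpe) so missing CPE IDs can be fixed upstream."""
    components, missing = [], []
    for path, text in makefiles.items():
        info = parse_makefile(text)
        if "PKG_CPE_ID" not in info:
            missing.append(path)
        components.append(cyclonedx_component(info))
    return components, missing


if __name__ == "__main__":
    comps, missing = audit(SAMPLE_MAKEFILES)
    print("components without CPE (Dependency Track cannot match these):", missing)
```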
More information about the openwrt-devel mailing list