SBOM Tool for OpenWRT to feed Dependency Track

Petr Štetiar ynezz at true.cz
Thu Oct 26 13:34:39 PDT 2023


Pfendtner Steffen <S.Pfendtner at ads-tec.de> [2022-10-18 14:38:56]:

Hi,

> We decided to publish our internal fork of the Timesys SBOM Tool we found on
> github. You find our version at: https://github.com/ads-tec/sbom-openwrt

thanks for sharing!

BTW I took that output and drafted a first version[1] by extending the current
image/package metadata handling. It's not finished, not ideal, but looks
somehow usable already. Feedback welcome.

Hauke Mehrtens <hauke at hauke-m.de> [2022-10-25 00:32:21]:

> Nice tool, do you have some "demo" output for a recent OpenWrt release
> somewhere?

BTW it's really quite easy to set up[2] for toying purposes:

 curl -LO https://dependencytrack.org/docker-compose.yml
 docker-compose up -d

then wait a bit for init and head to http://localhost:8080
 
> One advantage of uscan from my point of view is that I just have to open a
> website to see the results for OpenWrt master and the maintained branches
> and do not have to run some scripts and install some tooling myself.

In the long term it would perhaps be nice to have DependencyTrack running at
sca.openwrt.org, fed automatically from buildbot.


1. https://github.com/openwrt/openwrt/pull/13800
2. https://docs.dependencytrack.org/getting-started/deploy-docker/#quickstart-docker-compose


Cheers,

Petr
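As an added illustration of the "feed Dependency-Track" step discussed in the thread (not code from the sbom-openwrt tool or from OpenWrt), the script below builds a minimal CycloneDX document from a constructed list of package name/version pairs and wraps it in the JSON body that Dependency-Track's PUT /api/v1/bom endpoint accepts. The package list, the project name/version, the "opkg" purl type and the API key are assumptions; check the endpoint and permission names against the Dependency-Track version you deploy.

```python
"""Build a minimal CycloneDX SBOM from OpenWrt-style package metadata and the
Dependency-Track upload payload for it.  Added example; sample data is constructed."""
import base64
import json
import urllib.request

# Constructed sample: (name, version) pairs as an image manifest would list them.
SAMPLE_PACKAGES = [("busybox", "1.36.1-1"), ("dropbear", "2022.83-2"), ("libc", "1.2.4-4")]


def build_cyclonedx(packages):
    """Return a CycloneDX 1.4 JSON document with one 'library' component per package.
    The 'opkg' purl type is an illustrative assumption, not an official purl type."""
    components = [
        {"type": "library", "name": name, "version": version,
         "purl": f"pkg:opkg/{name}@{version}"}
        for name, version in packages
    ]
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "components": components}


def build_upload_payload(bom, project_name, project_version):
    """Dependency-Track's PUT /api/v1/bom takes the BOM base64-encoded inside a JSON
    body; autoCreate makes the server create the project on first upload (the API
    key then needs portfolio-management permission in addition to BOM upload)."""
    encoded = base64.b64encode(json.dumps(bom).encode()).decode()
    return {"projectName": project_name, "projectVersion": project_version,
            "autoCreate": True, "bom": encoded}


def decode_upload_payload(payload):
    """Reverse of build_upload_payload: recover the BOM dict from the payload."""
    return json.loads(base64.b64decode(payload["bom"]))


def upload(payload, base_url="http://localhost:8080", api_key="CHANGE-ME"):
    """PUT the payload to a running Dependency-Track; returns the JSON reply,
    which carries a processing token you can poll for completion."""
    req = urllib.request.Request(f"{base_url}/api/v1/bom", method="PUT",
                                 data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json",
                                          "X-Api-Key": api_key})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    bom = build_cyclonedx(SAMPLE_PACKAGES)
    print(json.dumps(build_upload_payload(bom, "openwrt-image", "23.05"), indent=2))
```

Run it against the docker-compose instance from the quick start above by calling upload() with an API key generated in the Dependency-Track UI instead of the placeholder.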


