
Connecting dependency-check with cyclone-dx #6432

Closed
Yaytay opened this issue Jan 29, 2024 · 1 comment

Comments

@Yaytay

Yaytay commented Jan 29, 2024

Hi,

We use dependency-check for build-time dependency checks, and then use the cyclone-dx maven plugin to produce SBOMs that go to Dependency-Track for ongoing dependency checks.
Unfortunately this results in a duplication of work to suppress false positives (typically "Not Affected" analyses in cyclone-dx terminology): both in the suppressions file for dependency-check and in the UI for DTrack.

I don't think there is currently any way around this, so my question really is whether there has been any thought about connecting the cyclone-dx SBOMs with the work done by the dependency checker?
At one extreme this could be a single plugin that does the work of both, or it could be either plugin reading the suppression file and writing it to the SBOM.

Thanks

Jim
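The bridge the issue asks for, sketched as an added example (this is not code from dependency-check, cyclonedx-maven-plugin or Dependency-Track): a script that reads a dependency-check suppression file and writes each `<packageUrl>`/`<cve>` rule into the CycloneDX SBOM as a vulnerability entry with `analysis.state` set to `not_affected`, the form Dependency-Track reads an analysis from. Assumptions: the SBOM is CycloneDX 1.4+ JSON whose components carry `bom-ref` and `purl`; dependency-check's Maven identifiers have no `?type=jar` qualifier, so qualifiers are stripped before matching; only `<packageUrl>` plus `<cve>` rules are mapped (sha1, gav, filePath and vulnerabilityName rules are skipped); and both input documents are constructed samples. Rules with a past `until` date are deliberately dropped so that a temporary suppression does not become a permanent VEX statement.

```python
"""Bridge dependency-check suppressions to CycloneDX not_affected analyses.

Added example; not code from dependency-check, cyclonedx-maven-plugin or
Dependency-Track.  Assumed: CycloneDX 1.4+ JSON with bom-ref/purl on components.
"""
import copy
import datetime
import json
import re
import xml.etree.ElementTree as ET

# Namespace of dependency-check's suppression schema; must match the xmlns below.
DC_NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"

# Constructed sample suppression file in dependency-check's XML format.
SUPPRESSIONS_XML = r"""
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes>Vulnerable code path is never reached; only the XML parser is used.</notes>
    <packageUrl regex="true">^pkg:maven/com\.example/widget@.*$</packageUrl>
    <cve>CVE-2023-0001</cve>
  </suppress>
  <suppress>
    <notes>False positive: CPE matched the wrong product.</notes>
    <packageUrl regex="true">^pkg:maven/org\.example/gadget@1\.2\.3$</packageUrl>
    <cve>CVE-2022-0002</cve>
    <cve>CVE-2022-0003</cve>
  </suppress>
  <suppress until="2020-01-01Z">
    <notes>Temporary suppression that has expired and must not be carried over.</notes>
    <packageUrl>pkg:maven/org.example/gadget@1.2.4</packageUrl>
    <cve>CVE-2021-0004</cve>
  </suppress>
</suppressions>
"""

# Constructed minimal CycloneDX 1.4 SBOM, shaped like cyclonedx-maven-plugin output.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "bom-ref": "pkg:maven/com.example/widget@2.0.0?type=jar",
         "purl": "pkg:maven/com.example/widget@2.0.0?type=jar"},
        {"type": "library", "bom-ref": "pkg:maven/org.example/gadget@1.2.3?type=jar",
         "purl": "pkg:maven/org.example/gadget@1.2.3?type=jar"},
        {"type": "library", "bom-ref": "pkg:maven/org.example/gadget@1.2.4?type=jar",
         "purl": "pkg:maven/org.example/gadget@1.2.4?type=jar"},
    ],
}


def parse_suppressions(xml_text):
    """Return the <packageUrl>+<cve> rules of a suppression file as dicts."""
    ns = {"dc": DC_NS}
    rules = []
    for sup in ET.fromstring(xml_text).findall("dc:suppress", ns):
        purl_el = sup.find("dc:packageUrl", ns)
        cves = [c.text.strip() for c in sup.findall("dc:cve", ns) if c.text]
        if purl_el is None or not purl_el.text or not cves:
            continue  # sha1/gav/filePath/vulnerabilityName rules are not mapped here
        notes_el = sup.find("dc:notes", ns)
        until = sup.get("until")  # xsd:date such as 2020-01-01Z (assumed format)
        rules.append({
            "pattern": purl_el.text.strip(),
            "regex": purl_el.get("regex", "false").lower() == "true",
            "cves": cves,
            "notes": (notes_el.text or "").strip() if notes_el is not None else "",
            "until": datetime.date.fromisoformat(until[:10]) if until else None,
        })
    return rules


def strip_qualifiers(purl):
    """pkg:maven/g/a@v?type=jar -> pkg:maven/g/a@v, so regexes written against
    dependency-check's qualifier-free identifiers still match the plugin's purls."""
    return purl.split("?", 1)[0].split("#", 1)[0]


def rule_matches(rule, purl):
    bare = strip_qualifiers(purl)
    if rule["regex"]:
        return re.fullmatch(rule["pattern"], bare) is not None  # Java matches() semantics
    return rule["pattern"] == bare


def apply_suppressions(sbom, rules, today=None):
    """Return a copy of the SBOM with a not_affected vulnerability entry for every
    (CVE, component) pair that a still-valid suppression rule covers."""
    today = datetime.date.fromisoformat(today) if today else datetime.date.today()
    out = copy.deepcopy(sbom)
    vulns = {v["id"]: v for v in out.setdefault("vulnerabilities", [])}
    for rule in rules:
        if rule["until"] is not None and rule["until"] < today:
            continue  # expired suppression: do not turn it into a permanent VEX claim
        for comp in out.get("components", []):
            purl = comp.get("purl")
            if not purl or not rule_matches(rule, purl):
                continue
            ref = comp.get("bom-ref", purl)
            for cve in rule["cves"]:
                if cve not in vulns:
                    vulns[cve] = {"id": cve}
                    out["vulnerabilities"].append(vulns[cve])
                v = vulns[cve]
                v.setdefault("affects", [])
                # analysis is per vulnerability in CycloneDX, so an existing analysis
                # (or the first rule's note) wins; later notes are not appended.
                v.setdefault("analysis", {"state": "not_affected", "detail": rule["notes"]})
                if not any(a.get("ref") == ref for a in v["affects"]):
                    v["affects"].append({"ref": ref})
    return out


if __name__ == "__main__":
    merged = apply_suppressions(SBOM, parse_suppressions(SUPPRESSIONS_XML))
    print(json.dumps(merged["vulnerabilities"], indent=2))
```

Running the script prints three vulnerability entries (CVE-2023-0001 against the widget component, CVE-2022-0002 and CVE-2022-0003 against gadget 1.2.3) and none for the expired gadget 1.2.4 rule. Dependency-Track matches these on the vulnerability id plus the affected `bom-ref`, so the refs must be the exact `bom-ref` values the plugin emitted, qualifiers included.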

@marcelstoer
Contributor

Related to #5947.


4 participants