(Lost my initial text :( )
Dependency Check finds dependencies of a project in a wider scope than cyclonedx-maven-plugin, for example. It does not just check the build file (pom.xml) but also the files in the workspace. So from my point of view it is better suited to create a bom of a project.
Would it be possible - with reasonable effort - to generate a CycloneDX bom.xml as a result file of the DependencyCheck? This would allow the use of DependencyCheck for detection of immediate vulnerabilities and the generation of the bom. DependencyTrack can then cover the long term scope, vulnerabilities found after build time and updates or retirements of used dependencies.
It's a really useful feature :+1: .
In which version can we expect this feature?
This would be a great addition! A seamless integration with Dependency Track would be great for the OWASP projects.
In order for DC to support this, it would theoretically need to:
These two things would be a ton of work and would essentially remove the value that DC provides as an audit tool. Simply bolting on CycloneDX output to the existing design would lead to inaccurate and incomplete data in the BOM.
DT will not import vulnerabilities from a CycloneDX BOM. The base specification doesn't support opinion or dynamic facts such as vulnerabilities, only static facts like hashes, license, and authors. So I'm not entirely sure why outputting CycloneDX would be a useful feature for DC in the first place.
I'd recommend creating PRs to the tools in question to add the features you need, or use a tool like ORT that already supports the above ecosystems and outputs CycloneDX.