├── .gitignore
├── docs
    ├── api-key.png
    └── project-id.png
├── conf
    └── layer.conf
├── LICENSE
├── README.md
└── classes
    └── dependency-track.bbclass


/.gitignore:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/docs/api-key.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/bgnetworks/meta-dependencytrack/HEAD/docs/api-key.png


--------------------------------------------------------------------------------
/docs/project-id.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/bgnetworks/meta-dependencytrack/HEAD/docs/project-id.png


--------------------------------------------------------------------------------
/conf/layer.conf:
--------------------------------------------------------------------------------
1 | # SPDX-License-Identifier: MIT
2 | # Copyright 2022 BG Networks, Inc.
3 | 
4 | BBPATH .= ":${LAYERDIR}"
5 | 
6 | LAYERSERIES_COMPAT_bgnetworks = " honister"
7 | 
8 | BGNETWORKS_LAYERDIR := "${LAYERDIR}"
9 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | SPDX-License-Identifier: MIT
 2 | 
 3 | Copyright 2022 BG Networks, Inc.
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy of
 6 | this software and associated documentation files (the "Software"), to deal in
 7 | the Software without restriction, including without limitation the rights to
 8 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
 9 | the Software, and to permit persons to whom the Software is furnished to do so,
10 | subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
17 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
18 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
19 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
20 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
21 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # meta-dependencytrack
 2 | 
 3 | `meta-dependencytrack` is a [Yocto](https://www.yoctoproject.org/) meta-layer which produces a [CycloneDX](https://cyclonedx.org/) Software Bill of Materials (aka [SBOM](https://www.ntia.gov/SBOM)) from your root filesystem and then uploads it to a [Dependency-Track](https://dependencytrack.org/) server against the project of your choice.
 4 | 
 5 | ## Installation
 6 | 
 7 | To install this meta-layer simply clone the repository into the `sources` directory and add it to your `build/conf/bblayers.conf` file:
 8 | 
 9 | ```sh
10 | $ cd sources
11 | $ git clone https://github.com/bgnetworks/meta-dependencytrack.git
12 | ```
13 | 
14 | and in your `bblayers.conf` file:
15 | 
16 | ```sh
17 | BBLAYERS += "${BSPDIR}/sources/meta-dependencytrack"
18 | ```
19 | 
20 | ## Configuration
21 | 
22 | To enable and configure the layer simply inherit the `dependency-track` class in your `local.conf` file and then set the following variables:
23 | 
24 | * `DEPENDENCYTRACK_PROJECT` - The ID of the project in Dependency-Track
25 | * `DEPENDENCYTRACK_API_URL` - The URL of the Dependency-Track API server. (*Note:* this is usually different from the URL of the web server you use in your browser)
26 | * `DEPENDENCYTRACK_API_KEY` - An authentication key for the server. You can find these in the `Teams` section of the `Adminitration` page in Dependency-Track.
27 | 
28 | ### Example
29 | 
30 | ```sh
31 | DEPENDENCYTRACK_PROJECT = "41990900-1b3c-4ccd-8b55-57dd0ddc32d9"
32 | DEPENDENCYTRACK_API_URL = "http://localhost:8081/api"
33 | DEPENDENCYTRACK_API_KEY = "mkj6wn4dziQm7UmrBJcym5f6hOKBDxGB"
34 | INHERIT += "dependency-track"
35 | ```
36 | 
37 | ### Finding your Project ID
38 | 
39 | ![Project ID](docs/project-id.png)
40 | 
41 | ### Finding your API Key
42 | 
43 | ![API Key](docs/api-key.png)
44 | 
45 | ## Building and Uploading
46 | 
47 | Once everything is configured simply build your image as you normally would. The final CycloneDX SBOM is saved as `tmp/deploy/dependency-track/bom.json` and, after buiding is complete, you should be able to simply refresh the project in Dependency Track to see the results of the scan.
48 | 


--------------------------------------------------------------------------------
/classes/dependency-track.bbclass:
--------------------------------------------------------------------------------
  1 | # SPDX-License-Identifier: MIT
  2 | # Copyright 2022 BG Networks, Inc.
  3 | 
  4 | # The product name that the CVE database uses.  Defaults to BPN, but may need to
  5 | # be overriden per recipe (for example tiff.bb sets CVE_PRODUCT=libtiff).
  6 | CVE_PRODUCT ??= "${BPN}"
  7 | CVE_VERSION ??= "${PV}"
  8 | 
  9 | DEPENDENCYTRACK_DIR ??= "${DEPLOY_DIR}/dependency-track"
 10 | DEPENDENCYTRACK_SBOM ??= "${DEPENDENCYTRACK_DIR}/bom.json"
 11 | DEPENDENCYTRACK_TMP ??= "${TMPDIR}/dependency-track"
 12 | DEPENDENCYTRACK_LOCK ??= "${DEPENDENCYTRACK_TMP}/bom.lock"
 13 | 
 14 | DEPENDENCYTRACK_PROJECT ??= ""
 15 | DEPENDENCYTRACK_API_URL ??= "http://localhost:8081/api"
 16 | DEPENDENCYTRACK_API_KEY ??= ""
 17 | 
 18 | python do_dependencytrack_init() {
 19 |     import uuid
 20 |     from datetime import datetime
 21 | 
 22 |     sbom_dir = d.getVar("DEPENDENCYTRACK_DIR")
 23 |     bb.debug(2, "Creating cyclonedx directory: %s" % sbom_dir)
 24 |     bb.utils.mkdirhier(sbom_dir)
 25 | 
 26 |     bb.debug(2, "Creating empty sbom")
 27 |     write_sbom(d, {
 28 |         "bomFormat": "CycloneDX",
 29 |         "specVersion": "1.4",
 30 |         "serialNumber": "urn:uuid:" + str(uuid.uuid4()),
 31 |         "version": 1,
 32 |         "metadata": {
 33 |             "timestamp": datetime.now().isoformat(),
 34 |         },
 35 |         "components": []
 36 |     })
 37 | }
 38 | addhandler do_dependencytrack_init
 39 | do_dependencytrack_init[eventmask] = "bb.event.BuildStarted"
 40 | 
 41 | python do_dependencytrack_collect() {
 42 |     import json
 43 |     import oe.cve_check
 44 |     from pathlib import Path
 45 | 
 46 |     # load the bom
 47 |     name = d.getVar("CVE_PRODUCT")
 48 |     version = d.getVar("CVE_VERSION")
 49 |     sbom = read_sbom(d)
 50 | 
 51 |     # update it with the new package info
 52 |     names = name.split()
 53 |     for index, cpe in enumerate(oe.cve_check.get_cpe_ids(name, version)):
 54 |         bb.debug(2, f"Collecting pagkage {name}@{version} ({cpe})")
 55 |         if not next((c for c in sbom["components"] if c["cpe"] == cpe), None):
 56 |             sbom["components"].append({
 57 |                 "name": names[index],
 58 |                 "version": version,
 59 |                 "cpe": cpe
 60 |             })
 61 | 
 62 |     # write it back to the deploy directory
 63 |     write_sbom(d, sbom)
 64 | }
 65 | 
 66 | addtask dependencytrack_collect before do_build after do_fetch
 67 | do_dependencytrack_collect[nostamp] = "1"
 68 | do_dependencytrack_collect[lockfiles] += "${DEPENDENCYTRACK_LOCK}"
 69 | do_rootfs[recrdeptask] += "do_dependencytrack_collect"
 70 | 
 71 | python do_dependencytrack_upload () {
 72 |     import json
 73 |     import base64
 74 |     import urllib
 75 |     from pathlib import Path
 76 | 
 77 |     sbom_path = d.getVar("DEPENDENCYTRACK_SBOM")
 78 |     dt_project = d.getVar("DEPENDENCYTRACK_PROJECT")
 79 |     dt_url = f"{d.getVar('DEPENDENCYTRACK_API_URL')}/v1/bom"
 80 | 
 81 |     bb.debug(2, f"Loading final SBOM: {sbom_path}")
 82 |     sbom = Path(sbom_path).read_text()
 83 | 
 84 |     payload = json.dumps({
 85 |         "project": dt_project,
 86 |         "bom": base64.b64encode(sbom.encode()).decode('ascii')
 87 |     }).encode()
 88 |     bb.debug(2, f"Uploading SBOM to project {dt_project} at {dt_url}")
 89 |     
 90 |     headers = {
 91 |         "Content-Type": "application/json",
 92 |         "X-API-Key": d.getVar("DEPENDENCYTRACK_API_KEY")
 93 |     }
 94 |     req = urllib.request.Request(
 95 |         dt_url,
 96 |         data=payload,
 97 |         headers=headers,
 98 |         method="PUT")
 99 |     
100 |     try:
101 |         urllib.request.urlopen(req)
102 |     except urllib.error.HTTPError as e:
103 |         bb.error(f"Failed to upload SBOM to Dependency Track server at {dt_url}. [HTTP Error] {e.code}; Reason: {e.reason}")
104 |     except urllib.error.URLError as e:
105 |         bb.error(f"Failed to upload SBOM to Dependency Track server at {dt_url}. [URL Error] Reason: {e.reason}")
106 |     else:
107 |         bb.debug(2, f"SBOM successfully uploaded to {dt_url}")
108 | }
109 | addhandler do_dependencytrack_upload
110 | do_dependencytrack_upload[eventmask] = "bb.event.BuildCompleted"
111 | 
112 | def read_sbom(d):
113 |     import json
114 |     from pathlib import Path
115 |     return json.loads(Path(d.getVar("DEPENDENCYTRACK_SBOM")).read_text())
116 | 
117 | def write_sbom(d, sbom):
118 |     import json
119 |     from pathlib import Path
120 |     Path(d.getVar("DEPENDENCYTRACK_SBOM")).write_text(
121 |         json.dumps(sbom, indent=2)
122 |     )
123 | 


--------------------------------------------------------------------------------