Re: [Buildroot] [PATCH 1/1 v2] support/scripts/generate-cyclonedx: add source attribute to CVEs

From: Thomas Perale via buildroot <buildroot@buildroot.org>
To: Fabien Lehoussel <fabien.lehoussel@smile.fr>
Cc: Thomas Perale <thomas.perale@mind.be>, buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 1/1 v2] support/scripts/generate-cyclonedx: add source attribute to CVEs
Date: Tue, 24 Feb 2026 14:36:49 +0100	[thread overview]
Message-ID: <20260224133649.89563-1-thomas.perale@mind.be> (raw)
In-Reply-To: <20260224132033.1700023-1-fabien.lehoussel@smile.fr>

Thanks Fabien.

Acked-By: Thomas Perale <thomas.perale@mind.be>

In reply of:
> Add 'source' attribute to each CVE in vulnerabilities node, including NVD
> URL reference to enable proper import into Dependency-Track.
> 
> Dependency-Track's VEX importer requires the source attribute to
> properly process vulnerability entries. Without it, vulnerabilities are
> skipped during import with "does not have an ID and / or source" warnings.
> 
> Include the full NVD URL following the CycloneDX 1.6 documentation format:
> https://nvd.nist.gov/vuln/detail/{CVE-ID}
> 
> Test Environment:
> - Buildroot: 2025.02.11 (or master)
> - Dependency-Track: v4.13.6
> 
> Test Results - BEFORE (without source attribute):
> apiserver_1  | 2026-02-23 16:05:40,890 INFO [VexUploadProcessingTask] Processing CycloneDX VEX uploaded to project: e43fe185-c0a3-4e3a-a908-667344a66a9c
> apiserver_1  | 2026-02-23 16:05:40,941 WARN [CycloneDXVexImporter] VEX vulnerability at position #0 does not have an ID and / or source; Skipping it
> apiserver_1  | 2026-02-23 16:05:40,941 WARN [CycloneDXVexImporter] VEX vulnerability at position #1 does not have an ID and / or source; Skipping it
> ...
> apiserver_1  | 2026-02-23 16:05:40,941 WARN [CycloneDXVexImporter] VEX vulnerability at position #19 does not have an ID and / or source; Skipping it
> apiserver_1  | 2026-02-23 16:05:40,941 INFO [CycloneDXVexImporter] The uploaded VEX does not contain any applicable vulnerabilities; Skipping VEX import
> 
> Test Results - AFTER (with source):
> apiserver_1  | 2026-02-23 16:17:13,492 INFO [VexUploadProcessingTask] Processing CycloneDX VEX uploaded to project: e43fe185-c0a3-4e3a-a908-667344a66a9c
> apiserver_1  | 2026-02-23 16:17:14,054 INFO [VexUploadProcessingTask] Completed processing of CycloneDX VEX for project: e43fe185-c0a3-4e3a-a908-667344a66a9c
> 
> CVEs are correctly imported in Dependency-Track
> 
> Signed-off-by: Fabien Lehoussel <fabien.lehoussel@smile.fr>

> ---
>  utils/generate-cyclonedx | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/utils/generate-cyclonedx b/utils/generate-cyclonedx
> index 2b6c6d63d3..35198a47cf 100755
> --- a/utils/generate-cyclonedx
> +++ b/utils/generate-cyclonedx
> @@ -327,6 +327,10 @@ def cyclonedx_vulnerabilities(show_info_dict):
>  
>      return [{
>          "id": cve,
> +        "source": {
> +            "name": "NVD",
> +            "url": "https://nvd.nist.gov/vuln/detail/" + cve
> +        },
>          "analysis": {
>              "state": "resolved_with_pedigree" if cve in VULN_WITH_PEDIGREE else "in_triage",
>              "detail": f"The CVE '{cve}' has been marked as ignored by Buildroot"
> -- 
> 2.43.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot