* [Buildroot] [PATCH 1/1 v2] support/scripts/generate-cyclonedx: add source attribute to CVEs
@ 2026-02-24 13:20 Fabien Lehoussel via buildroot
2026-02-24 13:36 ` Thomas Perale via buildroot
2026-03-27 10:02 ` Thomas Perale via buildroot
0 siblings, 2 replies; 4+ messages in thread
From: Fabien Lehoussel via buildroot @ 2026-02-24 13:20 UTC (permalink / raw)
To: buildroot; +Cc: Thomas Perale, Fabien Lehoussel
Add 'source' attribute to each CVE in vulnerabilities node, including NVD
URL reference to enable proper import into Dependency-Track.
Dependency-Track's VEX importer requires the source attribute to
properly process vulnerability entries. Without it, vulnerabilities are
skipped during import with "does not have an ID and / or source" warnings.
Include the full NVD URL following the CycloneDX 1.6 documentation format:
https://nvd.nist.gov/vuln/detail/{CVE-ID}
Test Environment:
- Buildroot: 2025.02.11 (or master)
- Dependency-Track: v4.13.6
Test Results - BEFORE (without source attribute):
apiserver_1 | 2026-02-23 16:05:40,890 INFO [VexUploadProcessingTask] Processing CycloneDX VEX uploaded to project: e43fe185-c0a3-4e3a-a908-667344a66a9c
apiserver_1 | 2026-02-23 16:05:40,941 WARN [CycloneDXVexImporter] VEX vulnerability at position #0 does not have an ID and / or source; Skipping it
apiserver_1 | 2026-02-23 16:05:40,941 WARN [CycloneDXVexImporter] VEX vulnerability at position #1 does not have an ID and / or source; Skipping it
...
apiserver_1 | 2026-02-23 16:05:40,941 WARN [CycloneDXVexImporter] VEX vulnerability at position #19 does not have an ID and / or source; Skipping it
apiserver_1 | 2026-02-23 16:05:40,941 INFO [CycloneDXVexImporter] The uploaded VEX does not contain any applicable vulnerabilities; Skipping VEX import
Test Results - AFTER (with source):
apiserver_1 | 2026-02-23 16:17:13,492 INFO [VexUploadProcessingTask] Processing CycloneDX VEX uploaded to project: e43fe185-c0a3-4e3a-a908-667344a66a9c
apiserver_1 | 2026-02-23 16:17:14,054 INFO [VexUploadProcessingTask] Completed processing of CycloneDX VEX for project: e43fe185-c0a3-4e3a-a908-667344a66a9c
CVEs are correctly imported in Dependency-Track
Signed-off-by: Fabien Lehoussel <fabien.lehoussel@smile.fr>
---
utils/generate-cyclonedx | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/utils/generate-cyclonedx b/utils/generate-cyclonedx
index 2b6c6d63d3..35198a47cf 100755
--- a/utils/generate-cyclonedx
+++ b/utils/generate-cyclonedx
@@ -327,6 +327,10 @@ def cyclonedx_vulnerabilities(show_info_dict):
return [{
"id": cve,
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/" + cve
+ },
"analysis": {
"state": "resolved_with_pedigree" if cve in VULN_WITH_PEDIGREE else "in_triage",
"detail": f"The CVE '{cve}' has been marked as ignored by Buildroot"
--
2.43.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [Buildroot] [PATCH 1/1 v2] support/scripts/generate-cyclonedx: add source attribute to CVEs
2026-02-24 13:20 [Buildroot] [PATCH 1/1 v2] support/scripts/generate-cyclonedx: add source attribute to CVEs Fabien Lehoussel via buildroot
@ 2026-02-24 13:36 ` Thomas Perale via buildroot
2026-03-17 21:16 ` Romain Naour via buildroot
2026-03-27 10:02 ` Thomas Perale via buildroot
1 sibling, 1 reply; 4+ messages in thread
From: Thomas Perale via buildroot @ 2026-02-24 13:36 UTC (permalink / raw)
To: Fabien Lehoussel; +Cc: Thomas Perale, buildroot
Thanks Fabien.
Acked-By: Thomas Perale <thomas.perale@mind.be>
In reply of:
> Add 'source' attribute to each CVE in vulnerabilities node, including NVD
> URL reference to enable proper import into Dependency-Track.
>
> Dependency-Track's VEX importer requires the source attribute to
> properly process vulnerability entries. Without it, vulnerabilities are
> skipped during import with "does not have an ID and / or source" warnings.
>
> Include the full NVD URL following the CycloneDX 1.6 documentation format:
> https://nvd.nist.gov/vuln/detail/{CVE-ID}
>
> Test Environment:
> - Buildroot: 2025.02.11 (or master)
> - Dependency-Track: v4.13.6
>
> Test Results - BEFORE (without source attribute):
> apiserver_1 | 2026-02-23 16:05:40,890 INFO [VexUploadProcessingTask] Processing CycloneDX VEX uploaded to project: e43fe185-c0a3-4e3a-a908-667344a66a9c
> apiserver_1 | 2026-02-23 16:05:40,941 WARN [CycloneDXVexImporter] VEX vulnerability at position #0 does not have an ID and / or source; Skipping it
> apiserver_1 | 2026-02-23 16:05:40,941 WARN [CycloneDXVexImporter] VEX vulnerability at position #1 does not have an ID and / or source; Skipping it
> ...
> apiserver_1 | 2026-02-23 16:05:40,941 WARN [CycloneDXVexImporter] VEX vulnerability at position #19 does not have an ID and / or source; Skipping it
> apiserver_1 | 2026-02-23 16:05:40,941 INFO [CycloneDXVexImporter] The uploaded VEX does not contain any applicable vulnerabilities; Skipping VEX import
>
> Test Results - AFTER (with source):
> apiserver_1 | 2026-02-23 16:17:13,492 INFO [VexUploadProcessingTask] Processing CycloneDX VEX uploaded to project: e43fe185-c0a3-4e3a-a908-667344a66a9c
> apiserver_1 | 2026-02-23 16:17:14,054 INFO [VexUploadProcessingTask] Completed processing of CycloneDX VEX for project: e43fe185-c0a3-4e3a-a908-667344a66a9c
>
> CVEs are correctly imported in Dependency-Track
>
> Signed-off-by: Fabien Lehoussel <fabien.lehoussel@smile.fr>
> ---
> utils/generate-cyclonedx | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/utils/generate-cyclonedx b/utils/generate-cyclonedx
> index 2b6c6d63d3..35198a47cf 100755
> --- a/utils/generate-cyclonedx
> +++ b/utils/generate-cyclonedx
> @@ -327,6 +327,10 @@ def cyclonedx_vulnerabilities(show_info_dict):
>
> return [{
> "id": cve,
> + "source": {
> + "name": "NVD",
> + "url": "https://nvd.nist.gov/vuln/detail/" + cve
> + },
> "analysis": {
> "state": "resolved_with_pedigree" if cve in VULN_WITH_PEDIGREE else "in_triage",
> "detail": f"The CVE '{cve}' has been marked as ignored by Buildroot"
> --
> 2.43.0
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [Buildroot] [PATCH 1/1 v2] support/scripts/generate-cyclonedx: add source attribute to CVEs
2026-02-24 13:36 ` Thomas Perale via buildroot
@ 2026-03-17 21:16 ` Romain Naour via buildroot
0 siblings, 0 replies; 4+ messages in thread
From: Romain Naour via buildroot @ 2026-03-17 21:16 UTC (permalink / raw)
To: Thomas Perale, Fabien Lehoussel; +Cc: buildroot
Hello Fabien, Thomas, All,
Le 24/02/2026 à 14:36, Thomas Perale via buildroot a écrit :
> Thanks Fabien.
>
> Acked-By: Thomas Perale <thomas.perale@mind.be>
Applied to master, thanks.
Best regards,
Romain
>
> In reply of:
>> Add 'source' attribute to each CVE in vulnerabilities node, including NVD
>> URL reference to enable proper import into Dependency-Track.
>>
>> Dependency-Track's VEX importer requires the source attribute to
>> properly process vulnerability entries. Without it, vulnerabilities are
>> skipped during import with "does not have an ID and / or source" warnings.
>>
>> Include the full NVD URL following the CycloneDX 1.6 documentation format:
>> https://nvd.nist.gov/vuln/detail/{CVE-ID}
>>
>> Test Environment:
>> - Buildroot: 2025.02.11 (or master)
>> - Dependency-Track: v4.13.6
>>
>> Test Results - BEFORE (without source attribute):
>> apiserver_1 | 2026-02-23 16:05:40,890 INFO [VexUploadProcessingTask] Processing CycloneDX VEX uploaded to project: e43fe185-c0a3-4e3a-a908-667344a66a9c
>> apiserver_1 | 2026-02-23 16:05:40,941 WARN [CycloneDXVexImporter] VEX vulnerability at position #0 does not have an ID and / or source; Skipping it
>> apiserver_1 | 2026-02-23 16:05:40,941 WARN [CycloneDXVexImporter] VEX vulnerability at position #1 does not have an ID and / or source; Skipping it
>> ...
>> apiserver_1 | 2026-02-23 16:05:40,941 WARN [CycloneDXVexImporter] VEX vulnerability at position #19 does not have an ID and / or source; Skipping it
>> apiserver_1 | 2026-02-23 16:05:40,941 INFO [CycloneDXVexImporter] The uploaded VEX does not contain any applicable vulnerabilities; Skipping VEX import
>>
>> Test Results - AFTER (with source):
>> apiserver_1 | 2026-02-23 16:17:13,492 INFO [VexUploadProcessingTask] Processing CycloneDX VEX uploaded to project: e43fe185-c0a3-4e3a-a908-667344a66a9c
>> apiserver_1 | 2026-02-23 16:17:14,054 INFO [VexUploadProcessingTask] Completed processing of CycloneDX VEX for project: e43fe185-c0a3-4e3a-a908-667344a66a9c
>>
>> CVEs are correctly imported in Dependency-Track
>>
>> Signed-off-by: Fabien Lehoussel <fabien.lehoussel@smile.fr>
>
>> ---
>> utils/generate-cyclonedx | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff --git a/utils/generate-cyclonedx b/utils/generate-cyclonedx
>> index 2b6c6d63d3..35198a47cf 100755
>> --- a/utils/generate-cyclonedx
>> +++ b/utils/generate-cyclonedx
>> @@ -327,6 +327,10 @@ def cyclonedx_vulnerabilities(show_info_dict):
>>
>> return [{
>> "id": cve,
>> + "source": {
>> + "name": "NVD",
>> + "url": "https://nvd.nist.gov/vuln/detail/" + cve
>> + },
>> "analysis": {
>> "state": "resolved_with_pedigree" if cve in VULN_WITH_PEDIGREE else "in_triage",
>> "detail": f"The CVE '{cve}' has been marked as ignored by Buildroot"
>> --
>> 2.43.0
>>
>> _______________________________________________
>> buildroot mailing list
>> buildroot@buildroot.org
>> https://lists.buildroot.org/mailman/listinfo/buildroot
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [Buildroot] [PATCH 1/1 v2] support/scripts/generate-cyclonedx: add source attribute to CVEs
2026-02-24 13:20 [Buildroot] [PATCH 1/1 v2] support/scripts/generate-cyclonedx: add source attribute to CVEs Fabien Lehoussel via buildroot
2026-02-24 13:36 ` Thomas Perale via buildroot
@ 2026-03-27 10:02 ` Thomas Perale via buildroot
1 sibling, 0 replies; 4+ messages in thread
From: Thomas Perale via buildroot @ 2026-03-27 10:02 UTC (permalink / raw)
To: Fabien Lehoussel; +Cc: Thomas Perale, buildroot
In reply of:
> Add 'source' attribute to each CVE in vulnerabilities node, including NVD
> URL reference to enable proper import into Dependency-Track.
>
> Dependency-Track's VEX importer requires the source attribute to
> properly process vulnerability entries. Without it, vulnerabilities are
> skipped during import with "does not have an ID and / or source" warnings.
>
> Include the full NVD URL following the CycloneDX 1.6 documentation format:
> https://nvd.nist.gov/vuln/detail/{CVE-ID}
>
> Test Environment:
> - Buildroot: 2025.02.11 (or master)
> - Dependency-Track: v4.13.6
>
> Test Results - BEFORE (without source attribute):
> apiserver_1 | 2026-02-23 16:05:40,890 INFO [VexUploadProcessingTask] Processing CycloneDX VEX uploaded to project: e43fe185-c0a3-4e3a-a908-667344a66a9c
> apiserver_1 | 2026-02-23 16:05:40,941 WARN [CycloneDXVexImporter] VEX vulnerability at position #0 does not have an ID and / or source; Skipping it
> apiserver_1 | 2026-02-23 16:05:40,941 WARN [CycloneDXVexImporter] VEX vulnerability at position #1 does not have an ID and / or source; Skipping it
> ...
> apiserver_1 | 2026-02-23 16:05:40,941 WARN [CycloneDXVexImporter] VEX vulnerability at position #19 does not have an ID and / or source; Skipping it
> apiserver_1 | 2026-02-23 16:05:40,941 INFO [CycloneDXVexImporter] The uploaded VEX does not contain any applicable vulnerabilities; Skipping VEX import
>
> Test Results - AFTER (with source):
> apiserver_1 | 2026-02-23 16:17:13,492 INFO [VexUploadProcessingTask] Processing CycloneDX VEX uploaded to project: e43fe185-c0a3-4e3a-a908-667344a66a9c
> apiserver_1 | 2026-02-23 16:17:14,054 INFO [VexUploadProcessingTask] Completed processing of CycloneDX VEX for project: e43fe185-c0a3-4e3a-a908-667344a66a9c
>
> CVEs are correctly imported in Dependency-Track
>
> Signed-off-by: Fabien Lehoussel <fabien.lehoussel@smile.fr>
Applied to 2026.02.x & 2025.02.x. Thanks
> ---
> utils/generate-cyclonedx | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/utils/generate-cyclonedx b/utils/generate-cyclonedx
> index 2b6c6d63d3..35198a47cf 100755
> --- a/utils/generate-cyclonedx
> +++ b/utils/generate-cyclonedx
> @@ -327,6 +327,10 @@ def cyclonedx_vulnerabilities(show_info_dict):
>
> return [{
> "id": cve,
> + "source": {
> + "name": "NVD",
> + "url": "https://nvd.nist.gov/vuln/detail/" + cve
> + },
> "analysis": {
> "state": "resolved_with_pedigree" if cve in VULN_WITH_PEDIGREE else "in_triage",
> "detail": f"The CVE '{cve}' has been marked as ignored by Buildroot"
> --
> 2.43.0
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-03-27 10:02 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-02-24 13:20 [Buildroot] [PATCH 1/1 v2] support/scripts/generate-cyclonedx: add source attribute to CVEs Fabien Lehoussel via buildroot
2026-02-24 13:36 ` Thomas Perale via buildroot
2026-03-17 21:16 ` Romain Naour via buildroot
2026-03-27 10:02 ` Thomas Perale via buildroot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox