Enhancement: Add support for task-depends.dot file #23
Comments
|
Task-depends.dot contains all recipes in the project including dev dependencies, and also includes multiple hierarchical tasks per recipe (making it potentially very large). For most use-cases, the focus of assessments is for packages in the delivered image excluding those ONLY used in the dev environment, and as far as I can tell, this list can only be determined from the license.manifest file. Furthermore, full analysis of the project requires access to the build environment to scan the installed package files and confirm they match the intended target of the recipe, also looking for modified packages etc. Scans performed outside the build environment using only the license.manifest (or task-depends.dot) file(s) can only determine unmodified, original packages as reported by OpenEmbedded, leading to potential gaps in analysis. Please email me at [email protected] to confirm:
Also please confirm your company name so we can lookup your Black Duck license entitlement. Thanks |
|
Hi Matt, Thanks and Regards, |
|
I didn't see an email from you, but have gone ahead and added a new option '--task_depends_dot_file FILE' option to v1.0.18 in the devlocal branch. |
Currently bd_scan_yocto_via_sbom supports ONLY license.manifest (as option -l). It will be of great help to add support for "task-depends.dot" file, which is generated by Yocto build (https://docs.yoctoproject.org/bitbake/2.10/bitbake-user-manual/bitbake-user-manual-intro.html). I was using a custom script to convert the task-depends.dot to license.manifest.
The text was updated successfully, but these errors were encountered: