Using DefectDojo for license compliance #8138
Replies: 2 comments
-
@stefanbethke, did you consider DependencyTrack with CycloneDX?
-
+1 on what @manuel-sommer said above. I see DependencyTrack as an inventory of all the libraries/modules/3rd party code, etc. - the contents of an SBOM like CycloneDX. I see DefectDojo as the place that holds all the vulnerabilities - including vulnerable libraries, but SBOMs are more than just the vulnerable libraries. It's not like DefectDojo holds the source code along with the SAST scan results. It's the Unix idea of creating a tool to do 1 thing really well. DependencyTrack can hold the full list of libraries, has great support for CycloneDX and includes a DefectDojo integration. When there's an issue with a library, it can send that finding to DefectDojo. I believe that's both generally vulnerable libraries and licenses that don't match a policy of approved licenses. The pair together make a great team and are both OWASP projects 👍
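The license-policy step the comment above describes (SBOM in, findings out), as an added example that is not part of this thread or of either project's code: a Python check that reads a CycloneDX JSON SBOM and reports components whose declared licenses fall outside an allow list. The sample SBOM, the `APPROVED` set and the finding layout are all constructed; mapping the result onto a DefectDojo import is left to the reader.

```python
import json

# Constructed sample CycloneDX 1.4 JSON SBOM (not from the thread).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "readline", "version": "8.2",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "dualpkg", "version": "1.0",
         "licenses": [{"expression": "(MIT OR GPL-2.0-only)"}]},
        {"type": "library", "name": "mystery", "version": "0.1"},
    ],
})

# Hypothetical policy: SPDX identifiers the organisation allows.
APPROVED = {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"}


def expression_ok(expr, approved):
    """Conservative SPDX expression check: some OR-alternative must
    consist only of approved ids (AND requires every id to be approved)."""
    for alt in expr.split(" OR "):
        ids = [t.strip("() ") for t in alt.split(" AND ")]
        if ids and all(i in approved for i in ids):
            return True
    return False


def component_licenses(comp):
    """Collect declared license ids/names/expressions of one component."""
    out = []
    for entry in comp.get("licenses", []):
        if "expression" in entry:
            out.append(entry["expression"])
        else:
            lic = entry.get("license", {})
            out.append(lic.get("id") or lic.get("name") or "")
    return [x for x in out if x]


def license_findings(sbom_json, approved=APPROVED):
    """Return one finding per component whose licensing is not approved."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        ident = f"{comp.get('name')}@{comp.get('version')}"
        lics = component_licenses(comp)
        if not lics:  # undeclared license: needs a human look
            findings.append({"component": ident, "severity": "Medium",
                             "reason": "no license declared; manual review"})
        elif not any(expression_ok(lic, approved) for lic in lics):
            findings.append({"component": ident, "severity": "High",
                             "reason": "license not in policy: " + ", ".join(lics)})
    return findings
```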
-
We're starting to analyse and deal with potential license issues in a large project (~7000 deps across ~10 components). We're happy with the relative ease of LicenseFinder, but for a number of deps, we do need to do a quite thorough analysis because of the mix of licenses we have, including commercial software where the vendor is taking on responsibility for compliance for their bits.
Since we're already using DefectDojo for vulns, we thought that it would be a good match as well, but it doesn't seem to be a target usage scenario.
Are we on the wrong track here? Or are we overlooking how to import (for example) CycloneDX results for package licenses and dealing with them? If not DefectDojo, what alternative tools should we be looking at that would support a workflow like this?