Scan Buildroot with FOSSA for License and Security Compliance

Introduction

This guide explains how to integrate FOSSA into a Buildroot environment for license and security compliance scanning. By leveraging Buildroot's make show-info feature, we extract package dependency information and generate a fossa-deps.yml file, which FOSSA can use for analysis.


Prerequisites

  • A working Buildroot environment.
  • FOSSA CLI installed (installation guide).
  • Python (for script execution).
  • Basic knowledge of running Buildroot commands.

Step 1: Generate high level package Information from Buildroot

Before scanning with FOSSA, we need to extract dependency details from Buildroot.

  1. Navigate to your Buildroot project directory:
    cd /path/to/your/buildroot-project
    
  2. Run the following command to generate the package metadata in JSON format:
    make show-info > buildroot_deps.json
    

This command produces a JSON file (buildroot_deps.json) containing package names, versions, some licenses, and dependencies.


Step 2: Convert Buildroot Dependencies to FOSSA Format

FOSSA can enhance the information extracted from Buildroot by incorporating additional insights. To achieve this, we will generate a fossa-deps.yml file using a Python script, ensuring a more comprehensive analysis.

Python Script to Generate fossa-deps.yml

Save the following script as generate_fossa_deps.py in your Buildroot directory:

#!/usr/bin/env python3

import json
import argparse
import yaml

def parse_arguments():
    parser = argparse.ArgumentParser(description='Generate fossa-deps.yml from Buildroot package info.')
    parser.add_argument('input_file', type=str, help='Path to the JSON file containing package information.')
    return parser.parse_args()

def load_package_info(file_path):
    with open(file_path, 'r') as file:
        return json.load(file)

def map_to_fossa_type(package_name):
    # Define mapping rules from Buildroot packages to FOSSA dependency types
    if package_name.startswith('python-'):
        return 'pypi'
    elif package_name.startswith('ruby-'):
        return 'gem'
    else:
        return 'custom'

def transform_package_name(package_name):
    # Remove 'python-' if the package name starts with it
    if package_name.startswith('python-'):
        return package_name.replace('python-', '', 1)
    return package_name

def generate_fossa_deps(packages):
    referenced_deps = []
    custom_deps = []

    for pkg_name, pkg_info in packages.items():
        transformed_name = transform_package_name(pkg_name)  # Apply name transformation
        fossa_type = map_to_fossa_type(pkg_name)

        # Get version and ensure it is not empty or blank
        version = pkg_info.get('version', None)
        if not version or str(version).strip() == "":
            version = '1.0'  # Set default version if empty

        dep_entry = {
            'name': transformed_name,  # Use transformed package name
            'version': version
        }
        if fossa_type == 'custom':
            dep_entry['license'] = pkg_info.get('licenses', 'unknown')
            custom_deps.append(dep_entry)
        else:
            dep_entry['type'] = fossa_type
            referenced_deps.append(dep_entry)

    fossa_deps = {}
    if referenced_deps:
        fossa_deps['referenced-dependencies'] = referenced_deps
    if custom_deps:
        fossa_deps['custom-dependencies'] = custom_deps

    return fossa_deps

def main():
    args = parse_arguments()
    packages = load_package_info(args.input_file)
    fossa_deps = generate_fossa_deps(packages)

    with open('fossa-deps.yml', 'w') as f:
        yaml.dump(fossa_deps, f, default_flow_style=False)

    print('fossa-deps.yml has been generated.')

if __name__ == '__main__':
    main()    main()

Step 3: Execute the Script to Generate fossa-deps.yml

  1. Ensure the script has executable permissions:
    chmod +x generate_fossa_deps.py
    
  2. Run the script with the generated JSON file:
    ./generate_fossa_deps.py buildroot_deps.json
    

This will generate a fossa-deps.yml file in the current directory.


Step 4: Run FOSSA Analysis

Now that we have the fossa-deps.yml file, we can analyze our Buildroot dependencies using FOSSA.

Run FOSSA analysis:

fossa analyze

FOSSA will scan the dependencies listed in fossa-deps.yml for license compliance and security vulnerabilities.


Step 5: View the Results

  • Visit FOSSA Dashboard to check your analysis results.
  • Review license compliance & security issues in FOSSA.
  • Address any flagged issues as needed.

Troubleshooting

IssueSolution
make show-info failsEnsure Buildroot is properly set up and built before running the command.
fossa analyze does not detect dependenciesCheck if fossa-deps.yml is correctly formatted by inspecting it manually.
Missing license informationBuildroot packages may not always specify a license. Add it manually if known.

Conclusion

By following these steps, you can integrate Buildroot with FOSSA, allowing you to monitor software license compliance and security vulnerabilities efficiently. This automation ensures Buildroot projects align with open-source policies and security best practices.