Scanning Buildroot Projects
Scan Buildroot-based embedded Linux projects for license and security compliance with FOSSA.
Overview
This guide explains how to integrate FOSSA into a Buildroot environment for license and security compliance scanning. By leveraging Buildroot's make show-info feature, you extract package dependency information and generate a fossa-deps file that FOSSA can analyze.
Note
- A working Buildroot environment.
- The FOSSA CLI installed. See Installing the FOSSA CLI.
- Python 3 (to run the conversion script).
- Basic familiarity with running Buildroot commands.
- 1
Generate package information from Buildroot
From your Buildroot project directory, export package metadata to JSON:
Shellcd /path/to/your/buildroot-projectmake show-info > buildroot_deps.jsonThis produces
buildroot_deps.jsoncontaining package names, versions, some licenses, and dependencies. - 2
Convert Buildroot dependencies to FOSSA format
FOSSA can enhance the information extracted from Buildroot by incorporating additional insights. Save the following script as
generate_fossa_deps.pyin your Buildroot directory. It reads the JSON and writes afossa-deps.ymlwith referenced and custom dependencies:Python#!/usr/bin/env python3 import jsonimport argparseimport yaml def parse_arguments(): parser = argparse.ArgumentParser(description='Generate fossa-deps.yml from Buildroot package info.') parser.add_argument('input_file', type=str, help='Path to the JSON file containing package information.') return parser.parse_args() def load_package_info(file_path): with open(file_path, 'r') as file: return json.load(file) def map_to_fossa_type(package_name): # Define mapping rules from Buildroot packages to FOSSA dependency types if package_name.startswith('python-'): return 'pypi' elif package_name.startswith('ruby-'): return 'gem' else: return 'custom' def transform_package_name(package_name): # Remove 'python-' if the package name starts with it if package_name.startswith('python-'): return package_name.replace('python-', '', 1) return package_name def generate_fossa_deps(packages): referenced_deps = [] custom_deps = [] for pkg_name, pkg_info in packages.items(): transformed_name = transform_package_name(pkg_name) # Apply name transformation fossa_type = map_to_fossa_type(pkg_name) # Get version and ensure it is not empty or blank version = pkg_info.get('version', None) if not version or str(version).strip() == "": version = '1.0' # Set default version if empty dep_entry = { 'name': transformed_name, # Use transformed package name 'version': version } if fossa_type == 'custom': dep_entry['license'] = pkg_info.get('licenses', 'unknown') custom_deps.append(dep_entry) else: dep_entry['type'] = fossa_type referenced_deps.append(dep_entry) fossa_deps = {} if referenced_deps: fossa_deps['referenced-dependencies'] = referenced_deps if custom_deps: fossa_deps['custom-dependencies'] = custom_deps return fossa_deps def main(): args = parse_arguments() packages = load_package_info(args.input_file) fossa_deps = generate_fossa_deps(packages) with open('fossa-deps.yml', 'w') as f: yaml.dump(fossa_deps, f, default_flow_style=False) print('fossa-deps.yml has been generated.') if __name__ == '__main__': main() - 3
Run the script to generate fossa-deps.yml
Make the script executable and run it against the generated JSON:
Shellchmod +x generate_fossa_deps.py./generate_fossa_deps.py buildroot_deps.jsonThis writes a
fossa-deps.ymlfile in the current directory. - 4
Run the FOSSA analysis
With
fossa-deps.ymlin place, analyze your Buildroot dependencies:Shellfossa analyzeFOSSA scans the dependencies listed in
fossa-deps.ymlfor license compliance and security vulnerabilities. - 5
View the results
Open the FOSSA dashboard, review license compliance and security issues, and address any flagged items.
Troubleshooting
| Issue | Solution |
|---|---|
make show-info fails | Ensure Buildroot is properly set up and built before running the command. |
fossa analyze does not detect dependencies | Check that fossa-deps.yml is correctly formatted by inspecting it manually. |
| Missing license information | Buildroot packages may not always specify a license. Add it manually if known. |