SBOM Tool for OpenWRT to feed Dependency Track

Petr Štetiar ynezz at
Thu Oct 26 13:34:39 PDT 2023

Pfendtner Steffen <S.Pfendtner at> [2022-10-18 14:38:56]:


> We decided to publish our internal fork of the Timesys SBOM Tool we found on
> github. You find our version at:

thanks for sharing!

BTW I took that output and drafted a first version[1] by extending the current
image/package metadata handling. It's not finished, not ideal, but looks
somehow usable already. Feedback welcome.

Hauke Mehrtens <hauke at> [2022-10-25 00:32:21]:

> Nice tool, do you have some "demo" output for a recent OpenWrt release
> somewhere?

BTW it's really quite easy to set up[2] for toying purposes:

 curl -LO
 docker-compose up -d

then wait a bit for init and head to http://localhost:8080

> One advantage of uscan from my point of view is that I just have to open a
> website to see the results for OpenWrt master and the maintained branches
> and do not have to run some scripts and install some tooling myself.

In the long term it would perhaps be nice to have DependencyTrack running at, fed automatically from buildbot.



