Stowage/dependency-track
2
0
Fork 0
mirror of https://github.com/DependencyTrack/dependency-track.git synced 2026-02-07 02:10:01 +00:00
Code Issues Projects Releases Packages Wiki Activity
dependency-track/docs/_docs/usage/cicd.md
Steve Springett e6cfc3e7d6
spacing
2019-10-13 21:43:01 -05:00

2.1 KiB
Raw Blame History

title category chapter order
Continuous Integration & Delivery Usage 2 1

Dependency-Track can ingest CycloneDX and SPDX BOMs as part of a CI/CD pipeline. The generation of CycloneDX BOMs often occur during CI or when the final application assembly is being generated.

Dependency-Track continuously monitors components for known vulnerabilities. When components are added or updated in Dependency-Track, an analysis is performed against the component. This action occurs during ingestion of files as well as changes to the components via REST or from the user interface. All components in Dependency-Track, regardless of changes, are automatically analyzed on a daily basis.

The [Dependency-Track Jenkins Plugin]({{ site.baseurl }}{% link _docs/integrations/jenkins.md %}) is the recommended method for publishing CycloneDX BOMs to Dependency-Track in a Jenkins environment.

For other environments, cURL (or similar) can be used.

CycloneDX or SPDX BOM

To publish CycloneDX or SPDX BOMs, use a valid API Key and project UUID. Finally, Base64 encode the bom and insert the resulting text into the 'bom' field.

curl -X "PUT" "http://dtrack.example.com/api/v1/bom" \
     -H 'Content-Type: application/json' \
     -H 'X-API-Key: LPojpCDSsEd4V9Zi6qCWr4KsiF3Konze' \
     -d $'{
  "project": "f90934f5-cb88-47ce-81cb-db06fc67d4b4",
  "bom": "PD94bWwgdm..."
  }'

It's also possible to publish BOMs via HTTP POST which does not require Base64 encoding the payload.

curl -X "POST" "http://dtrack.example.com/api/v1/bom" \
     -H 'Content-Type: multipart/form-data; charset=utf-8; boundary=__X_CURL_BOUNDARY__' \
     -H 'X-Api-Key: LPojpCDSsEd4V9Zi6qCWr4KsiF3Konze' \
     -F "project=f90934f5-cb88-47ce-81cb-db06fc67d4b4" \
     -F "bom=<?xml version=\"1.0\" encoding=\"UTF-8\"?>..."

Large Payloads

In cases where the scan or BOM being uploaded is large, using cURLs capability of specifying a file containing a payload may be preferred.

curl -X "PUT" "http://dtrack.example.com/api/v1/bom" \
     -H 'Content-Type: application/json' \
     -H 'X-API-Key: LPojpCDSsEd4V9Zi6qCWr4KsiF3Konze' \
     -d @payload.json