Stowage/dependency-track
2
0
Fork 0
mirror of https://github.com/DependencyTrack/dependency-track.git synced 2026-02-08 02:39:49 +00:00
Code Issues Projects Releases Packages Wiki Activity
dependency-track/docs/_docs/usage/cicd.md
Steve Springett e6cfc3e7d6
spacing
2019-10-13 21:43:01 -05:00

56 lines
2.1 KiB
Markdown
Raw Blame History

---
title: Continuous Integration & Delivery
category: Usage
chapter: 2
order: 1
---
Dependency-Track can ingest CycloneDX and SPDX BOMs as part of a CI/CD pipeline. The
generation of CycloneDX BOMs often occur during CI or when the final application assembly
is being generated.
> Dependency-Track continuously monitors components for known vulnerabilities. When components are added or
> updated in Dependency-Track, an analysis is performed against the component. This action occurs during
> ingestion of files as well as changes to the components via REST or from the user interface. All
> components in Dependency-Track, regardless of changes, are automatically analyzed on a daily basis.
The [Dependency-Track Jenkins Plugin]({{ site.baseurl }}{% link _docs/integrations/jenkins.md %}) is the
recommended method for publishing CycloneDX BOMs to Dependency-Track in a Jenkins environment.
For other environments, cURL (or similar) can be used.
#### CycloneDX or SPDX BOM
To publish CycloneDX or SPDX BOMs, use a valid API Key and project UUID. Finally, Base64 encode the
bom and insert the resulting text into the 'bom' field.
```bash
curl -X "PUT" "http://dtrack.example.com/api/v1/bom" \
-H 'Content-Type: application/json' \
-H 'X-API-Key: LPojpCDSsEd4V9Zi6qCWr4KsiF3Konze' \
-d $'{
"project": "f90934f5-cb88-47ce-81cb-db06fc67d4b4",
"bom": "PD94bWwgdm..."
}'
```
It's also possible to publish BOMs via HTTP POST which does not require Base64 encoding the payload.
```bash
curl -X "POST" "http://dtrack.example.com/api/v1/bom" \
-H 'Content-Type: multipart/form-data; charset=utf-8; boundary=__X_CURL_BOUNDARY__' \
-H 'X-Api-Key: LPojpCDSsEd4V9Zi6qCWr4KsiF3Konze' \
-F "project=f90934f5-cb88-47ce-81cb-db06fc67d4b4" \
-F "bom=<?xml version=\"1.0\" encoding=\"UTF-8\"?>..."
```
#### Large Payloads
In cases where the scan or BOM being uploaded is large, using cURLs capability of specifying a file
containing a payload may be preferred.
```bash
curl -X "PUT" "http://dtrack.example.com/api/v1/bom" \
-H 'Content-Type: application/json' \
-H 'X-API-Key: LPojpCDSsEd4V9Zi6qCWr4KsiF3Konze' \
-d @payload.json
```
Reference in a new issue View git blame Copy permalink