Skip to main content

Dependency-Track

License Apache-2.0GitHub release (latest SemVer)OWASP Lab ProjectArtifact HUBGitHub Repo starsMastodon Follower

What is "Persistence Dependency-Track" Hook about?

The Dependency-Track persistenceProvider hook saves all generated CycloneDX SBOMs into the configured OWASP Dependency-Track instance, other findings or SPDX SBOMs cannot be handled and are ignored. This allows automatically cataloging infrastructure to gain an overview over the used components and dependencies. To learn more about Dependency-Track visit dependencytrack.org.

To use the secureCodeBox to generate SBOMs, you can use the Trivy-SBOM scanner.

Deployment

The persistence-dependencytrack chart can be deployed via helm:

# Install HelmChart (use -n to configure another namespace)
helm upgrade --install persistence-dependencytrack oci://ghcr.io/securecodebox/helm/persistence-dependencytrack

Requirements

Kubernetes: >=v1.11.0-0

Additional Chart Configurations

Installing the Dependency-Track persistenceProvider hook will add a ReadOnly Hook to your namespace.

You need to provide the API key to connect to Dependency-Track as a Kubernetes secret. Check the Dependency-Track documentation, to learn how to configure an API key.

kubectl create secret generic dependencytrack-credentials --from-literal="apikey=NoEs..."

helm upgrade --install dt oci://ghcr.io/securecodebox/helm/persistence-dependencytrack \
--set="dependencytrack.url=https://dependency-track-backend.default.svc"

SBOMs are imported for a project in Dependency-Track. To avoid configuring all of them by hand first and assigning projects to scans somehow, the hook automatically detects name and version from the scan and then creates Dependency-Track projects if they do not exist yet. This requires either the PORTFOLIO_MANAGEMENT or PROJECT_CREATION_UPLOAD permission for the API key which gets used by the hook (or rather for the team the key is defined for).

The hook extracts name and version from the reference of the scanned docker image. For more fine grained control how the projects are matched, you can configure the name and version as annotations to the scan.

Scan AnnotationDescriptionDefault if not set
dependencytrack.securecodebox.io/project-nameName of the ProjectRepository Name of the Docker Image
dependencytrack.securecodebox.io/project-versionVersion of the ProjectImage Tag if avialable, otherwise Image Digest if available, otherwise latest

Values

KeyTypeDefaultDescription
dependencytrack.authenticationobject{"apiKeyKey":"apikey","userSecret":"dependencytrack-credentials"}Authentication information. Dependency-Track expects an API key, which can be generated for a team (see: https://docs.dependencytrack.org/integrations/rest-api/). The hook automatically creates missing projects, for that either the PORTFOLIO_MANAGEMENT or PROJECT_CREATION_UPLOAD permission is required.
dependencytrack.authentication.apiKeyKeystring"apikey"Name of the apikey key in the userSecret secret.
dependencytrack.authentication.userSecretstring"dependencytrack-credentials"Link a pre-existing generic secret with apikey key / value pair
dependencytrack.urlstring"http://dependency-track-backend.default.svc"Url to the Dependency-Track instance, make sure to use the backend url
hook.affinityobject{}Optional affinity settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/)
hook.image.pullPolicystring"IfNotPresent"Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
hook.image.repositorystring"docker.io/securecodebox/hook-persistence-dependencytrack"Hook image repository
hook.image.tagstringdefaults to the charts versionContainer image tag
hook.labelsobject{}Add Kubernetes Labels to the hook definition
hook.priorityint0Hook priority. Higher priority Hooks are guaranteed to execute before low priority Hooks.
hook.resourcesobject{ requests: { cpu: "200m", memory: "100Mi" }, limits: { cpu: "400m", memory: "200Mi" } }Optional resources lets you control resource limits and requests for the hook container. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
hook.tolerationslist[]Optional tolerations settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
hook.ttlSecondsAfterFinishedstringnilSeconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
imagePullSecretslist[]Define imagePullSecrets when a private registry is used (see: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/)

License

License

Code of secureCodeBox is licensed under the Apache License 2.0.