dependency-track icon indicating copy to clipboard operation
dependency-track copied to clipboard

Published 20 hours ago verified publisher icon DependencyTrack

Add Dependency-Track as default project

Open AbdelHajou opened this issue 2 years ago • 5 comments

Current Behavior:

When starting a fresh instance of Dependency-Track, there are no projects in the portfolio.

Proposed Behavior:

Add Dependency-Track as default project to every new portfolio, with the SBOM that has been generated during the build (should be in the resources folder).

When a new critical CVE-vulnerability is reported, companies want to know whether any of the applications within their application landscape are affected by this vulnerability. Dependency-Track is part of this application landscape, so I think it should be part of the portfolio.

This project can also be used as an example project for users who want to quickly try out Dependency-Track without generating an SBOM themselves.

Maybe the project can be made read-only, but this would take more effort to implement. I’m also not sure whether the front-end and API server should be added as separate projects, or all components should be added to the same project.

AbdelHajou avatar Apr 22 '22 16:04 AbdelHajou

Thanks for the suggestion. Its a great idea. Will see what it will take to implement.

stevespringett avatar Apr 22 '22 20:04 stevespringett

@stevespringett May I work on this?

AbdelHajou avatar Apr 22 '22 23:04 AbdelHajou

Sure, absolutely. Ideally, there would be two projects:

  1. Dependency-Track API Server
  2. Dependency-Track Frontend

The BOM for the API Server is produced from the build.

There's also a BOM containing only the services used. https://github.com/DependencyTrack/dependency-track/blob/master/src/main/resources/services.bom.json

Both of these BOMs need to be merged together using the CycloneDX CLI. However, I ran into an issue with the CLI in which metadata was lost. See: https://github.com/CycloneDX/cyclonedx-cli/issues/153

The final BOM for the API Server would then contain all the components and services, which would be ideal as a default project for all new DT installations.

stevespringett avatar Apr 23 '22 04:04 stevespringett

Using the merge command requires the CycloneDX CLI to be installed on the build machine, I think it would be nice to use the Maven plugin for it. However, I couldn't find a merge option in the maven plugin. I've opened an issue for this in the cyclonedx-maven-plugin repo. Do you think this would be a better option, or should we just call the CLI from a pre-release or release script?

AbdelHajou avatar Apr 23 '22 09:04 AbdelHajou

Note, the release process will likely end up changing prior to v4.5 with #1419. I'll likely add the CycloneDX CLI to the release scripts so it will be available.

stevespringett avatar Apr 24 '22 06:04 stevespringett

Dabbling with this right now, as the issue with the CLI has since been fixed.

The BOM generated during the Maven build can be merged with the service BOM using the exec-maven-plugin:

<properties>
    <bom-merge.cyclonedx-cli.path>cyclonedx</bom-merge.cyclonedx-cli.path>
    <bom-merge.skip>true</bom-merge.skip>
</properties>
<!-- ... -->
<plugin>
    <groupId>org.codehaus.mojo</groupId>
    <artifactId>exec-maven-plugin</artifactId>
    <executions>
        <execution>
            <id>merge-bom</id>
            <phase>prepare-package</phase>
            <goals>
                <goal>exec</goal>
            </goals>
            <configuration>
                <executable>${bom-merge.cyclonedx-cli.path}</executable>
                <arguments>
                    <argument>merge</argument>
                    <argument>--input-files</argument>
                    <argument>${project.build.directory}/bom.json</argument>
                    <argument>${project.basedir}/src/main/resources/services.bom.json</argument>
                    <argument>--output-file</argument>
                    <argument>${project.build.directory}/bom.json</argument>
                </arguments>
                <skip>${bom-merge.skip}</skip>
            </configuration>
        </execution>
    </executions>
</plugin>

My suggestion would be to have ${bom-merge.skip} default to false so that the build won't fail when folks don't have the CLI installed. There's already a build step that copies the BOM to .well-known/sbom:

https://github.com/DependencyTrack/dependency-track/blob/45868a937f9e5902bee630a2a8c627e459b773d1/pom.xml#L375-L378

We can load the SBOM from the classpath at runtime, parse it, and create a project from it. Was wondering though, do we want to kick off the various analysis tasks we have, or do we just import the data?

nscuro avatar Nov 03 '22 22:11 nscuro

Was wondering though, do we want to kick off the various analysis tasks we have, or do we just import the data?

I would personally expect the analysis tasks to run on the created project so that I can set up notifications for administrators.

syalioune avatar Nov 04 '22 07:11 syalioune

I raised a draft PR and would appreciate feedback on how this feature should behave: https://github.com/DependencyTrack/dependency-track/pull/2124

nscuro avatar Nov 05 '22 19:11 nscuro

Moved to milestone 4.10 in order to align with incorporation of bom-repo-server etc.

msymons avatar Feb 01 '23 09:02 msymons