
Add CI information to project

Open brunobastosg opened this issue 2 years ago • 1 comments

Add information about the CI tools that triggered the dependency track job.

SonarQube does this. It adds a field called "detectedCI" to the project analysis if it was triggered by CI.

Here's an excerpt from a real JSON returned by Sonar project analysis API:

{
  "paging": {
    "pageIndex": 1,
    "pageSize": 10,
    "total": 22
  },
  "analyses": [
    {
      "key": "AYAJFoPcOLJzMQtheSh4",
      "date": "2022-04-08T09:08:00-0300",
      "events": [
        {
          "key": "AYAJFpJQOLJzMQtheWe6",
          "category": "VERSION",
          "name": "1.8.7"
        }
      ],
      "projectVersion": "1.8.7",
      "manualNewCodePeriodBaseline": false,
      "revision": "10a08ad9bfbf30ecae747f5400cab57f0164d539",
      "detectedCI": "Gitlab CI"
    }
  ]
}

Current Behavior:

CI information is not stored in project:

[
  {
    "name": "projectName",
    "version": "1.0.0",
    "classifier": "APPLICATION",
    "directDependencies": "[{\"name\":\"cxf-rt-frontend-jaxws\",\"purl\":\"pkg:maven/org.apache.cxf/cxf-rt-frontend-jaxws@3.1.12?type=jar\",\"uuid\":\"013f3514-8558-4ae5-abfc-dcd57de4e45b\",\"version\":\"3.1.12\",\"group\":\"org.apache.cxf\",\"purlCoordinates\":\"pkg:maven/org.apache.cxf/cxf-rt-frontend-jaxws@3.1.12\",\"objectType\":\"COMPONENT\"}]",
    "uuid": "a07b3448-a2a1-4197-8530-0b084440c3e3",
    "lastBomImport": 1652908808576,
    "lastBomImportFormat": "CycloneDX 1.3",
    "lastInheritedRiskScore": 1075.0,
    "active": true,
    "metrics": {
      "critical": 56,
      "high": 69,
      "medium": 52,
      "low": 4,
      "unassigned": 2,
      "vulnerabilities": 183,
      "vulnerableComponents": 23,
      "components": 153,
      "suppressed": 0,
      "findingsTotal": 183,
      "findingsAudited": 0,
      "findingsUnaudited": 183,
      "inheritedRiskScore": 1075.0,
      "policyViolationsFail": 0,
      "policyViolationsWarn": 0,
      "policyViolationsInfo": 0,
      "policyViolationsTotal": 0,
      "policyViolationsAudited": 0,
      "policyViolationsUnaudited": 0,
      "policyViolationsSecurityTotal": 0,
      "policyViolationsSecurityAudited": 0,
      "policyViolationsSecurityUnaudited": 0,
      "policyViolationsLicenseTotal": 0,
      "policyViolationsLicenseAudited": 0,
      "policyViolationsLicenseUnaudited": 0,
      "policyViolationsOperationalTotal": 0,
      "policyViolationsOperationalAudited": 0,
      "policyViolationsOperationalUnaudited": 0,
      "firstOccurrence": 1653183398506,
      "lastOccurrence": 1653417442812
    }
  }
]

Proposed Behavior:

CI information is added to the project, if the dependency track job was triggered by CI:

[
  {
    "name": "projectName",
    "version": "1.0.0",
    "classifier": "APPLICATION",
    "directDependencies": "[{\"name\":\"cxf-rt-frontend-jaxws\",\"purl\":\"pkg:maven/org.apache.cxf/cxf-rt-frontend-jaxws@3.1.12?type=jar\",\"uuid\":\"013f3514-8558-4ae5-abfc-dcd57de4e45b\",\"version\":\"3.1.12\",\"group\":\"org.apache.cxf\",\"purlCoordinates\":\"pkg:maven/org.apache.cxf/cxf-rt-frontend-jaxws@3.1.12\",\"objectType\":\"COMPONENT\"}]",
    "uuid": "a07b3448-a2a1-4197-8530-0b084440c3e3",
    "lastBomImport": 1652908808576,
    "lastBomImportFormat": "CycloneDX 1.3",
    "lastInheritedRiskScore": 1075.0,
    "active": true,
    "metrics": {
      "critical": 56,
      "high": 69,
      "medium": 52,
      "low": 4,
      "unassigned": 2,
      "vulnerabilities": 183,
      "vulnerableComponents": 23,
      "components": 153,
      "suppressed": 0,
      "findingsTotal": 183,
      "findingsAudited": 0,
      "findingsUnaudited": 183,
      "inheritedRiskScore": 1075.0,
      "policyViolationsFail": 0,
      "policyViolationsWarn": 0,
      "policyViolationsInfo": 0,
      "policyViolationsTotal": 0,
      "policyViolationsAudited": 0,
      "policyViolationsUnaudited": 0,
      "policyViolationsSecurityTotal": 0,
      "policyViolationsSecurityAudited": 0,
      "policyViolationsSecurityUnaudited": 0,
      "policyViolationsLicenseTotal": 0,
      "policyViolationsLicenseAudited": 0,
      "policyViolationsLicenseUnaudited": 0,
      "policyViolationsOperationalTotal": 0,
      "policyViolationsOperationalAudited": 0,
      "policyViolationsOperationalUnaudited": 0,
      "firstOccurrence": 1653183398506,
      "lastOccurrence": 1653417442812
    },
    "detectedCI": "Jenkins"
  }
]

brunobastosg avatar May 24 '22 19:05 brunobastosg

I think the first thing required to make this happen is to add support for external references to projects. Currently, only components and services support external references. Projects do not. External references often contain information about the build environment which could then be used to deduce other CI information.

stevespringett avatar May 24 '22 23:05 stevespringett

DT supports external references at project level since 4.7 (PR #2251 and https://github.com/DependencyTrack/frontend/pull/347). It is now a matter of including the relevant information into the SBOM meta component. Such a task is rather in the scope of the tool used to generate the SBOM.

syalioune avatar Dec 22 '22 03:12 syalioune

Dependency-Track does indeed now support external references at project level, and very useful it is too. Accessible via "View Details" -> "External References".

For me, I see different references displayed for different DT projects. As @syalioune says, the SBOM tool is critical... but also it is important that the developers are diligent. For example, in maven it is not compulsory to include (say) issueManagement in your POM. But if it is omitted then it will not be in the SBOM and thus won't be displayed in DT as "issue tracker".

However, as great as all this is, I do not think that the above answers your question, @brunobastosg . An external reference (per CycloneDX spec) consists of two elements... type and url. Nothing about whether the CI is Jenkins or Gitlab CI or whatever. Nothing about the version of the tool. Or the plugins used. etc. etc.

This is something that will be covered by the addition of formulation support to the CycloneDX specification... hopefully in v1.5. Once that is released then there will be a lag before support for it is added to tools (such as cyclonedx-maven-plugin) and a lag before Dependency-Track can make use of formulation info in SBOMs.

msymons avatar Dec 23 '22 02:12 msymons

At the very least, an external reference of type build-system with the appropriate URL can help deduce the origin of the SBOM. For example, with a tool like cyclonedx-maven-plugin, a ciManagement tag could be put in the pom.xml with a dedicated profile only used by the CI. That information would make its way to the SBOM external references.

It would have been even greater if the plugin could capture the system sub-tag and put it as a comment of the external reference. However only the URL is captured.

<ciManagement>
        <system>github-actions</system>
        <url>https://github.com/DependencyTrack/dependency-track/actions</url>
</ciManagement>

@msymons Do you have some links to share about formulation?

syalioune avatar Dec 23 '22 03:12 syalioune
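One way to deduce the SBOM's CI origin from a build-system external reference as described in the comment above, as an added Python example that is not part of this thread, of Dependency-Track or of cyclonedx-maven-plugin; the SBOM fragment, the URL patterns and the CI labels are constructed assumptions, and an SBOM without a matching reference yields no guess rather than a wrong one:

```python
import json
from urllib.parse import urlparse

# Constructed CycloneDX 1.4 JSON SBOM fragment: the metadata component carries a
# build-system external reference, the kind a <ciManagement><url> in pom.xml ends up as.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "component": {
            "type": "application",
            "name": "projectName",
            "version": "1.0.0",
            "externalReferences": [
                {"type": "vcs", "url": "https://github.com/example-org/projectName.git"},
                {"type": "build-system",
                 "url": "https://github.com/example-org/projectName/actions"},
            ],
        }
    },
    "components": [],
})

# Heuristic (host substring, path substring, label) triples. Assumption: these are
# our own guesses; neither the CycloneDX spec nor Dependency-Track defines such a mapping.
_CI_PATTERNS = (
    ("github.com", "/actions", "GitHub Actions"),
    ("gitlab", "/-/pipelines", "GitLab CI"),
    ("jenkins", "", "Jenkins"),
)

def build_system_refs(sbom_json):
    """Return the build-system external reference URLs of the SBOM's metadata component."""
    bom = json.loads(sbom_json)
    refs = bom.get("metadata", {}).get("component", {}).get("externalReferences", [])
    return [r["url"] for r in refs if r.get("type") == "build-system" and "url" in r]

def detect_ci(url):
    """Guess the CI system from one build-system URL; None when nothing matches."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return None  # refuse non-web references rather than guessing from them
    host, path = parsed.netloc.lower(), parsed.path.lower()
    for host_part, path_part, label in _CI_PATTERNS:
        if host_part in host and path_part in path:
            return label
    return None

def detected_ci(sbom_json):
    """First CI label deducible from the SBOM, or None when no build-system ref matches."""
    for url in build_system_refs(sbom_json):
        label = detect_ci(url)
        if label:
            return label
    return None
```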

Indeed... having the origin of the SBOM as a clickable link in Dependency-Track v4.7.0 is very useful. I run numerous Jenkins servers and before v4.7.0 it could be a real challenge to work out why (say) a DT project had seen no BOM upload for a month. Bear in mind that devs (or a CI pipeline) might have created DT project names that do not quite match up with what you think things should be called.

Anyway, for formulation, see: https://github.com/CycloneDX/specification/issues/31

msymons avatar Dec 23 '22 09:12 msymons