
Update Dependency-Track BOM to Support CycloneDX 1.5

Open msymons opened this issue 1 year ago • 1 comment

Current Behavior

The latest release of DT is v4.10.1 and the BOM is published as a release asset.

The BOM is generated using CycloneDX v2.7.9 which only supports CDX 1.4.

Proposed Behavior

  • Upgrade plugin from 2.7.9 to 2.8.0 (or later)
  • Ensure that specVersion = 1.5
  • Plugin v2.8.0 automatically adds 'build' lifecycle phase when BOM is CDX 1.5. But is this phase correct for our release BOM?
  • Add additional External Reference of type documentation (via plugin config) to link to DT documentation website.
  • Ditto for chat (link to Slack)
  • The 4.10.1 BOM contains the following External Reference:
          {
            "url": "https://oss.sonatype.org/service/local/staging/deploy/maven2/",
            "type": "distribution"
          },
    
    ...which the plugin v2.8.0 will change to distribution-intake. Thus, distribution should be defined in plugin configuration to point to the actual download location.
  • Add additional External References that are deemed to be useful... security-contact? release-notes? The list of possibilities is big.

The intention of this enhancement is to provide additional value in the BOM, but also to use the BOM as a reference implementation (which will also apply once the BOM is uploaded to a DT instance for analysis).

Checklist

msymons avatar Apr 04 '24 23:04 msymons

Should also update https://github.com/DependencyTrack/dependency-track/blob/master/src/main/resources/services.bom.json

And ensure that merging the BOM generated during the build with the services BOM linked above still works. For reference, this command is executed in CI to achieve this:

https://github.com/DependencyTrack/dependency-track/blob/757a9664d67aaec510f2ec651da4f28b9d1ec16e/.github/workflows/_meta-build.yaml#L47

The merge is performed using the CycloneDX CLI:

https://github.com/DependencyTrack/dependency-track/blob/757a9664d67aaec510f2ec651da4f28b9d1ec16e/pom.xml#L516-L540

It may be necessary to update the CLI in order to support CDX v1.5. In that case, this step in CI must be changed accordingly:

https://github.com/DependencyTrack/dependency-track/blob/757a9664d67aaec510f2ec651da4f28b9d1ec16e/.github/workflows/_meta-build.yaml#L36-L42

nscuro avatar Apr 05 '24 10:04 nscuro

Plugin v2.8.0 automatically adds 'build' lifecycle phase when BOM is CDX 1.5. But is this phase correct for our release BOM?

Since we'll be moving to v1.5 of the spec, lifecycle is not yet available anyway.

nscuro avatar Sep 01 '24 18:09 nscuro

Since we'll be moving to v1.5 of the spec, lifecycle is not yet available anyway.

Misinterpretation on my side. The Maven plugin does generate lifecycle information for CycloneDX v1.5. But, the CycloneDX CLI drops this information when merging with services.bom.json.

nscuro avatar Sep 02 '24 11:09 nscuro
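A check for the release-BOM expectations in the proposal above and for the lifecycle data that the CLI merge was seen to drop, added here as a hypothetical helper (not Dependency-Track's or CycloneDX's code) run over constructed sample BOMs; the `check_release_bom` name and the example.invalid URLs are placeholders of this example.

```python
"""Hypothetical sanity check for a Dependency-Track release BOM (not project code):
flags specVersion != 1.5, lifecycle data dropped by the CLI merge, a 'distribution'
reference still pointing at the staging repo, and missing documentation/chat refs."""
import copy
import json

EXPECTED_REFERENCE_TYPES = {"distribution", "documentation", "chat"}


def external_references(bom: dict) -> list[dict]:
    """The 1.5 schema allows references at the top level and on metadata.component."""
    refs = list(bom.get("externalReferences", []))
    return refs + bom.get("metadata", {}).get("component", {}).get("externalReferences", [])


def check_release_bom(bom: dict) -> list[str]:
    """Return human-readable findings; an empty list means the BOM passes."""
    findings = []
    if bom.get("specVersion") != "1.5":
        findings.append(f"specVersion is {bom.get('specVersion')!r}, expected '1.5'")
    # The Maven plugin emits metadata.lifecycles; the CLI merge was seen to drop it.
    if not bom.get("metadata", {}).get("lifecycles"):
        findings.append("metadata.lifecycles missing (dropped during merge?)")
    refs = external_references(bom)
    for missing in sorted(EXPECTED_REFERENCE_TYPES - {r.get("type") for r in refs}):
        findings.append(f"no externalReference of type '{missing}'")
    # Plugin 2.8.0 retags the staging repo as 'distribution-intake'; 'distribution'
    # must then be configured to point at the real download location.
    for ref in refs:
        if ref.get("type") == "distribution" and "/staging/deploy/" in ref.get("url", ""):
            findings.append(f"'distribution' still points at staging: {ref['url']}")
    return findings


# Constructed samples trimmed to the fields under test; example.invalid URLs are placeholders.
OLD_BOM = json.loads("""{"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
  "metadata": {"component": {"type": "application", "name": "dependency-track",
    "externalReferences": [{"url": "https://oss.sonatype.org/service/local/staging/deploy/maven2/",
                            "type": "distribution"}]}}}""")
PLUGIN_BOM = json.loads("""{"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "metadata": {"lifecycles": [{"phase": "build"}],
    "component": {"type": "application", "name": "dependency-track", "externalReferences": [
      {"url": "https://oss.sonatype.org/service/local/staging/deploy/maven2/", "type": "distribution-intake"},
      {"url": "https://example.invalid/download", "type": "distribution"},
      {"url": "https://example.invalid/docs", "type": "documentation"},
      {"url": "https://example.invalid/slack", "type": "chat"}]}}}""")
MERGED_BOM = copy.deepcopy(PLUGIN_BOM)
del MERGED_BOM["metadata"]["lifecycles"]  # mimic what the CLI merge did to the plugin output
```

Running the check against both the plugin output and the merged artifact in CI would catch the lifecycle loss before the BOM is published as a release asset.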

Here's the BOM as generated by the Maven plugin: bom.json

And here's the result after merging it with services.bom.json: bom.json

nscuro avatar Sep 02 '24 13:09 nscuro