frontend
Accept repo url for direct sbom generation with cdxgen server
Current Behavior
Dependency-Track relies on an external tool such as cdxgen to produce the SBOM it ingests. The proposal is to add input fields to the UI that accept a repository URL and authentication information, and to let the backend service invoke the cdxgen server directly over its REST API so that the SBOM is generated continuously.
I will create a separate ticket to enhance the backend service and link it to this one.
Proposed Behavior
cdxgen supports a server mode in which an SBOM can be generated for a git repository or a file path over REST.

GitHub repo:

```shell
curl "http://127.0.0.1:9090/sbom?url=https://github.com/HooliCorp/vulnerable-aws-koa-app.git&multiProject=true&type=js"
```

File path:

```shell
curl "http://127.0.0.1:9090/sbom?path=/Volumes/Work/sandbox/vulnerable-aws-koa-app&multiProject=true&type=js"
```

An example docker-compose configuration that starts the cdxgen server alongside Dependency-Track:
https://github.com/AppThreat/dep-scan/blob/master/contrib/dependency-track/docker-compose.yml
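To make the proposed backend step concrete, here is an added example (not Dependency-Track or cdxgen code) of the glue the backend service would need: it turns a UI-supplied repository URL into the cdxgen server `/sbom?url=...` request shown above, refuses local paths and URL-embedded credentials so that the server's `path=` form is never reachable from user input, and packages the returned SBOM for Dependency-Track's `PUT /api/v1/bom` endpoint (which expects the BOM base64-encoded). The cdxgen base URL and project UUID are assumed values.

```python
"""Hypothetical backend glue for the proposed feature (added example, not
Dependency-Track or cdxgen code): build the cdxgen server request for a
repository URL and prepare the resulting SBOM for upload."""
import base64
import json
from urllib.parse import urlencode, urlsplit

# Schemes a git repository URL may use; anything else is rejected.
ALLOWED_SCHEMES = {"https", "ssh", "git"}


def build_cdxgen_request(cdxgen_base, repo_url, project_type="js", multi_project=True):
    """Return the cdxgen server URL that generates an SBOM for repo_url.

    Only network URLs are accepted. The server's `path=` parameter reads the
    cdxgen host's own filesystem, so it must never be driven by UI input.
    """
    parts = urlsplit(repo_url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValueError(f"refusing non-repository URL: {repo_url!r}")
    if parts.username or parts.password:
        # Credentials belong in the separate authentication field, not in a
        # URL that ends up in query strings and server logs.
        raise ValueError("embedded credentials are not allowed in the repo URL")
    params = {"url": repo_url, "type": project_type}
    if multi_project:
        params["multiProject"] = "true"
    # urlencode escapes ':' and '/' so the repo URL survives as one parameter.
    return f"{cdxgen_base.rstrip('/')}/sbom?{urlencode(params)}"


def build_dtrack_upload(project_uuid, sbom_json):
    """JSON body for Dependency-Track's PUT /api/v1/bom (BOM base64-encoded)."""
    encoded = base64.b64encode(json.dumps(sbom_json).encode()).decode()
    return json.dumps({"project": project_uuid, "bom": encoded})


if __name__ == "__main__":
    # Assumed cdxgen server address (the one used in the curl examples).
    print(build_cdxgen_request("http://127.0.0.1:9090",
                               "https://github.com/HooliCorp/vulnerable-aws-koa-app.git"))
```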
Checklist
- [X] I have read and understand the contributing guidelines
- [X] I have checked the existing issues for whether this enhancement was already requested