
Who can help me?

  1. I want to upload the SBOM file xxxx.xml to Dependency Track from a GitLab CI/CD pipeline.
  2. Global idea (next step): at the start of the build (beginning of the pipeline), create an SBOM file and upload it to Dependency Track; for now I use a manually created SBOM file.

With the following gitlab-ci.yml:

DT_SCA:
  stage: test
  script:
    - git clone https://gitlab.com/.../test.git
    - cd test/
    # option 1: XML BOM
    - curl
      -X "PUT" "http://x.x.x.x:8080/api/v1/bom"
      -H "X-API-Key:xxxx"
      -H "Content-Type:multipart/form-data"
      -d @xxxx.xml
    # option 2: JSON BOM, same call with
    #   -H "Content-Type:application/json"
    #   -d @xxxx.json

I get a 500 error (Internal Server Error).

I tried different variations and always got different errors.

At the same time, there is no official integration. Please help.

Is there a ready solution? Thank you!

2 Answers


As I generate my SBOM with trivy, this is how I send its result to Dependency Track:

dt-import-sbom-scan:
  extends: .dt-upload
  needs: ["trivy-fs-sbom-scan"]
  script:
    - |
      # curl sets "Content-Type: multipart/form-data; boundary=..." itself when -F is used,
      # so no explicit Content-Type header is needed for this endpoint.
      # The key is read from the CI variable DT_API_KEY ("$DT-API-KEY" is not a valid
      # shell variable name: the shell would expand "$DT" and append the literal "-API-KEY").
      curl -X "POST" "http://<YOUR_URL>/api/v1/bom" \
        -H "X-Api-Key: $DT_API_KEY" \
        -F "autoCreate=true" \
        -F "projectName=$CI_PROJECT_NAME" \
        -F "projectVersion=$CI_COMMIT_BRANCH" \
        -F "bom=@trivy-filesystem-sbom.json"
  rules:
    - if: $TRIVY_FS_SBOM == "false"
      when: never

For .dt-upload I used this:

.dt-upload:
  stage: .post
  image: docker:stable
  services:
    - name: docker:dind
  before_script:
    - apk add --update curl
Iman
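The upload above as a stand-alone POSIX shell script that a GitLab job can call, added here as an example and not code from the question or either answer: it reads the API key from a CI variable, posts the BOM as a multipart form field (the reason the question's PUT with -d fails) and makes the job fail on anything but HTTP 200. DT_URL, DT_API_KEY and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the question or either answer: upload a CycloneDX BOM to
# Dependency-Track and fail the CI job unless the server answers 200.
# Assumed: DT_URL and DT_API_KEY are set as (masked) GitLab CI variables; function names are ours.
set -eu

# Cheap local checks before any network round-trip; reports the problem and returns 1.
dt_check_inputs() {
  bom="$1"
  [ -n "${DT_URL:-}" ] || { echo "DT_URL is not set" >&2; return 1; }
  [ -n "${DT_API_KEY:-}" ] || { echo "DT_API_KEY is not set" >&2; return 1; }
  [ -r "$bom" ] || { echo "BOM file not readable: $bom" >&2; return 1; }
  # The endpoint takes CycloneDX as JSON or XML; anything else is refused here, not by the server.
  case "$bom" in
    *.json|*.xml) return 0 ;;
    *) echo "unexpected BOM file type: $bom" >&2; return 1 ;;
  esac
}

# POST /api/v1/bom as multipart/form-data. The BOM goes in the "bom" form field, not in -d,
# and curl sets the Content-Type header with its boundary itself because -F is used.
dt_upload_bom() {
  bom="$1"; name="$2"; version="$3"
  dt_check_inputs "$bom" || return 1
  response=$(mktemp)
  # -w prints only the HTTP status; the body (a processing token on success) lands in $response.
  status=$(curl -sS -o "$response" -w '%{http_code}' \
    -X POST "${DT_URL%/}/api/v1/bom" \
    -H "X-Api-Key: ${DT_API_KEY}" \
    -F "autoCreate=true" \
    -F "projectName=${name}" \
    -F "projectVersion=${version}" \
    -F "bom=@${bom}") || status="000"
  case "$status" in
    200) echo "uploaded ${bom}: $(cat "$response")" ;;
    000) echo "could not reach ${DT_URL}" >&2; rm -f "$response"; return 1 ;;
    *)   echo "upload rejected with HTTP ${status}" >&2; cat "$response" >&2; rm -f "$response"; return 1 ;;
  esac
  rm -f "$response"
}

# In a GitLab job: dt_upload_bom bom.json "$CI_PROJECT_NAME" "$CI_COMMIT_REF_SLUG"
```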

I'm using something similar for frontend/nodejs:

I have a file (sbom.sh) for the SBOM that runs:

cyclonedx-node -d -t application -o ./bom.json

Another one, deptrack.sh:

#!/bin/sh
# Name and version come from the npm environment, so this must run via "npm run deptrack".
version=$(node -p "process.env.npm_package_version")
name=$(node -p "process.env.npm_package_name")

# -x "" disables any proxy picked up from the environment (http_proxy etc.).
curl -X 'POST' 'http://--your IP--:8081/api/v1/bom' \
     -H 'Content-Type: multipart/form-data' \
     -H 'X-Api-Key: --your key--' \
     -F "projectName=$name" \
     -F "projectVersion=$version" \
     -F 'autoCreate=true' \
     -x "" \
     -F 'bom=@./bom.json'

In my package.json I have 2 scripts that I trigger from the pipeline:

  "scripts": {
    "sbom": "sh ./sbom.sh",
    "deptrack": "sh ./deptrack.sh"
  },

In your gitlab-ci.yml you can then have a job like:

sbom:
  stage: compile
  image: --your nodejs image--
  tags:
  - docker
  script:
  - npm ci
  - npm run sbom
  - npm run deptrack
  only:
    - master
  interruptible: true
westworld.be