
azure-pipelines-dependency-track's Introduction

Dependency Track for Azure DevOps Pipelines

Azure DevOps extension for submitting BOM reports to Dependency-Track

Note: BOM files with Byte-Order-Marks are not supported by this extension. This is an issue with Dependency Track prior to version 4.7.1. See this issue for the Dependency Track fix and this issue for this extension.

Parameters

Base Settings

| Name | Id | Description | Required |
|---|---|---|---|
| BOM File Path | bomFilePath | The path where the BOM file is located (e.g. 'directory/**/bom.xml'). | True |
| Project Id | dtrackProjId | The GUID of the project in Dependency Track. Required if project name and version are not specified. | False |
| Project Name | dtrackProjName | The name of the project in Dependency Track. Required if project id is not specified. | False |
| Project Version | dtrackProjVersion | The version of the project in Dependency Track. Required if project id is not specified. | False |
| Auto Create Project | dtrackProjAutoCreate | When set to TRUE and the project in Dependency Track does not exist, it will be created. Requires project name and version to be specified. The API Key will need the PORTFOLIO_MANAGEMENT or PROJECT_CREATION_UPLOAD permission. Default: False | False |
| API Key | dtrackAPIKey | The Dependency Track API key | True |
| Dependency Track URI | dtrackURI | The URL to the Dependency Track platform | True |

Threshold Options

Setting these options will force the task to wait for the BOM analysis to be finished and the metrics to be recalculated before finishing the task.

| Name | Id | Description | Required |
|---|---|---|---|
| Action on Threshold | thresholdAction | The result of the task if a threshold is attained. Values are none, warn, and error. | False |
| Critical Vulnerability Count | thresholdCritical | Maximum number of critical vulnerabilities to tolerate. A value of -1 disables this threshold. | False |
| High Vulnerability Count | thresholdHigh | Maximum number of high vulnerabilities to tolerate. A value of -1 disables this threshold. | False |
| Medium Vulnerability Count | thresholdMedium | Maximum number of medium vulnerabilities to tolerate. A value of -1 disables this threshold. | False |
| Low Vulnerability Count | thresholdLow | Maximum number of low vulnerabilities to tolerate. A value of -1 disables this threshold. | False |
| Unassigned Vulnerability Count | thresholdUnassigned | Maximum number of unassigned vulnerabilities to tolerate. A value of -1 disables this threshold. | False |
| Fail Policy Violation Count | thresholdpolicyViolationsFail | Maximum number of fail policy violations to tolerate. A value of -1 disables this threshold. | False |
| Warn Policy Violation Count | thresholdpolicyViolationsWarn | Maximum number of warn policy violations to tolerate. A value of -1 disables this threshold. | False |
| Info Policy Violation Count | thresholdpolicyViolationsInfo | Maximum number of info policy violations to tolerate. A value of -1 disables this threshold. | False |
| Total Policy Violation Count | thresholdpolicyViolationsTotal | Maximum number of total policy violations to tolerate. A value of -1 disables this threshold. | False |
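The threshold evaluation the options above describe, as an added example written in TypeScript like the task itself (this is not the extension's own code). The input ids are the ones from the table; the metric field names are an assumption matching Dependency-Track's project metrics response, and SAMPLE_METRICS is a constructed sample.

```typescript
// Added example, not the extension's own code: evaluates Dependency-Track
// project metrics against the task's threshold inputs. Metric field names are
// assumed to match Dependency-Track's project metrics response.
type Action = "none" | "warn" | "error";
type TaskStatus = "Succeeded" | "SucceededWithIssues" | "Failed";
interface ProjectMetrics {   // subset of project metrics the thresholds bound
  critical: number; high: number; medium: number; low: number; unassigned: number;
  policyViolationsFail: number; policyViolationsWarn: number;
  policyViolationsInfo: number; policyViolationsTotal: number;
}

// Task input id (as listed in the parameter table) -> metric it bounds.
const METRIC_FOR_INPUT: { [input: string]: keyof ProjectMetrics } = {
  thresholdCritical: "critical", thresholdHigh: "high", thresholdMedium: "medium",
  thresholdLow: "low", thresholdUnassigned: "unassigned",
  thresholdpolicyViolationsFail: "policyViolationsFail",
  thresholdpolicyViolationsWarn: "policyViolationsWarn",
  thresholdpolicyViolationsInfo: "policyViolationsInfo",
  thresholdpolicyViolationsTotal: "policyViolationsTotal",
};

// Pipeline inputs arrive as strings (e.g. thresholdLow: '0'). An unset input or
// -1 disables that threshold; a count above the limit means it was attained.
function exceededThresholds(
  metrics: ProjectMetrics, inputs: { [id: string]: string | undefined }): string[] {
  const exceeded: string[] = [];
  for (const input of Object.keys(METRIC_FOR_INPUT)) {
    const raw = (inputs[input] || "").trim();
    if (raw === "") continue;
    if (!/^-?\d+$/.test(raw)) throw new Error(input + ": not an integer: " + raw);
    const limit = parseInt(raw, 10);
    if (limit < 0) continue;
    const metric = METRIC_FOR_INPUT[input];
    if (metrics[metric] > limit) exceeded.push(metric + " " + metrics[metric] + " > " + limit);
  }
  return exceeded;
}
// Maps exceeded thresholds onto the outcome selected by thresholdAction:
// "error" fails the task, "warn" succeeds with a warning, "none" just succeeds.
function taskResult(
  metrics: ProjectMetrics, inputs: { [id: string]: string | undefined }): TaskStatus {
  if (exceededThresholds(metrics, inputs).length === 0) return "Succeeded";
  const action = (inputs.thresholdAction || "none") as Action;
  return action === "error" ? "Failed" : action === "warn" ? "SucceededWithIssues" : "Succeeded";
}
// Constructed sample metrics, as for the README's thresholds example (low > 0).
const SAMPLE_METRICS: ProjectMetrics = {
  critical: 0, high: 0, medium: 2, low: 3, unassigned: 0, policyViolationsFail: 0,
  policyViolationsWarn: 1, policyViolationsInfo: 0, policyViolationsTotal: 1 };
```

A non-integer threshold value is rejected rather than silently ignored, so a misconfigured pipeline fails closed instead of skipping the gate.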

SSL Options

| Name | Id | Description | Required |
|---|---|---|---|
| Trusted CA certificate | caFilePath | File path to a PEM encoded CA certificate. This setting is used when Dependency Track uses a self-signed certificate or an internal CA for its TLS configuration. | False |

Basic Usage Example

trigger:
- master

pool:
  vmImage: 'ubuntu-latest'

steps:
- task: NodeTool@0
  inputs:
    versionSpec: '18.x'
  displayName: 'Install Node.js'

- script: |
    npm install
    npm install -g @cyclonedx/cyclonedx-npm
  displayName: 'npm install'

- script: |
    cyclonedx-npm --version
    cyclonedx-npm --output-file '$(Agent.TempDirectory)/bom.xml'
  displayName: 'Create BOM'

- task: upload-bom-dtrack-task@1
  displayName: 'Upload BOM to https://dtrack.example.com/'
  inputs:
    bomFilePath: '$(Agent.TempDirectory)/bom.xml'
    dtrackProjId: '00000000-0000-0000-0000-000000000000'
    dtrackAPIKey: '$(dtrackAPIKey)'
    dtrackURI: 'https://dtrack.example.com/'

Auto Create Project Usage Example

trigger:
- master

pool:
  vmImage: 'ubuntu-latest'

steps:
- task: NodeTool@0
  inputs:
    versionSpec: '18.x'
  displayName: 'Install Node.js'

- script: |
    npm install
    npm install -g @cyclonedx/cyclonedx-npm
  displayName: 'npm install'

- script: |
    cyclonedx-npm --version
    cyclonedx-npm --output-file '$(Agent.TempDirectory)/bom.xml'
  displayName: 'Create BOM'

- task: upload-bom-dtrack-task@1
  displayName: 'Upload BOM to https://dtrack.example.com/'
  inputs:
    bomFilePath: '$(Agent.TempDirectory)/bom.xml'
    dtrackProjName: 'Test Project'
    dtrackProjVersion: 'v1.2'
    dtrackProjAutoCreate: true
    dtrackAPIKey: '$(dtrackAPIKey)'
    dtrackURI: 'https://dtrack.example.com/'

Thresholds Usage Example

This example finishes the pipeline with a warning if the number of low vulnerabilities surpasses zero.

trigger:
- master

pool:
  vmImage: 'ubuntu-latest'

steps:
- task: NodeTool@0
  inputs:
    versionSpec: '18.x'
  displayName: 'Install Node.js'

- script: |
    npm install
    npm install -g @cyclonedx/cyclonedx-npm
  displayName: 'npm install'

- script: |
    cyclonedx-npm --version
    cyclonedx-npm --output-file '$(Agent.TempDirectory)/bom.xml'
  displayName: 'Create BOM'

- task: upload-bom-dtrack-task@1
  displayName: 'Upload BOM to https://dtrack.example.com/'
  inputs:
    bomFilePath: '$(Agent.TempDirectory)/bom.xml'
    dtrackProjId: '00000000-0000-0000-0000-000000000000'
    dtrackAPIKey: '$(dtrackAPIKey)'
    dtrackURI: 'https://dtrack.example.com/'
    thresholdAction: 'warn'
    thresholdLow: '0'

Installation

Dependency Track for Azure DevOps Pipelines can be installed from the Visual Studio Marketplace.

License

Copyright © 2023, GSoft inc. This code is licensed under the Apache License, Version 2.0. You may obtain a copy of this license at https://github.com/gsoft-inc/gsoft-license/blob/master/LICENSE.

Dependency-Track is Copyright (c) Steve Springett. All Rights Reserved. https://github.com/DependencyTrack/dependency-track


azure-pipelines-dependency-track's Issues

[Feature Proposal] - Enable auto-creation of new projects

I just found your task today and I think it's great.

In my personal opinion, in a DevOps process we should not only have a track record of dependencies that devs can look up over time, but be able to make teams aware, at the time of adding code, that they might have something bad under the hood. Because anyone can agree that it's way easier to deal with this type of issue when you have just added packages to the code than six months later when you have a whole monolith that depends on it. And your solution does it perfectly, with thresholds, cheers to that!

Yet something that I feel it lacks is that in the current implementation, where it's using the PUT method, we need to pass an existing UUID for a project to then implement the task. And getting this id requires that anyone using the solution needs to manually go to their DataTrack portal to grab it, or to implement prior steps in the pipeline to get this info through the API.

I think a cleverer and more autonomous implementation would be to use the same route yet with a POST request and make available to users an option to turn on/off the autoCreate property, which would enable pipelines to upload a bill of material to a data track on an existing project or to create a new one if it doesn't exist.

Something along these lines:

# multipart upload: projectName pairs the BOM with a project, autoCreate creates it if missing
curl -X "POST" "https://dtrack-url.com/api/v1/bom" \
        -H 'X-Api-Key: $(api-key)' \
        -F 'projectName=$(Build.Repository.Name)' \
        -F 'autoCreate=true' \
        -F 'projectVersion=latest' \
        -F 'bom=@$(Agent.TempDirectory)/bom.xml'

I'm up to develop this new implementation, what do you guys think about it?

Occasionally giving errors uploading SBOM

On our dotnet pipelines we're getting occasional errors submitting the SBOM; the error in the pipeline looks like this:

2022-11-28T13:19:57.4206314Z ##[section]Starting: Submit BOM
2022-11-28T13:19:57.4216287Z ==============================================================================
2022-11-28T13:19:57.4216822Z Task         : Upload BOM to Dependency Track
2022-11-28T13:19:57.4217120Z Description  : Upload a BOM file to Dependency Track platform.
2022-11-28T13:19:57.4217562Z Version      : 1.12.0
2022-11-28T13:19:57.4217817Z Author       : Edouard Shaar
2022-11-28T13:19:57.4218012Z Help         : 
2022-11-28T13:19:57.4218287Z ==============================================================================
2022-11-28T13:19:57.7948413Z Reading BOM from location: /home/vsts/work/_temp/bom.xml
2022-11-28T13:19:57.7951998Z Starting BOM upload to Dependency Track at url: https://dtrack-api.anova.dev/
2022-11-28T13:19:58.6143782Z Uploading the BOM succeeded! Token: 458055c0-7b9c-4de7-a6c6-365a8b81333d
2022-11-28T13:19:58.6151594Z Waitting for Dependency Track to finish processing the BOM.
2022-11-28T13:20:00.6199347Z Polling Dependency Track for update.
2022-11-28T13:20:01.0774893Z Waitting for metrics to refresh.
2022-11-28T13:20:03.5113973Z Polling Dependency Track for update.
2022-11-28T13:20:03.9325056Z Finished task execution with error - SyntaxError: Unexpected end of JSON input
2022-11-28T13:20:03.9329826Z ##[error]Unexpected end of JSON input
2022-11-28T13:20:03.9476065Z ##[error]Exit code 1 returned from process: file name '/home/vsts/agents/2.213.2/externals/node10/bin/node', arguments '"/home/vsts/work/_tasks/upload-bom-dtrack-task_8703d74d-71e5-4666-ae55-b26df77f2ad5/1.12.0/task.js"'.
2022-11-28T13:20:03.9481678Z ##[section]Finishing: Submit BOM

Looking server-side at the dependency-track API endpoint log, we've noticed several of these warnings. While it seems to happen when submitting from the pipeline task, downloading the SBOM artifact and manually submitting it doesn't seem to cause the same error.

2022-11-28 14:43:26,240 WARN [BomUploadProcessingTask] The BOM uploaded is not in a supported format. Supported formats include CycloneDX XML and JSON

I thought it could be due to encoding, but that seems to have been resolved on the API side, so I'm unsure what might be causing the warnings and occasional errors.

Push as sub-project with project name

Hi,

we have our projects organized like this in Dependency Track:

|_ project 1
|___ component (e.g. UI)
|___ component (e.g. API)
|___ ...
|_ project 2
|___ component (e.g. UI)
|___ component (e.g. API)
|___ ...

Is there a way to create new projects, with the project name and version given to the pipeline step, as subprojects?
I already tried project/component as a name, but that did not work.

Allow Project Name & Version instead of Project ID

Currently, all API calls require a Project ID (UUID), which may not be known at runtime. The API optionally allows many requests to use the project name and version combination as the unique identifier for a project.

Since not all API calls allow the name/version combination, if a name and version are provided instead of a project ID, the first API call should be to fetch the UUID for subsequent calls.

Trusted Certificate Authority

Currently, if Dependency-Track is installed using HTTPS with an internally signed certificate, the dependency-track pipeline task doesn't have a way to trust the cert chain. From the pipeline log:
Finished task execution with error - Error: Uploading the BOM to Dependency Track Failed: {"code":"SELF_SIGNED_CERT_IN_CHAIN"}
##[error]Uploading the BOM to Dependency Track Failed: {"code":"SELF_SIGNED_CERT_IN_CHAIN"}

Given that many organizations will want to keep their security tools internal and use their own CA, I think this task should allow for either the injection of a certificate chain or a directory path to a chain as part of the configuration.

[Feature Proposal] Include Policy violation metrics in deciding build failures.

The following metrics are currently not included in deciding build pipeline failure. We would like to include them, as we would like to stop a PR from merging in case of policy failures.

policyViolationsFail
policyViolationsWarn
policyViolationsInfo
policyViolationsTotal

A pull request is already created which solves this problem.
I request you to review, test and merge it in case you think it's a good feature to include.

Unable to upload bom with secured dependency track

Hello,
I am getting the below error while uploading bom.json to Dependency Track with https.
I am able to upload the BOM to Dependency Track with http.

Starting: Upload BOM to Dependency Track

Task : Upload BOM to Dependency Track
Description : Upload a BOM file to Dependency Track platform.
Version : 1.12.0
Author : Edouard Shaar
Help :

Reading certificate from location: C:\Agents\Root-CA.cer
Reading BOM from location: C:\Agents\bom.json
Starting BOM upload to Dependency Track at url: https://hc-sec-tools.hcwtestsaas.local:8445/
Finished task execution with error - Error: Uploading the BOM to Dependency Track Failed: {"code":"UNABLE_TO_VERIFY_LEAF_SIGNATURE"}
##[error]Uploading the BOM to Dependency Track Failed: {"code":"UNABLE_TO_VERIFY_LEAF_SIGNATURE"}
