Dependency Track Examples

Last modified by Jouni Mäkeläinen on 2025/03/25 17:44

Examples of generating BOMs and loading them to Dependency Track.

Python virtual environment

You can create a BOM from a virtual environment with the cyclonedx-bom tool. In the following example you create a separate virtual environment for cyclonedx-bom and use it to create a BOM file from another virtual environment whose interpreter is /path/to/venv/bin/python.

Create the Python virtual environment, install cyclonedx-bom, create the BOM from the other virtual environment and post it to Dependency Track:

python -m venv venv-bom
source venv-bom/bin/activate
pip install cyclonedx-bom
cyclonedx-py environment '/path/to/venv/bin/python' > bom.json
curl -X POST "https://dtrack.it.helsinki.fi/api/v1/bom" -H "Content-Type: multipart/form-data" -H "X-Api-Key: <api-key>" -F "autoCreate=true" -F "projectName=<project name>" -F "projectVersion=1.0" -F "bom=@bom.json"

Automated version, run from a cron job:

/path/to/venv-bom/bin/cyclonedx-py environment '/path/to/venv/bin/python' > /path/to/bom.json
curl -X POST "https://dtrack.it.helsinki.fi/api/v1/bom" -H "Content-Type: multipart/form-data" -H "X-Api-Key: <api-key>" -F "autoCreate=true" -F "projectName=<project name>" -F "projectVersion=1.0" -F "bom=@/path/to/bom.json"

Java project with GitLab CI/CD

1a. Install cyclonedx-maven-plugin by adding the following to the plugins section of pom.xml.

<plugin>
    <groupId>org.cyclonedx</groupId>
    <artifactId>cyclonedx-maven-plugin</artifactId>
    <version>2.9.0</version>
    <executions>
       <execution>
          <phase>package</phase>
          <goals>
             <goal>makeAggregateBom</goal>
          </goals>
       </execution>
    </executions>
</plugin>

1b. In a Gradle project, install cyclonedx-gradle-plugin by modifying the build.gradle file. project.group must be defined:

plugins {
    id 'org.cyclonedx.bom' version '1.8.2'
}
project.group = 'fi.helsinki.example-app'

2. Generate the bom.xml file and save it as an artifact in GitLab CI.

stages:
- dtrack-sbom
- dependency-track-submit

dtrack-sbom:
  stage: dtrack-sbom
  only:
    - main
  script:
    - mvn org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom
  artifacts:
    expire_in: 1h
    paths:
      - target/bom.xml

3. Add the required CI/CD variables to the GitLab project (DTRACK_API_URL, DTRACK_API_KEY, PROJECT_NAME, PROJECT_VERSION; mark DTRACK_API_KEY as masked) and send bom.xml to Dependency Track using curl.

submit-sbom:
  image: alpine:latest
  stage: dependency-track-submit   # must match a stage declared in "stages" above
  only:
    - main
  dependencies:
    - dtrack-sbom
  before_script:
    - apk add --no-cache curl
  script:
    # --fail makes an HTTP error (e.g. 401 on a bad API key) fail the job instead of passing silently
    - >
      curl --fail -X POST "$DTRACK_API_URL"
      -H "Content-Type: multipart/form-data"
      -H "X-Api-Key: $DTRACK_API_KEY"
      -F "autoCreate=true" -F "projectName=$PROJECT_NAME"
      -F "projectVersion=$PROJECT_VERSION" -F "bom=@target/bom.xml"

Node.js project with GitLab CI/CD

1. Install the @cyclonedx/cyclonedx-npm library as a devDependency:

npm install --save-dev @cyclonedx/cyclonedx-npm

2. Generate the bom.xml file and save it as an artifact in GitLab CI.

stages:
  - dependency-track-sbom
  - dependency-track-submit

generate-sbom:
  stage: dependency-track-sbom
  only:
    - main
  script:
    - npx @cyclonedx/cyclonedx-npm --output-file bom.xml
  artifacts:
    expire_in: 1h
    paths:
      - bom.xml

3. Add the required CI/CD variables to the GitLab project (DTRACK_API_URL, DTRACK_API_KEY, PROJECT_NAME, PROJECT_VERSION; mark DTRACK_API_KEY as masked) and send bom.xml to Dependency Track using curl.

submit-sbom:
  image: alpine:latest
  stage: dependency-track-submit
  only:
    - main
  dependencies:
    - generate-sbom
  before_script:
    - apk add --no-cache curl
  script:
    # --fail makes an HTTP error (e.g. 401 on a bad API key) fail the job instead of passing silently
    - >
      curl --fail -X POST "$DTRACK_API_URL"
      -H "Content-Type: multipart/form-data"
      -H "X-Api-Key: $DTRACK_API_KEY"
      -F "autoCreate=true" -F "projectName=$PROJECT_NAME"
      -F "projectVersion=$PROJECT_VERSION" -F "bom=@bom.xml"

SBOMs and containers

Manual method

Tools like syft can be used to create SBOMs from container images. For example, the following command creates a CycloneDX SBOM from the container image docker.io/dependencytrack/apiserver:4.12.2.

syft docker.io/dependencytrack/apiserver:4.12.2 -o cyclonedx-json > dtrack-api-4-12-2.json

The syft tool can also be added to a CI/CD pipeline with the following line, which installs it into /usr/local/bin. Prefer pinning a release (the installer accepts a version tag as its last argument) over installing whatever main currently points at.

curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin

Automating SBOM creation inside OpenShift

In the Tike container platform, the platform administrators provide several helpful container images, sbom-generator being one of them. Its repository contains more detailed instructions and examples, but in short the CronJob uses syft to create an SBOM, which is then passed to Dependency Track with curl.

apiVersion: batch/v1
kind: CronJob
metadata:
  name: sbom-generator-cronjob
spec:
  schedule: "0 0 * * 0"  # Runs every Sunday at midnight
  jobTemplate:
    spec:
      backoffLimit: 0  # Never retry if the job fails
      template:
        spec:
          restartPolicy: Never  # Do not restart failed pods
          containers:
            - name: sbom-generator
              image: image-registry.openshift-image-registry.svc:5000/image-cache/sbom-generator
              command: ["/bin/sh", "-c"]
              envFrom:
                - secretRef:
                    name: sbom-generator
              args:
                - |
                  set -e  # Exit on any error

                  echo "Image: $IMAGE"

                  # Extract the tag from the image name (assumes a reference of the
                  # form name:tag, with no registry port and no digest)
                  VERSION=$(echo "$IMAGE" | awk -F ':' '{print $2}')
                  if [ -z "$VERSION" ]; then
                    echo "ERROR: Failed to extract version from image name"
                    exit 1
                  fi

                  echo "Detected Version: $VERSION"

                  echo "Generating CycloneDX SBOM..."
                  syft "$IMAGE" -o cyclonedx-json > /tmp/sbom.json  # Ensure IMAGE is quoted!

                  echo "SBOM generated successfully at /tmp/sbom.json"
                  head -n 20 /tmp/sbom.json  # Preview first 20 lines for debugging

                  # POST the generated SBOM to the Dependency-Track API.
                  # --fail makes an HTTP error (e.g. 401 on a bad API key) fail the job.
                  curl --fail -X POST "$URL" \
                    -H "Content-Type: multipart/form-data" \
                    -H "X-Api-Key: $API_KEY" \
                    -F "autoCreate=true" \
                    -F "projectName=$PROJECT_NAME" \
                    -F "projectVersion=$VERSION" \
                    -F "bom=@/tmp/sbom.json"

Note: If the version changes, this creates a separate Dependency Track project for each version. E.g. if the software changes from 4.12.2 to 4.12.3, there will be two projects, one per version.

This behaviour is intended for software of which multiple versions are run side by side. Omit the version number if you do not intend to run several different versions for extended periods of time.

The CronJob pulls its environment variables from a Secret called sbom-generator, so one needs to be created with the following keys:

  • API_KEY
  • PROJECT_NAME
  • URL

apiVersion: v1
kind: Secret
metadata:
  name: sbom-generator
  namespace: <namespace>
stringData:
  API_KEY: <API-key>
  PROJECT_NAME: <Project name>
  URL: https://dtrack.it.helsinki.fi/api/v1/bom
type: Opaque

The following variables can be looked up from a Pod's definition at runtime, or they can be provided in advance, in which case they need to be added to the Secret or passed to the Pod in some other way. More info here

  • IMAGE
  • VERSION
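As an added example (not from this page, the sbom-generator image or Dependency Track's own code), the POSIX shell functions below harden two steps used throughout this page: the tag extraction in the CronJob, whose awk -F ':' split returns the registry port instead of the tag for references like image-registry.openshift-image-registry.svc:5000/..., and the curl upload used in every section, which here fails on HTTP errors and then polls the token Dependency Track returns until the BOM has actually been processed. It assumes URL ends in /api/v1/bom as on this page and uses Dependency Track's GET /api/v1/bom/token/{uuid} endpoint, which answers {"processing": true|false}.

```shell
#!/bin/sh
# Added example; not the sbom-generator image's own script.

# image_tag REF: print the tag of a container image reference, or return 1 if
# it has none. Handles registry ports (registry:5000/ns/img:1.2) and digests
# (img:1.2@sha256:...), which a plain split on ':' does not: for
# image-registry.openshift-image-registry.svc:5000/image-cache/sbom-generator:1.0
# awk -F ':' '{print $2}' prints "5000/image-cache/sbom-generator", not "1.0".
image_tag() {
  ref=${1%%@*}          # drop any digest; it is not a version
  last=${ref##*/}       # last path component, so a registry port is never taken as a tag
  case $last in
    *:*) printf '%s\n' "${last##*:}" ;;
    *)   return 1 ;;    # untagged reference: let the caller decide (fail, or use "latest")
  esac
}

# upload_bom URL API_KEY PROJECT VERSION FILE: post a BOM and wait until
# Dependency Track has finished processing it. --fail turns an HTTP error
# (bad API key, missing PROJECT_CREATION_UPLOAD permission) into a failure
# instead of a silently "successful" cron run.
upload_bom() {
  url=$1 key=$2 project=$3 version=$4 file=$5
  resp=$(curl -sS --fail -X POST "$url" \
    -H "X-Api-Key: $key" \
    -F "autoCreate=true" -F "projectName=$project" \
    -F "projectVersion=$version" -F "bom=@$file") || return 1
  # The upload response is {"token":"<uuid>"}; extract it without needing jq.
  token=$(printf '%s' "$resp" | sed -n 's/.*"token" *: *"\([^"]*\)".*/\1/p')
  [ -n "$token" ] || { echo "no token in response: $resp" >&2; return 1; }
  # Poll the token endpoint (assumed: $url is .../api/v1/bom) until processing is false.
  for _ in $(seq 1 30); do
    state=$(curl -sS --fail -H "X-Api-Key: $key" "${url%/bom}/bom/token/$token") || return 1
    case $state in *'"processing":false'*) return 0 ;; esac
    sleep 2
  done
  echo "timed out waiting for Dependency Track to process the BOM" >&2
  return 1
}
```

In the CronJob this replaces the awk line with VERSION=$(image_tag "$IMAGE") and the curl call with upload_bom "$URL" "$API_KEY" "$PROJECT_NAME" "$VERSION" /tmp/sbom.json.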