Dependency Track Examples
Examples of generating BOMs and loading them to Dependency Track.
- Examples in the Dependency Track documentation: https://docs.dependencytrack.org/usage/cicd/
- Tools to create BOMs: https://cyclonedx.org/tool-center/
Python virtual environment
You can create a BOM from a virtual environment using the cyclonedx-bom tool. In the following example you create a separate virtual environment for cyclonedx-bom and use it to create a BOM file from another virtual environment whose interpreter is /path/to/venv/bin/python.
Create the Python virtual environment, install cyclonedx-bom, create a BOM from the other virtual environment and post it to Dependency Track:
python -m venv venv-bom
source venv-bom/bin/activate
pip install cyclonedx-bom
cyclonedx-py environment '/path/to/venv/bin/python' > bom.json
curl -X POST "https://dtrack.it.helsinki.fi/api/v1/bom" \
  -H "Content-Type: multipart/form-data" \
  -H "X-Api-Key: <api-key>" \
  -F "autoCreate=true" \
  -F "projectName=<project name>" \
  -F "projectVersion=1.0" \
  -F "bom=@bom.json"
Automatic process with cron job:
/path/to/venv-bom/bin/cyclonedx-py environment '/path/to/venv/bin/python' > /path/to/bom.json
curl -X POST "https://dtrack.it.helsinki.fi/api/v1/bom" \
  -H "Content-Type: multipart/form-data" \
  -H "X-Api-Key: <api-key>" \
  -F "autoCreate=true" \
  -F "projectName=<project name>" \
  -F "projectVersion=1.0" \
  -F "bom=@/path/to/bom.json"
Java project with GitLab CI/CD
1a. In a Maven project, install cyclonedx-maven-plugin by adding the following to the plugins section of pom.xml.
<plugin>
  <groupId>org.cyclonedx</groupId>
  <artifactId>cyclonedx-maven-plugin</artifactId>
  <version>2.9.0</version>
  <executions>
    <execution>
      <phase>package</phase>
      <goals>
        <goal>makeAggregateBom</goal>
      </goals>
    </execution>
  </executions>
</plugin>
1b. In a Gradle project, install cyclonedx-gradle-plugin by modifying the build.gradle file. project.group must be defined:
plugins {
  id 'org.cyclonedx.bom' version '1.8.2'
}
project.group = 'fi.helsinki.example-app'
2. Generate the bom.xml file and save it as an artifact in GitLab CI.
stages:
  - dtrack-sbom
  - dependency-track-submit

dtrack-sbom:
  stage: dtrack-sbom
  only:
    - main
  script:
    - mvn org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom
  artifacts:
    expire_in: 1h
    paths:
      - target/bom.xml
3. Add the required environment variables to the GitLab project (DTRACK_API_URL, DTRACK_API_KEY, PROJECT_NAME, PROJECT_VERSION) and send bom.xml to Dependency Track using curl.
submit-sbom:
  image: alpine:latest
  stage: dependency-track-submit   # must match a name declared under stages
  only:
    - main
  dependencies:
    - dtrack-sbom
  before_script:
    - apk add --no-cache curl
  script:
    - "curl -X POST ${DTRACK_API_URL} -H 'Content-Type: multipart/form-data' -H 'X-Api-Key: '${DTRACK_API_KEY} -F 'projectName='${PROJECT_NAME} -F 'autoCreate=true' -F 'projectVersion='${PROJECT_VERSION} -F 'bom=@target/bom.xml'"
Node.js project with GitLab CI/CD
1. Install the @cyclonedx/cyclonedx-npm library as a devDependency:
npm install --save-dev @cyclonedx/cyclonedx-npm
2. Generate the bom.xml file and save it as an artifact in GitLab CI.
stages:
  - dependency-track-sbom
  - dependency-track-submit

generate-sbom:
  stage: dependency-track-sbom
  only:
    - main
  script:
    - npx @cyclonedx/cyclonedx-npm --output-file bom.xml
  artifacts:
    expire_in: 1h
    paths:
      - bom.xml
3. Add the required environment variables to the GitLab project (DTRACK_API_URL, DTRACK_API_KEY, PROJECT_NAME, PROJECT_VERSION) and send bom.xml to Dependency Track using curl.
submit-sbom:
  image: alpine:latest
  stage: dependency-track-submit
  only:
    - main
  dependencies:
    - generate-sbom
  before_script:
    - apk add --no-cache curl
  script:
    - "curl -X POST ${DTRACK_API_URL} -H 'Content-Type: multipart/form-data' -H 'X-Api-Key: '${DTRACK_API_KEY} -F 'projectName='${PROJECT_NAME} -F 'autoCreate=true' -F 'projectVersion='${PROJECT_VERSION} -F 'bom=@bom.xml'"
SBOMs and containers
Manual method
Tools like syft can be used to create SBOMs from container images. For example, the following command creates a CycloneDX SBOM from the container image docker.io/dependencytrack/apiserver:4.12.2.
syft docker.io/dependencytrack/apiserver:4.12.2 -o cyclonedx-json > sbom.json
The syft tool can also be added to CI/CD by adding this line
Automating SBOM creation inside OpenShift
In the Tike container platform, the administration provides several helpful container images, sbom-generator being one of them. The repo contains more detailed instructions and more examples, but in short the CronJob uses syft to create an SBOM, which is then passed to Dependency Track with curl.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: sbom-generator-cronjob
spec:
  schedule: "0 0 * * 0" # Runs every Sunday at midnight
  jobTemplate:
    spec:
      backoffLimit: 0 # Never retry if the job fails
      template:
        spec:
          restartPolicy: Never # Do not restart failed pods
          containers:
            - name: sbom-generator
              image: image-registry.openshift-image-registry.svc:5000/image-cache/sbom-generator
              command: ["/bin/sh", "-c"]
              envFrom:
                - secretRef:
                    name: sbom-generator
              args:
                - |
                  set -e # Exit on any error
                  echo "Image: $IMAGE"
                  # Extract version from the image name
                  VERSION=$(echo $IMAGE | awk -F ':' '{print $2}')
                  if [ -z "$VERSION" ]; then
                    echo "ERROR: Failed to extract version from image name"
                    exit 1
                  fi
                  echo "Detected Version: $VERSION"
                  echo "Generating CycloneDX SBOM..."
                  syft "$IMAGE" -o cyclonedx-json > /tmp/sbom.json # Ensure IMAGE is quoted!
                  echo "SBOM generated successfully at /tmp/sbom.json"
                  cat /tmp/sbom.json | head -n 20 # Preview first 20 lines for debugging
                  # POST request to Dependency-Track API with the generated SBOM
                  curl -X POST "$URL" \
                    -H "Content-Type: multipart/form-data" \
                    -H "X-Api-Key: $API_KEY" \
                    -F "autoCreate=true" \
                    -F "projectName=$PROJECT_NAME" \
                    -F "projectVersion=$VERSION" \
                    -F "bom=@/tmp/sbom.json"
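The version extraction in the CronJob script takes whatever follows the first colon of the image reference, which is the registry port rather than the tag for references like the image-registry...svc:5000/... form used in this manifest, and the script posts the syft output without checking it. The script below is an added example, not code from the sbom-generator repo or from Dependency Track; the helper names image_tag, bom_looks_valid and submit_bom and the RUN_SBOM_UPLOAD switch are its own. It shows the same generate-and-post flow as the CronJob (and the curl upload used in the other sections of this page) with a tag parser that tolerates registry ports and digests, a sanity check that the file is a CycloneDX document, and curl told to fail on HTTP errors so the Job is actually marked failed.

```shell
#!/bin/sh
# Added example; not part of the sbom-generator image. The helper names and
# the RUN_SBOM_UPLOAD switch are this example's own.
set -eu

# Return the tag of a container image reference.
# `awk -F ':' '{print $2}'` yields "5000/ns/image" for registry.svc:5000/ns/image:1.2.3,
# because the registry port holds the first colon. Here any @digest is dropped
# first, only the last path component is kept, and the text after its colon is
# the tag. Returns 1 when the reference carries no tag at all.
image_tag() {
  ref=$1
  ref=${ref%%@*}          # drop "@sha256:..." so the digest colon is ignored
  last=${ref##*/}         # "image:1.2.3" or just "image"
  case $last in
    *:*) printf '%s\n' "${last##*:}" ;;
    *)   return 1 ;;
  esac
}

# Cheap sanity check before uploading: the file must be non-empty and declare
# itself a CycloneDX document, so empty or error-filled syft output is not
# posted to Dependency Track as a BOM.
bom_looks_valid() {
  file=$1
  [ -s "$file" ] && grep -q '"bomFormat"[[:space:]]*:[[:space:]]*"CycloneDX"' "$file"
}

# Same multipart form as the page's curl calls; --fail makes curl exit non-zero
# on a 4xx/5xx response (for example a bad API key) instead of returning 0.
# curl sets the multipart Content-Type and boundary itself when -F is used.
submit_bom() {
  url=$1; api_key=$2; project=$3; version=$4; file=$5
  curl -sS --fail -X POST "$url" \
    -H "X-Api-Key: $api_key" \
    -F "autoCreate=true" \
    -F "projectName=$project" \
    -F "projectVersion=$version" \
    -F "bom=@$file"
}

# Main path of the CronJob, rewritten with the helpers. syft and curl only run
# when RUN_SBOM_UPLOAD=1 and IMAGE, URL, API_KEY and PROJECT_NAME are set (the
# same names the CronJob reads from the sbom-generator Secret).
if [ "${RUN_SBOM_UPLOAD:-0}" = "1" ]; then
  VERSION=$(image_tag "$IMAGE") || { echo "ERROR: no tag in $IMAGE" >&2; exit 1; }
  echo "Image: $IMAGE (version $VERSION)"
  syft "$IMAGE" -o cyclonedx-json > /tmp/sbom.json
  bom_looks_valid /tmp/sbom.json || { echo "ERROR: /tmp/sbom.json is not a CycloneDX BOM" >&2; exit 1; }
  submit_bom "$URL" "$API_KEY" "$PROJECT_NAME" "$VERSION" /tmp/sbom.json
fi
```

In the CronJob this would replace the inline script, with the environment still supplied by the sbom-generator Secret; the guarded main path lets the same file be sourced in a shell to try image_tag against your own references first.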
The CronJob pulls its environment variables from a Secret called sbom-generator, so one needs to be created with the following keys:
- API_KEY
- PROJECT_NAME
- URL
apiVersion: v1
kind: Secret
metadata:
  name: sbom-generator
  namespace: <namespace>
stringData:
  API_KEY: <API-key>
  PROJECT_NAME: <Project name>
  URL: https://dtrack.it.helsinki.fi/api/v1/bom
type: Opaque
The following variables can be looked up from within the Pod's definition, or they can be provided in advance, in which case they need to be added to the Secret or passed to the Pod some other way. More info here.
- IMAGE
- VERSION