Send SBOMs to Dependency-Track
Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Dependency-Track takes a unique and highly beneficial approach by leveraging the capabilities of Software Bill of Materials (SBOM).
Chainloop can be configured to automatically send any CycloneDX Software Bill Of Materials that has been received as part of an attestation to a Dependency-Track instance.
Once configured, any SBOM_CYCLONEDX_JSON piece of evidence received during the attestation process will be sent to Dependency-Track.
See below an example of a contract that includes a SBOM_CYCLONEDX_JSON material.
See the integration in action in the following video:
Configure Integration
There are two steps involved to enable this integration:
- Setup a Dependency-Track integration provider in your Chainloop account
- Attach this integration instance to your workflow
Prerequisites
Dependency-Track API Token
An API Token is required for the Chainloop instance to communicate securely with DependencyTrack. The required permissions are BOM_UPLOAD, VIEW_PORTFOLIO (to validate that the provided project ID exists) and optionally PROJECT_CREATION_UPLOAD if project-auto-creation is enabled, more on that later.
The API Key can be created by going to Settings -> Access Management -> Teams -> Select (or create) a Team -> Set permissions -> Copy API key
1 - Setup the integration in your Chainloop account
Let’s register an instance of Dependency-Track that later on can be attached to any of your workflows.
Navigate to the integrations section and click Add Registration.
We can see that there are two required inputs: apiKey and instanceURI, provide those values and click on the Register button.
Navigate to the integrations section and click Add Registration.
We can see that there are two required inputs: apiKey and instanceURI, provide those values and click on the Register button.
With the CLI, we’ll use the chainloop integration registered add command but first let’s find out what are the required inputs using the available describe command.
We can see that there are two required inputs: apiKey and instanceURI.
Let’s go ahead and add an integration for an instance hosted at https://dependency-track.chainloop.dev that allows the auto-creation of projects. You’ll get a prompt to introduce the API key
Command Output
Command Output
2 - Attach the Integration to a Workflow
Once the integration is live, it can be attached to any workflow. In practice, that means that every workflow attestation that is received that contains a SBOM_CYCLONEDX_JSON material will be forwarded.
The same integration can be attached to multiple workflows
Navigate to the workflow section and click on the Attach button.
During the attachment process, you can decide whether to send the SBOMs to a specific project projectID or create a new one defined by the provided projectName. For the latter to work, you need to make sure that the integration was setup with --allow-project-auto-create option. Furthermore, you can request the new project is created as a child of an existing one parentID, to enable you to group projects in Dependency Track.
Navigate to the workflow section and click on the Attach button.
During the attachment process, you can decide whether to send the SBOMs to a specific project projectID or create a new one defined by the provided projectName. For the latter to work, you need to make sure that the integration was setup with --allow-project-auto-create option. Furthermore, you can request the new project is created as a child of an existing one parentID, to enable you to group projects in Dependency Track.
The attachment is done via chainloop integration attached add command. But as we did before, let’s first find out what are the required inputs using the available describe command.
During the attachment process, you can decide whether to send the SBOMs to a specific project projectID or create a new one defined by the provided projectName. For the latter to work, you need to make sure that the integration was setup with --allow-project-auto-create option. Furthermore, you can request the new project is created as a child of an existing one parentID, to enable you to group projects in Dependency Track.
The workflowID can be found by running chainloop workflow list
That’s all!
Next time Chainloop receives an attestation, its contained SBOMs will be uploaded to https://dependency-track.chainloop.dev to a project called example-project.
Advanced Options
Filter SBOMs dispatch
You can filter the SBOMs that are sent to Dependency-Track based on the attestation or material annotations by providing an optional filter option.
- If multiple filters are provided, they will be applied in an AND operation.
- If the same annotation is provided in both the attestation and the material, the value in the material will take precedence.
Dynamically set the project name
You can also use interpolation to calculate the Depdendency-Track project name dynamically based on the annotations set in either the attestation and the materials.
For example, let’s say that you have the following contract
You can then use the {{ .Material.Annotations.Component }} or {{ .Attestation.Annotations.Asset }} templates during attachment, for example
this will send the SBOM to a project called project-controlplane or project-controlplane-oss respectively.