Dependency Track for Azure DevOps Pipelines

Azure DevOps extension for submitting BOM reports to Dependency-Track

Parameters

Base Settings

Name	Id	Description	Required
BOM File Path	bomFilePath	The path where the BOM file is located. (e.g. 'directory/**/bom.xml').	True
Project Id	dtrackProjId	The guid of the project in Dependency Track. Required if project name and version are not specified.	False
Project Name	dtrackProjName	The name of the project in Dependency Track. Required if project id is not specified.	False
Project Version	dtrackProjVersion	The version of the project in Dependency Track. Required if project id is not specified.	False
Auto Create Project	dtrackProjAutoCreate	When set to TRUE and the project in Dependency Track does not exist, it will be created. Requires project name and version to be specified. The API Key will need the PORTFOLIO_MANAGEMENT or PROJECT_CREATION_UPLOAD permission. Default: False	False
API Key	dtrackAPIKey	The Dependency Track API key	True
Dependency Track URI	dtrackURI	The URL to the Dependency Track platform	True

Threshold Options

Setting these options will force the task to wait for the BOM analysis to be finished and the metrics to be recalculated before finishing the task.

Name	Id	Description	Required
Action on Threshold	thresholdAction	The result of the task if the threshold is attained. Values are `none`, `warn`, and `error`.	False
Critical Vulnerability Count	thresholdCritical	Maximum number of critical vulnerabilities to tolerate. A value of `-1` disables this threshold.	False
High Vulnerability Count	thresholdHigh	Maximum number of high vulnerabilities to tolerate. A value of `-1` disables this threshold.	False
Medium Vulnerability Count	thresholdMedium	Maximum number of medium vulnerabilities to tolerate. A value of `-1` disables this threshold.	False
Low Vulnerability Count	thresholdLow	Maximum number of low vulnerabilities to tolerate. A value of `-1` disables this threshold.	False
Unassigned Vulnerability Count	thresholdUnassigned	Maximum number of unassigned vulnerabilities to tolerate. A value of `-1` disables this threshold.	False
Fail Policy Violation Count	thresholdpolicyViolationsFail	Maximum number of failed policy violations to tolerate. A value of `-1` disables this threshold.	False
Warn Policy Violation Count	thresholdpolicyViolationsWarn	Maximum number of warn policy violations to tolerate. A value of `-1` disables this threshold.	False
Info Policy Violation Count	thresholdpolicyViolationsInfo	Maximum number of info policy violations to tolerate. A value of `-1` disables this threshold.	False
Total Policy Violation Count	thresholdpolicyViolationsTotal	Maximum number of Total policy violations to tolerate. A value of `-1` disables this threshold.	False

SSL Options

Name	Id	Description	Required
Trusted CA certificate	caFilePath	File path to PEM encoded CA certificate. This setting is used when Dependency Track is using a self-signed certificate or an internal CA provider for it's TLS configuration.	False

Basic Usage Example

trigger:
- master

pool:
  vmImage: 'ubuntu-latest'

steps:
- task: NodeTool@0
  inputs:
    versionSpec: '18.x'
  displayName: 'Install Node.js'

- script: |
    npm install
    npm install -g @cyclonedx/cyclonedx-npm
  displayName: 'npm install'

- script: |
    cyclonedx-npm --version
    cyclonedx-npm --output-file '$(Agent.TempDirectory)/bom.xml'
  displayName: 'Create BOM'

- task: ceiba-upload-bom-dtrack-task@1
  displayName: 'Upload BOM to https://dtrack.example.com/'
  inputs:
    bomFilePath: '$(Agent.TempDirectory)/bom.xml'
    dtrackProjId: '00000000-0000-0000-0000-000000000000'
    dtrackAPIKey: '$(dtrackAPIKey)'
    dtrackURI: 'https://dtrack.example.com/'

Auto Create Project Usage Example

trigger:
- master

pool:
  vmImage: 'ubuntu-latest'

steps:
- task: NodeTool@0
  inputs:
    versionSpec: '18.x'
  displayName: 'Install Node.js'

- script: |
    npm install
    npm install -g @cyclonedx/cyclonedx-npm
  displayName: 'npm install'

- script: |
    cyclonedx-npm --version
    cyclonedx-npm --output-file '$(Agent.TempDirectory)/bom.xml'
  displayName: 'Create BOM'

- task: ceiba-upload-bom-dtrack-task@1
  displayName: 'Upload BOM to https://dtrack.example.com/'
  inputs:
    bomFilePath: '$(Agent.TempDirectory)/bom.xml'
    dtrackProjName: 'Test Project'
    dtrackProjVersion: 'v1.2'
    dtrackProjAutoCreate: true
    dtrackAPIKey: '$(dtrackAPIKey)'
    dtrackURI: 'https://dtrack.example.com/'

trigger:
- master

pool:
  vmImage: 'ubuntu-latest'

steps:
- task: NodeTool@0
  inputs:
    versionSpec: '18.x'
  displayName: 'Install Node.js'

- script: |
    npm install
    npm install -g @cyclonedx/cyclonedx-npm
  displayName: 'npm install'

- script: |
    cyclonedx-npm --version
    cyclonedx-npm --output-file '$(Agent.TempDirectory)/bom.xml'
  displayName: 'Create BOM'

- task: ceiba-upload-bom-dtrack-task@1
  displayName: 'Upload BOM to https://dtrack.example.com/'
  inputs:
    bomFilePath: '$(Agent.TempDirectory)/bom.xml'
    dtrackProjId: '00000000-0000-0000-0000-000000000000'
    dtrackAPIKey: '$(dtrackAPIKey)'
    dtrackURI: 'https://dtrack.example.com/'
    thresholdAction: 'warn'
    thresholdLow: '0'

Credits

Based from Dependency Track by Gsoft in GIT.

Custom Dependency Track

Jesus Prasca - Ceiba