Tags: security, gitlab, owasp, cicd

Integrating OWASP Dependency-Track into GitLab CI/CD Pipeline


Who can help me?

  1. I want to implement uploading an SBOM file xxxx.xml to Dependency-Track in a GitLab CI/CD pipeline.
  2. Global idea (next step): at the start of the build (beginning of the pipeline), create an SBOM file and upload it to Dependency-Track; for now I use a manually created SBOM file.

With the following gitlab-ci.yml:

```yaml
DT_SCA:
  stage: test
  script:
    - git clone https://gitlab.com/.../test.git
    - cd test/
    # option 1: multipart header, raw XML body
    - curl -X "PUT" "http://x.x.x.x:8080/api/v1/bom" -H "X-API-Key:xxxx" -H "Content-Type:multipart/form-data" -d @xxxx.xml
    # option 2: JSON header, JSON body
    - curl -X "PUT" "http://x.x.x.x:8080/api/v1/bom" -H "X-API-Key:xxxx" -H "Content-Type:application/json" -d @xxxx.json
```

I get a 500 error (Internal Server Error).

I have tried different variations; they always produce different errors.

At the same time, there is no official way to integrate them. Please help me.

Is there a ready solution? Thank you!


Solution

  • I'm using something similar for frontend/nodejs:

    I have a file for the SBOM that runs:

    ```shell
    # generate a CycloneDX SBOM for the application and write it to ./bom.json
    cyclonedx-node -d -t application -o ./bom.json
    ```

    Another one, deptrack.sh:

    ```shell
    # read name and version from the npm package environment
    version=`node -p "process.env.npm_package_version"`
    name=`node -p "process.env.npm_package_name"`

    # POST the BOM as a multipart form; autoCreate makes the project if it does not exist
    curl -X 'POST' 'http://--your IP--:8081/api/v1/bom' \
         -H 'Content-Type: multipart/form-data' \
         -H 'X-Api-Key: --your key--' \
         -F "projectName=$name" \
         -F "projectVersion=$version" \
         -F 'autoCreate=true' \
         -x "" \
         -F 'bom=@./bom.json'
    ```

    In my package.json I have 2 scripts that I trigger from the pipeline:

    ```json
    "scripts": {
      "sbom": "sh ./sbom.sh",
      "deptrack": "sh ./deptrack.sh"
    },
    ```

    In your .gitlab-ci.yml you can then have a job like:

    ```yaml
    sbom:
      stage: compile
      image: --your nodejs image--
      tags:
        - docker
      script:
        - npm ci
        - npm run sbom
        - npm run deptrack
      only:
        - master
      interruptible: true
    ```
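As an added example (not part of the question or the answer above), the same upload done with the PUT form of `/api/v1/bom` that the question was attempting: that endpoint takes a JSON object with the BOM base64-encoded inside it, not the raw file, while the multipart `-F` form belongs to POST. The server URL, API key, BOM path and project name are placeholders, and the metrics object used by the gate is a constructed sample.

```python
"""Upload a CycloneDX BOM to Dependency-Track via PUT /api/v1/bom and gate on
the project's metrics. Added example, not from the question or answer; DT_URL,
API_KEY, the BOM path and the project name are placeholders."""
import base64
import json
import urllib.request

DT_URL = "http://dependency-track.example:8080"  # placeholder server
API_KEY = "REPLACE_WITH_API_KEY"  # placeholder; inject from a masked CI variable


def bom_put_body(bom_bytes: bytes, project_name: str, version: str) -> dict:
    """JSON body for PUT /api/v1/bom: the BOM travels base64-encoded inside a
    JSON object (the multipart -F form is only accepted by POST)."""
    return {
        "projectName": project_name,
        "projectVersion": version,
        "autoCreate": True,
        "bom": base64.b64encode(bom_bytes).decode("ascii"),
    }


def decode_bom(body: dict) -> bytes:
    """Inverse of bom_put_body, used to check the round trip."""
    return base64.b64decode(body["bom"])


def upload_bom(bom_path: str, project_name: str, version: str) -> str:
    """Send the BOM and return the processing token Dependency-Track issues."""
    with open(bom_path, "rb") as fh:
        payload = bom_put_body(fh.read(), project_name, version)
    req = urllib.request.Request(
        f"{DT_URL}/api/v1/bom",
        data=json.dumps(payload).encode("utf-8"),
        method="PUT",
        headers={"X-Api-Key": API_KEY, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["token"]


def violates_policy(metrics: dict, max_critical: int = 0, max_high: int = 0) -> bool:
    """True when the project's current metrics (GET /api/v1/metrics/project/
    {uuid}/current) exceed the allowed critical/high counts; fail the job then."""
    return metrics.get("critical", 0) > max_critical or metrics.get("high", 0) > max_high


# Constructed sample shaped like a Dependency-Track ProjectMetrics response.
SAMPLE_METRICS = {"critical": 1, "high": 3, "medium": 7, "low": 2, "unassigned": 0}

if __name__ == "__main__":
    print("token:", upload_bom("./bom.json", "test", "1.0.0"))
```

Once the token reports `processing: false`, fetch the project's current metrics and feed them to `violates_policy` to turn the upload into a pipeline gate.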