Trying to integrate Dependency-Track with Azure DevOps; currently we are using Bitbucket with Dependency-Track.
I have already installed the https://marketplace.visualstudio.com/items?itemName=GSoft.dependency-track-vsts extension in my project.
Not sure where I can find the extension in Azure DevOps, and not sure how to use this extension and complete my integration with Azure DevOps.
Regards, Shan
Installed the extension in the Azure DevOps project and trying to find the BOM file and YML file to make use of this extension.
Dependency-Track - https://docs.dependencytrack.org/usage/cicd/
It's a pipeline task extension; it adds the "Upload a BOM file to Dependency Track" task to DevOps. You can find the task when creating a pipeline.
For the inputs, you can reference the parameters described in the extension overview page or this GitHub page.
For the usage, you can reference the pipeline samples mentioned in the extension overview page or this GitHub page.
```yaml
trigger:
- master

pool:
  vmImage: 'ubuntu-latest'

steps:
- task: NodeTool@0
  inputs:
    versionSpec: '18.x'
  displayName: 'Install Node.js'

- script: |
    npm install
    npm install -g @cyclonedx/cyclonedx-npm
  displayName: 'npm install'

- script: |
    cyclonedx-npm --version
    cyclonedx-npm --output-file '$(Agent.TempDirectory)/bom.xml'
  displayName: 'Create BOM'

- task: upload-bom-dtrack-task@1
  displayName: 'Upload BOM to https://dtrack.example.com/'
  inputs:
    bomFilePath: '$(Agent.TempDirectory)/bom.xml'
    dtrackProjId: '00000000-0000-0000-0000-000000000000'
    dtrackAPIKey: '$(dtrackAPIKey)'
    dtrackURI: 'https://dtrack.example.com/'
```
To understand Dependency-Track you can reference the following threads:
UPDATE:
I created a C# project and referenced the vulnerable NuGet package System.Text.RegularExpressions@4.3.0. The vulnerability can be seen after the BOM file is uploaded to DT. You can give that a try.
YAML for your reference:
```yaml
trigger:
- master

pool:
  vmImage: 'ubuntu-latest'

steps:
- task: UseDotNet@2
  inputs:
    packageType: 'sdk'
    version: '8.x'

- task: DotNetCoreCLI@2
  displayName: Install CycloneDX
  inputs:
    command: 'custom'
    custom: 'tool'
    arguments: 'install --global CycloneDX'

- task: DotNetCoreCLI@2
  displayName: Create BOM File
  inputs:
    command: 'custom'
    custom: 'CycloneDX'
    arguments: '-d $(Build.Repository.LocalPath)/WebApplication/WebApplication.sln -o $(Agent.TempDirectory)'

- task: upload-bom-dtrack-task@1
  displayName: 'Upload BOM to http://xxx/'
  inputs:
    bomFilePath: '$(Agent.TempDirectory)/bom.xml'
    dtrackProjName: 'WebAPP'
    dtrackProjVersion: 'v1.2'
    dtrackProjAutoCreate: true
    dtrackAPIKey: '$(dtrackAPIKey)'
    dtrackURI: 'http://xxxx:8081'
```
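The marketplace task in both pipelines above wraps a single REST call, `POST /api/v1/bom` with an `X-Api-Key` header, which the Dependency-Track CI/CD docs linked in the question also show with curl. The script below is an added example (not code from the question, the answer or the extension) that does the same from a plain script step, so the upload can be debugged or used on an agent where the task is unavailable. It assumes the environment variables named in its header; `DTRACK_API_KEY` should be a secret pipeline variable mapped in with `env:` (Azure DevOps does not expose secret variables to scripts automatically), and the key only needs the `BOM_UPLOAD` permission, plus `PROJECT_CREATION_UPLOAD` when `autoCreate` is used. It also checks that the generator step actually produced a CycloneDX file before anything is sent, which is the most common reason an "upload" step succeeds while nothing appears in Dependency-Track.

```shell
#!/bin/sh
# Added example, not code from the question, the answer or the extension.
# Sanity-check a CycloneDX BOM (as produced by cyclonedx-npm or dotnet CycloneDX)
# and upload it with curl to Dependency-Track's REST API (POST /api/v1/bom with
# an X-Api-Key header), which is what the marketplace task does under the hood.
# Assumed environment (map Azure DevOps secret variables with `env:`):
#   DTRACK_URI            e.g. https://dtrack.example.com/
#   DTRACK_API_KEY        key with BOM_UPLOAD (plus PROJECT_CREATION_UPLOAD if auto-creating)
#   DTRACK_PROJECT_UUID   target project UUID, or instead:
#   DTRACK_PROJECT_NAME / DTRACK_PROJECT_VERSION / DTRACK_AUTO_CREATE (true|false)
set -eu

# dtrack_bom_endpoint URI: normalise a base URI, with or without a trailing
# slash, into the BOM upload endpoint.
dtrack_bom_endpoint() {
  printf '%s/api/v1/bom\n' "${1%/}"
}

# check_bom FILE: returns 0 when FILE is non-empty and looks like CycloneDX,
# i.e. JSON with "bomFormat": "CycloneDX" or XML in the cyclonedx.org namespace.
# Catches the case where the generator step silently produced nothing usable.
check_bom() {
  f="$1"
  if [ ! -s "$f" ]; then
    echo "BOM missing or empty: $f" >&2
    return 1
  fi
  if grep -q '"bomFormat"[[:space:]]*:[[:space:]]*"CycloneDX"' "$f"; then
    return 0
  fi
  if grep -q 'http://cyclonedx.org/schema/bom' "$f"; then
    return 0
  fi
  echo "Not a CycloneDX BOM: $f" >&2
  return 1
}

# upload_bom FILE: validate, then POST as multipart/form-data. The JSON reply
# carries a "token"; GET /api/v1/bom/token/<token> answers {"processing": ...}
# until Dependency-Track has finished analysing the upload.
upload_bom() {
  f="$1"
  check_bom "$f"
  endpoint=$(dtrack_bom_endpoint "$DTRACK_URI")
  if [ -n "${DTRACK_PROJECT_UUID:-}" ]; then
    curl --fail --silent --show-error -X POST "$endpoint" \
      -H "X-Api-Key: $DTRACK_API_KEY" \
      -F "project=$DTRACK_PROJECT_UUID" \
      -F "bom=@$f"
  else
    curl --fail --silent --show-error -X POST "$endpoint" \
      -H "X-Api-Key: $DTRACK_API_KEY" \
      -F "projectName=$DTRACK_PROJECT_NAME" \
      -F "projectVersion=$DTRACK_PROJECT_VERSION" \
      -F "autoCreate=${DTRACK_AUTO_CREATE:-false}" \
      -F "bom=@$f"
  fi
}

# Typical call from a pipeline script step (uncomment in real use):
# upload_bom "$AGENT_TEMPDIRECTORY/bom.xml"
```

Because the key is passed only as a request header and never echoed, it does not end up in the pipeline log; `--fail` makes curl exit non-zero on a 401 (wrong or under-privileged key) or 404 (unknown project UUID), so the pipeline step fails instead of reporting a silent success.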