Tags: azure, azure-devops, continuous-integration, azure-devops-extensions, owasp-dependency-track

Azure Devops & Code dependency track integration


Trying to integrate Dependency-Track with Azure DevOps; currently we are using Bitbucket with Dependency-Track.

I have already installed this extension, https://marketplace.visualstudio.com/items?itemName=GSoft.dependency-track-vsts, in my project.

Not sure where I can find the extension in Azure DevOps, and not sure how to use this extension and complete my integration with Azure DevOps.

Regards, Shan

Installed the extension in the Azure DevOps project and trying to find the BOM file and YML file to make use of this extension.

Dependency-Track docs: https://docs.dependencytrack.org/usage/cicd/


Solution

  • Not sure where I can find the extension in Azure DevOps, and not sure how to use this extension and complete my integration with Azure DevOps.

    It's a pipeline task extension; it adds the "Upload a BOM file to Dependency Track" task to Azure DevOps. You can find the task when creating a pipeline.

    For the inputs, you can reference the parameters described in the extension overview page or this GitHub page.

    For the usages, you can reference the pipeline samples mentioned in the extension overview page or this GitHub page.

    Basic Usage Example:

    trigger:
    - master
    
    pool:
      vmImage: 'ubuntu-latest'
    
    steps:
    - task: NodeTool@0
      inputs:
        versionSpec: '18.x'
      displayName: 'Install Node.js'
    
    - script: |
        npm install
        npm install -g @cyclonedx/cyclonedx-npm
      displayName: 'npm install'
    
    - script: |
        cyclonedx-npm --version
        cyclonedx-npm --output-file '$(Agent.TempDirectory)/bom.xml'
      displayName: 'Create BOM'
    
    - task: upload-bom-dtrack-task@1
      displayName: 'Upload BOM to https://dtrack.example.com/'
      inputs:
        bomFilePath: '$(Agent.TempDirectory)/bom.xml'
        dtrackProjId: '00000000-0000-0000-0000-000000000000'
        dtrackAPIKey: '$(dtrackAPIKey)'
        dtrackURI: 'https://dtrack.example.com/'
    

    To understand Dependency-Track, you can reference the following threads:

    UPDATE:

    I created a C# project and referenced the vulnerable NuGet package System.Text.RegularExpressions@4.3.0. The vulnerability can be seen after the BOM file is uploaded to DT. You can give it a try.

    YAML for your reference:

    trigger:
    - master
    
    pool:
      vmImage: 'ubuntu-latest'
    
    steps:
    - task: UseDotNet@2
      inputs:
        packageType: 'sdk'
        version: '8.x'
    - task: DotNetCoreCLI@2
      displayName: Install CycloneDX
      inputs:
        command: 'custom'
        custom: 'tool'
        arguments: 'install --global CycloneDX'
    - task: DotNetCoreCLI@2
      displayName: Create BOM File
      inputs:
        command: 'custom'
        custom: 'CycloneDX'
        arguments: '-d $(Build.Repository.LocalPath)/WebApplication/WebApplication.sln -o $(Agent.TempDirectory)'
    - task: upload-bom-dtrack-task@1
      displayName: 'Upload BOM to http://xxx/'
      inputs:
        bomFilePath: '$(Agent.TempDirectory)/bom.xml'
        dtrackProjName: 'WebAPP'
        dtrackProjVersion: 'v1.2'
        dtrackProjAutoCreate: true
        dtrackAPIKey: '$(dtrackAPIKey)'
        dtrackURI: 'http://xxxx:8081'
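What the upload-bom-dtrack-task@1 step does for you is essentially one call to Dependency-Track's REST API. The script below is an added example (it is not part of the answer above and not the GSoft extension's code) that performs the same upload directly and then polls until the server has processed the BOM, which is handy when debugging a pipeline where the BOM file is not where the task expects it. It assumes the v1 API documented at https://docs.dependencytrack.org/usage/cicd/ (PUT /api/v1/bom with a base64-encoded BOM, GET /api/v1/bom/token/{token}, the X-Api-Key header), an API key supplied through an assumed DTRACK_API_KEY environment variable (mapped from a secret pipeline variable with `env:`), and the placeholder server name dtrack.example.com. Because the second sample above points at a plain http:// server, the script refuses to send the key over http unless explicitly allowed.

```python
"""Upload a CycloneDX BOM to Dependency-Track by hand (added example).

Does what the upload-bom-dtrack-task@1 task does: PUT the base64-encoded
BOM to /api/v1/bom, then poll /api/v1/bom/token/{token} until the server
has finished processing it.  Assumptions: v1 REST API as documented at
docs.dependencytrack.org/usage/cicd/, API key in DTRACK_API_KEY (assumed
variable name), server name dtrack.example.com is a placeholder.
"""
import base64
import json
import os
import sys
import time
import urllib.request
from pathlib import Path
from typing import Optional


def load_bom(path: Path) -> bytes:
    """Read the BOM; on a miss, list the directory so the pipeline log shows
    what the generator step actually produced (common cause: wrong -o path)."""
    if not path.is_file():
        siblings = sorted(p.name for p in path.parent.glob("*")) if path.parent.is_dir() else []
        raise FileNotFoundError(f"{path} not found; directory holds {siblings}")
    return path.read_bytes()


def build_upload_payload(bom_bytes: bytes, *, project_id: Optional[str] = None,
                         project_name: Optional[str] = None,
                         project_version: Optional[str] = None,
                         auto_create: bool = False) -> dict:
    """JSON body for PUT /api/v1/bom: either an existing project UUID or a
    name/version pair (autoCreate creates the project on first upload)."""
    if not bom_bytes.strip():
        raise ValueError("BOM is empty; did the generator step run?")
    payload = {"bom": base64.b64encode(bom_bytes).decode("ascii")}
    if project_id:
        payload["project"] = project_id
    elif project_name and project_version:
        payload.update(projectName=project_name, projectVersion=project_version,
                       autoCreate=auto_create)
    else:
        raise ValueError("need a project UUID or a project name and version")
    return payload


def check_server_uri(uri: str, allow_plain_http: bool = False) -> str:
    """Normalise the base URI and refuse http:// unless explicitly allowed:
    the X-Api-Key header would otherwise cross the network in clear text."""
    uri = uri.rstrip("/")
    if uri.startswith("https://") or (uri.startswith("http://") and allow_plain_http):
        return uri
    raise ValueError(f"refusing to send the API key to {uri!r}; use https://")


def upload_bom(uri: str, api_key: str, payload: dict, opener=urllib.request.urlopen) -> str:
    """PUT the BOM and return the processing token the server hands back."""
    req = urllib.request.Request(
        f"{uri}/api/v1/bom", data=json.dumps(payload).encode(), method="PUT",
        headers={"Content-Type": "application/json", "X-Api-Key": api_key})
    with opener(req) as resp:
        return json.load(resp)["token"]


def wait_for_processing(uri: str, api_key: str, token: str, opener=urllib.request.urlopen,
                        timeout: float = 120.0, poll_interval: float = 2.0) -> bool:
    """Poll until the server reports the BOM as processed; False on timeout.
    Waiting matters: a project's findings only exist once processing is done."""
    req = urllib.request.Request(f"{uri}/api/v1/bom/token/{token}",
                                 headers={"X-Api-Key": api_key})
    deadline = time.monotonic() + timeout
    while True:
        with opener(req) as resp:
            if not json.load(resp)["processing"]:
                return True
        if time.monotonic() >= deadline:
            return False
        time.sleep(poll_interval)


if __name__ == "__main__":
    # usage: python upload_bom.py <bom.xml> <server-uri> <project-name> <version>
    bom_path, server, name, version = sys.argv[1:5]
    key = os.environ["DTRACK_API_KEY"]  # secret pipeline variable mapped via env:
    base = check_server_uri(server, allow_plain_http=os.environ.get("DTRACK_ALLOW_HTTP") == "1")
    body = build_upload_payload(load_bom(Path(bom_path)), project_name=name,
                                project_version=version, auto_create=True)
    tok = upload_bom(base, key, body)
    print("processed" if wait_for_processing(base, key, tok) else "timed out waiting", tok)
```

In a pipeline this would run as a `script:` step after the "Create BOM" step, with `env: DTRACK_API_KEY: $(dtrackAPIKey)` so the secret never appears in the command line or the log. The `opener` parameter exists only so the HTTP calls can be exercised against canned responses without a live server.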