This Gradle plugin is designed to ease working with Dependency-Track, a continuous SBOM analysis platform. With it you can automate the upload of SBOM files, generate VEX files that suppress findings per component or per vulnerability, gate a build on the project's risk score, and more. The plugin applies the CycloneDX Gradle plugin internally, so you do not need to add it to your project yourself.
The plugin offers several tasks:
createProject: Creates a project.
generateSbom: Generates the SBOM (runs "cyclonedxBom" from cyclonedx-gradle-plugin under the hood).
uploadSbom: Uploads the SBOM file.
generateVex: Generates a VEX file.
uploadVex: Uploads the VEX file.
analyzeProject: Triggers vulnerability analysis on a specific project.
riskScore: Gets the project's risk score. If the risk score is higher than the specified value, the task fails.
getOutdatedDependencies: Gets outdated dependencies.
getSuppressedVuln: Gets suppressed vulnerabilities.
runDepTrackWorkflow: Runs the generateSbom, uploadSbom, generateVex and uploadVex tasks in sequence, for CI/CD.
Each task requires certain inputs, which are specified in your build.gradle.kts inside the dependencyTrackCompanion block (see the example below). The configuration for each task is as follows:

createProject
    url: Dependency-Track API URL
    apiKey: Dependency-Track API key (read it from the environment or a CI secret rather than committing it to the build script)
    projectName: The name of the project you want to create
    projectVersion: Optional - The version of the project you want to create
    projectActive: Optional - Default is true; set to false to create an inactive project
    projectTags: Optional - Tags to add to your project
    parentUUID: Optional - UUID of the parent project, when creating the project under a parent
    ignoreProjectAlreadyExists: Optional - Default is false; set to true to ignore the "Project already exists" error

uploadSbom
    url: Dependency-Track API URL
    apiKey: Dependency-Track API key
    inputFile: Optional - Default: build/reports/bom.json
    autoCreate: Optional - Default: false. When true, Dependency-Track creates the project on upload if it does not exist yet
    projectUUID: Optional - Set either projectUUID, or both projectName and projectVersion
    projectName: Optional - Set either projectUUID, or both projectName and projectVersion
    projectVersion: Optional - Set either projectUUID, or both projectName and projectVersion
    parentUUID: Optional - Used when the project is created under a parent project
    parentName: Optional - Used when the project is created under a parent project
    parentVersion: Optional - Used when the project is created under a parent project

generateVex
    vexComponent: Optional - Suppresses a vulnerability in one component, identified by its purl
    vexVulnerability: Optional - Suppresses a vulnerability in all components
    inputFile: Optional - Default: build/reports/bom.json
    outputFile: Optional - Default: build/reports/vex.json

uploadVex
    url: Dependency-Track API URL
    apiKey: Dependency-Track API key
    outputFile: Optional - The VEX file to upload. Default: build/reports/vex.json
    projectUUID: Optional - Set either projectUUID, or both projectName and projectVersion
    projectName: Optional - Set either projectUUID, or both projectName and projectVersion
    projectVersion: Optional - Set either projectUUID, or both projectName and projectVersion

riskScore
    url: Dependency-Track API URL
    apiKey: Dependency-Track API key
    projectUUID: Optional - Set either projectUUID, or both projectName and projectVersion
    projectName: Optional - Set either projectUUID, or both projectName and projectVersion
    projectVersion: Optional - Set either projectUUID, or both projectName and projectVersion
    riskScore: Optional - Nested block (see the example below) holding timeout and maxRiskScore; used for failing the task if the risk score is higher than the specified value
    timeout: Optional - If specified, the task waits for the risk score to be calculated, up to the given duration. Default: 0 seconds, i.e. the score is read immediately, so when the task runs right after uploadSbom set a timeout long enough for the analysis to finish
    maxRiskScore: Optional - If specified, the task fails if the risk score is higher than this value

analyzeProject, getOutdatedDependencies and getSuppressedVuln take the same inputs:
    url: Dependency-Track API URL
    apiKey: Dependency-Track API key
    projectUUID: Optional - Set either projectUUID, or both projectName and projectVersion
    projectName: Optional - Set either projectUUID, or both projectName and projectVersion
    projectVersion: Optional - Set either projectUUID, or both projectName and projectVersion
Here's how you can configure all tasks:
```kotlin
import com.liftric.dtcp.extensions.*
import org.cyclonedx.model.vulnerability.Vulnerability
import kotlin.time.Duration.Companion.seconds // needed for `20.seconds` below

// Gradle project properties (e.g. from gradle.properties) used as the Dependency-Track project coordinates
val version: String by project
val name: String by project

dependencyTrackCompanion {
    url.set("https://api.dtrack.example.com")
    // Never hard-code the API key; read it from the environment or a CI secret
    apiKey.set(System.getenv("DT_API_KEY"))
    autoCreate.set(true)
    projectName.set(name)
    projectVersion.set(version)
    parentName.set(name)

    riskScore {
        timeout.set(20.seconds)  // wait up to 20 s for the analysis to produce a score
        maxRiskScore.set(7.0)    // the riskScore task fails above this value
    }

    // Suppress one vulnerability on one specific component, identified by purl
    vexComponent {
        purl.set("pkg:maven/org.eclipse.jetty/jetty-http@9.4.49.v20220914?type=jar")
        vulnerability {
            id.set("CVE-2023-26048")
            source.set("NVD")
            analysis.set(Vulnerability.Analysis.State.FALSE_POSITIVE)
        }
    }

    // Suppress a vulnerability across all components, with a recorded justification
    vexVulnerability {
        id.set("CVE-2020-8908")
        source.set("NVD")
        analysis.set(Vulnerability.Analysis.State.RESOLVED)
        detail.set("This is resolved")
    }
}
```
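A VEX file generated from the vexComponent and vexVulnerability settings above is a suppression record: once uploaded, Dependency-Track stops reporting the listed findings. Before uploadVex runs, it is worth checking that every suppression carries a justification and is scoped as narrowly as intended. The following policy check is an added example and not code from the plugin or the page; it assumes the file follows the CycloneDX 1.4 VEX JSON layout (the plugin's exact output is not shown on this page), and the sample document is constructed here to mirror the README's example values. The function names (lint_vex, lint_vex_file) and the rules themselves are the author's choice.

```python
import json

# Values CycloneDX 1.4 allows in analysis.state.
VALID_STATES = {"resolved", "resolved_with_pedigree", "exploitable",
                "in_triage", "false_positive", "not_affected"}
# States that make Dependency-Track stop reporting the finding.
SUPPRESSING_STATES = {"resolved", "resolved_with_pedigree",
                      "false_positive", "not_affected"}

# Constructed sample modelled on the README's vexComponent / vexVulnerability
# example; it is not a file captured from the plugin.
SAMPLE_VEX = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "vulnerabilities": [
        {   # component-scoped suppression, but no justification recorded
            "id": "CVE-2023-26048",
            "source": {"name": "NVD"},
            "analysis": {"state": "false_positive"},
            "affects": [{"ref": "pkg:maven/org.eclipse.jetty/jetty-http@9.4.49.v20220914?type=jar"}],
        },
        {   # justified, but applies to every component (no affects list)
            "id": "CVE-2020-8908",
            "source": {"name": "NVD"},
            "analysis": {"state": "resolved", "detail": "This is resolved"},
        },
    ],
}


def lint_vex(doc):
    """Return a list of (vulnerability id, message) findings for a CycloneDX VEX document."""
    findings = []
    for vuln in doc.get("vulnerabilities", []):
        vid = vuln.get("id", "<no id>")
        analysis = vuln.get("analysis") or {}
        state = analysis.get("state")
        if state not in VALID_STATES:
            findings.append((vid, f"unknown analysis state {state!r}"))
            continue
        affects = vuln.get("affects") or []
        for entry in affects:
            ref = entry.get("ref", "")
            if not ref.startswith("pkg:"):
                findings.append((vid, f"affects ref is not a purl: {ref!r}"))
        if state in SUPPRESSING_STATES:
            # A suppression without a detail cannot be audited later.
            if not (analysis.get("detail") or "").strip():
                findings.append((vid, f"state {state} suppresses the finding but has no detail"))
            # No affects list means the suppression covers every component in the project.
            if not affects:
                findings.append((vid, f"state {state} applies to every component (no affects list)"))
    return findings


def lint_vex_file(path):
    """Lint a VEX file on disk, e.g. build/reports/vex.json before uploadVex runs."""
    with open(path, encoding="utf-8") as fh:
        return lint_vex(json.load(fh))


if __name__ == "__main__":
    import sys
    doc = lint_vex_file(sys.argv[1]) if len(sys.argv) > 1 else lint_vex(SAMPLE_VEX)
    for vid, msg in doc:
        print(f"{vid}: {msg}")
```

Run against the sample, the check reports two findings: CVE-2023-26048 is suppressed as false_positive without a detail, and CVE-2020-8908 is suppressed project-wide. Whether the second is acceptable is a policy decision; the point is that both facts are visible before the file reaches Dependency-Track rather than after the finding has silently disappeared from the dashboard.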
This Gradle Dependency-Track plugin is released under the MIT License.
This project is not a derivative of Dependency-Track but a tool that interacts with it. Please note that Dependency-Track is released under the Apache 2.0 license. Refer to the respective licenses for more information.