Dependency-Track is an intelligent Software Composition Analysis (SCA) platform that allows organizations to identify and reduce risk from the use of third-party and open source components.
It integrates with multiple vulnerability databases including the National Vulnerability Database (NVD), NPM Public Advisories, Sonatype OSS Index, and VulnDB from Risk Based Security. Dependency-Track monitors all applications in its portfolio in order to proactively identify vulnerabilities in components that are placing your applications at risk. Use of Dependency-Track can play a vital role in an overall Cyber Supply Chain Risk Management (C-SCRM) program by fulfilling many of the recommendations laid out by SAFECode.
Dependency-Track is designed to be used in an automated DevOps environment where software bill-of-material (S-BoM) formats are automatically ingested during CI/CD. Use of this plugin is highly recommended for this purpose and is well suited for use in Jenkins Pipeline. In such an environment, Dependency-Track enables your DevOps teams to accelerate while still keeping tabs on component usage and any inherited risk.
The Dependency-Track Jenkins plugin aids in publishing CycloneDX and SPDX BoMs as well as Dependency-Check XML reports to the Dependency-Track platform.
Publishing BoMs can be performed asynchronously or synchronously.
Asynchronous publishing simply uploads the BoM to Dependency-Track and the job continues. Synchronous publishing waits for Dependency-Track to process the BoM after it has been uploaded. Synchronous publishing has the benefit of displaying interactive job trends and per-build findings.
Once configured with a valid URL and API key, simply configure a job to publish the artifact.
Dependency-Track project: Specifies the unique project ID to upload scan results to. This dropdown will be automatically populated with a list of projects.
Artifact: Specifies the file to upload. Paths are relative to the Jenkins workspace.
Artifact Type: Options are:
Synchronous mode: Uploads a BoM to Dependency-Track and waits for Dependency-Track to process and return results. The results returned are identical to the auditable findings but exclude findings that have previously been suppressed. Analysis decisions and vulnerability details are included in the response. Synchronous mode is possible with Dependency-Track v3.3.1 and higher.
When Synchronous mode is enabled, thresholds can be defined which can optionally put the job into an UNSTABLE or FAILURE state.
Total Findings: Sets the threshold for the total number of critical, high, medium, or low severity findings allowed. If the number of findings equals or is greater than the threshold for any one of the severities, the job status will be changed to UNSTABLE or FAILURE.
New Findings: Sets the threshold for the number of new critical, high, medium, or low severity findings allowed. If the number of new findings equals or is greater than the previous build's findings for any one of the severities, the job status will be changed to UNSTABLE or FAILURE.
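The following is an added illustration of how such a threshold gate behaves. It is not the plugin's own code. It assumes that a finding counts as "new" when its component and vulnerability pair was absent from the previous build, and that new findings are compared to their threshold with the same "equals or is greater than" rule as total findings. The field names, the on_breach parameter and the sample findings are constructed for the example.

```python
from collections import Counter

SEVERITIES = ("critical", "high", "medium", "low")

def count_by_severity(findings):
    """Count findings per severity, excluding suppressed ones (as synchronous results do)."""
    return Counter(f["severity"] for f in findings if not f.get("suppressed"))

def new_findings(current, previous):
    """Assumption: 'new' means the (component, vuln) pair was not in the previous build."""
    seen = {(f["component"], f["vuln"]) for f in previous}
    return [f for f in current if (f["component"], f["vuln"]) not in seen]

def breaches(counts, thresholds, label):
    """A severity breaches when count >= threshold; a missing threshold is not checked."""
    return [f"{label} {s}: {counts[s]} >= {thresholds[s]}"
            for s in SEVERITIES
            if thresholds.get(s) is not None and counts[s] >= thresholds[s]]

def evaluate(current, previous, total_thresholds, new_thresholds, on_breach="UNSTABLE"):
    """Return (job status, reasons). on_breach is a hypothetical stand-in for the job setting."""
    reasons = breaches(count_by_severity(current), total_thresholds, "total")
    reasons += breaches(count_by_severity(new_findings(current, previous)),
                        new_thresholds, "new")
    return (on_breach if reasons else "SUCCESS"), reasons

# Constructed sample findings for two consecutive builds (identifiers are placeholders).
PREVIOUS = [
    {"component": "lib-a 1.0", "vuln": "VULN-0001", "severity": "high"},
    {"component": "lib-b 2.3", "vuln": "VULN-0002", "severity": "medium"},
]
CURRENT = PREVIOUS + [
    {"component": "lib-c 0.9", "vuln": "VULN-0003", "severity": "critical"},
    {"component": "lib-d 4.1", "vuln": "VULN-0004", "severity": "high", "suppressed": True},
]

if __name__ == "__main__":
    # Because the comparison is >=, a threshold of 1 trips on the first finding.
    status, reasons = evaluate(CURRENT, PREVIOUS,
                               total_thresholds={"high": 2, "medium": 1},
                               new_thresholds={"critical": 1},
                               on_breach="FAILURE")
    print(status)
    for reason in reasons:
        print(" -", reason)
```

Note that the suppressed high-severity finding does not count toward either threshold, so suppression decisions made in Dependency-Track directly affect whether the gate trips.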
To set up, navigate to Jenkins > System Configuration and complete the Dependency-Track section.