OWASP Dependency Track is a great tool and platform for tracking Software Bills of Materials (SBOMs) and running vulnerability and licence analysis on them.

To use these features as a quality gate, run the OWASP Dependency Track CLI tool within your pipeline as a Python script (an OCI container image can be used instead).

Requirements

  • You need a running OWASP Dependency Track instance, which can be installed easily via the Docker Compose file
  • You need to log in to your instance and set up an API key with the required permissions. Follow least privilege: grant the key only what the CLI needs (BOM upload and, if you rely on --auto-create, project creation on upload), not administrator permissions
  • You need a previously generated SBOM of your application in CycloneDX format, which is what Dependency Track consumes. You can use Trivy or any other SBOM generator for that.

Install and setup the CLI

Install the CLI first:

pip install owasp-dependency-track-cli

Setup your environment variables by exporting them:

export OWASP_DTRACK_URL="http://localhost:8081/api"  # The URL to your OWASP DT instance (use https for anything but a local test setup)
export OWASP_DTRACK_VERIFY_SSL="True"  # Set to "False" only for self-hosted instances without a valid certificate: it lets anyone on the network path read your API key
export OWASP_DTRACK_API_KEY="xyz"  # Your API key; in a pipeline, inject it from the CI secret store instead of writing it into the script

Test your SBOM

Once you have finished your setup, all you need to do is analyze the previously created SBOM file:

owasp-dtrack-cli test --project-name "My project" --auto-create /path/to/sbom.json

A project named My project will be created if it does not exist yet, and the SBOM will be uploaded to it and analyzed. If you want to implement a quality gate, use the SEVERITY_THRESHOLD_* environment variables, for example:

export SEVERITY_THRESHOLD_HIGH="1"

This causes the CLI to exit with a non-zero code if at least one vulnerability with CVSS severity HIGH has been found, which breaks your pipeline in a regular script run step. The threshold is set per severity level, so set one for every level you want the gate to enforce, CRITICAL in particular.
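The following pipeline step is an added example, not code from the CLI project or the original page. It wraps the commands above so that misconfiguration fails the build before anything touches the network: it refuses to run without a URL and API key, refuses disabled certificate verification or a plain-http URL unless a hypothetical ALLOW_INSECURE_DTRACK=1 opt-in is present, validates that the thresholds are integers (a typo must not silently disable the gate), and then propagates the CLI's exit code. It assumes the CI system injects OWASP_DTRACK_API_KEY from its secret store and that SEVERITY_THRESHOLD_CRITICAL follows the same pattern as the SEVERITY_THRESHOLD_HIGH variable shown on the page.

```sh
#!/bin/sh
# Pipeline step: upload an SBOM to OWASP Dependency Track and fail the build
# when the CLI reports a threshold breach. Added example, not the CLI project's code.
# Assumptions (not from the original page): OWASP_DTRACK_API_KEY is injected by the
# CI secret store; SEVERITY_THRESHOLD_CRITICAL follows the SEVERITY_THRESHOLD_HIGH
# pattern; ALLOW_INSECURE_DTRACK is a hypothetical opt-in used only by this script.
set -eu

# Returns 0 if the argument is a non-negative integer, 1 otherwise.
is_threshold() {
  case "${1:-}" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Validates the environment before anything touches the network.
# Returns 0 when the configuration is usable, 1 (with a reason on stderr) otherwise.
check_dtrack_env() {
  url="${OWASP_DTRACK_URL:-}"
  key="${OWASP_DTRACK_API_KEY:-}"
  verify="${OWASP_DTRACK_VERIFY_SSL:-True}"
  insecure_ok="${ALLOW_INSECURE_DTRACK:-0}"

  if [ -z "$url" ]; then
    echo "OWASP_DTRACK_URL is not set" >&2; return 1
  fi
  if [ -z "$key" ]; then
    echo "OWASP_DTRACK_API_KEY is not set; inject it from the CI secret store" >&2; return 1
  fi
  # Without certificate verification, or over plain http, the API key travels in a
  # form anyone on the network path can read. Require an explicit opt-in for that.
  if [ "$verify" != "True" ] && [ "$insecure_ok" != "1" ]; then
    echo "OWASP_DTRACK_VERIFY_SSL=$verify requires ALLOW_INSECURE_DTRACK=1" >&2; return 1
  fi
  case "$url" in
    http://*)
      if [ "$insecure_ok" != "1" ]; then
        echo "plain-http URL $url requires ALLOW_INSECURE_DTRACK=1" >&2; return 1
      fi ;;
  esac
  # Thresholds must be numbers; a typo here must not silently disable the gate.
  for spec in "CRITICAL=${SEVERITY_THRESHOLD_CRITICAL:-}" "HIGH=${SEVERITY_THRESHOLD_HIGH:-}"; do
    val="${spec#*=}"
    if ! is_threshold "$val"; then
      echo "SEVERITY_THRESHOLD_${spec%%=*} must be a non-negative integer (got '$val')" >&2
      return 1
    fi
  done
  return 0
}

# Runs the gate for one SBOM. Arguments: project name, SBOM path.
# Propagates the CLI's exit code so a threshold breach fails this pipeline step.
dtrack_gate() {
  project="$1"
  sbom="$2"
  [ -r "$sbom" ] || { echo "SBOM file $sbom is not readable" >&2; return 1; }
  check_dtrack_env || return 1
  export SEVERITY_THRESHOLD_CRITICAL SEVERITY_THRESHOLD_HIGH
  echo "uploading $sbom to project '$project'; failing at CRITICAL >= $SEVERITY_THRESHOLD_CRITICAL or HIGH >= $SEVERITY_THRESHOLD_HIGH findings"
  if owasp-dtrack-cli test --project-name "$project" --auto-create "$sbom"; then
    echo "quality gate passed"
  else
    rc=$?
    echo "quality gate failed: owasp-dtrack-cli exited with code $rc" >&2
    return "$rc"
  fi
}

# Usage in a pipeline: sh dtrack-gate.sh "My project" /path/to/sbom.json
if [ "$#" -ge 2 ]; then
  dtrack_gate "$1" "$2"
fi
```

With the page's local setup (http://localhost:8081/api) the script deliberately stops unless ALLOW_INSECURE_DTRACK=1 is set; in a real pipeline point OWASP_DTRACK_URL at an https endpoint instead of setting the opt-in.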

More features

The help flag reveals more useful features of the CLI tool:

owasp-dtrack-cli --help

You can expose vulnerability metrics in Prometheus format, for example for Grafana dashboards:

owasp-dtrack-cli metrics prometheus

Or perform automated updates of your projects from a JSON project definition:

owasp-dtrack-cli project upsert --project-name "My project" --file /path/to/project.json