Dependency-Track logov4.2

Dependency-Track consumes and analyzes CycloneDX BOMs at high-velocity and is ideal for use in modern build pipelines. The generation of CycloneDX BOMs often occur during CI or when the final application assembly is being generated. CycloneDX is the preferred BOM format due to the availability of build-time tools and the formats focus on security use cases. However, BOMs in SPDX tag and RDF formats are also supported.

Visit the CycloneDX Tool Center for information on the available tools for generating CycloneDX BOMs from various build systems.

Dependency-Track continuously monitors components for known vulnerabilities. When components are added or updated in Dependency-Track, an analysis is performed against the component. This action occurs during ingestion of files as well as changes to the components via REST or from the user interface. All components in Dependency-Track, regardless of changes, are automatically analyzed on a daily basis.

The Dependency-Track Jenkins Plugin is the recommended method for publishing CycloneDX BOMs to Dependency-Track in a Jenkins environment.

For other environments, cURL (or similar) can be used.

CycloneDX or SPDX BOM

To publish CycloneDX or SPDX BOMs, use a valid API Key and project UUID. Finally, Base64 encode the bom and insert the resulting text into the ‘bom’ field.

curl -X "PUT" "http://dtrack.example.com/api/v1/bom" \
     -H 'Content-Type: application/json' \
     -H 'X-API-Key: LPojpCDSsEd4V9Zi6qCWr4KsiF3Konze' \
     -d $'{
  "project": "f90934f5-cb88-47ce-81cb-db06fc67d4b4",
  "bom": "PD94bWwgdm..."
  }'

It’s also possible to publish BOMs via HTTP POST which does not require Base64 encoding the payload.

curl -X "POST" "http://dtrack.example.com/api/v1/bom" \
     -H 'Content-Type: multipart/form-data; charset=utf-8; boundary=__X_CURL_BOUNDARY__' \
     -H 'X-Api-Key: LPojpCDSsEd4V9Zi6qCWr4KsiF3Konze' \
     -F "project=f90934f5-cb88-47ce-81cb-db06fc67d4b4" \
     -F "bom=<?xml version=\"1.0\" encoding=\"UTF-8\"?>..."

Large Payloads

In cases where the scan or BOM being uploaded is large, using cURLs capability of specifying a file containing a payload may be preferred.

curl -X "PUT" "http://dtrack.example.com/api/v1/bom" \
     -H 'Content-Type: application/json' \
     -H 'X-API-Key: LPojpCDSsEd4V9Zi6qCWr4KsiF3Konze' \
     -d @payload.json