
feat: add dependency track integration #594

Merged
merged 5 commits into from
Aug 17, 2023

Conversation

takumakume

@takumakume takumakume commented Jul 27, 2023

ref #575

SBOM Report has been supported since Trivy Operator 0.15.0.

I want to execute a webhook to Dependency Track via Postee. (ref: aquasecurity/trivy-operator#143 (comment))

In this Pull Request, I implemented the following:

  • Added Integration of Dependency Track
  • Added Template for sending Trivy Operator sbomReport to Dependency Track

Dependency Track uploads the BOM with ProjectName and ProjectVersion as keys.

Dependency Track Integration has the following specification:

  • ProjectName:ProjectVersion is the template title. (e.g. busybox:latest)
  • BOM data is in the template description.

In this Pull Request, only JSON used by trivy-operator is supported as BOM format.


The operation was checked in the following environment.

routes:
  - name: dependencytrack
    input: contains(input.kind, "SbomReport")
    actions: [ dependencytrack ]
    template: dependencytrack
actions:
  - name: my-dependencytrack
    type: dependencytrack
    enable: true
    url: http://192.168.100.28:8081/ # local docker compose
    dependency-track-api-key: **
templates:
  - name: dependencytrack
    rego-package: postee.trivyoperator.dependencytrack
  • trivy-operator sends SBOM Report webhook to Postee and is registered in Dependency Track.
  • Can be configured from Postee UI
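The title-to-project mapping and the JSON-only BOM rule described in the post above, as an added Go example that is not Postee's own code: it splits the template title into projectName/projectVersion (on the last colon, so a registry port survives in the name), checks that the description is JSON, and assembles the body for Dependency-Track's `PUT /api/v1/bom` upload. The endpoint and its field names are taken from the Dependency-Track REST API as I know it; the sample BOM is constructed.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// bomUploadRequest mirrors the JSON body Dependency-Track's PUT /api/v1/bom
// endpoint accepts; autoCreate lets the server create the project on first upload.
type bomUploadRequest struct {
	ProjectName    string `json:"projectName"`
	ProjectVersion string `json:"projectVersion"`
	AutoCreate     bool   `json:"autoCreate"`
	Bom            string `json:"bom"` // base64-encoded CycloneDX JSON
}

// splitProjectKey turns a template title such as "busybox:latest" into the
// projectName/projectVersion pair. It splits on the LAST colon so that a registry
// with a port ("localhost:5000/busybox:1.36") keeps its port in the name; a title
// without a version is rejected rather than guessed.
func splitProjectKey(title string) (name, version string, err error) {
	i := strings.LastIndex(title, ":")
	if i <= 0 || i == len(title)-1 {
		return "", "", fmt.Errorf("title %q is not in ProjectName:ProjectVersion form", title)
	}
	name, version = title[:i], title[i+1:]
	if strings.Contains(version, "/") { // the colon was a registry port, no tag present
		return "", "", fmt.Errorf("title %q has no version after the image name", title)
	}
	return name, version, nil
}

// buildBomUpload validates that the description is JSON (the only BOM format the
// integration supports) and returns the marshalled upload body.
func buildBomUpload(title, description string) ([]byte, error) {
	name, version, err := splitProjectKey(title)
	if err != nil {
		return nil, err
	}
	if !json.Valid([]byte(description)) {
		return nil, fmt.Errorf("BOM in template description is not valid JSON")
	}
	req := bomUploadRequest{ProjectName: name, ProjectVersion: version, AutoCreate: true,
		Bom: base64.StdEncoding.EncodeToString([]byte(description))}
	return json.Marshal(req)
}
```

The resulting body is what the action would send with an `X-Api-Key` header to the configured Dependency-Track URL.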

@takumakume

https://aquasecurity.slack.com/archives/C02NT2Y4FJL/p1691406606182759

Hi all, I would just quickly like to remind everyone that our efforts have shifted to Trivy and Tracee, you are still welcome to use Postee -- however, it is not actively being developed upon by the core team

Will this pull request be reviewed and merged?


@DmitriyLewen DmitriyLewen left a comment


Hello @takumakume
Sorry for waiting!

I left some comments.

cfg.yaml (outdated, resolved)
actions/dependencytrack.go (resolved)
@takumakume

@DmitriyLewen
Thanks for the check! I have pushed some fixes.


@DmitriyLewen DmitriyLewen left a comment


Thanks for your work!
LGTM.
@simar7 can you take a look and merge PR?

@takumakume

Hi, is there anything I can do to merge this pull request? Thank you for your time. @simar7

@simar7 simar7 merged commit 698003e into aquasecurity:main Aug 17, 2023
4 checks passed
@takumakume takumakume deleted the add-dependency-track branch August 21, 2023 14:28