Is your feature request related to a problem? Please describe.
A DT server with several hundred projects will often have a real variance in BOM quality. This might be caused by a number of things:
Different ecosystems means different tools generating the BOM... Gradle, Maven, etc.
Out-of-date version of tools generating the BOM. E.g., two Maven projects both reporting BOM version is 1.4 in DT but one is generated using an older version of the cyclonedx-maven-plugin and thus may be lower quality
Up-to-date plugin generates BOM... but is incorrectly configured for (say) schemaVersion. Thus, one might get two projects with same out-of-date schemaVersion but one generated with latest plugin has higher quality
Describe the solution you'd like
Incorporate the sbomqs tool into the DT Jenkins plugin. This will allow for several pieces of functionality:
Calculation of BOM Quality Score
Option to fail a build (or mark it unstable) based on BOM quality (score)
Creation of quality score labels in Dependency-Track
Reporting of scoring output as a report in Jenkins so that one can see WHY a score is low (especially if it is causing the build to fail)
Additional context
Here is a screenshot showing labels in DT that have been created by sbomqs
The tool will take care of removing old tags... important if (say) an upgrade of the tool that generates the BOM improves the score.
This function goes beyond what this plugin is intended for. It is not a generic SBOM plugin and does not call an external executable, for whatever reason.
You can do this yourself in your Jenkins pipeline.
call sbomqs and capture the output: def out = sh(script: 'sbomqs score <sbom-file>', returnStdout: true).trim()
extract the score from the captured output and store it in a variable: def score = Float.parseFloat(out.split(' ')[0])
let the build fail if the score is too low: if (score < 9.0) { error 'sbom quality too low' }
use the feature of setting tags to set the sbomqs-tag when uploading the sbom file: dependencyTrackPublisher artifact: '<sbom-file>', ..., projectProperties: [tags: ["sbomqs=${score}"]]
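An added example Jenkinsfile that assembles the steps in this comment into one pipeline with separate "unstable" and "fail" thresholds and a per-check report of why the score is low; this is not the plugin's code or the commenter's. It assumes sbomqs is on the agent's PATH, that the sbomqs JSON output carries files[].avg_score and per-check scores[] entries with category/feature/score/max_score/description fields, that the Pipeline Utility Steps plugin provides readJSON, and that the project name/version parameters of dependencyTrackPublisher are as shown.

```groovy
// Added example, not from the Dependency-Track Jenkins plugin or the comment above.
// Assumptions: sbomqs on PATH; `sbomqs score --json` JSON field names as used below;
// readJSON from Pipeline Utility Steps; cyclonedx-maven-plugin bound in the pom so
// `mvn verify` writes target/bom.json.
pipeline {
    agent any
    environment {
        SBOM_FILE      = 'target/bom.json'
        FAIL_BELOW     = '6.0'   // error the build under this score
        UNSTABLE_BELOW = '8.0'   // mark the build unstable under this score
    }
    stages {
        stage('Build and generate SBOM') {
            steps { sh 'mvn -B verify' }
        }
        stage('Score SBOM with sbomqs') {
            steps {
                script {
                    def out = sh(script: "sbomqs score --json ${env.SBOM_FILE}", returnStdout: true).trim()
                    def report = readJSON text: out
                    def file = report.files[0]
                    def score = file.avg_score as double
                    // Report WHY the score is what it is: every check that missed its maximum.
                    file.scores.findAll { it.score < it.max_score }.each {
                        echo "sbomqs ${it.category}/${it.feature}: ${it.score}/${it.max_score} - ${it.description}"
                    }
                    // Keep the raw report as an artifact so the reasons outlive the console log.
                    writeFile file: 'sbomqs-report.json', text: out
                    archiveArtifacts artifacts: 'sbomqs-report.json'
                    env.SBOM_SCORE = score.toString()
                    if (score < (env.FAIL_BELOW as double)) {
                        error "SBOM quality score ${score} is below ${env.FAIL_BELOW}"
                    } else if (score < (env.UNSTABLE_BELOW as double)) {
                        unstable "SBOM quality score ${score} is below ${env.UNSTABLE_BELOW}"
                    }
                }
            }
        }
        stage('Publish to Dependency-Track') {
            steps {
                // The tag is replaced on every upload, so an improved SBOM gets a fresh score label.
                dependencyTrackPublisher artifact: env.SBOM_FILE, synchronous: true,
                    projectName: env.JOB_BASE_NAME, projectVersion: env.BUILD_NUMBER,
                    autoCreateProjects: true,
                    projectProperties: [tags: ["sbomqs=${env.SBOM_SCORE}"]]
            }
        }
    }
}
```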