Dependency Track - Continuous SBOM Analysis Platform


There are many tools that help you continuously monitor your software supply chain security, for example GitHub Dependabot or OWASP Dependency Track.

In this article we take a look at Dependency Track and explore how it can help us secure our software supply chain.

Dependency Track

In short, Dependency Track is a web application that continuously monitors the dependencies of your software projects for known vulnerabilities.

So what is OWASP Dependency Track in detail?

“Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Dependency-Track takes a unique and highly beneficial approach by leveraging the capabilities of Software Bill of Materials (SBOM). This approach provides capabilities that traditional Software Composition Analysis (SCA) solutions cannot achieve. Dependency-Track monitors component usage across all versions of every application in its portfolio in order to proactively identify risk across an organization. The platform has an API-first design and is ideal for use in CI/CD environments.”

What is OWASP?

“The Open Web Application Security Project® (OWASP) is a nonprofit foundation that works to improve the security of software. Through community-led open-source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web.”

How to use

For each project you want to monitor, you generate a software bill of materials (SBOM) and upload it to your Dependency Track instance. Dependency Track stores the dependencies of your project and checks them periodically for vulnerabilities, using several continuously updated vulnerability databases.

How you generate the SBOM depends on the build tools you use, but CycloneDX provides plugins and CLI tools for most ecosystems that will help you with this task.

The SBOM can be uploaded via curl, but that is a little clunky. Since we want to integrate the upload into all our GitHub pipelines, we would like a GitHub Action that does exactly this.

There is a GitHub Action in the marketplace that aims to do both steps and more, but it currently lacks support for Gradle, so we cannot use it for all our projects. So we wrote our own upload GitHub Action.

If you use Jenkins, you might consider using the mighty OWASP Dependency-Track Jenkins Plugin.

API-Key

First you have to create an API key in order to be able to upload your BOM. Log in as ‘admin’, go to “Access Management / Teams”, select your team (or create a new one) and click the “plus” button to create an API key for your upload. Please note that the key’s team needs the BOM_UPLOAD and VIEW_PORTFOLIO permissions. If you want to use autoCreate, it also needs PROJECT_CREATION_UPLOAD.

Dependency Track AccessManagement

Upload via curl

In this example, we use the project name and version instead of specifying the project UUID. If the project does not exist yet, it is created automatically because of the autoCreate=true parameter.

curl -X "POST" "http://<your-dep-track-host>/api/v1/bom" \
-H 'Content-Type: multipart/form-data' \
-H "X-Api-Key: <your-deptrack-api-key>" \
-F "autoCreate=true" \
-F "projectName=myproject" \
-F "projectVersion=1.0.0" \
-F "bom=@build/reports/bom.xml"

Integrate Github Action

This is an example .github/workflows/deptrack.yml. You only have to fill in your <your-dep-track-host> and store the API key that you configured in your Dependency Track instance under “Access Management / Teams / API Keys” as the secret DEPENDENCYTRACK_APIKEY for your Action.

on: [push]
jobs:
  deptrack_test:
    name: Generate and upload SBOM
    runs-on: ubuntu-latest
    steps:
      # The Gradle task needs the sources, so check out the repository first
      - name: Check out sources
        uses: actions/checkout@v3
      - name: Generate SBOM
        uses: gradle/gradle-build-action@v2
        with:
          arguments: cyclonedxBom
      - name: Upload SBOM to dependency-track instance
        # The id is required so the last step can read this step's outputs
        id: deptrack
        uses: droid42/deptrackupload-github-action@v2
        with:
          serverUrl: 'https://<your-dep-track-host>/api/v1/bom'
          apiKey: ${{ secrets.DEPENDENCYTRACK_APIKEY }}
          bomFile: 'build/reports/bom.xml'
          projectName: ${{ github.repository }}
          projectVersion: ${{ github.ref_name }}
          autoCreate: true
      - name: StatusCode
        run: echo "Upload returned ${{ steps.deptrack.outputs.statusCode }}"

Please note that we use the GitHub context values ${{ github.repository }} and ${{ github.ref_name }} together with autoCreate=true, so that branches, pull requests and tags are analyzed as separate project versions without having to create the projects in Dependency Track beforehand.
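The same upload flow (API key from the environment, autoCreate, upload, then waiting for the analysis), as an added Python example that is neither the page's curl command nor the project's own GitHub Action. It uses the public Dependency-Track REST endpoints PUT /api/v1/bom (JSON body with a base64-encoded BOM) and GET /api/v1/bom/token/{token}; the server URL, project name and version on the usage line are constructed placeholders.

```python
import base64
import json
import os
import sys
import time
import urllib.request

def build_upload_payload(bom_bytes, project_name, project_version, auto_create=True):
    """JSON body for PUT /api/v1/bom: the BOM travels base64-encoded inside the document."""
    return {
        "projectName": project_name,
        "projectVersion": project_version,
        "autoCreate": auto_create,  # requires PROJECT_CREATION_UPLOAD on the key's team
        "bom": base64.b64encode(bom_bytes).decode("ascii"),
    }

def make_request(server_url, api_key, payload):
    """Build the PUT request; refuse to send the API key over plain http."""
    if not server_url.startswith("https://"):
        raise ValueError("X-Api-Key would travel in clear text; use an https server URL")
    return urllib.request.Request(
        server_url.rstrip("/") + "/api/v1/bom", data=json.dumps(payload).encode(),
        method="PUT", headers={"Content-Type": "application/json", "X-Api-Key": api_key})

def parse_upload_response(body):
    """A successful upload answers {"token": "<uuid>"}; the token tracks the analysis run."""
    data = json.loads(body)
    if "token" not in data:
        raise RuntimeError(f"upload did not return a token: {data!r}")
    return data["token"]

def wait_until_processed(server_url, api_key, token, timeout=300):
    """Poll GET /api/v1/bom/token/{token} until the server reports processing=false."""
    req = urllib.request.Request(f"{server_url.rstrip('/')}/api/v1/bom/token/{token}", headers={"X-Api-Key": api_key})
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        with urllib.request.urlopen(req, timeout=30) as resp:
            if not json.load(resp).get("processing", False):
                return True
        time.sleep(5)
    return False

if __name__ == "__main__":  # upload.py https://deptrack.example.org build/reports/bom.xml myproject 1.0.0
    url, bom_path, name, version = sys.argv[1:5]
    key = os.environ["DEPENDENCYTRACK_APIKEY"]  # read the key from the environment, never hardcode it
    with open(bom_path, "rb") as f:
        req = make_request(url, key, build_upload_payload(f.read(), name, version))
    with urllib.request.urlopen(req, timeout=60) as resp:
        token = parse_upload_response(resp.read())
    print("analysis finished" if wait_until_processed(url, key, token) else "timed out")
```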

Dashboard

After upload, the SBOM gets analyzed and the results are shown on the Dependency Track Dashboard.

Dependency Track Dashboard

The dashboard lists your projects with their versions and the current analysis results. The analysis is repeated periodically, whenever new vulnerability database updates are downloaded from the configured vulnerability sources, so findings appear for already uploaded SBOMs without a new upload.

Conclusion

It’s rather easy to get started with software supply chain security and gain some insight into your project dependencies, but it does not stop here.

If you are interested in how you can build your own custom GitHub Action, you should read our article Making of: Dependency Track Upload Github Action.
