add parameter checking and debugging to dt consumer

smithy-security · Aug 25, 2024 · 0cad06d · 0cad06d
1 parent 9111d22
commit 0cad06d
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 0 deletions.
diff --git a/components/consumers/dependency-track/main.go b/components/consumers/dependency-track/main.go
@@ -2,10 +2,13 @@ package main
 
 import (
 	"context"
+	"crypto/tls"
 	"encoding/base64"
 	"flag"
 	"fmt"
 	"log"
+	"log/slog"
+	"net/http"
 	"strings"
 
 	dtrack "github.com/DependencyTrack/client-go"
@@ -24,6 +27,8 @@ var (
 	projectUUID     string
 	client          *dtrack.Client
 	ownerAnnotation string
+	// used for debugging, turns off certificate and enables debug
+	insecure bool
 )
 
 func main() {
@@ -32,6 +37,7 @@ func main() {
 	flag.StringVar(&projectName, "projectName", "", "dependency track project name")
 	flag.StringVar(&projectUUID, "projectUUID", "", "dependency track project name")
 	flag.StringVar(&projectVersion, "projectVersion", "", "dependency track project version")
+	flag.BoolVar(&insecure, "insecure", false, "setup client with no tls and enable debug")
 	flag.StringVar(
 		&ownerAnnotation,
 		"ownerAnnotation",
@@ -47,11 +53,42 @@ func main() {
 	if projectUUID == "" {
 		log.Fatal("project uuid is mandatory for dependency track")
 	}
+	if authURL == "" {
+		log.Fatal("auth url is mandatory for dependency track")
+	}
+	if apiKey == "" {
+		log.Fatal("api key is mandatory for dependency track")
+	}
+	if projectName == "" {
+		log.Fatal("project name is mandatory for dependency track")
+	}
+	if projectVersion == "" {
+		log.Fatal("project version is mandatory for dependency track")
+	}
+
 	c, err := dtrack.NewClient(authURL, dtrack.WithAPIKey(apiKey))
 	if err != nil {
 		log.Panicf("could not instantiate client err: %#v\n", err)
 	}
+
+	if insecure {
+		tr := &http.Transport{
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+		}
+		httpClient := &http.Client{Transport: tr}
+		cl, err := dtrack.NewClient(authURL, dtrack.WithHttpClient(httpClient), dtrack.WithDebug(true), dtrack.WithAPIKey(apiKey))
+		if err != nil {
+			log.Panicf("could not instantiate client err: %#v\n", err)
+		}
+		c = cl
+	}
+
 	client = c
+	abt, err := client.Metrics.LatestPortfolioMetrics(context.Background())
+	if err != nil {
+		log.Fatalf("cannot connect to Dependency Track at %s, err:'%v'", authURL, err)
+	}
+	slog.Info(fmt.Sprintf("Connection to DT successful, projects in instance: %d", abt.Projects))
 	if consumers.Raw {
 		responses, err := consumers.LoadToolResponse()
 		if err != nil {
@@ -164,6 +201,7 @@ func addOwnersTags(owners []string) error {
 }
 
 func uploadBOM(bom string, projectVersion string) (string, error) {
+	slog.Info(fmt.Sprintf("Uploading BOM to Dependency Track for project %s version %s", projectName, projectVersion))
 	if projectVersion == "" {
 		projectVersion = "Unknown"
 	}
@@ -172,6 +210,7 @@ func uploadBOM(bom string, projectVersion string) (string, error) {
 		ProjectName:    projectName,
 		ProjectVersion: projectVersion,
 		ProjectUUID:    &uuid,
+		AutoCreate:     true,
 		BOM:            base64.StdEncoding.EncodeToString([]byte(bom)),
 	})
 	return string(token), err

diff --git a/components/consumers/dependency-track/task.yaml b/components/consumers/dependency-track/task.yaml
@@ -8,6 +8,7 @@ metadata:
 spec:
   description: Pushes findings to a Dependency-Track instance.
   params:
+    # Warning: at the time of writing this api-url is for the port 8081
     - name: consumer-dependency-track-api-url
       type: string
     - name: consumer-dependency-track-project-name