diff --git a/components/consumers/dependency-track/main.go b/components/consumers/dependency-track/main.go
index 3af761198..d282a3606 100644
--- a/components/consumers/dependency-track/main.go
+++ b/components/consumers/dependency-track/main.go
@@ -2,10 +2,13 @@ package main
 import (
 	"context"
+	"crypto/tls"
 	"encoding/base64"
 	"flag"
 	"fmt"
 	"log"
+	"log/slog"
+	"net/http"
 	"strings"
 	dtrack "github.com/DependencyTrack/client-go"
@@ -24,6 +27,8 @@ var (
 	projectUUID string
 	client *dtrack.Client
 	ownerAnnotation string
+	// used for debugging, turns off certificate and enables debug
+	insecure bool
 )
 func main() {
@@ -32,6 +37,7 @@ func main() {
 	flag.StringVar(&projectName, "projectName", "", "dependency track project name")
 	flag.StringVar(&projectUUID, "projectUUID", "", "dependency track project name")
 	flag.StringVar(&projectVersion, "projectVersion", "", "dependency track project version")
+	flag.BoolVar(&insecure, "insecure", false, "setup client with no tls and enable debug")
 	flag.StringVar(
 		&ownerAnnotation,
 		"ownerAnnotation",
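Review bot: The comment on the new `insecure` variable and the usage string of the `-insecure` flag in the following hunk both understate what the switch does: it does not turn TLS off, it disables server certificate verification (`InsecureSkipVerify`) and puts the Dependency-Track client into debug mode. Suggest `// insecure disables TLS certificate verification and enables client debug output; intended for local debugging only.` on the variable and `"skip TLS certificate verification and enable client debug output (local debugging only)"` as the flag description. Tying the two behaviours to one switch also means that anyone who wants debug output against a correctly certified instance has to give up verification to get it; two separate flags would be cleaner, though that is a design choice rather than a defect.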
@@ -47,11 +53,42 @@ func main()
 	if projectUUID == "" {
 		log.Fatal("project uuid is mandatory for dependency track")
 	}
+	if authURL == "" {
+		log.Fatal("auth url is mandatory for dependency track")
+	}
+	if apiKey == "" {
+		log.Fatal("api key is mandatory for dependency track")
+	}
+	if projectName == "" {
+		log.Fatal("project name is mandatory for dependency track")
+	}
+	if projectVersion == "" {
+		log.Fatal("project version is mandatory for dependency track")
+	}
+
 	c, err := dtrack.NewClient(authURL, dtrack.WithAPIKey(apiKey))
 	if err != nil {
 		log.Panicf("could not instantiate client err: %#v\n", err)
 	}
+
+	if insecure {
+		tr := &http.Transport{
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+		}
+		httpClient := &http.Client{Transport: tr}
+		cl, err := dtrack.NewClient(authURL, dtrack.WithHttpClient(httpClient), dtrack.WithDebug(true), dtrack.WithAPIKey(apiKey))
+		if err != nil {
+			log.Panicf("could not instantiate client err: %#v\n", err)
+		}
+		c = cl
+	}
+
 	client = c
+	abt, err := client.Metrics.LatestPortfolioMetrics(context.Background())
+	if err != nil {
+		log.Fatalf("cannot connect to Dependency Track at %s, err:'%v'", authURL, err)
+	}
+	slog.Info(fmt.Sprintf("Connection to DT successful, projects in instance: %d", abt.Projects))
 	if consumers.Raw {
 		responses, err := consumers.LoadToolResponse()
 		if err != nil {
@@ -164,6 +201,7 @@ func addOwnersTags(owners []string) error {
 }
 func uploadBOM(bom string, projectVersion string) (string, error) {
+	slog.Info(fmt.Sprintf("Uploading BOM to Dependency Track for project %s version %s", projectName, projectVersion))
 	if projectVersion == "" {
 		projectVersion = "Unknown"
 	}
@@ -172,6 +210,7 @@ func uploadBOM(bom string, projectVersion string) (string, error) {
 		ProjectName: projectName,
 		ProjectVersion: projectVersion,
 		ProjectUUID: &uuid,
+		AutoCreate: true,
 		BOM: base64.StdEncoding.EncodeToString([]byte(bom)),
 	})
 	return string(token), err
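Review bot: The `if insecure {` branch disables server certificate verification with `InsecureSkipVerify: true` and enables client debug output without recording either fact at runtime, so a deployment that leaves the flag on by mistake is indistinguishable in its logs from a correctly verified one. Log it loudly inside the branch, and because the client's debug mode presumably echoes request details, check whether it prints the `X-Api-Key` header before enabling it together with verbose output. The branch also builds a second client and discards the first; collecting the options in a slice (the option type is `dtrack.ClientOption` if the library exports it under that name) and calling `dtrack.NewClient` once, as sketched below, avoids that. Separately, `slog.Info(fmt.Sprintf(...))` here and in the `uploadBOM` hunk further down discards the structured fields; `slog.Info("connected to Dependency Track", "projects", abt.Projects)` keeps them queryable. main continues outside the hunk.
```go
opts := []dtrack.ClientOption{dtrack.WithAPIKey(apiKey)}
if insecure {
	// Loud by design: this must never pass unnoticed outside local debugging.
	slog.Warn("TLS certificate verification disabled and client debug output enabled by -insecure; for local debugging only")
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}
	opts = append(opts, dtrack.WithHttpClient(&http.Client{Transport: tr}), dtrack.WithDebug(true))
}
c, err := dtrack.NewClient(authURL, opts...)
if err != nil {
	log.Panicf("could not instantiate client err: %#v\n", err)
}
client = c
// … unchanged: connectivity check via LatestPortfolioMetrics and consumers.Raw handling …
```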
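Review bot: `AutoCreate: true` changes the consumer's failure mode from rejecting an unknown project to creating one, so a misspelled `-projectName` or `-projectVersion` now silently produces a new project holding the uploaded BOM instead of an error; with `ProjectUUID` also set, it is worth confirming which identifier Dependency-Track honours when the UUID and the name/version disagree. Auto-creation presumably also needs broader rights on the API key than a plain upload, so the key the task is provisioned with should be checked against that. A comment at the field would make the intent visible: `// AutoCreate: create the project/version on first upload instead of failing; presumably needs a key allowed to manage projects (verify).` uploadBOM starts before this hunk and its closing brace lies outside it.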
diff --git a/components/consumers/dependency-track/task.yaml b/components/consumers/dependency-track/task.yaml
index 92bf8786e..89433d988 100644
--- a/components/consumers/dependency-track/task.yaml
+++ b/components/consumers/dependency-track/task.yaml
@@ -8,6 +8,7 @@ metadata:
 spec:
   description: Pushes findings to a Dependency-Track instance.
   params:
+    # Warning: at the time of writing this api-url is for the port 8081
     - name: consumer-dependency-track-api-url
       type: string
     - name: consumer-dependency-track-project-name