Dependency track improvements (#48)

* add the ability to enrich sbom document with security scorecard score

* lint:

* fix logging

* fix depsdev + tests

* dependency track owner tagging

* Update components/consumers/dependency-track/main.go

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Update components/consumers/dependency-track/main_test.go

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Update components/consumers/dependency-track/main_test.go

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Update components/consumers/dependency-track/main_test.go

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Update components/consumers/dependency-track/main_test.go

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Update components/consumers/dependency-track/main.go

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Update components/consumers/dependency-track/main_test.go

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Update components/enrichers/depsdev/main_test.go

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Update components/enrichers/depsdev/main_test.go

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Update components/enrichers/depsdev/main_test.go

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Update components/enrichers/depsdev/main_test.go

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Update components/enrichers/depsdev/main_test.go

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Update components/enrichers/depsdev/main_test.go

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Update components/consumers/dependency-track/main_test.go

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Update components/consumers/dependency-track/main.go

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Update components/consumers/dependency-track/main_test.go

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Update components/consumers/dependency-track/main.go

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Update components/consumers/dependency-track/main.go

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Update components/consumers/dependency-track/main_test.go

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

components/consumers/dependency-track/README.md

@@ -2,8 +2,10 @@
 
 This producer imports SBOM results from Dracon producers into [owasp/dependency-track](https://owasp.org/www-project-dependency-track/). It ignores all other results as dependency-track does not do vulnerability management and Dracon does not have any VEX producers yet.
 
-You can use this producer to generate or keep up to date SBOMs for your projects. 
+You can use this consumer to generate or keep up to date SBOMs for your projects. 
 
+This consumer recognises the annotation from the codeowners enricher and will add a project tag with each username found in the codeowners annotations.
+The tag format is `Owner:<username>`
 
 ## Testing without Dracon
 

components/consumers/dependency-track/kustomization.yaml

@@ -33,6 +33,8 @@ patches:
                 value: $(params.consumer-dependency-track-token)
               - name: consumer-dependency-track-project-uuid
                 value: $(params.consumer-dependency-track-project-uuid)
+              - name: consumer-dependency-track-owner-annotation
+                value: $(params.consumer-dependency-track-owner-annotation)
         params:
           - name: consumer-dependency-track-api-url
             type: string
@@ -44,6 +46,9 @@ patches:
             type: string
           - name: consumer-dependency-track-project-uuid
             type: string
+          - name: consumer-dependency-track-owner-annotation
+            type: string
+            default: Owner
     target:
       kind: Pipeline
   # Add anchors to Task.

components/consumers/dependency-track/main.go

@@ -4,7 +4,9 @@ import (
 	"context"
 	"encoding/base64"
 	"flag"
+	"fmt"
 	"log"
+	"strings"
 
 	dtrack "github.com/DependencyTrack/client-go"
 	"github.com/google/uuid"
@@ -14,12 +16,13 @@ import (
 )
 
 var (
-	authURL        string
-	apiKey         string
-	projectName    string
-	projectVersion string
-	projectUUID    string
-	client         *dtrack.Client
+	authURL         string
+	apiKey          string
+	projectName     string
+	projectVersion  string
+	projectUUID     string
+	client          *dtrack.Client
+	ownerAnnotation string
 )
 
 func init() {
@@ -28,6 +31,7 @@ func init() {
 	flag.StringVar(&projectName, "projectName", "", "dependency track project name")
 	flag.StringVar(&projectUUID, "projectUUID", "", "dependency track project name")
 	flag.StringVar(&projectVersion, "projectVersion", "", "dependency track project version")
+	flag.StringVar(&ownerAnnotation, "ownerAnnotation", "", "if this consumer is in running after any enricher that adds ownership annotations, then provide the annotation-key for this enricher so it can tag owners as tags")
 	flag.Parse()
 }
 
@@ -66,25 +70,38 @@ func main() {
 func uploadBOMSFromEnriched(responses []*v1.EnrichedLaunchToolResponse) ([]string, error) {
 	var tokens []string
 	for _, res := range responses {
-		var bomIssue *v1.Issue
+		var bomIssue *v1.EnrichedIssue
 		for _, issue := range res.GetIssues() {
 			if issue.GetRawIssue().GetCycloneDXSBOM() != "" && bomIssue == nil {
-				bomIssue = issue.GetRawIssue()
-			} else if bomIssue != nil && *bomIssue.CycloneDXSBOM != "" {
-				log.Fatalf("Tool response for tool %s is malformed, we expected a single issue with an SBOM as part of the tool, got something else instead",
+				bomIssue = issue
+			} else if bomIssue != nil && bomIssue.GetRawIssue().GetCycloneDXSBOM() != "" {
+				log.Printf("Tool response for tool %s is malformed, we expected a single issue with an SBOM as part of the tool, got something else instead",
 					res.GetOriginalResults().GetToolName())
+				continue
 			}
 		}
-		cdxbom, err := cyclonedx.FromDracon(bomIssue)
+		cdxbom, err := cyclonedx.FromDracon(bomIssue.GetRawIssue())
 		if err != nil {
 			return tokens, err
 		}
-		token, err := uploadBOM(bomIssue.GetCycloneDXSBOM(), cdxbom.Metadata.Component.Version)
+		token, err := uploadBOM(bomIssue.GetRawIssue().GetCycloneDXSBOM(), cdxbom.Metadata.Component.Version)
 		if err != nil {
 			log.Fatal("could not upload bom to dependency track, err:", err)
 		}
 		log.Println("upload token is", token)
 		tokens = append(tokens, token)
+		if ownerAnnotation != "" {
+			log.Println("tagging owners")
+			owners := []string{}
+			for key, value := range bomIssue.Annotations {
+				if strings.Contains(key, ownerAnnotation) {
+					owners = append(owners, value)
+				}
+			}
+			if err := addOwnersTags(owners); err != nil {
+				log.Println("could not tag owners, err:", err)
+			}
+		}
 	}
 	return tokens, nil
 }
@@ -97,8 +114,9 @@ func uploadBOMsFromRaw(responses []*v1.LaunchToolResponse) ([]string, error) {
 			if *issue.CycloneDXSBOM != "" && bomIssue == nil {
 				bomIssue = issue
 			} else if bomIssue != nil && *bomIssue.CycloneDXSBOM != "" {
-				log.Fatalf("Tool response for tool %s is malformed, we expected a single issue with an SBOM as part of the tool, got multiple issues with sboms instead",
+				log.Printf("Tool response for tool %s is malformed, we expected a single issue with an SBOM as part of the tool, got multiple issues with sboms instead",
 					res.GetToolName())
+				continue
 			}
 		}
 		cdxbom, err := cyclonedx.FromDracon(bomIssue)
@@ -115,6 +133,30 @@ func uploadBOMsFromRaw(responses []*v1.LaunchToolResponse) ([]string, error) {
 	return tokens, nil
 }
 
+func addOwnersTags(owners []string) error {
+	// addOwnersTags expects a map of <ownerAnnotation>-<number>:<username> tagging owners
+	// it then adds to the projectUUID the owners in the following tag format: Owner:<username>
+	uuid := uuid.MustParse(projectUUID)
+	project, err := client.Project.Get(context.Background(), uuid)
+	if err != nil {
+		log.Println("could not add project tags error getting project by uuid, err:", err)
+		return err
+	}
+	for _, owner := range owners {
+		found := false
+		for _, t := range project.Tags {
+			if t.Name == fmt.Sprintf("%s:%s", ownerAnnotation, owner) {
+				found = true
+				break
+			}
+		}
+		if !found {
+			project.Tags = append(project.Tags, dtrack.Tag{Name: fmt.Sprintf("%s:%s", ownerAnnotation, owner)})
+		}
+	}
+	_, err = client.Project.Update(context.Background(), project)
+	return err
+}
 func uploadBOM(bom string, projectVersion string) (string, error) {
 	if projectVersion == "" {
 		projectVersion = "Unknown"