Send SBOMs to Dependency-Track
Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Dependency-Track takes a unique and highly beneficial approach by leveraging the capabilities of Software Bill of Materials (SBOM).
Chainloop can be configured to automatically send any CycloneDX Software Bill Of Materials that has been received as part of an attestation to a Dependency-Track instance.
Once configured, any SBOM_CYCLONEDX_JSON piece of evidence received during the attestation process will be sent to Dependency-Track.
See below an example of a contract that includes a SBOM_CYCLONEDX_JSON material.
Configure Integration
There are two steps involved to enable this integration:
- Set up a Dependency-Track integration provider in your Chainloop account
- Attach this integration instance to your workflow
Prerequisites
Dependency-Track API Token
An API token is required for the Chainloop instance to communicate securely with Dependency-Track. The required permissions are BOM_UPLOAD, VIEW_PORTFOLIO (to validate that the provided project ID exists) and, optionally, PROJECT_CREATION_UPLOAD if project-auto-creation is enabled (more on that later).
The API key can be created by going to Settings -> Access Management -> Teams -> Select (or create) a Team -> Set permissions -> Copy API key.
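Before registering the key, you can confirm that it is able to look up the target project, which is what VIEW_PORTFOLIO is needed for. The following is an added example, not Chainloop's code: it calls Dependency-Track's GET /api/v1/project/{uuid} endpoint with the X-Api-Key header, and the instance URL, keys, project ID and in-memory fake instance are constructed so that it runs offline.

```go
package main

import "fmt"
import "net/http"

// checkProject looks the project up with the API key, the call that needs VIEW_PORTFOLIO.
func checkProject(c *http.Client, instanceURI, apiKey, projectID string) error {
	req, err := http.NewRequest(http.MethodGet, instanceURI+"/api/v1/project/"+projectID, nil)
	if err != nil {
		return err
	}
	req.Header.Set("X-Api-Key", apiKey)
	resp, err := c.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK:
		return nil
	case http.StatusUnauthorized:
		return fmt.Errorf("API key rejected by %s", instanceURI)
	case http.StatusForbidden:
		return fmt.Errorf("API key lacks VIEW_PORTFOLIO")
	case http.StatusNotFound:
		return fmt.Errorf("project %s does not exist", projectID)
	}
	return fmt.Errorf("unexpected status %d", resp.StatusCode)
}

// fakeDT is a constructed in-memory stand-in for an instance, so the demo runs offline.
type fakeDT struct{ fullKey, uploadOnlyKey, project string }

func (f fakeDT) RoundTrip(r *http.Request) (*http.Response, error) {
	status := http.StatusOK
	switch key := r.Header.Get("X-Api-Key"); {
	case key == f.uploadOnlyKey: // key whose team has BOM_UPLOAD only
		status = http.StatusForbidden
	case key != f.fullKey:
		status = http.StatusUnauthorized
	case r.URL.Path != "/api/v1/project/"+f.project:
		status = http.StatusNotFound
	}
	return &http.Response{StatusCode: status, Body: http.NoBody, Request: r}, nil
}

func main() {
	c := &http.Client{Transport: fakeDT{"full-key", "upload-only-key", "example-project-uuid"}}
	fmt.Println(checkProject(c, "https://dt.example.test", "upload-only-key", "example-project-uuid"))
}
```

Against a real instance, pass http.DefaultClient and the instance URI you intend to register.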
1 - Setup the integration in your Chainloop account
Let’s register an instance of Dependency-Track that later on can be attached to any of your workflows.
Navigate to the integrations section and click Add Registration.
We can see that there are two required inputs: apiKey and instanceURI. Provide those values and click on the Register button.
With the CLI, we’ll use the chainloop integration registered add command, but first let’s find out what the required inputs are using the available describe command.
We can see that there are two required inputs: apiKey and instanceURI.
Let’s go ahead and add an integration for an instance hosted at https://dependency-track.chainloop.dev that allows the auto-creation of projects. You’ll get a prompt to enter the API key.
2 - Attach the Integration to a Workflow
Once the integration is live, it can be attached to any workflow. In practice, that means that every workflow attestation that is received that contains a SBOM_CYCLONEDX_JSON material will be forwarded.
The same integration can be attached to multiple workflows.
Navigate to the workflow section and click on the Attach button.
During the attachment process, you can decide whether to send the SBOMs to a specific project (projectID) or create a new one defined by the provided projectName. For the latter to work, you need to make sure that the integration was set up with the --allow-project-auto-create option. Furthermore, you can request that the new project be created as a child of an existing one (parentID), which lets you group projects in Dependency-Track.
The attachment is done via the chainloop integration attached add command. But as we did before, let’s first find out what the required inputs are using the available describe command.
The workflowID can be found by running chainloop workflow list.
That’s all!
Next time Chainloop receives an attestation, its contained SBOMs will be uploaded to https://dependency-track.chainloop.dev to a project called example-project.
Dynamically set the project name
You can also use interpolation to calculate the Dependency-Track project name dynamically based on the annotations set in either the attestation or the materials.
For example, let’s say that you have the following contract
You can then use the {{ .Material.Annotations.Component }} or {{ .Attestation.Annotations.Asset }} templates during attachment, for example
this will send the SBOM to a project called project-controlplane or project-controlplane-oss respectively.
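To preview what a project-name template resolves to before attaching it, the sketch below renders it locally. It is an added example, not Chainloop's implementation: it assumes the placeholders follow Go text/template semantics, the annotation values are constructed to match the project names above, and the Missing key is hypothetical. With Go's default settings a missing annotation renders as the literal text <no value>, so the strict mode turns that into an error.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// scope and input mirror the two lookup paths used on this page:
// .Material.Annotations.<key> and .Attestation.Annotations.<key>.
type scope struct{ Annotations map[string]string }
type input struct{ Material, Attestation scope }

// renderProjectName renders a project-name template against the annotations.
// With strict set, a reference to a missing annotation is an error instead of
// being rendered as "<no value>" (Go's default for a missing map key).
func renderProjectName(tmpl string, in input, strict bool) (string, error) {
	t := template.New("projectName")
	if strict {
		t.Option("missingkey=error")
	}
	if _, err := t.Parse(tmpl); err != nil {
		return "", fmt.Errorf("invalid template: %w", err)
	}
	var out strings.Builder
	if err := t.Execute(&out, in); err != nil {
		return "", fmt.Errorf("cannot render project name: %w", err)
	}
	return out.String(), nil
}

// sampleInput holds constructed annotation values (assumed, not from a real contract).
func sampleInput() input {
	return input{
		Material:    scope{Annotations: map[string]string{"Component": "controlplane"}},
		Attestation: scope{Annotations: map[string]string{"Asset": "controlplane-oss"}},
	}
}

func main() {
	for _, tmpl := range []string{
		"project-{{ .Material.Annotations.Component }}",
		"project-{{ .Attestation.Annotations.Asset }}",
		"project-{{ .Material.Annotations.Missing }}", // hypothetical key, not set
	} {
		name, err := renderProjectName(tmpl, sampleInput(), true)
		fmt.Printf("%s -> %q (err: %v)\n", tmpl, name, err)
	}
}
```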