Description
➹ New Feature implementation request
Is your feature request related to a problem?
The Dependency-Track hook tries to read the project name and version from the main component of the SBOM. This is a bit brittle and sometimes leads to very long names or inconvenient versions, especially combined with the Cloud AutoDiscovery, which normalizes the Docker images and always sets the digest.
Describe the solution you'd like
Similar to the DefectDojo hook, the Dependency-Track hook should optionally read the name and version from scan annotations. DefectDojo for example uses these annotations (among others):
defectdojo.securecodebox.io/product-name
defectdojo.securecodebox.io/product-tags
defectdojo.securecodebox.io/engagement-name
defectdojo.securecodebox.io/engagement-version
Similarly, the Dependency-Track hook should use:
dependencytrack.securecodebox.io/project-name
dependencytrack.securecodebox.io/project-version
Note the project instead of product, since that is the terminology Dependency-Track uses.
Describe alternatives you've considered
Additional context
Since the Cloud AutoDiscovery always removes the tag and sets a digest, all SBOMs that originate there get pushed to Dependency-Track with the digest as the version.
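The lookup this request describes, as an added example in JavaScript (the language the secureCodeBox hooks are written in); this is not the project's own hook code. It prefers the two proposed `dependencytrack.securecodebox.io/*` annotations and falls back to the SBOM's main component, and it treats a blank annotation as absent so that an empty value cannot wipe out the SBOM name. Assumptions not stated in the issue: the scan is a secureCodeBox Scan resource whose annotations live under `metadata.annotations`, the SBOM is CycloneDX JSON whose main component is `metadata.component`, and the sample scan and SBOM below are constructed.

```javascript
// Added example, not code from the secureCodeBox project: resolve the
// Dependency-Track project name and version for a scan, preferring the
// proposed scan annotations and falling back to the SBOM's main component.
//
// Assumptions (not stated in the issue): the scan object is a secureCodeBox
// Scan resource whose annotations live under metadata.annotations, and the
// SBOM is CycloneDX JSON whose main component is metadata.component.

const PROJECT_NAME_ANNOTATION = "dependencytrack.securecodebox.io/project-name";
const PROJECT_VERSION_ANNOTATION = "dependencytrack.securecodebox.io/project-version";

// Return a trimmed string, or undefined when the value is missing or blank,
// so that an empty annotation does not silently override the SBOM value.
function nonEmpty(value) {
  if (typeof value !== "string") return undefined;
  const trimmed = value.trim();
  return trimmed === "" ? undefined : trimmed;
}

// Pick name and version, recording where each came from so the hook can log it.
function resolveProjectIdentity(scan, sbom) {
  const annotations = scan?.metadata?.annotations ?? {};
  const mainComponent = sbom?.metadata?.component ?? {};

  const annotatedName = nonEmpty(annotations[PROJECT_NAME_ANNOTATION]);
  const annotatedVersion = nonEmpty(annotations[PROJECT_VERSION_ANNOTATION]);
  const sbomName = nonEmpty(mainComponent.name);
  const sbomVersion = nonEmpty(mainComponent.version);

  const name = annotatedName ?? sbomName;
  if (name === undefined) {
    throw new Error(
      `No project name: set the ${PROJECT_NAME_ANNOTATION} annotation or provide metadata.component.name in the SBOM`
    );
  }

  return {
    name,
    nameSource: annotatedName !== undefined ? "annotation" : "sbom",
    // A project without a version is still a valid upload target, so null is allowed here.
    version: annotatedVersion ?? sbomVersion ?? null,
    versionSource:
      annotatedVersion !== undefined ? "annotation" : sbomVersion !== undefined ? "sbom" : "none",
  };
}

// Constructed sample input: a scan for an image that Cloud AutoDiscovery
// normalised to a digest reference, carrying the annotations this issue proposes.
const SAMPLE_SCAN = {
  kind: "Scan",
  metadata: {
    name: "trivy-sbom-nginx",
    annotations: {
      [PROJECT_NAME_ANNOTATION]: "nginx",
      [PROJECT_VERSION_ANNOTATION]: "1.25.3",
    },
  },
};

// Constructed CycloneDX SBOM whose main component carries the normalised image
// name and the digest as version, which is exactly what the issue wants to avoid.
const SAMPLE_SBOM = {
  bomFormat: "CycloneDX",
  specVersion: "1.5",
  metadata: {
    component: {
      type: "container",
      name: "docker.io/library/nginx",
      version: "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
    },
  },
};

// The same scan without the annotations, to show the fallback path.
const UNANNOTATED_SCAN = { kind: "Scan", metadata: { name: "trivy-sbom-nginx", annotations: {} } };

console.log(resolveProjectIdentity(SAMPLE_SCAN, SAMPLE_SBOM));
console.log(resolveProjectIdentity(UNANNOTATED_SCAN, SAMPLE_SBOM));
```

Recording `nameSource` and `versionSource` is cheap and worth keeping: when a project shows up in Dependency-Track under a digest, the hook log then says whether the annotation was missing or whether the fallback was taken on purpose.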