secureCodeBox · o1oo11oo · Oct 5, 2023 · Aug 8, 2023 · Aug 8, 2023 · Aug 9, 2023
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -350,6 +350,7 @@ jobs:
           - ssh-scan
           - sslyze
           - trivy
+          - trivy-sbom
           - typo3scan
           - whatweb
           - wpscan
@@ -703,6 +704,7 @@ jobs:
           - generic-webhook
           - persistence-azure-monitor
           # - persistence-elastic # Fails on the CI due to insufficient cpu as mentioned in issue #1165
+          - persistence-dependencytrack
           - update-field-hook
           - finding-post-processing
           - notification

diff --git a/.github/workflows/release-build.yaml b/.github/workflows/release-build.yaml
@@ -223,6 +223,7 @@ jobs:
           - notification
           - persistence-elastic
           - persistence-defectdojo
+          - persistence-dependencytrack
           - persistence-azure-monitor
           - update-field-hook
     steps:
@@ -340,6 +341,7 @@ jobs:
           - sslyze
           - test-scan
           - trivy
+          - trivy-sbom
           - typo3scan
           - whatweb
           - wpscan

diff --git a/.github/workflows/scb-bot.yaml b/.github/workflows/scb-bot.yaml
@@ -38,6 +38,7 @@ jobs:
           - ssh-scan
           - sslyze
           - trivy
+          - trivy-sbom
           - typo3scan
           - whatweb
           - wpscan

diff --git a/hooks/persistence-dependencytrack/.helm-docs.gotmpl b/hooks/persistence-dependencytrack/.helm-docs.gotmpl
@@ -0,0 +1,60 @@
+{{- /*
+SPDX-FileCopyrightText: the secureCodeBox authors
+
+SPDX-License-Identifier: Apache-2.0
+*/ -}}
+
+{{- define "extra.docsSection" -}}
+---
+title: "Dependency-Track"
+category: "hook"
+type: "persistenceProvider"
+state: "developing"
+usecase: "Publishes all CycloneDX SBOMs to Dependency-Track."
+---
+{{- end }}
+
+{{- define "extra.dockerDeploymentSection" -}}
+## Supported Tags
+- `latest`  (represents the latest stable release build)
+- tagged releases, e.g. `3.0.0`, `2.9.0`, `2.8.0`, `2.7.0`
+{{- end }}
+
+{{- define "extra.chartAboutSection" -}}
+## What is "Persistence Dependency-Track" Hook about?
+The Dependency-Track persistenceProvider hook saves all generated CycloneDX SBOMs into the configured [OWASP Dependency-Track][dependencytrack.org] instance, other findings or SPDX SBOMs cannot be handled and are ignored.
+This allows automatically cataloging infrastructure to gain an overview over the used components and dependencies.
+To learn more about Dependency-Track visit [dependencytrack.org].
+
+To use the _secureCodeBox_ to generate SBOMs, you can use the [Trivy-SBOM scanner][trivy-sbom].
+{{- end }}
+
+{{- define "extra.scannerConfigurationSection" -}}{{- end }}
+
+{{- define "extra.chartConfigurationSection" -}}
+## Additional Chart Configurations
+
+Installing the Dependency-Track persistenceProvider hook will add a _ReadOnly Hook_ to your namespace.
+
+You need to provide the API key to connect to Dependency-Track as a [Kubernetes secret][k8ssecret].
+Check the [Dependency-Track documentation][dt-api-docs], to learn how to configure an API key.
+
+```bash
+kubectl create secret generic dependencytrack-credentials --from-literal="apikey=NoEs..."
+
+helm upgrade --install dt secureCodeBox/persistence-dependencytrack \
+    --set="dependencytrack.url=https://dependency-track-backend.default.svc"
+```
+
+SBOMs are imported for a project in Dependency-Track.
+To avoid configuring all of them by hand first and assigning projects to scans somehow, the hook automatically detects name and version from the scan and then creates Dependency-Track projects if they do not exist yet.
+This requires either the `PORTFOLIO_MANAGEMENT` or `PROJECT_CREATION_UPLOAD` permission for the API key which gets used by the hook (or rather for the team the key is defined for).
+
+{{- end }}
+
+{{- define "extra.scannerLinksSection" -}}
+[dependencytrack.org]: https://dependencytrack.org/
+[dt-api-docs]: https://docs.dependencytrack.org/integrations/rest-api/
+[k8ssecret]: https://kubernetes.io/docs/concepts/configuration/secret/
+[trivy-sbom]: https://www.securecodebox.io/docs/scanners/trivy-sbom
+{{- end }}
diff --git a/hooks/persistence-dependencytrack/.helmignore b/hooks/persistence-dependencytrack/.helmignore
@@ -0,0 +1,41 @@
+# SPDX-FileCopyrightText: the secureCodeBox authors
+#
+# SPDX-License-Identifier: Apache-2.0
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+# Node.js files
+node_modules/*
+package.json
+package-lock.json
+src/*
+config/*
+Dockerfile
+.dockerignore
+docs/*
+*.tar
+hook/*
+integration-tests/*
+examples/*
+coverage/*
+Makefile
diff --git a/hooks/persistence-dependencytrack/Chart.yaml b/hooks/persistence-dependencytrack/Chart.yaml
@@ -0,0 +1,29 @@
+# SPDX-FileCopyrightText: the secureCodeBox authors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: v2
+name: persistence-dependencytrack
+description: The dependencytrack persistence provider persists secureCodeBox CycloneDX SBOMs into Dependency-Track.
+
+type: application
+
+# version - gets automatically set to the secureCodeBox release version when the helm charts gets published
+version: "4.0.0"
+
+appVersion: "4.8.2"
+kubeVersion: ">=v1.11.0-0"
+
+keywords:
+  - security
+  - secureCodeBox
+  - hook
+  - dependencytrack
+  - owasp
+sources:
+  - https://github.com/secureCodeBox/secureCodeBox
+maintainers:
+  - name: iteratec GmbH
+    email: secureCodeBox@iteratec.com
+
+dependencies: []
diff --git a/hooks/persistence-dependencytrack/Makefile b/hooks/persistence-dependencytrack/Makefile
@@ -0,0 +1,10 @@
+#!/usr/bin/make -f
+#
+# SPDX-FileCopyrightText: the secureCodeBox authors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+include_guard = set
+hook = persistence-dependencytrack
+
+include ../../hooks.mk
diff --git a/hooks/persistence-dependencytrack/README.md b/hooks/persistence-dependencytrack/README.md
@@ -0,0 +1,106 @@
+---
+title: "Dependency-Track"
+category: "hook"
+type: "persistenceProvider"
+state: "developing"
+usecase: "Publishes all CycloneDX SBOMs to Dependency-Track."
+---
+
+<!--
+SPDX-FileCopyrightText: the secureCodeBox authors
+
+SPDX-License-Identifier: Apache-2.0
+-->
+<!--
+.: IMPORTANT! :.
+--------------------------
+This file is generated automatically with `helm-docs` based on the following template files:
+- ./.helm-docs/templates.gotmpl (general template data for all charts)
+- ./chart-folder/.helm-docs.gotmpl (chart specific template data)
+
+Please be aware of that and apply your changes only within those template files instead of this file.
+Otherwise your changes will be reverted/overwritten automatically due to the build process `./.github/workflows/helm-docs.yaml`
+--------------------------
+-->
+
+<p align="center">
+  <a href="https://opensource.org/licenses/Apache-2.0"><img alt="License Apache-2.0" src="https://img.shields.io/badge/License-Apache%202.0-blue.svg"/></a>
+  <a href="https://github.com/secureCodeBox/secureCodeBox/releases/latest"><img alt="GitHub release (latest SemVer)" src="https://img.shields.io/github/v/release/secureCodeBox/secureCodeBox?sort=semver"/></a>
+  <a href="https://owasp.org/www-project-securecodebox/"><img alt="OWASP Lab Project" src="https://img.shields.io/badge/OWASP-Lab%20Project-yellow"/></a>
+  <a href="https://artifacthub.io/packages/search?repo=securecodebox"><img alt="Artifact HUB" src="https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/securecodebox"/></a>
+  <a href="https://github.com/secureCodeBox/secureCodeBox/"><img alt="GitHub Repo stars" src="https://img.shields.io/github/stars/secureCodeBox/secureCodeBox?logo=GitHub"/></a>
+  <a href="https://twitter.com/securecodebox"><img alt="Twitter Follower" src="https://img.shields.io/twitter/follow/securecodebox?style=flat&color=blue&logo=twitter"/></a>
+</p>
+
+## What is "Persistence Dependency-Track" Hook about?
+The Dependency-Track persistenceProvider hook saves all generated CycloneDX SBOMs into the configured [OWASP Dependency-Track][dependencytrack.org] instance, other findings or SPDX SBOMs cannot be handled and are ignored.
+This allows automatically cataloging infrastructure to gain an overview over the used components and dependencies.
+To learn more about Dependency-Track visit [dependencytrack.org].
+
+To use the _secureCodeBox_ to generate SBOMs, you can use the [Trivy-SBOM scanner][trivy-sbom].
+
+## Deployment
+The persistence-dependencytrack chart can be deployed via helm:
+
+```bash
+# Install HelmChart (use -n to configure another namespace)
+helm upgrade --install persistence-dependencytrack secureCodeBox/persistence-dependencytrack
+```
+
+## Requirements
+
+Kubernetes: `>=v1.11.0-0`
+
+## Additional Chart Configurations
+
+Installing the Dependency-Track persistenceProvider hook will add a _ReadOnly Hook_ to your namespace.
+
+You need to provide the API key to connect to Dependency-Track as a [Kubernetes secret][k8ssecret].
+Check the [Dependency-Track documentation][dt-api-docs], to learn how to configure an API key.
+
+```bash
+kubectl create secret generic dependencytrack-credentials --from-literal="apikey=NoEs..."
+
+helm upgrade --install dt secureCodeBox/persistence-dependencytrack \
+    --set="dependencytrack.url=https://dependency-track-backend.default.svc"
+```
+
+SBOMs are imported for a project in Dependency-Track.
+To avoid configuring all of them by hand first and assigning projects to scans somehow, the hook automatically detects name and version from the scan and then creates Dependency-Track projects if they do not exist yet.
+This requires either the `PORTFOLIO_MANAGEMENT` or `PROJECT_CREATION_UPLOAD` permission for the API key which gets used by the hook (or rather for the team the key is defined for).
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| dependencytrack.authentication | object | `{"apiKeyKey":"apikey","userSecret":"dependencytrack-credentials"}` | Authentication information. Dependency-Track expects an API key, which can be generated for a team (see: https://docs.dependencytrack.org/integrations/rest-api/). The hook automatically creates missing projects, for that either the PORTFOLIO_MANAGEMENT or PROJECT_CREATION_UPLOAD permission is required. |
+| dependencytrack.authentication.apiKeyKey | string | `"apikey"` | Name of the apikey key in the `userSecret` secret. |
+| dependencytrack.authentication.userSecret | string | `"dependencytrack-credentials"` | Link a pre-existing generic secret with `apikey` key / value pair |
+| dependencytrack.url | string | `"http://dependency-track-backend.default.svc"` | Url to the Dependency-Track instance, make sure to use the backend url |
+| hook.affinity | object | `{}` | Optional affinity settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) |
+| hook.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images |
+| hook.image.repository | string | `"docker.io/securecodebox/hook-persistence-dependencytrack"` | Hook image repository |
+| hook.image.tag | string | defaults to the charts version | Container image tag |
+| hook.labels | object | `{}` | Add Kubernetes Labels to the hook definition |
+| hook.priority | int | `0` | Hook priority. Higher priority Hooks are guaranteed to execute before low priority Hooks. |
+| hook.resources | object | { requests: { cpu: "200m", memory: "100Mi" }, limits: { cpu: "400m", memory: "200Mi" } } | Optional resources lets you control resource limits and requests for the hook container. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
+| hook.tolerations | list | `[]` | Optional tolerations settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
+| hook.ttlSecondsAfterFinished | string | `nil` | Seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
+| imagePullSecrets | list | `[]` | Define imagePullSecrets when a private registry is used (see: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) |
+
+## License
+[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
+
+Code of secureCodeBox is licensed under the [Apache License 2.0][scb-license].
+
+[scb-owasp]: https://www.owasp.org/index.php/OWASP_secureCodeBox
+[scb-docs]: https://www.securecodebox.io/
+[scb-site]: https://www.securecodebox.io/
+[scb-github]: https://github.com/secureCodeBox/
+[scb-twitter]: https://twitter.com/secureCodeBox
+[scb-slack]: https://join.slack.com/t/securecodebox/shared_invite/enQtNDU3MTUyOTM0NTMwLTBjOWRjNjVkNGEyMjQ0ZGMyNDdlYTQxYWQ4MzNiNGY3MDMxNThkZjJmMzY2NDRhMTk3ZWM3OWFkYmY1YzUxNTU
+[scb-license]: https://github.com/secureCodeBox/secureCodeBox/blob/master/LICENSE
+[dependencytrack.org]: https://dependencytrack.org/
+[dt-api-docs]: https://docs.dependencytrack.org/integrations/rest-api/
+[k8ssecret]: https://kubernetes.io/docs/concepts/configuration/secret/
+[trivy-sbom]: https://www.securecodebox.io/docs/scanners/trivy-sbom
diff --git a/hooks/persistence-dependencytrack/hook/Dockerfile b/hooks/persistence-dependencytrack/hook/Dockerfile
@@ -0,0 +1,15 @@
+# SPDX-FileCopyrightText: the secureCodeBox authors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+ARG namespace
+ARG baseImageTag
+FROM node:18-alpine as build
+RUN mkdir -p /home/app
+WORKDIR /home/app
+COPY package.json package-lock.json ./
+RUN npm ci --production
+
+FROM ${namespace:-securecodebox}/hook-sdk-nodejs:${baseImageTag:-latest}
+WORKDIR /home/app/hook-wrapper/hook/
+COPY --chown=app:app ./hook.js ./hook.js
-Original file line number
+Diff line change
@@ Expand Up / @@ -38,6 +38,7 @@ jobs: @@
               - ssh-scan
               - sslyze
               - trivy
+              - trivy-sbom
               - typo3scan
               - whatweb
               - wpscan
@@ Expand Down @@