Skip to content

Read name and version for Dependecy-Track from scan annotations#2062

Merged
o1oo11oo merged 2 commits intosecureCodeBox:mainfrom
o1oo11oo:feat/dependency-track-annotations
Nov 7, 2023
Merged

Read name and version for Dependecy-Track from scan annotations#2062
o1oo11oo merged 2 commits intosecureCodeBox:mainfrom
o1oo11oo:feat/dependency-track-annotations

Conversation

@o1oo11oo
Copy link
Copy Markdown
Contributor

@o1oo11oo o1oo11oo commented Oct 20, 2023
edited
Loading

Description

Adds two possible scan annotations that the Dependency-Track hook checks to get the name and the version for matching/creating the project in Dependency-Track:

  • dependencytrack.securecodebox.io/project-name
  • dependencytrack.securecodebox.io/project-version

If the annotations are not available the name defaults to the docker image repository, the version defaults to the tag, digest and latest in that order.

This also configures the AWS Cloud AutoDiscovery to set the name and version as annotations for the SBOM scans it generates.

Closes #2061

Checklist

  • Test your changes as thoroughly as possible before you commit them. Preferably, automate your test by unit/integration tests.
  • Make sure that all your commits are signed-off and that you are added to the Contributors file.
  • Make sure that all CI finish successfully.
  • Optional (but appreciated): Make sure that all commits are Verified.

Lukas Fischer added 2 commits October 20, 2023 19:00
secureCodeBox#2061 Read name and version from scan annotations
16c77eb 
Instead of relying on the brittle docker image reference parsing, read
the project name and version for sending the SBOM to Dependency-Track
from annotations, simmilar to how other hooks (especially DefectDojo)
already do this. If the annotations are missing fall back to the regex.

The annotations use _project_ instead of _product_ because that is the
terminology Dependency-Track uses.

Signed-off-by: Lukas Fischer <lukas.fischer@iteratec.com>
secureCodeBox#2061 Set dependencytrack annotations for SBOMs
c100c5f 
Now that the Dependency-Track hook supports reading the project name and
version from scan annotations, set the name and version of the docker
image as annotations on the scan.

Signed-off-by: Lukas Fischer <lukas.fischer@iteratec.com>
@o1oo11oo o1oo11oo added enhancement New feature or request hook Implement or update a hook auto-discovery labels Oct 20, 2023
@o1oo11oo o1oo11oo self-assigned this Oct 20, 2023
@netlify
Copy link
Copy Markdown

netlify bot commented Oct 20, 2023
edited
Loading

Deploy Preview for docs-securecodebox canceled.

Name Link
🔨 Latest commit c100c5f
🔍 Latest deploy log https://app.netlify.com/sites/docs-securecodebox/deploys/6532b8ce2e519f0008f50b28

J12934
J12934 approved these changes Nov 7, 2023
View reviewed changes
Copy link
Copy Markdown
Member

@J12934 J12934 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wasn't able to test it myself, but this looks good 👍
would it be possible to also make this parsed image information available for the k8s container auto discovery? would probably be also be useful there and be good to have this consistent for both of our containery auto-discoveries?

@o1oo11oo o1oo11oo merged commit 8859d9e into secureCodeBox:main Nov 7, 2023
@o1oo11oo o1oo11oo deleted the feat/dependency-track-annotations branch November 7, 2023 12:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@J12934 J12934 J12934 approved these changes

Assignees

@o1oo11oo o1oo11oo

Labels

auto-discovery enhancement New feature or request hook Implement or update a hook

Projects

secureCodeBox
Archived in project

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Allow setting project name and version in annotations for Dependency-Track hook

2 participants

@o1oo11oo @J12934