add sbom upload option

2025-05-21 15:56:16 +02:00
parent 8d56fcf7c2
commit 035da3fdca
3 changed files with 51 additions and 17 deletions
--- a/.gitignore
+++ b/.gitignore
@ -3,4 +3,5 @@ defs/
 */.venv/
 __pycache__/
 .*.swp
+tmp/

--- a/src/sbom-dt-dd.py
+++ b/src/sbom-dt-dd.py
@ -44,6 +44,7 @@ def generateSBOM(target='.', name='dummyName', version='0.0.0'):
        logger.error(f"SBOM scanner failed: {e.stderr}")
        raise MyLocalException(e)

+# ---- main starts here with preparation of config -----------------------------------------------------------------------

 try:
    DTRACK_API_URL = os.environ["DTRACK_API_URL"]
@ -70,37 +71,58 @@ parser.add_argument('--type', '-t',
                    required=True)
 parser.add_argument('--classifier', '-c',
                    help='Project Classifier from DependencyTrack',
-                    choices=['APPLICATION', 'FRAMEWORK', 'LIBRARY', 'CONTAINER', 'OPERATING_SYSTEM', 'DEVICE', 'FIRMWARE', 'FILE', 'PLATFORM', 'DEVICE_DRIVER', 'MACHINE_LEARNING_MODEL', 'DATA'],
+                    choices=['APPLICATION', 'FRAMEWORK', 'LIBRARY', 'CONTAINER', 'OPERATING_SYSTEM', 'DEVICE', 
+                             'FIRMWARE', 'FILE', 'PLATFORM', 'DEVICE_DRIVER', 'MACHINE_LEARNING_MODEL', 'DATA'],
                    required=True)
+parser.add_argument('--uploadsbom', '-U',
+                    help='Upload a already existing SBOM instead of generating it. Give the SBOM file at -F instead of a target',
+                    required=False,
+                    action='store_true',
+                    default=False)
+parser.add_argument('--sbomfile', '-F',
+                    help='Filename of existing SBOM file to upload, use together with -U, do not use together with -T',
+                    required=False)
 parser.add_argument('--target', '-T',
                    help='Target to scan, either path name for sources or docker image tag',
-                    required=True)
+                    required=False)
 args = parser.parse_args()
 projectName = args.name
 projectVersion = args.version
 projectDescription = args.description
 productType = args.type
 projectClassifier = args.classifier
-target = args.target
+
+uploadSbomFlag = args.uploadsbom
+if uploadSbomFlag:
+    sbomFileName = args.sbomfile
+else:
+    target = args.target


-logger.info(f"Generating SBOM for {target}")
-sbom = generateSBOM(target, projectName, projectVersion)
-logger.info("Done.")
+# ---- main starts here --------------------------------------------------------------------------------------------------
+
+if uploadSbomFlag:
+    # ------- read uploaded SBOM -------------
+    logger.info(f"Reading SBOM from file {sbomFileName}")
+    with open(sbomFileName, 'r') as sbomFile:
+        sbom = sbomFile.read()
+    logger.info("Done.")
+else:
+    # ------- generate SBOM ------------
+    logger.info(f"Generating SBOM for {target}")
+    sbomJson = generateSBOM(target, projectName, projectVersion)
+    sbom = json.dumps(sbomJson)
+    logger.info("Done.")


+
+# ------- create product and engagement in DefectDojo -------
 defectdojo_configuration = defectdojo_api.Configuration(
    host = DEFECTDOJO_URL
 )
 defectdojo_configuration.api_key['tokenAuth'] = DEFECTDOJO_TOKEN
 defectdojo_configuration.api_key_prefix['tokenAuth'] = 'Token'

-dependencytrack_configuration = dependencytrack_api.Configuration(
-    host = f"{DTRACK_API_URL}/api"
-)
-dependencytrack_configuration.debug = False
-dependencytrack_configuration.api_key['ApiKeyAuth'] = DTRACK_TOKEN
-
 with defectdojo_api.ApiClient(defectdojo_configuration) as defectdojo_api_client:
    print("Create product in DefectDojo")
    productName = f"{projectName}:{projectVersion}"
@ -134,6 +156,14 @@ with defectdojo_api.ApiClient(defectdojo_configuration) as defectdojo_api_client
    engagement_id = engagement_response.id
    print(f"{engagement_id=}")

+
+# ------- create project in DependencyTrack, connect project to engagement in DefectDojo, upload SBOM --------
+dependencytrack_configuration = dependencytrack_api.Configuration(
+    host = f"{DTRACK_API_URL}/api"
+)
+dependencytrack_configuration.debug = False
+dependencytrack_configuration.api_key['ApiKeyAuth'] = DTRACK_TOKEN
+
 with dependencytrack_api.ApiClient(dependencytrack_configuration) as dependencytrack_api_client:
    project_response = \
        executeApiCall(
@ -149,9 +179,12 @@ with dependencytrack_api.ApiClient(dependencytrack_configuration) as dependencyt
    print(f"{project_uuid=}")

    properties = [
-        { 'group_name': "integrations", 'property_name': "defectdojo.engagementId", 'property_value': str(engagement_id), 'property_type': "STRING" },
-        { 'group_name': "integrations", 'property_name': "defectdojo.doNotReactivate", 'property_value': "true", 'property_type': "BOOLEAN" },
-        { 'group_name': "integrations", 'property_name': "defectdojo.reimport", 'property_value': "true", 'property_type': "BOOLEAN" }
+        { 'group_name': "integrations", 'property_name': "defectdojo.engagementId", 
+          'property_value': str(engagement_id), 'property_type': "STRING" },
+        { 'group_name': "integrations", 'property_name': "defectdojo.doNotReactivate", 
+          'property_value': "true", 'property_type': "BOOLEAN" },
+        { 'group_name': "integrations", 'property_name': "defectdojo.reimport", 
+          'property_value': "true", 'property_type': "BOOLEAN" }
    ]
    for property in properties:
        executeApiCall(
@ -170,6 +203,6 @@ with dependencytrack_api.ApiClient(dependencytrack_configuration) as dependencyt
            dependencytrack_api.BomApi.upload_bom,
            None,
            None,
-            [ None, False, projectName, projectVersion, None, None, None, None, True, json.dumps(sbom) ]
+            [ None, False, projectName, projectVersion, None, None, None, None, True, sbom ]
        )

--- a/todo.md
+++ b/todo.md
@ -6,6 +6,6 @@
    - [ ] Trivy-Deployment in cluster shall be integrated with DefectDojo
  - Thomas O.
    - [ ] DefectDojo and/or DependencyTrack shall notify via mail in case of new vulnerabilities
-    - [ ] add switch to glue logic to disable integrated SBOM generator and read externally
+    - [x] add switch to glue logic to disable integrated SBOM generator and read externally
      generated SBOM from file