diff --git a/.gitignore b/.gitignore
index 58924b5..016fd6d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,4 +3,5 @@ defs/
 */.venv/
 __pycache__/
 .*.swp
+tmp/
diff --git a/src/sbom-dt-dd.py b/src/sbom-dt-dd.py
index ab5131b..87b4d9d 100644
--- a/src/sbom-dt-dd.py
+++ b/src/sbom-dt-dd.py
@@ -44,6 +44,7 @@ def generateSBOM(target='.', name='dummyName', version='0.0.0'):
         logger.error(f"SBOM scanner failed: {e.stderr}")
         raise MyLocalException(e)
+# ---- main starts here with preparation of config -----------------------------------------------------------------------
 try:
     DTRACK_API_URL = os.environ["DTRACK_API_URL"]
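Review bot: The banner added after `raise MyLocalException(e)` announces that main starts here, but the hunk at -70 adds a second banner with the same words further down, so the file ends up with two "main starts here" markers. What follows this one is the environment lookup beginning with `DTRACK_API_URL = os.environ["DTRACK_API_URL"]`, so a name that says that reads better, e.g. `# ---- configuration from environment ----`. generateSBOM's body ends just above the insertion, and the `try:` block below it continues outside the hunk.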
@@ -70,37 +71,58 @@ parser.add_argument('--type', '-t', required=True)
 parser.add_argument('--classifier', '-c',
     help='Project Classifier from DependencyTrack',
-    choices=['APPLICATION', 'FRAMEWORK', 'LIBRARY', 'CONTAINER', 'OPERATING_SYSTEM', 'DEVICE', 'FIRMWARE', 'FILE', 'PLATFORM', 'DEVICE_DRIVER', 'MACHINE_LEARNING_MODEL', 'DATA'],
+    choices=['APPLICATION', 'FRAMEWORK', 'LIBRARY', 'CONTAINER', 'OPERATING_SYSTEM', 'DEVICE',
+             'FIRMWARE', 'FILE', 'PLATFORM', 'DEVICE_DRIVER', 'MACHINE_LEARNING_MODEL', 'DATA'],
     required=True)
+parser.add_argument('--uploadsbom', '-U',
+    help='Upload a already existing SBOM instead of generating it. Give the SBOM file at -F instead of a target',
+    required=False,
+    action='store_true',
+    default=False)
+parser.add_argument('--sbomfile', '-F',
+    help='Filename of existing SBOM file to upload, use together with -U, do not use together with -T',
+    required=False)
 parser.add_argument('--target', '-T',
     help='Target to scan, either path name for sources or docker image tag',
-    required=True)
+    required=False)
 args = parser.parse_args()
 projectName = args.name
 projectVersion = args.version
 projectDescription = args.description
 productType = args.type
 projectClassifier = args.classifier
-target = args.target
+
+uploadSbomFlag = args.uploadsbom
+if uploadSbomFlag:
+    sbomFileName = args.sbomfile
+else:
+    target = args.target
-logger.info(f"Generating SBOM for {target}")
-sbom = generateSBOM(target, projectName, projectVersion)
-logger.info("Done.")
+# ---- main starts here --------------------------------------------------------------------------------------------------
+
+if uploadSbomFlag:
+    # ------- read uploaded SBOM -------------
+    logger.info(f"Reading SBOM from file {sbomFileName}")
+    with open(sbomFileName, 'r') as sbomFile:
+        sbom = sbomFile.read()
+    logger.info("Done.")
+else:
+    # ------- generate SBOM ------------
+    logger.info(f"Generating SBOM for {target}")
+    sbomJson = generateSBOM(target, projectName, projectVersion)
+    sbom = json.dumps(sbomJson)
+    logger.info("Done.")
+
+# ------- create product and engagement in DefectDojo -------
 defectdojo_configuration = defectdojo_api.Configuration(
     host = DEFECTDOJO_URL
 )
 defectdojo_configuration.api_key['tokenAuth'] = DEFECTDOJO_TOKEN
 defectdojo_configuration.api_key_prefix['tokenAuth'] = 'Token'
-dependencytrack_configuration = dependencytrack_api.Configuration(
-    host = f"{DTRACK_API_URL}/api"
-)
-dependencytrack_configuration.debug = False
-dependencytrack_configuration.api_key['ApiKeyAuth'] = DTRACK_TOKEN
-
 with defectdojo_api.ApiClient(defectdojo_configuration) as defectdojo_api_client:
     print("Create product in DefectDojo")
     productName = f"{projectName}:{projectVersion}"
@@ -134,6 +156,14 @@ with defectdojo_api.ApiClient(defectdojo_configuration) as defectdojo_api_client
     engagement_id = engagement_response.id
     print(f"{engagement_id=}")
+
+# ------- create project in DependencyTrack, connect project to engagement in DefectDojo, upload SBOM --------
+dependencytrack_configuration = dependencytrack_api.Configuration(
+    host = f"{DTRACK_API_URL}/api"
+)
+dependencytrack_configuration.debug = False
+dependencytrack_configuration.api_key['ApiKeyAuth'] = DTRACK_TOKEN
+
 with dependencytrack_api.ApiClient(dependencytrack_configuration) as dependencytrack_api_client:
     project_response = \
         executeApiCall(
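Review bot: Nothing validates the flag combination after `args = parser.parse_args()` now that `--target` is `required=False` and `--sbomfile` is optional: `-U` without `-F` leaves `sbomFileName` as `None`, so `open(sbomFileName, 'r')` fails with a TypeError, and a run with neither `-U` nor `-T` passes `target=None` into `generateSBOM` instead of letting its `'.'` default apply. Checking both cases right after parsing with `parser.error(...)` turns them into a usage message before any DefectDojo or DependencyTrack client is built. On the upload path the file contents are never parsed — the hunk at -170 hands `sbom` to `upload_bom` exactly as read — so a `json.loads` at read time would reject a malformed file before the product, engagement and project have already been created remotely. The `--uploadsbom` help string also reads "Upload a already existing SBOM"; that should be "an already".
```python
args = parser.parse_args()
if args.uploadsbom and not args.sbomfile:
    parser.error('--sbomfile/-F is required together with --uploadsbom/-U')
if not args.uploadsbom and not args.target:
    parser.error('--target/-T is required unless --uploadsbom/-U is given')
# … unchanged: projectName … projectClassifier assignments …
```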
@@ -149,9 +179,12 @@ with dependencytrack_api.ApiClient(dependencytrack_configuration) as dependencyt
     print(f"{project_uuid=}")
     properties = [
-        { 'group_name': "integrations", 'property_name': "defectdojo.engagementId", 'property_value': str(engagement_id), 'property_type': "STRING" },
-        { 'group_name': "integrations", 'property_name': "defectdojo.doNotReactivate", 'property_value': "true", 'property_type': "BOOLEAN" },
-        { 'group_name': "integrations", 'property_name': "defectdojo.reimport", 'property_value': "true", 'property_type': "BOOLEAN" }
+        { 'group_name': "integrations", 'property_name': "defectdojo.engagementId",
+          'property_value': str(engagement_id), 'property_type': "STRING" },
+        { 'group_name': "integrations", 'property_name': "defectdojo.doNotReactivate",
+          'property_value': "true", 'property_type': "BOOLEAN" },
+        { 'group_name': "integrations", 'property_name': "defectdojo.reimport",
+          'property_value': "true", 'property_type': "BOOLEAN" }
     ]
     for property in properties:
         executeApiCall(
@@ -170,6 +203,6 @@ with dependencytrack_api.ApiClient(dependencytrack_configuration) as dependencyt
             dependencytrack_api.BomApi.upload_bom,
             None,
             None,
-            [ None, False, projectName, projectVersion, None, None, None, None, True, json.dumps(sbom) ]
+            [ None, False, projectName, projectVersion, None, None, None, None, True, sbom ]
         )
diff --git a/todo.md b/todo.md
index 24e0a80..c18b967 100644
--- a/todo.md
+++ b/todo.md
@@ -6,6 +6,6 @@
 - [ ] Trivy-Deployment in cluster shall be integrated with DefectDojo - Thomas O.
 - [ ] DefectDojo and/or DependencyTrack shall notify via mail in case of new vulnerabilities
- - [ ] add switch to glue logic to disable integrated SBOM generator and read externally
+ - [x] add switch to glue logic to disable integrated SBOM generator and read externally generated SBOM from file