Wolfgang Hottgenroth bd92d8eb87
drop plantuml snippet
2025-07-09 08:43:37 +02:00

DependencyTrack and DefectDojo Automation

Using

Distribution

The glue logic comes in a docker image and can be started as a docker container. This approach has been chosen because of the dependencies, especially the ones related to the APIs of DependencyTrack and DefectDojo.

The image is available at

quay.io/wollud1969/dtrack-defectdojo-automation

and at

devnexus.krohne.com:18079/repository/docker-krohne/dtrack-defectdojo-automation

The tag to be used at the moment is 1.0.5.

Start script

On Linux I have created two files to start the beast:

env-sbom-dt-dd

DTRACK_API_URL=https://dtrack-api-rd.krohne.com
DEFECTDOJO_URL=https://defectdojo-rd.krohne.com
DTRACK_TOKEN=...
DEFECTDOJO_TOKEN=...

The correct values for the tokens must be set here, obviously.

sbom-dd-dt.sh

#!/bin/bash
# Run the glue-logic container: the current directory is mounted at /work,
# the tokens come from the env file, and all arguments are passed through
# to the entrypoint script.
docker run -t -v "$PWD:/work" --rm --env-file ~/env-sbom-dt-dd devnexus.krohne.com:18079/repository/docker-krohne/dtrack-defectdojo-automation:1.0.5 "$@"

I keep both files directly in my home directory.

File locations

When using the container and the script, you must consider that the container does not have full access to your filesystem; you need to mount the required parts of your filesystem into the container. In the above script I do this with the option -v $PWD:/work. This option mounts the current directory (the one from which you start the script and thus the container) onto the directory /work inside the container.

This is required when scanning a directory or uploading a prepared SBOM file.

Options of the container/script

The container has the glue logic script as entrypoint. To find out about the options, call

dehottgw@DE01RDDEV01:~$ docker run -t -v $PWD:/work --rm --env-file ~/env-sbom-dt-dd devnexus.krohne.com:18079/repository/docker-krohne/dtrack-defectdojo-automation:1.0.5 -- -h
usage: sbom-dt-dd.py [-h] --name NAME --version VERSION --description DESCRIPTION --type TYPE --classifier
                     {APPLICATION,FRAMEWORK,LIBRARY,CONTAINER,OPERATING_SYSTEM,DEVICE,FIRMWARE,FILE,PLATFORM,DEVICE_DRIVER,MACHINE_LEARNING_MODEL,DATA}
                     [--uploadsbom] [--sbomfile SBOMFILE] [--target TARGET] [--verbose]
sbom-dt-dd.py: error: the following arguments are required: --name/-n, --version/-v, --description/-d, --type/-t, --classifier/-c
dehottgw@DE01RDDEV01:~$ 

Note the double dash at the end of the command line before the -h. It is necessary; otherwise the -h would be treated as an option of the docker command itself.

SBOM upload example

For this example I have a file combined-sbom.json in the directory software1:

cd software1/
~/sbom-dt-dd.sh --name software1-server --version 0.0.1 --description "Server software for the Software1 platform" --type 1 --classifier APPLICATION --uploadsbom --sbomfile /work/combined-sbom.json -V

Building

Python Client Packages for the DependencyTrack and DefectDojo API

Download the OpenAPI definitions

curl https://dtrack-api.hottis.de/api/openapi.json \
  > dependencytrack-openapi.json
curl https://defectdojo.hottis.de/api/v2/oa3/schema/?format=json \
  > defectdojo-openapi.json

Naive Generation of the Client Package for DefectDojo

docker run \
  -it \
  --rm \
  -v $PWD:/work \
  -u $UID \
  openapitools/openapi-generator-cli:v7.12.0 \
  generate \
    -i /work/defectdojo-openapi.json \
    -g python \
    -o /work/defectdojo-client \
    --package-name defectdojo_api

For DefectDojo the naive code generation works.

Naive Generation of the Client Package for DependencyTrack

docker run \
  -it \
  --rm \
  -v $PWD:/work \
  -u $UID \
  openapitools/openapi-generator-cli:v7.12.0 \
  generate \
    -i /work/dependencytrack-openapi.json \
    -g python \
    -o /work/dependencytrack-client \
    --package-name dependencytrack_api

Fixed Generation of the Client Package for DependencyTrack

The OpenAPI definition of DependencyTrack uses a regex which Python's default regex module re does not understand, and re is hardwired into the code produced by openapi-generator. So it is necessary to adjust the code generation template to use the extended regex module regex instead of the default one.

For this purpose, the template must be exported:

docker run \
  --rm \
  -v $PWD:/work \
  openapitools/openapi-generator-cli:v7.12.0 \
  author \
    template \
    -g python \
    -o /work/dependencytrack-custom-templates

Now, within dependencytrack-custom-templates, both files model_anyof.mustache and model_generic.mustache must be fixed. Replace

import re

at the top of each file with

import regex as re

Now run the generator using the adjusted template:

docker run \
  -it \
  --rm \
  -v $PWD:/work \
  -u $UID \
  openapitools/openapi-generator-cli:v7.12.0 \
  generate \
    -i /work/dependencytrack-openapi.json \
    -g python \
    -o /work/dependencytrack-client \
    --package-name dependencytrack_api \
    -t /work/dependencytrack-custom-templates

Make sure the module regex is installed in the environment in which the client will run.
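The template export, fix and regeneration steps above, put together as a script. This is an added example and not part of the original README; it assumes dependencytrack-openapi.json is in the current directory, and it adds -u $UID to the export step so the exported templates are writable by the current user. The replacement is anchored to the whole line so that running the patch twice does not corrupt an already patched import.

```shell
#!/bin/bash
# Added example: patch the exported openapi-generator python templates so the
# generated models import the extended "regex" module, then regenerate the
# DependencyTrack client.
set -euo pipefail

# Replace the "import re" line in the two affected templates with
# "import regex as re". The pattern is anchored to the whole line so that a
# second run does not turn the patched line into "import regex as regex as re";
# a file without the line is reported and makes the function fail.
patch_templates() {
    local dir="$1" f rc=0
    for f in model_anyof.mustache model_generic.mustache; do
        if grep -q '^import regex as re$' "$dir/$f"; then
            echo "$f: already patched"
        elif grep -q '^import re$' "$dir/$f"; then
            sed -i 's/^import re$/import regex as re/' "$dir/$f"
            echo "$f: patched"
        else
            echo "$f: no 'import re' line found" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Export the templates, patch them and generate the client, mirroring the
# docker invocations above (-u "$UID" added to the export, an assumption, so
# the files are owned by the current user and sed -i can write them).
generate_dtrack_client() {
    local gen=openapitools/openapi-generator-cli:v7.12.0
    docker run --rm -v "$PWD:/work" -u "$UID" "$gen" \
        author template -g python -o /work/dependencytrack-custom-templates
    patch_templates "$PWD/dependencytrack-custom-templates"
    docker run --rm -v "$PWD:/work" -u "$UID" "$gen" \
        generate -i /work/dependencytrack-openapi.json -g python \
        -o /work/dependencytrack-client --package-name dependencytrack_api \
        -t /work/dependencytrack-custom-templates
}
```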