wn/dtrack-defectdojo-automation
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
67bab6710c73670b764f322d053331ec2a1a87e2
dtrack-defectdojo-automation/readme.md
Wolfgang Hottgenroth 67bab6710c
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Details
documentation
2025-06-20 10:38:12 +02:00

189 lines
5.1 KiB
Markdown
Raw Blame History

# DependencyTrack and DefectDojo Automation
## Using
### Distribution
The glue logic comes in a docker image and can be started as a docker container. Due to the dependencies, especially the ones related to the
APIs of DependencyTrack and DefectDojo this approach has been chosen.
The image is available at
```
quay.io/wollud1969/dtrack-defectdojo-automation
```
and at
```
devnexus.krohne.com:18079/repository/docker-krohne/dtrack-defectdojo-automation
```
The tag to be used at the moment is `1.0.5`.
### Start script
On Linux I've created two files to start the beast:
env-sbom-dd-dt
```
DTRACK_API_URL=https://dtrack-api-rd.krohne.com
DEFECTDOJO_URL=https://defectdojo-rd.krohne.com
DTRACK_TOKEN=...
DEFECTDOJO_TOKEN=...
```
The correct values for the tokens must be set here, obviously.
sbom-dd-dt.sh
```
#!/bin/bash
docker run -t -v $PWD:/work --rm --env-file ~/env-sbom-dt-dd devnexus.krohne.com:18079/repository/docker-krohne/dtrack-defectdojo-automation:1.0.5 "$@"
```
I've both files directly in my home-dir.
### File locations
When using the container and the script, you must consider that the container has no full access to your filesystem and you need to mount required parts of your filesystem into the container. In the above script I do this with the option `-v $PWD:/work`. This option mounts the current directory (the one from where you are starting the script and thus the container) into the directory `/work` within the container.
This is required when scanning a directory or uploading a prepared SBOM file.
### Options of the container/script
The container has the glue logic script as entrypoint. To find out about the options, call
```
dehottgw@DE01RDDEV01:~$ docker run -t -v $PWD:/work --rm --env-file ~/env-sbom-dt-dd devnexus.krohne.com:18079/repository/docker-krohne/dtrack-defectdojo-automation:1.0.5 -- -h
usage: sbom-dt-dd.py [-h] --name NAME --version VERSION --description DESCRIPTION --type TYPE --classifier
{APPLICATION,FRAMEWORK,LIBRARY,CONTAINER,OPERATING_SYSTEM,DEVICE,FIRMWARE,FILE,PLATFORM,DEVICE_DRIVER,MACHINE_LEARNING_MODEL,DATA}
[--uploadsbom] [--sbomfile SBOMFILE] [--target TARGET] [--verbose]
sbom-dt-dd.py: error: the following arguments are required: --name/-n, --version/-v, --description/-d, --type/-t, --classifier/-c
dehottgw@DE01RDDEV01:~$
```
Note the double-dash at the end of the commandline before the `-h`. It is necessary, otherwise the `-h` would be considered as an option for the docker command itself.
### SBOM upload example
For this example I've a file `combined-sbom.json` in the directory `software1`:
```
cd software1/
~/sbom-dt-dd.sh --name software1-server --version 0.0.1 --description "Server software for the Software1 platform" --type 1 --classifier APPLICATION --uploadsbom --sbomfile /work/combined-sbom.json -V
```
## Building
### Python Client Packages for the DependencyTrack and DefectDojo API
#### Download the OpenAPI definitions
```
curl https://dtrack-api.hottis.de/api/openapi.json \
> dependencytrack-openapi.json
curl https://defectdojo.hottis.de/api/v2/oa3/schema/?format=json \
> defectdojo-openapi.json
```
#### Naive Generation of the Client Package for DefectDojo
```
docker run \
-it \
--rm \
-v $PWD:/work \
-u $UID \
openapitools/openapi-generator-cli:v7.12.0 \
generate \
-i /work/defectdojo-openapi.json \
-g python \
-o /work/defectdojo-client \
--package-name defectdojo_api
```
For DefectDojo the naive code generation works.
#### Naive Generation of the Client Package for DependencyTrack
```
docker run \
-it \
--rm \
-v $PWD:/work \
-u $UID openapitools/openapi-generator-cli:v7.12.0 \
generate \
-i /work/dependencytrack-openapi.json \
-g python \
-o /work/dependencytrack-client \
--package-name dependencytrack_api
```
#### Fixed Generation of the Client Package for DependencyTrack
In the OpenAPI definition of DependencyTrack a regex is used which is not understood by Python's
default regex implement `re`, which in turn is hardwired in the openapi-generator provided code.
So, it is necessary to adjust the template for code generation to use the extended regex module
`regex` instead of the default one.
For this purpose, the template must be exported:
```
docker run \
--rm \
-v $PWD:/work \
openapitools/openapi-generator-cli:v7.12.0 \
author \
template \
-g python \
-o /work/dependencytrack-custom-templates
```
Now within `dependencytrack-custom-templates` the both files `model_anyof.mustache` and `model_generic.mustache` must be fixed.
Replace
```
import re
```
at the tops of the files by
```
import regex as re
```
Now run the generator using the adjusted template:
```
docker run \
-it \
--rm \
-v $PWD:/work \
-u $UID \
openapitools/openapi-generator-cli:v7.12.0 \
generate \
-i /work/dependencytrack-openapi.json \
-g python \
-o /work/dependencytrack-client \
--package-name dependencytrack_api \
-t /work/dependencytrack-custom-templates
```
Make sure to install the module `regex` in the environment the client shall run in.
Reference in New Issue View Git Blame Copy Permalink