Containers are the standard way to run server applications these days, so you likely have many SBOMs to transfer to Dependency Track SaaS. Luckily, extracting an SBOM from software packaged as a container image is fast and easy.
In the example below we illustrate SBOM generation from a Docker image and its transfer to Dependency Track SaaS. To generate the SBOM from any other piece of software, use one of the approaches described in this cheat sheet.
Docker SBOM transfer
To automate the transfer we need to associate the SBOM file with a project in Dependency Track. There are several ways, including the automatic creation of a new project.
In the most likely scenario, we will assume that you already have a project in Dependency Track and that you wish to update its list of components. For this, the easiest is to link the SBOM with the project UUID of Dependency Track.
The script below extracts the SBOM from a local Docker registry and transfers it to your Dependency Track tenant. You would run it with something like extract-sbom.sh alpine:latest 29cd2fb7-db8c-4513-8c6c-ffb4443be67f. The Dependency Track project UUID to use can be found in the object identifier of the project details.
Obviously, you should modify the script and replace <YourPrefixDomain> and <YourApiKey> at lines 9 and 10 (the block marked REPLACE HERE) with the values you received after ordering your SaaS subscription.
#!/bin/bash
if [ "$#" -ne 2 ]; then
  echo "$0 <dockerImage> <depTrackProjectUuid>"
  exit 1
fi
# REPLACE HERE-------------------------
companyPrefix="<YourPrefixDomain>"
apiKey="<YourApiKey>"
# END REPLACE--------------------------
SCRIPT_PATH=$(dirname -- "$(readlink -f "${BASH_SOURCE[0]}")")
project="$2"
# temporary file holding the generated SBOM, removed once it has been sent
sbom="$(uuidgen).sbom"
# each step only runs if the previous one succeeded; curl --fail makes a
# non-2xx answer from Dependency Track break the chain instead of printing "sent"
echo -n "Extracting SBOM..." \
&& "$SCRIPT_PATH/syft.sh" scan "registry:$1" -o cyclonedx-json > "$sbom" \
&& echo -ne " done\nSending SBOM..." \
&& curl --fail -X POST -H "X-API-Key: $apiKey" \
     -F "bom=@$sbom" \
     -F "project=$project" \
     "https://$companyPrefix.deptrack.yoursky.blue/api/v1/bom" \
&& echo -e " sent\n\nCleaning..." \
&& rm "$sbom"
The script above does not use the docker scout sbom command, which no longer supports SBOMs in the CycloneDX format. Instead, it uses our syft.sh script. Note that curl builds the multipart Content-Type header (including its boundary) itself when -F is used, so no Content-Type header needs to be passed by hand.
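The script above reports "sent" as soon as curl returns, but Dependency Track processes an uploaded BOM asynchronously: the POST answers with a token, and a CI job that wants to act on the analysis (for example fail the build on findings) should wait until that token reports processing as finished. The following POSIX shell functions are an added example, not part of the original script, showing that pattern for both an existing project UUID and the automatic project creation mentioned earlier. They use the same tenant host pattern and X-API-Key header as the script, the Dependency Track endpoints POST /api/v1/bom and GET /api/v1/bom/token/{token}, and the upload form fields project, autoCreate, projectName and projectVersion; <YourPrefixDomain> and <YourApiKey> are placeholders to replace exactly as in the script.

```shell
#!/bin/sh
# Added example (not the original script): upload a CycloneDX SBOM to a
# Dependency-Track tenant, fail on a non-200 status, then poll the upload
# token until the server has processed the BOM. Placeholders as in the
# page's script: replace <YourPrefixDomain> and <YourApiKey>.
DT_URL="https://<YourPrefixDomain>.deptrack.yoursky.blue"
DT_API_KEY="<YourApiKey>"

# Pull the "token" value out of the JSON returned by POST /api/v1/bom,
# e.g. {"token":"3f2c..."} -> 3f2c...  Prints nothing if there is no token.
bom_token() {
  printf '%s' "$1" | sed -n 's/.*"token" *: *"\([^"]*\)".*/\1/p'
}

# True when GET /api/v1/bom/token/<token> answers {"processing":false}.
bom_processed() {
  case "$(printf '%s' "$1" | tr -d ' \n\t')" in
    *'"processing":false'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Dependency-Track answers an accepted upload with HTTP 200.
upload_ok() {
  [ "$1" -eq 200 ] 2>/dev/null
}

# dt_upload <sbom file> <curl -F argument>...: POST the BOM with the given
# project selector fields and print the upload token on success.
dt_upload() {
  sbom="$1"; shift
  # -w appends the HTTP status on its own line after the response body
  resp=$(curl -sS -X POST -H "X-API-Key: $DT_API_KEY" \
           -F "bom=@$sbom" "$@" -w '\n%{http_code}' \
           "$DT_URL/api/v1/bom") || return 1
  status=$(printf '%s\n' "$resp" | tail -n 1)
  body=$(printf '%s\n' "$resp" | sed '$d')
  upload_ok "$status" || { echo "upload failed: HTTP $status $body" >&2; return 1; }
  token=$(bom_token "$body")
  [ -n "$token" ] || { echo "no token in response: $body" >&2; return 1; }
  printf '%s\n' "$token"
}

# Poll the token every 5 s, up to 2 minutes, until the BOM has been processed.
dt_wait_processed() {
  token="$1"; tries=0
  while [ "$tries" -lt 24 ]; do
    poll=$(curl -sS -H "X-API-Key: $DT_API_KEY" \
             "$DT_URL/api/v1/bom/token/$token") || return 1
    if bom_processed "$poll"; then return 0; fi
    tries=$((tries + 1)); sleep 5
  done
  echo "BOM $token still processing after 2 minutes" >&2
  return 1
}

# Existing project, like the script above: upload_sbom file.sbom <project uuid>
upload_sbom() {
  token=$(dt_upload "$1" -F "project=$2") && dt_wait_processed "$token"
}

# Let Dependency-Track create the project: upload_sbom_autocreate file.sbom <name> <version>
upload_sbom_autocreate() {
  token=$(dt_upload "$1" -F "autoCreate=true" -F "projectName=$2" -F "projectVersion=$3") \
    && dt_wait_processed "$token"
}

if [ "$#" -eq 2 ]; then
  upload_sbom "$1" "$2"
fi
```

In a pipeline, call upload_sbom (or upload_sbom_autocreate) right after the syft step and let its exit status gate the next stage; only once it returns 0 does a findings query or an audit helper see the components of the BOM you just sent rather than the previous one.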
CI/CD plugins
In your CI/CD, you can easily reuse the curl transfer part of the above script. The SBOM transfer can be made even simpler with one of the following open-source plugins:
- Azure pipelines
- GitHub Action
- Jenkins
- dtrack-audit, a generic transfer and audit helper written in Go, with special compatibility for TeamCity CI
Additionally, the following plugins might come in handy for other automation scenarios, for example to implement policies based on software vulnerability analysis:
- dtapac audits Dependency-Track findings and policy violations via policy as code
- DTrackAuditor can fail a CI build based on software vulnerability severity or policy violations
Other possible scenarios
With the Docker SBOM example shown above, we have only scratched the surface; many automation scenarios are possible. It can serve you as a template to get started. With a few adaptations, you can generate the SBOM from other sources as described in the cheat sheet.
Other transfer options are possible; please refer to our API documentation.
We gladly help with any SBOM transfer issue.
Let us know how we can help!