SBOM with CycloneDX and Dependency-Track


Doing:
2025.12.26

$ helm repo add evryfs-oss https://evryfs.github.io/helm-charts/
$ helm repo update


$ kubectl create namespace dependency-track


$ cd ~/tmp


$ cat > deptrack.values.yaml <<EOF
ingress:
  enabled: true
  tls:
    enabled: false
    secretName: ""
  annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
    ## allow large bom.xml uploads:
    # nginx.ingress.kubernetes.io/proxy-body-size: 10m
  host: dependencytrack.example.org

frontend:
  replicaCount: 1
  service:
    type: NodePort

apiserver:
  resources:
    # https://docs.dependencytrack.org/getting-started/deploy-docker/
    requests:
      cpu: 1
      memory: 3000Mi
    limits:
      cpu: 2
      memory: 7Gi
EOF


$ helm install dependency-track --values deptrack.values.yaml --namespace dependency-track evryfs-oss/dependency-track
$ helm list -n dependency-track


$ kubectl get pods -n dependency-track


// hosts file entry so the ingress hostname resolves to the node IP:
192.168.49.2 dependencytrack.example.org


// OK!
// default login admin / admin; the first login forces a password change:
http://dependencytrack.example.org/change-password?redirect=%2Fdashboard


Administration -> Access Management -> Teams -> Automation


Copy the API Key: AjqsiQwaewMwD1AoaZRaCHBJOR2D7XPu

Also add the following permissions to the Automation team (PROJECT_CREATION_UPLOAD is what lets the Jenkins "Auto Create Projects" option create the project on first upload):

  • PROJECT_CREATION_UPLOAD
  • POLICY_VIOLATION_ANALYSIS
  • VULNERABILITY_ANALYSIS


Configure Jenkins to Connect with Dependency-Track

http://192.168.49.2:30264/manage/pluginManager/available

  • OWASP Dependency-Track


http://192.168.49.2:31272/manage/configure


Dependency-Track URL: http://dependency-track-apiserver.dependency-track.svc.cluster.local
  (in-cluster service DNS, so this only works because Jenkins runs in the same cluster)

API Key: add a Jenkins credential of kind "Secret text", ID dep-track-api-key, containing the key copied from Dependency-Track earlier, and select it here

Check the "Auto Create Projects" box


Test Connection ->

The detected version 4.6.3 is older than the required version 4.12.0 and is no longer supported

The plugin refuses the server the chart deployed by default. Pin newer apiserver and frontend image tags in deptrack.values.yaml (the chart's image keys are shown by `helm show values evryfs-oss/dependency-track`) and run `helm upgrade` before publishing from Jenkins.


Jenkinsfile, after the “OSS License Checker” stage:

stage('Generate SBOM') {
    steps {
        container('maven') {
            // aggregate BOM over all modules; written to target/bom.xml by default
            sh 'mvn org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom'
        }
    }
    post {
        success {
            // uses the global Dependency-Track URL and API key configured above;
            // synchronous: true waits until the server has finished processing the BOM
            dependencyTrackPublisher projectName: 'sample-spring-app',
                                     projectVersion: '0.0.1',
                                     artifact: 'target/bom.xml',
                                     autoCreateProjects: true,
                                     synchronous: true
            // keep the BOM as a build artifact too
            archiveArtifacts (
                allowEmptyArchive: true,
                artifacts: 'target/bom.xml',
                fingerprint: true,
                onlyIfSuccessful: true
            )
        }
    }
}
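Added example (not code from this page, nor from the Dependency-Track or Jenkins plugin projects): the upload / poll / evaluate flow that `synchronous: true` performs, done directly against the REST API so the same gate can run from any CI job, or be debugged when the plugin rejects the server version. The endpoints (PUT /api/v1/bom, GET /api/v1/bom/token/{token}, GET /api/v1/project/lookup, GET /api/v1/finding/project/{uuid}) and the X-Api-Key header are Dependency-Track's REST API; the in-cluster URL and the project name/version are taken from this page; the thresholds, the sample BOM and the sample findings are constructed here.

```python
"""Upload a CycloneDX BOM to Dependency-Track and gate the build on its findings."""
import base64
import json
import os
import sys
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional

# Assumed values, taken from the Jenkins configuration and pipeline on this page.
DT_URL = "http://dependency-track-apiserver.dependency-track.svc.cluster.local"
PROJECT_NAME = "sample-spring-app"
PROJECT_VERSION = "0.0.1"

# Constructed minimal CycloneDX 1.5 JSON BOM; stands in for target/bom.xml.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [{
        "type": "library", "group": "org.springframework", "name": "spring-core",
        "version": "5.3.0", "purl": "pkg:maven/org.springframework/spring-core@5.3.0",
    }],
}).encode()

# Constructed sample of GET /api/v1/finding/project/{uuid} output, trimmed to the
# fields the gate reads. The suppressed HIGH must not count against the build.
SAMPLE_FINDINGS = [
    {"component": {"name": "spring-core"}, "vulnerability": {"severity": "CRITICAL"},
     "analysis": {"isSuppressed": False}},
    {"component": {"name": "spring-core"}, "vulnerability": {"severity": "HIGH"},
     "analysis": {"isSuppressed": False}},
    {"component": {"name": "spring-core"}, "vulnerability": {"severity": "HIGH"},
     "analysis": {"isSuppressed": True}},
    {"component": {"name": "spring-core"}, "vulnerability": {"severity": "MEDIUM"},
     "analysis": {}},
]


def build_upload_payload(bom_bytes: bytes, name: str, version: str,
                         auto_create: bool = True) -> dict:
    """Body for PUT /api/v1/bom: the BOM travels base64-encoded inside JSON.
    autoCreate=True is what the Jenkins 'Auto Create Projects' box sets and needs
    PROJECT_CREATION_UPLOAD on the API key's team."""
    return {"projectName": name, "projectVersion": version, "autoCreate": auto_create,
            "bom": base64.b64encode(bom_bytes).decode("ascii")}


def count_findings(findings: list) -> dict:
    """Count unsuppressed findings per severity; suppressions are analyst decisions
    already recorded in Dependency-Track and must not fail the build again."""
    counts = {"CRITICAL": 0, "HIGH": 0, "MEDIUM": 0, "LOW": 0, "UNASSIGNED": 0}
    for finding in findings:
        if finding.get("analysis", {}).get("isSuppressed"):
            continue
        severity = finding.get("vulnerability", {}).get("severity", "UNASSIGNED")
        counts[severity] = counts.get(severity, 0) + 1
    return counts


def evaluate_gate(counts: dict, max_critical: int = 0, max_high: int = 0) -> list:
    """Return the threshold violations; an empty list means the gate passes."""
    failures = []
    if counts.get("CRITICAL", 0) > max_critical:
        failures.append("critical=%d > %d" % (counts["CRITICAL"], max_critical))
    if counts.get("HIGH", 0) > max_high:
        failures.append("high=%d > %d" % (counts["HIGH"], max_high))
    return failures


def _call(api_key: str, method: str, path: str, body: Optional[dict] = None):
    """One authenticated REST call; Dependency-Track reads API keys from X-Api-Key."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(DT_URL + path, data=data, method=method)
    req.add_header("X-Api-Key", api_key)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read() or b"null")


def upload_and_fetch_findings(api_key: str, bom_bytes: bytes, timeout_s: int = 300) -> list:
    """Upload, poll the processing token until done, then read the project's findings."""
    token = _call(api_key, "PUT", "/api/v1/bom",
                  build_upload_payload(bom_bytes, PROJECT_NAME, PROJECT_VERSION))["token"]
    deadline = time.monotonic() + timeout_s
    while _call(api_key, "GET", "/api/v1/bom/token/%s" % token).get("processing"):
        if time.monotonic() > deadline:
            raise TimeoutError("BOM still processing after %ds" % timeout_s)
        time.sleep(5)
    query = urllib.parse.urlencode({"name": PROJECT_NAME, "version": PROJECT_VERSION})
    project = _call(api_key, "GET", "/api/v1/project/lookup?" + query)
    return _call(api_key, "GET", "/api/v1/finding/project/%s" % project["uuid"])


if __name__ == "__main__":
    # Usage: DT_API_KEY=<Automation team key> python dt_gate.py [target/bom.xml]
    bom = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BOM
    try:
        findings = upload_and_fetch_findings(os.environ["DT_API_KEY"], bom)
    except (KeyError, TimeoutError, urllib.error.URLError) as exc:
        sys.exit("Dependency-Track call failed: %r" % exc)
    failures = evaluate_gate(count_findings(findings))
    if failures:
        sys.exit("gate failed: " + ", ".join(failures))
    print("gate passed")
```

The API key comes from the environment rather than the command line so it does not land in process listings or build logs; in Jenkins, bind the dep-track-api-key credential to DT_API_KEY with withCredentials. The token poll has a deadline because a server that is still analysing a large BOM, or a misconfigured ingress body-size limit that silently dropped the upload, would otherwise hang the job.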