Unofficial OWASP Dependency Track CLI
Project description
OWASP Dependency Track CLI
A CLI for CI/CD usage.
Installation
pip install owasp-dependency-track-cli
Usage
export OWASP_DTRACK_URL="http://localhost:8081"
export OWASP_DTRACK_VERIFY_SSL="False"
export OWASP_DTRACK_API_KEY="xyz"
export SEVERITY_THRESHOLD_HIGH="3"
owasp-dtrack-cli test --project-name webapp --auto-create test/files/test.sbom.xml
As a container image:
podman|docker \
run --rm -v"$(pwd):$(pwd)" \
-eOWASP_DTRACK_URL="http://192.168.1.100:8081" \
-eOWASP_DTRACK_VERIFY_SSL="false" \
-eOWASP_DTRACK_API_KEY="xyz" \
ghcr.io/mreiche/owasp-dependency-track-cli:latest test --project-name webapp2 --auto-create "$(pwd)/test/files/test.sbom.xml"
Commands
- test: Uploads an SBOM, analyzes the corresponding project and reports on it
- upload: Uploads an SBOM only
- analyze: Analyzes and reports on a project
- report: Creates a report only
- metrics prometheus: Provides Prometheus metrics as the owasp_dtrack_cvss_score and owasp_dtrack_violations Gauge series
- project upsert: Upserts a project from a file or a JSON string
- project remove-property: Removes a property from a project
- project activate: Activates a project and adds the keepActive property
- project deactivate: Deactivates a project and removes the keepActive property
Examples
owasp-dtrack-cli upload --parent-name "MyGroup" /path/to/sbom.json
owasp-dtrack-cli analyze --project-name "My project" --latest
owasp-dtrack-cli test --auto-create /path/to/sbom.json
owasp-dtrack-cli metrics prometheus --serve
owasp-dtrack-cli project upsert --json '{ "name": "My project" }'
Environment variables
OWASP_DTRACK_URL="http://localhost:8081" # Base URL of OWASP Dependency Track
OWASP_DTRACK_VERIFY_SSL="False" # Do not verify the SSL/TLS certificate
OWASP_DTRACK_API_KEY="xyz" # Your OWASP Dependency Track API key (see below)
SEVERITY_THRESHOLD_[CRITICAL|HIGH|MEDIUM|LOW|UNASSIGNED]="-1" # Threshold for the number of findings per severity
VIOLATION_THRESHOLD_[FAIL|WARN|INFO]="-1" # Threshold for the number of policy violations per state
CVSS_V3_THRESHOLD="-1" # Threshold for the cumulative CVSS v3 score
CVSS_V2_THRESHOLD="-1" # Threshold for the cumulative CVSS v2 score
ANALYZE_TIMEOUT_SEC="300" # Timeout for the analysis in seconds
PROJECT_TIMEOUT_SEC="20" # Timeout for looking up the project by name in seconds
HTTPS_PROXY="" # URL of an HTTP(S) proxy
LOG_LEVEL="info" # Logging verbosity (optional)
HTTPX_LOG_LEVEL="warning" # Log level of the httpx framework (optional)
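The threshold variables above are what turn the CLI into a CI gate. The following Python block is an added example, not the project's own code, showing how such a gate evaluates a findings summary against those variables. Two points are assumptions rather than statements from this page: a value of -1 disables a check, and a check fails when the observed value is strictly greater than its threshold. The `Summary` class and the sample data are constructed for the example.

```python
"""Added example, not the project's own code: a CI gate that applies the
SEVERITY_*, VIOLATION_* and CVSS_* threshold variables to a findings summary.
Assumed (not stated on the page): -1 disables a check, and a check fails when
the observed value is strictly greater than its threshold."""
import os
from dataclasses import dataclass, field
from typing import Dict, List, Mapping, Optional

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNASSIGNED")
VIOLATION_STATES = ("FAIL", "WARN", "INFO")


@dataclass
class Summary:
    """Counts a findings report would provide; constructed for this example."""
    findings: Dict[str, int] = field(default_factory=dict)    # severity -> count
    violations: Dict[str, int] = field(default_factory=dict)  # state -> count
    cvss_v3_total: float = 0.0  # sum of CVSS v3 base scores over all findings
    cvss_v2_total: float = 0.0  # sum of CVSS v2 base scores over all findings


def threshold(env: Mapping[str, str], name: str) -> float:
    """Read a threshold; the documented default -1 means 'not enforced'."""
    return float(env.get(name, "-1"))


def evaluate(summary: Summary, env: Optional[Mapping[str, str]] = None) -> List[str]:
    """Return one line per breached threshold; an empty list means the gate passes."""
    env = os.environ if env is None else env
    breaches: List[str] = []
    for sev in SEVERITIES:
        limit = threshold(env, f"SEVERITY_THRESHOLD_{sev}")
        count = summary.findings.get(sev, 0)
        if limit >= 0 and count > limit:
            breaches.append(f"{count} {sev} findings exceed threshold {int(limit)}")
    for state in VIOLATION_STATES:
        limit = threshold(env, f"VIOLATION_THRESHOLD_{state}")
        count = summary.violations.get(state, 0)
        if limit >= 0 and count > limit:
            breaches.append(f"{count} {state} policy violations exceed threshold {int(limit)}")
    for name, total in (("CVSS_V3_THRESHOLD", summary.cvss_v3_total),
                        ("CVSS_V2_THRESHOLD", summary.cvss_v2_total)):
        limit = threshold(env, name)
        if limit >= 0 and total > limit:
            breaches.append(f"cumulative score {total} exceeds {name}={limit:g}")
    return breaches


# Constructed sample input: a small web app with a few findings and one failing
# policy, gated by the three variables a pipeline might set.
SAMPLE = Summary(findings={"CRITICAL": 0, "HIGH": 4, "MEDIUM": 7},
                 violations={"FAIL": 1}, cvss_v3_total=31.5)
SAMPLE_ENV = {"SEVERITY_THRESHOLD_HIGH": "3",
              "VIOLATION_THRESHOLD_FAIL": "0",
              "CVSS_V3_THRESHOLD": "40"}

if __name__ == "__main__":
    result = evaluate(SAMPLE, SAMPLE_ENV)
    for line in result:
        print(line)
    raise SystemExit(1 if result else 0)  # a non-zero exit fails the pipeline stage
```

With every variable left at -1 the gate never fails, which is why a pipeline should set at least one explicit threshold; the sample environment fails on the HIGH count and the FAIL policy violation while the cumulative CVSS v3 score stays under its limit.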
API-Key
Set up a user with an API key and the following permissions:
- Go to Teams -> Automation
- Add API-Key
- Add Permissions
- SBOM_UPLOAD
- PROJECT_CREATION_UPLOAD (for the auto-create feature)
- VIEW_VULNERABILITY
- VIEW_POLICY_VIOLATION
- PORTFOLIO_MANAGEMENT (for modifying projects)
How it works
sequenceDiagram
actor User
User->>CLI: Provide SBOM
CLI->>+OWASP DT: Clone project as new version
OWASP DT->>-CLI: New project version
CLI->>+OWASP DT: Upload and analyze SBOM
OWASP DT->>-CLI: Return findings
CLI->>OWASP DT: Deactivate older versions
CLI->>+CLI: Generate findings report
CLI->>+CLI: Analyze thresholds
CLI->>User: Print findings report
Explanation of implementation behaviour.
About patching a project
Every patch activates the project. To keep it deactivated, add the following to your patch:
{ "active": false }
or use the project deactivate command afterwards.
Uploading new project versions
The upload and test commands behave like the following:
- If --auto-create=true, a new --project-version is provided and a previously uploaded version exists, that version will be cloned as the new version, including its properties and audit trail, unless --clone=false
- All other project versions without the keepActive property will be deactivated unless --deactivate-others=false. This property can be added manually or via the project activate command
- If --latest is set, the new project version will be marked as Latest
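The three rules above interact (a pinned version survives deactivation, a clone carries over the audit trail, only one version is Latest). The following Python block is an added example, not the project's own code, that models those rules on constructed data instead of a Dependency Track server so the interaction can be checked. Two details are assumptions not stated on the page: the "previously uploaded version" that gets cloned is the most recently uploaded one, and keepActive counts when the property key is present, whatever its value.

```python
"""Added example, not the project's own code: a model of the upload rules for
new project versions, run on constructed data. Assumed (not stated on the
page): the cloned version is the most recently uploaded one, and keepActive
is honoured when the property key is present, regardless of its value."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ProjectVersion:
    name: str
    version: str
    active: bool = True
    latest: bool = False
    properties: Dict[str, str] = field(default_factory=dict)
    audit_trail: List[str] = field(default_factory=list)


def upload_version(portfolio: List[ProjectVersion], name: str, new_version: str,
                   auto_create: bool = True, clone: bool = True,
                   deactivate_others: bool = True, latest: bool = False) -> ProjectVersion:
    """Apply the upload rules to `portfolio` in place and return the new version."""
    existing = [p for p in portfolio if p.name == name]
    if not existing and not auto_create:
        raise LookupError(f"project {name!r} does not exist and --auto-create is off")
    if any(p.version == new_version for p in existing):
        raise ValueError(f"{name} {new_version} already exists")
    previous = existing[-1] if existing else None  # assumption: last uploaded == most recent
    if previous is not None and clone:
        # --clone (default): the new version inherits properties and audit trail
        new = ProjectVersion(name, new_version, latest=latest,
                             properties=dict(previous.properties),
                             audit_trail=list(previous.audit_trail))
    else:
        new = ProjectVersion(name, new_version, latest=latest)
    if deactivate_others:
        # --deactivate-others (default): only versions carrying keepActive stay active
        for p in existing:
            if "keepActive" not in p.properties:
                p.active = False
    if latest:
        # --latest: exactly one version of the project is marked Latest
        for p in existing:
            p.latest = False
    portfolio.append(new)
    return new


def sample_portfolio() -> List[ProjectVersion]:
    """Constructed starting state: 1.0 is pinned with keepActive, 1.1 is not."""
    return [
        ProjectVersion("webapp", "1.0", latest=False,
                       properties={"keepActive": "true", "owner": "team-a"},
                       audit_trail=["constructed audit note"]),
        ProjectVersion("webapp", "1.1", latest=True,
                       properties={"owner": "team-a"},
                       audit_trail=["constructed audit note"]),
    ]


def active_versions(portfolio: List[ProjectVersion], name: str) -> List[str]:
    """Versions of `name` that are still active, in upload order."""
    return [p.version for p in portfolio if p.name == name and p.active]


if __name__ == "__main__":
    portfolio = sample_portfolio()
    new = upload_version(portfolio, "webapp", "1.2", latest=True)
    print("active:", active_versions(portfolio, "webapp"))
    print("inherited audit trail:", new.audit_trail)
```

Note that a clone copies the properties of the version it was cloned from, so if that version carried keepActive the new one would too; in the sample the clone source is 1.1, which is not pinned, so 1.0 stays active only because of its own property.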
Testing
Start the test environment
cd test
podman|docker compose up
- Preconfigured user: admin:admin2
- Preconfigured API key: see test/test.env
Update the test database
podman run -it --rm --network=test_default -v "$(pwd)/test:/test" postgres:17-alpine pg_dump -h postgres -d dtrack -U "dtrack" -p "5432" -f "/test/postgres-init/init.sql"
More OWASP Dependency Track utils
This library is part of a wider OWASP Dependency Track tool chain:
- OWASP Dependency Track Python API client: https://github.com/mreiche/owasp-dependency-track-python-client
- OWASP Dependency Track CLI: https://github.com/mreiche/owasp-dependency-track-cli
- OWASP Dependency Track Azure DevOps Sync: https://github.com/mreiche/owasp-dependency-track-azure-devops
File details
Details for the file owasp_dependency_track_cli-1.0.9.tar.gz.
File metadata
- Download URL: owasp_dependency_track_cli-1.0.9.tar.gz
- Upload date:
- Size: 17.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.9
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 56921974454dd10741a9704ee1b32630a7691138fedeeb78c214186c8cd554f9 |
| MD5 | 3cdac44506cd254ad90ddb8a67a1682c |
| BLAKE2b-256 | ef75d3e28f0a3ca544d3d9e90eecae03be9681bdc5a6acf65daf96d64d36ff35 |
File details
Details for the file owasp_dependency_track_cli-1.0.9-py3-none-any.whl.
File metadata
- Download URL: owasp_dependency_track_cli-1.0.9-py3-none-any.whl
- Upload date:
- Size: 18.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.9
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | fc2d75c7e39691bccd777d48939ee7067168ee5e7e89deb8fa062a0aa9b4db0e |
| MD5 | 3422a4e769a9bfb118da6d0f378ad6ca |
| BLAKE2b-256 | d5c3610f5bf7170ae212cd42aa498d717facd16e832309a2cf0213cb3e80bb57 |