A CLI for CI/CD usage.
```shell
pip install owasp-dependency-track-cli
export OWASP_DTRACK_URL="http://localhost:8081"
export OWASP_DTRACK_VERIFY_SSL="False"
export OWASP_DTRACK_API_KEY="xyz"
export SEVERITY_THRESHOLD_HIGH="3"
owasp-dtrack-cli test --project-name webapp --auto-create test/files/test.sbom.xml
```

As container runtime:
```shell
podman|docker \
  run --rm -v"$(pwd):$(pwd)" \
  -eOWASP_DTRACK_URL="http://192.168.1.100:8081" \
  -eOWASP_DTRACK_VERIFY_SSL="false" \
  -eOWASP_DTRACK_API_KEY="xyz" \
  ghcr.io/mreiche/owasp-dependency-track-cli:latest test --project-name webapp2 --auto-create "$(pwd)/test/files/test.sbom.xml"
```

Commands:

- `test`: Uploads an SBOM, analyzes it and reports the according project
- `upload`: Uploads an SBOM only
- `analyze`: Analyzes and reports a project
- `report`: Creates a report only
- `metrics prometheus`: Provides Prometheus metrics as `owasp_dtrack_cvss_score` and `owasp_dtrack_violations` Gauge series
- `project upsert`: Upserts a project by file or JSON string
- `project remove-property`: Removes a property from a project
- `project activate`: Activates a project and adds the `keepActive` property
- `project deactivate`: Deactivates a project and removes the `keepActive` property
Examples:

```shell
owasp-dtrack-cli upload --parent-name "MyGroup" /path/to/sbom.json
owasp-dtrack-cli analyze --project-name "My project" --latest
owasp-dtrack-cli test --auto-create /path/to/sbom.json
owasp-dtrack-cli metrics prometheus --serve
owasp-dtrack-cli project upsert --json '{ "name": "My project" }'
```

Environment variables:

```shell
OWASP_DTRACK_URL="http://localhost:8081" # Base URL of OWASP Dependency Track
OWASP_DTRACK_VERIFY_SSL="False" # Do not verify SSL
OWASP_DTRACK_API_KEY="xyz" # Your OWASP Dependency Track API key (see below)
SEVERITY_THRESHOLD_[CRITICAL|HIGH|MEDIUM|LOW|UNASSIGNED]="-1" # Threshold for findings of the given severity
VIOLATION_THRESHOLD_[FAIL|WARN|INFO]="-1" # Threshold for policy violations of the given state
CVSS_V3_THRESHOLD="-1" # Threshold for cumulated CVSS v3 score
CVSS_V2_THRESHOLD="-1" # Threshold for cumulated CVSS v2 score
ANALYZE_TIMEOUT_SEC="300" # Timeout for the analysis in seconds
PROJECT_TIMEOUT_SEC="20" # Timeout for searching the project by name in seconds
HTTPS_PROXY="" # URL of an HTTP(S) proxy
LOG_LEVEL="info" # Logging verbosity (optional)
HTTPX_LOG_LEVEL="warning" # Log level of the httpx framework (optional)
```

Set up a user with an API key and the following permissions:
- Go to Teams -> Automation
- Add API-Key
- Add Permissions
  - SBOM_UPLOAD
  - PROJECT_CREATION_UPLOAD (for the auto-create feature)
  - VIEW_VULNERABILITY
  - VIEW_POLICY_VIOLATION
  - PORTFOLIO_MANAGEMENT (for modifying projects)
```mermaid
sequenceDiagram
    actor User
    User->>CLI: Provide SBOM
    CLI->>+OWASP DT: Clone project as new version
    OWASP DT->>-CLI: New project version
    CLI->>+OWASP DT: Upload and analyze SBOM
    OWASP DT->>-CLI: Return findings
    CLI->>OWASP DT: Deactivate older versions
    CLI->>+CLI: Generate findings report
    CLI->>+CLI: Analyze thresholds
    CLI->>User: Print findings report
```
Explanation of implementation behaviour.

Every patch activates the project. To keep it deactivated, add to your patch:

```json
{ "active": false }
```

or use the `project deactivate` command afterwards.

The `upload` and `test` commands behave like the following:

- If `--auto-create=true`, a new `--project-version` is provided and a previously uploaded version exists, it will be cloned as the new version including properties and audit trail unless `--clone=false`
- All other project versions without the `keepActive` property will be deactivated unless `--deactivate-others=false`. This property can be added manually or via the `project activate` command
- If `--latest` is set, this new project version will be marked as Latest
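The "Analyze thresholds" step above is what turns the findings report into a pass/fail result for a pipeline, driven by the `SEVERITY_THRESHOLD_*`, `VIOLATION_THRESHOLD_*` and `CVSS_V*_THRESHOLD` variables from the environment section. The following is an added example, not code from owasp-dependency-track-cli: it reimplements such a gate over a constructed findings report and assumes the semantics a CI gate needs, namely that a value of `-1` disables a check and that a check fails once the observed count (or cumulated CVSS score) exceeds the configured value. The component and policy names in the sample data are hypothetical.

```python
"""CI gate for Dependency Track findings, driven by the threshold variables.

Added example, not code from owasp-dependency-track-cli. Assumed semantics:
a threshold of -1 disables a check, and a check fails once the observed
count (or cumulated CVSS score) exceeds the configured value. The findings
and violations at the bottom are constructed sample data, not real output.
"""
import os
from dataclasses import dataclass, field

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNASSIGNED")
VIOLATION_STATES = ("FAIL", "WARN", "INFO")


@dataclass
class Thresholds:
    severity: dict = field(default_factory=dict)   # SEVERITY_THRESHOLD_<LEVEL>
    violation: dict = field(default_factory=dict)  # VIOLATION_THRESHOLD_<STATE>
    cvss_v3: float = -1.0                          # CVSS_V3_THRESHOLD
    cvss_v2: float = -1.0                          # CVSS_V2_THRESHOLD


def load_thresholds(env) -> Thresholds:
    """Read the threshold variables; a missing variable or "-1" disables that check."""
    t = Thresholds()
    for level in SEVERITIES:
        t.severity[level] = int(env.get(f"SEVERITY_THRESHOLD_{level}", "-1"))
    for state in VIOLATION_STATES:
        t.violation[state] = int(env.get(f"VIOLATION_THRESHOLD_{state}", "-1"))
    t.cvss_v3 = float(env.get("CVSS_V3_THRESHOLD", "-1"))
    t.cvss_v2 = float(env.get("CVSS_V2_THRESHOLD", "-1"))
    return t


def evaluate(findings, violations, t: Thresholds):
    """Return the list of breached thresholds; an empty list means the gate passes."""
    failures = []
    counts = {level: 0 for level in SEVERITIES}
    cvss_v3_sum = cvss_v2_sum = 0.0
    for f in findings:
        sev = f.get("severity", "UNASSIGNED")
        counts[sev] = counts.get(sev, 0) + 1
        cvss_v3_sum += f.get("cvssV3", 0.0)
        cvss_v2_sum += f.get("cvssV2", 0.0)
    for level, limit in t.severity.items():
        if limit >= 0 and counts[level] > limit:
            failures.append(f"{counts[level]} {level} findings exceed threshold {limit}")
    states = {state: 0 for state in VIOLATION_STATES}
    for v in violations:
        states[v["state"]] = states.get(v["state"], 0) + 1
    for state, limit in t.violation.items():
        if limit >= 0 and states[state] > limit:
            failures.append(f"{states[state]} {state} policy violations exceed threshold {limit}")
    if t.cvss_v3 >= 0 and cvss_v3_sum > t.cvss_v3:
        failures.append(f"cumulated CVSS v3 {cvss_v3_sum:.1f} exceeds threshold {t.cvss_v3}")
    if t.cvss_v2 >= 0 and cvss_v2_sum > t.cvss_v2:
        failures.append(f"cumulated CVSS v2 {cvss_v2_sum:.1f} exceeds threshold {t.cvss_v2}")
    return failures


def gate(findings, violations, env) -> int:
    """Exit status for a CI step: 0 when every enabled threshold holds, 1 otherwise."""
    failures = evaluate(findings, violations, load_thresholds(env))
    for line in failures:
        print(f"THRESHOLD BREACHED: {line}")
    return 1 if failures else 0


# Constructed sample report (hypothetical component and policy names).
SAMPLE_FINDINGS = [
    {"component": "log-lib", "severity": "HIGH", "cvssV3": 8.8},
    {"component": "json-lib", "severity": "HIGH", "cvssV3": 7.5},
    {"component": "xml-lib", "severity": "HIGH", "cvssV3": 7.2},
    {"component": "http-lib", "severity": "HIGH", "cvssV3": 7.5},
    {"component": "crypto-lib", "severity": "MEDIUM", "cvssV3": 5.3},
]
SAMPLE_VIOLATIONS = [
    {"policy": "banned-license", "state": "FAIL"},
    {"policy": "outdated-component", "state": "WARN"},
]

if __name__ == "__main__":
    # With SEVERITY_THRESHOLD_HIGH="3" exported, the four HIGH findings fail the gate.
    raise SystemExit(gate(SAMPLE_FINDINGS, SAMPLE_VIOLATIONS, os.environ))
```

With every variable left at its default the gate passes regardless of the report, which is why a pipeline that wants to block on findings must set at least one threshold explicitly; the `-1` default only reports.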
Test environment:

```shell
cd test
podman|docker compose up
```

- Preconfigured user: `admin:admin2`
- Preconfigured API key: see `test/test.env`

Dump the test database into the init script:

```shell
podman run -it --rm --network=test_default -v "$(pwd)/test:/test" postgres:17-alpine pg_dump -h postgres -d dtrack -U "dtrack" -p "5432" -f "/test/postgres-init/init.sql"
```

This library is part of a wider OWASP Dependency Track tool chain:

- OWASP Dependency Track Python API client: https://github.com/mreiche/owasp-dependency-track-python-client
- OWASP Dependency Track CLI: https://github.com/mreiche/owasp-dependency-track-cli