Project create / update

[xpicio]

Hello, i'm evaluating dependency track and dependency track jenkins plugin to collect and analyze vulnerable components for docker images and node, python, .net core, java applications. At the moment i'm facing with an issue on how to handle project updates when a CI pipeline run.

My idea is to handle a project for each deployment environment with his own version. Something like this:

project	version
demo-test	0.1.0-alpha.11-12
demo-stg	0.1.0-rc-8.13
demo-prod	0.1.0-12

However with the actual behaviour of the jenkins plugin i can not obtain that kind of projects organization, but i have something like this:

project	version
demo-test	0.1.0-alpha.11-12
demo-test	0.1.0-alpha.13-13
demo-test	0.1.0-alpha.17-14
demo-stg	0.1.0-rc-8.13
demo-prod	0.1.0-12

Is there any way to configure the plugin to will work with the following steps?

• find project by name
• if exist get the uuid -> upload the bom -> patch the version of the project
• if not exist upload the bom with project name, project version and create project set to true

Thanks in advance

[sephiroth-j]

This has nothing to do with the plugin. It is about how Dependency-Track itself works. Every combination of name and version is treated as a new project in Dependency-Track.

You can implement the steps you want yourself using a scripted pipeline. You have everything you need. You have the API key and you have the plugin to perform the upload. The rest is just two more API calls you need to make.

Another option is to use the stage name as the version, for example name="demo" and version="prod". This is not ideal, as it only makes sense if only one version of demo can be active per stage at a time.

[xpicio]

Thanks for your reply. I can understand the use case where is important keep tracked each version as new project, but in my case only the latest version for each environment is important.

I implemented a function sbomUpload to conditionally upload the SBOM trought dependencyTrackPublisher, and when it's needs i patched the project with REST API.

import groovy.xml.*
import groovy.json.JsonSlurper
import com.domain.Settings

def getProjectId(projectName) {
  def id = null

  echo "[DependencyTrack] Check if project with name \"${projectName}\" already exists"
      
  withCredentials([string(credentialsId: 'dependency-track-credentials', variable: 'token')]) {
    def response =  httpRequest customHeaders: [[maskValue: true, name: 'X-API-Key', value: token]],
      acceptType: 'APPLICATION_JSON',
      url: "${Settings.dependencyTrackUrl}/api/v1/project?name=${projectName}"
      
    if (response.status == 200) {
      def data = new JsonSlurper().parseText(response.content)
      
      if (data.size() == 1) {
        id = data[0].uuid 
        
        echo "[DependencyTrack] Project with name \"${projectName}\" already exists with uuid \"${id}\""
      }
    }
  }
    
  return id
}

def patchProjectVersion(projectId, projectVersion) {
  echo "[DependencyTrack] Patch project with name \"${projectId}\" updating version to \"${projectVersion}\""
  
  withCredentials([string(credentialsId: 'dependency-track-credentials', variable: 'token')]) {
    def body = """
      {"version": "${projectVersion}"}
    """
    
    httpRequest customHeaders: [[maskValue: true, name: 'X-API-Key', value: token]],
      acceptType: 'APPLICATION_JSON', contentType: 'APPLICATION_JSON',
      url: "${Settings.dependencyTrackUrl}/api/v1/project/${projectId}",
      httpMode: 'PATCH', requestBody: body
  }
}

def patchProject(id, version, classifier) {
  echo "[DependencyTrack] Patch project with name \"${id}\" updating version to \"${version}\""
  
  withCredentials([string(credentialsId: 'dependency-track-credentials', variable: 'token')]) {
    def body = """
      "version": "${version}"
    """

    if (classifier) {
      body = """
        ${body}, "classifier": "${classifier}"
      """
    }
    
    body = """
        { ${body} }
    """

    httpRequest customHeaders: [[maskValue: true, name: 'X-API-Key', value: token]],
      acceptType: 'APPLICATION_JSON', contentType: 'APPLICATION_JSON',
      url: "${Settings.dependencyTrackUrl}/api/v1/project/${id}",
      httpMode: 'PATCH', requestBody: body
  }
}

// classifier valid values: "APPLICATION", "FRAMEWORK", "LIBRARY", "CONTAINER", "OPERATING_SYSTEM", "DEVICE", "FIRMWARE", "FILE"
def sbomUpload(path, projectName, projectVersion, tags = [], classifier = null) {
  def projectId = getProjectId(projectName)
  
  withCredentials([string(credentialsId: 'dependency-track-credentials', variable: 'token')]) {
    if (projectId == null) {
      dependencyTrackPublisher artifact: path, autoCreateProjects: true, dependencyTrackApiKey: token,
        dependencyTrackUrl: Settings.dependencyTrackUrl, synchronous: true,
        projectName: projectName, projectVersion: projectVersion, projectProperties: [tags: tags]
    } else {
      dependencyTrackPublisher artifact: path, dependencyTrackApiKey: token,
        dependencyTrackUrl: Settings.dependencyTrackUrl, synchronous: true,
        projectId: projectId, projectProperties: [tags: tags]
    }
  }
  
  if (projectId != null) {
    patchProject(projectId, projectVersion, classifier)
  }
}

Have a nice day 👋