{"id":18419486,"url":"https://github.com/liftric/dependency-track-companion-plugin","last_synced_at":"2025-04-07T13:31:37.041Z","repository":{"id":178233377,"uuid":"639795618","full_name":"Liftric/dependency-track-companion-plugin","owner":"Liftric","description":"[gradle-plugin] Common tasks for Dependency Track interaction, like SBOM upload or VEX Generation","archived":false,"fork":false,"pushed_at":"2025-03-26T12:46:23.000Z","size":414,"stargazers_count":9,"open_issues_count":2,"forks_count":1,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-03-31T03:30:00.249Z","etag":null,"topics":["bom","dependency","gradle","plugin","sbom","track","vex"],"latest_commit_sha":null,"homepage":"","language":"Kotlin","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Liftric.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-05-12T08:43:20.000Z","updated_at":"2025-03-25T16:13:17.000Z","dependencies_parsed_at":"2024-02-01T12:28:45.978Z","dependency_job_id":"7dc6051b-554e-4039-ae18-de4d2fb268ce","html_url":"https://github.com/Liftric/dependency-track-companion-plugin","commit_stats":null,"previous_names":["liftric/dependency-track-companion-plugin"],"tags_count":8,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Liftric%2Fdependency-track-companion-plugin","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Liftric%2Fdependency-track-companion-plugin/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Liftric%2F
dependency-track-companion-plugin/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Liftric%2Fdependency-track-companion-plugin/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Liftric","download_url":"https://codeload.github.com/Liftric/dependency-track-companion-plugin/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247661748,"owners_count":20975110,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bom","dependency","gradle","plugin","sbom","track","vex"],"created_at":"2024-11-06T04:17:11.487Z","updated_at":"2025-04-07T13:31:35.203Z","avatar_url":"https://github.com/Liftric.png","language":"Kotlin","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Gradle Dependency Track Companion Plugin\n\nThis Gradle plugin is designed to ease the process of working with [Dependency Track](https://dependencytrack.org/), a Continuous SBOM Analysis Platform. 
With this plugin, you can automate the upload of SBOM files, generate VEX files for component- or vulnerability-level suppression, and more.\nThis plugin internally applies the [CycloneDX Gradle plugin](https://github.com/CycloneDX/cyclonedx-gradle-plugin), so you don't need to include it in your project manually.\n\n## Features\n\nThe plugin offers several tasks:\n\n- `createProject`: Creates a Project\n- `generateSbom`: Generates the SBOM (runs \"cyclonedxBom\" from [cyclonedx-gradle-plugin](https://github.com/CycloneDX/cyclonedx-gradle-plugin) under the hood)\n- `uploadSbom`: Uploads the SBOM file.\n- `generateVex`: Generates the VEX file.\n- `uploadVex`: Uploads the VEX file.\n- `analyzeProject`: Triggers vulnerability analysis on a specific project\n- `riskScore`: Gets the risk score. If it is higher than the specified value, the task fails.\n- `getOutdatedDependencies`: Gets outdated dependencies.\n- `getSuppressedVuln`: Gets suppressed vulnerabilities.\n- `runDepTrackWorkflow`: Runs the `generateSbom`, `uploadSbom`, `generateVex` and `uploadVex` tasks for CI/CD.\n\n### Task Configuration\n\nEach task requires certain inputs, which are specified in your `build.gradle.kts`. 
The configuration for each task is as follows:\n\n#### createProject\n\n- `url`: Dependency Track API URL\n- `apiKey`: Dependency Track API KEY\n- `projectName`: The Name of the Project you want to create\n- `projectVersion`: *Optional* - The Version of the Project you want to create\n- `projectActive`: *Optional* - default is true, set to false to create an inactive Project\n- `projectTags`: *Optional* - add Tags to your Project\n- `parentUUID`: *Optional* - Used for creating in a parent project\n- `ignoreProjectAlreadyExists`: *Optional* - default is false, set to true to ignore \"Project already exist\" error\n\n#### uploadSbom\n\n- `url`: Dependency Track API URL\n- `apiKey`: Dependency Track API KEY\n- `inputFile`: *Optional* - Default: build/reports/bom.json\n- `autoCreate`: *Optional* - Default: false\n- `projectUUID`: *Optional* - You need to set UUID or projectName and projectVersion\n- `projectName`: *Optional* - You need to set UUID or projectName and projectVersion\n- `projectVersion`: *Optional* - You need to set UUID or projectName and projectVersion\n- `parentUUID`: *Optional* - Used for creating in a parent project \n- `parentName`: *Optional* - Used for creating in a parent project \n- `parentVersion`: *Optional* - Used for creating in a parent project\n\n#### generateVex\n\n- `vexComponent`: *Optional* - For suppressing vulnerabilities in one component\n- `vexVulnerability`: *Optional* - For suppressing vulnerabilities in all components\n- `inputFile`: *Optional* - Default: build/reports/bom.json\n- `outputFile`: *Optional* - Default: build/reports/vex.json\n\n#### uploadVex\n\n- `url`: Dependency Track API URL\n- `apiKey`: Dependency Track API KEY\n- `outputFile`: *Optional* (Default \"build/reports/vex.json\")\n- `projectUUID`: *Optional* - You need to set UUID or projectName and projectVersion\n- `projectName`: *Optional* - You need to set UUID or projectName and projectVersion\n- `projectVersion`: *Optional* - You need to set UUID or 
projectName and projectVersion\n\n#### riskScore\n\n- `url`: Dependency Track API URL\n- `apiKey`: Dependency Track API KEY\n- `projectUUID`: *Optional* - You need to set UUID or projectName and projectVersion\n- `projectName`: *Optional* - You need to set UUID or projectName and projectVersion\n- `projectVersion`: *Optional* - You need to set UUID or projectName and projectVersion\n- `riskScore`: *Optional* - Used for failing the task if the risk score is higher than the specified value.\n   - `timeout`: *Optional* - If specified, the task will wait for the risk score to be calculated. Default: 0 seconds\n   - `maxRiskScore`: *Optional* - If specified, the task will fail if the risk score is higher than the specified value.\n\n#### analyzeProject\n\n- `url`: Dependency Track API URL\n- `apiKey`: Dependency Track API KEY\n- `projectUUID`: *Optional* - You need to set UUID or projectName and projectVersion\n- `projectName`: *Optional* - You need to set UUID or projectName and projectVersion\n- `projectVersion`: *Optional* - You need to set UUID or projectName and projectVersion\n\n#### getOutdatedDependencies\n\n- `url`: Dependency Track API URL\n- `apiKey`: Dependency Track API KEY\n- `projectUUID`: *Optional* - You need to set UUID or projectName and projectVersion\n- `projectName`: *Optional* - You need to set UUID or projectName and projectVersion\n- `projectVersion`: *Optional* - You need to set UUID or projectName and projectVersion\n\n#### getSuppressedVuln\n\n- `url`: Dependency Track API URL\n- `apiKey`: Dependency Track API KEY\n- `projectUUID`: *Optional* - You need to set UUID or projectName and projectVersion\n- `projectName`: *Optional* - You need to set UUID or projectName and projectVersion\n- `projectVersion`: *Optional* - You need to set UUID or projectName and projectVersion\n\n## Example Configuration\n\nHere's how you can configure all tasks:\n\n```kotlin\nimport com.liftric.dtcp.extensions.*\nimport 
org.cyclonedx.model.vulnerability.Vulnerability\n\nval version: String by project\nval name: String by project\ndependencyTrackCompanion {\n    url.set(\"https://api.dtrack.example.com\")\n    apiKey.set(System.getenv(\"DT_API_KEY\"))\n    autoCreate.set(true)\n    projectName.set(name)\n    projectVersion.set(version)\n    parentName.set(name)\n    riskScore{\n        timeout.set(20.seconds)\n        maxRiskScore.set(7.0)\n    }\n    vexComponent {\n        purl.set(\"pkg:maven/org.eclipse.jetty/jetty-http@9.4.49.v20220914?type=jar\")\n        vulnerability {\n            id.set(\"CVE-2023-26048\")\n            source.set(\"NVD\")\n            analysis.set(Vulnerability.Analysis.State.FALSE_POSITIVE)\n        }\n    }\n    vexVulnerability {\n        id.set(\"CVE-2020-8908\")\n        source.set(\"NVD\")\n        analysis.set(Vulnerability.Analysis.State.RESOLVED)\n        detail.set(\"This is resolved\")\n    }\n}\n```\n\n## License\n\nThis Gradle Dependency Track Plugin is released under MIT License.\n\nThis project is not a derivative of [Dependency Track](https://dependencytrack.org/), but a tool that interacts with it. Please note that Dependency Track is released under the [Apache 2.0 license](https://www.apache.org/licenses/LICENSE-2.0). Refer to their respective licenses for more information.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fliftric%2Fdependency-track-companion-plugin","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fliftric%2Fdependency-track-companion-plugin","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fliftric%2Fdependency-track-companion-plugin/lists"}
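The README above describes two suppression styles (`vexComponent` for one component, `vexVulnerability` for every component) but does not show what the resulting VEX file looks like or how to check it before `uploadVex`. The following Python script is an added example, not part of the README and not the plugin's own code: it builds a CycloneDX 1.4 VEX document for the two suppressions from the example configuration and audits it against the SBOM. The sample SBOM is constructed here, the `bom-ref` = purl convention and the reading of `vexVulnerability` as "affects every SBOM component" are assumptions, and the exact JSON the plugin's `generateVex` task writes may differ.

```python
"""Build and sanity-check a CycloneDX VEX document.

Added example, not code from the dependency-track-companion-plugin project.
Shapes follow the CycloneDX 1.4 vulnerability schema; how the plugin itself
encodes a vexVulnerability entry is an assumption (see build_vex).
"""
import json

# Analysis states defined by the CycloneDX 1.4 vulnerability schema.
VALID_STATES = frozenset({
    "resolved", "resolved_with_pedigree", "exploitable",
    "in_triage", "false_positive", "not_affected",
})

# Constructed sample SBOM (not produced by the plugin). Each component's
# bom-ref is its purl, which is what affects[].ref is matched against.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "components": [
        {"type": "library", "name": "jetty-http", "version": "9.4.49.v20220914",
         "bom-ref": "pkg:maven/org.eclipse.jetty/jetty-http@9.4.49.v20220914?type=jar",
         "purl": "pkg:maven/org.eclipse.jetty/jetty-http@9.4.49.v20220914?type=jar"},
        {"type": "library", "name": "guava", "version": "31.1-jre",
         "bom-ref": "pkg:maven/com.google.guava/guava@31.1-jre?type=jar",
         "purl": "pkg:maven/com.google.guava/guava@31.1-jre?type=jar"},
    ],
}


def _entry(vuln_id, source, state, detail, refs):
    """One CycloneDX vulnerability entry carrying an analysis decision."""
    if state not in VALID_STATES:
        raise ValueError(f"{vuln_id}: unknown analysis state {state!r}")
    entry = {
        "id": vuln_id,
        "source": {"name": source},
        "analysis": {"state": state},
        "affects": [{"ref": r} for r in refs],
    }
    if detail:
        entry["analysis"]["detail"] = detail
    return entry


def build_vex(sbom, component_suppressions, global_suppressions):
    """Assemble a VEX document from the two suppression styles.

    component_suppressions: (ref, vuln_id, source, state, detail) tuples;
        like vexComponent, the decision applies to that one component.
    global_suppressions: (vuln_id, source, state, detail) tuples; like
        vexVulnerability, the decision is attached to every SBOM component
        (assumption: the plugin may encode "all components" differently).
    """
    refs = [c["bom-ref"] for c in sbom.get("components", []) if "bom-ref" in c]
    vulns = []
    for ref, vuln_id, source, state, detail in component_suppressions:
        if ref not in refs:
            raise ValueError(f"{vuln_id}: {ref} is not a component in the SBOM")
        vulns.append(_entry(vuln_id, source, state, detail, [ref]))
    for vuln_id, source, state, detail in global_suppressions:
        vulns.append(_entry(vuln_id, source, state, detail, refs))
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "vulnerabilities": vulns}


def audit_vex(vex, sbom):
    """Findings a reviewer wants before a VEX file is uploaded.

    dangling: affects refs that match no SBOM component, so the suppression
        silently applies to nothing.
    unjustified: false_positive / not_affected decisions without a detail,
        which leave no audit trail for why the finding was dismissed.
    """
    refs = {c.get("bom-ref") for c in sbom.get("components", [])}
    dangling, unjustified = [], []
    for v in vex.get("vulnerabilities", []):
        analysis = v.get("analysis", {})
        for a in v.get("affects", []):
            if a.get("ref") not in refs:
                dangling.append((v["id"], a.get("ref")))
        if (analysis.get("state") in {"false_positive", "not_affected"}
                and not analysis.get("detail")):
            unjustified.append(v["id"])
    return {"dangling": dangling, "unjustified": unjustified}


if __name__ == "__main__":
    vex = build_vex(
        SAMPLE_SBOM,
        [("pkg:maven/org.eclipse.jetty/jetty-http@9.4.49.v20220914?type=jar",
          "CVE-2023-26048", "NVD", "false_positive", None)],
        [("CVE-2020-8908", "NVD", "resolved", "This is resolved")],
    )
    print(json.dumps(vex, indent=2))
    print(audit_vex(vex, SAMPLE_SBOM))
```

Running it prints the VEX JSON and then the audit result; the `false_positive` entry for CVE-2023-26048 is flagged as unjustified because the example configuration gives it no `detail`, while the `resolved` entry for CVE-2020-8908 passes. A dangling ref (a suppression copied from another project, or a purl that changed after a version bump) is the failure mode worth gating on in CI, since Dependency-Track will accept the upload and the finding simply stays open.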