https://github.com/jetstack/dependency-track-exporter
https://github.com/jetstack/dependency-track-exporter
Last synced: 7 months ago
JSON representation
- Host: GitHub
- URL: https://github.com/jetstack/dependency-track-exporter
- Owner: jetstack
- License: apache-2.0
- Created: 2022-03-17T16:35:23.000Z (almost 4 years ago)
- Default Branch: main
- Last Pushed: 2024-08-03T21:37:44.000Z (over 1 year ago)
- Last Synced: 2025-04-14T05:06:10.630Z (9 months ago)
- Language: Go
- Homepage:
- Size: 156 KB
- Stars: 24
- Watchers: 10
- Forks: 6
- Open Issues: 15
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# Dependency-Track Exporter
Exports Prometheus metrics for [Dependency-Track](https://dependencytrack.org/).
## Usage
```
usage: dependency-track-exporter []
Flags:
-h, --help Show context-sensitive help (also try --help-long and --help-man).
--web.config.file="" [EXPERIMENTAL] Path to configuration file that can enable TLS or authentication.
--web.listen-address=":9916"
Address to listen on for web interface and telemetry.
--web.metrics-path="/metrics"
Path under which to expose metrics
--dtrack.address=DTRACK.ADDRESS
Dependency-Track server address (default: http://localhost:8080 or $DEPENDENCY_TRACK_ADDR)
--dtrack.api-key=DTRACK.API-KEY
Dependency-Track API key (default: $DEPENDENCY_TRACK_API_KEY)
--log.level=info Only log messages with the given severity or above. One of: [debug, info, warn, error]
--log.format=logfmt Output format of log messages. One of: [logfmt, json]
--version Show application version.
```
The API key the exporter uses needs to have the following permissions:
- `VIEW_POLICY_VIOLATION`
- `VIEW_PORTFOLIO`
## Metrics
| Metric | Meaning | Labels |
| ----------------------------------------------- | --------------------------------------------------------------------- | ------------------------------------------------ |
| dependency_track_portfolio_inherited_risk_score | The inherited risk score of the whole portfolio. | |
| dependency_track_portfolio_vulnerabilities | Number of vulnerabilities across the whole portfolio, by severity. | severity |
| dependency_track_portfolio_findings | Number of findings across the whole portfolio, audited and unaudited. | audited |
| dependency_track_project_info | Project information. | uuid, name, version, active, tags |
| dependency_track_project_vulnerabilities | Number of vulnerabilities for a project by severity. | uuid, name, version, severity |
| dependency_track_project_policy_violations | Policy violations for a project. | uuid, name, version, state, analysis, suppressed |
| dependency_track_project_last_bom_import | Last BOM import date, represented as a Unix timestamp. | uuid, name, version |
| dependency_track_project_inherited_risk_score | Inherited risk score for a project. | uuid, name, version |
## Example queries
Retrieve the number of `WARN` policy violations that have not been analyzed or
suppressed:
```
dependency_track_project_policy_violations{state="WARN",analysis!="APPROVED",analysis!="REJECTED",suppressed="false"} > 0
```
Exclude inactive projects:
```
dependency_track_project_policy_violations{state="WARN",analysis!="APPROVED",analysis!="REJECTED",suppressed="false"} > 0
and on(uuid) dependency_track_project_info{active="true"}
```
Only include projects tagged with `prod`:
```
dependency_track_project_policy_violations{state="WARN",analysis!="APPROVED",analysis!="REJECTED",suppressed="false"} > 0
and on(uuid) dependency_track_project_info{active="true",tags=~".*,prod,.*"}
```
Or, join the tags label into the returned series. Filtering on active/tag could
then happen in alert routes:
```
(dependency_track_project_policy_violations{state="WARN",analysis!="APPROVED",analysis!="REJECTED",suppressed="false"} > 0)
* on (uuid) group_left(tags,active) dependency_track_project_info
```