DevSecOps in Practice

A Hands-On Guide to Operationalizing DevSecOps at Scale

Software Bill of Materials and Supply Chain Security

Syft and OWASP DependencyTrack: Putting SBOMs to Work

As shown earlier, passing -o cyclonedx to Syft produces a CycloneDX SBOM. That SBOM can be uploaded to a tool such as Dependency-Track for continuous monitoring and vulnerability management.

Dependency-Track is a Component Analysis platform designed to strengthen software supply chain security by combining SBOM ingestion with vulnerability management. Unlike traditional Software Composition Analysis (SCA) tools, which scan at a point in time, Dependency-Track continuously monitors component usage across all versions of all applications it knows about. The platform integrates with leading vulnerability intelligence sources such as NVD, Sonatype OSS Index, GitHub Advisories, Snyk, OSV, and VulnDB, and helps organizations track security, license, and operational risks in both open-source and proprietary components. Thanks to its API-first design, integration into CI/CD pipelines is direct and developer-friendly, and it supports a wide range of ecosystems including Java, Python, JavaScript, .NET, and Ruby. It also offers policy enforcement, private vulnerability databases, compliance tracking, and automated notifications through platforms like Slack, Microsoft Teams, and Jira.

The goal of this section is to show how to integrate a CycloneDX SBOM generated by Syft with DependencyTrack. To proceed, we need to generate a CycloneDX SBOM:

# Generate CycloneDX SBOM for the menu-service image
syft registry.gitlab.com/restqr/restqr/menu-service:v0.1.0 \
    -o cyclonedx > $HOME/menu-service-bom.xml
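Before the SBOM goes anywhere, it is worth checking what is in it: Dependency-Track correlates components with its vulnerability sources through each component's Package URL (purl), so a component Syft could not assign a purl to will never produce a finding. The script below is an added example and is not code from the book or from the Syft or Dependency-Track projects. It parses a CycloneDX XML SBOM, lists components without a purl, and builds the JSON body for Dependency-Track's BOM upload endpoint (PUT /api/v1/bom, authenticated with an X-Api-Key header; the BOM travels base64-encoded and autoCreate lets the server create the project on first upload). The embedded SBOM is a constructed sample in the shape Syft emits, and the DT_API_URL and DT_API_KEY environment variable names are this example's own choice.

```python
"""Inspect a Syft CycloneDX XML SBOM and build the Dependency-Track upload request.

Added example, not from the book. Assumes Dependency-Track's BOM upload endpoint
PUT /api/v1/bom with a JSON body {projectName, projectVersion, autoCreate, bom}
(bom base64-encoded) and an X-Api-Key header; the server URL and API key are
read from DT_API_URL / DT_API_KEY (environment variable names chosen here).
"""
import base64
import json
import os
import sys
import xml.etree.ElementTree as ET
from urllib import request

# Constructed sample in the shape Syft emits with `-o cyclonedx`; a real run
# would read $HOME/menu-service-bom.xml instead (pass the path as argv[1]).
SAMPLE_BOM = """<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.5" serialNumber="urn:uuid:11111111-2222-3333-4444-555555555555" version="1">
  <metadata>
    <component type="container" bom-ref="menu-service-image">
      <name>registry.gitlab.com/restqr/restqr/menu-service</name>
      <version>v0.1.0</version>
    </component>
  </metadata>
  <components>
    <component type="library" bom-ref="pkg:golang/github.com/gin-gonic/gin@v1.9.1">
      <name>github.com/gin-gonic/gin</name>
      <version>v1.9.1</version>
      <licenses><license><id>MIT</id></license></licenses>
      <purl>pkg:golang/github.com/gin-gonic/gin@v1.9.1</purl>
    </component>
    <component type="library" bom-ref="pkg:apk/alpine/musl@1.2.4-r2?arch=x86_64">
      <name>musl</name>
      <version>1.2.4-r2</version>
      <purl>pkg:apk/alpine/musl@1.2.4-r2?arch=x86_64</purl>
    </component>
    <component type="library" bom-ref="local-helper">
      <name>internal-helper</name>
      <version>0.0.1</version>
    </component>
  </components>
</bom>
"""


def summarize(bom_xml: str) -> dict:
    """Return component counts plus the components Dependency-Track cannot match.

    Vulnerability sources (NVD, OSV, ...) are correlated via the purl, so a
    component without one never gets findings; the pipeline should at least warn.
    """
    root = ET.fromstring(bom_xml)
    # `{*}` matches any CycloneDX schema-version namespace (1.4, 1.5, ...).
    components = root.findall("./{*}components/{*}component")
    missing_purl = [c.findtext("{*}name") for c in components if c.find("{*}purl") is None]
    purls = [c.findtext("{*}purl") for c in components if c.find("{*}purl") is not None]
    return {
        "serial_number": root.get("serialNumber"),
        "component_count": len(components),
        "purls": purls,
        "missing_purl": missing_purl,
    }


def build_upload_payload(bom_xml: str, project_name: str, project_version: str) -> dict:
    """JSON body for PUT /api/v1/bom; the BOM itself is sent base64-encoded."""
    return {
        "projectName": project_name,
        "projectVersion": project_version,
        "autoCreate": True,
        "bom": base64.b64encode(bom_xml.encode()).decode(),
    }


def upload(payload: dict, api_url: str, api_key: str) -> dict:
    """PUT the payload; Dependency-Track replies with a processing token."""
    req = request.Request(
        api_url.rstrip("/") + "/api/v1/bom",
        data=json.dumps(payload).encode(),
        method="PUT",
        headers={"Content-Type": "application/json", "X-Api-Key": api_key},
    )
    with request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    bom = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BOM
    info = summarize(bom)
    print(f"{info['component_count']} components, "
          f"{len(info['missing_purl'])} without purl: {info['missing_purl']}")
    payload = build_upload_payload(bom, "menu-service", "v0.1.0")
    if os.environ.get("DT_API_URL") and os.environ.get("DT_API_KEY"):
        print(upload(payload, os.environ["DT_API_URL"], os.environ["DT_API_KEY"]))
    else:
        print("DT_API_URL/DT_API_KEY not set; skipping upload")
```

Run it with the SBOM path as the first argument (python3 sbom_check.py $HOME/menu-service-bom.xml). Without the two environment variables it only reports; with them set it performs the upload, which is the behaviour you want in a CI job where the API key lives in a protected pipeline variable.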

Next, we need to install DependencyTrack. The easiest way to do this is using Docker Compose:

# Create a directory for DependencyTrack (-p also creates missing parents)
mkdir -p "$HOME/RestQR/deploy/dependencytrack"

# Download the Docker Compose file
curl -L \
    https://dependencytrack.org/docker-compose.yml \
    -o "$HOME/RestQR/deploy/dependencytrack/docker-compose.yml"

Edit the docker-compose.yml file to change variables like:

  • API_BASE_URL: The base URL of the DependencyTrack instance (use the external IP or domain).

Example:

[...]
  frontend:
    image: dependencytrack/frontend
    depends_on:
      apiserver:
        condition: service_healthy
    environment:
      # The base URL of the API server.
      # NOTE:
      #   * This URL must be reachable by the browsers of your users.
      #   * The frontend container itself does NOT communicate with the API server directly, it just serves static files.
      #   * When deploying to dedicated servers, please use the external IP or domain of the API server.
      API_BASE_URL: "http://161.35.75.172:8081/"
      # OIDC_ISSUER: ""
      # OIDC_CLIENT_ID: ""
      # OIDC_SCOPE: ""
      # OIDC_FLOW: ""
      # OIDC_LOGIN_BUTTON_TEXT: ""
      # volumes:
      # - "/host/path/to/config.json:/app/static/config.json"
    ports:
      - "8080:8080"
    restart: unless-stopped

[...]
  • EXTRA_JAVA_OPTIONS: Additional Java options like -Xmx4G to set the maximum heap size.

Example:

[...]
  apiserver:
    image: dependencytrack/apiserver
    depends_on:
      postgres:
        condition: service_healthy
    environment:
      ALPINE_DATABASE_MODE:
