Azure DevOps & Code Dependency-Track integration


Trying to integrate Dependency-Track with Azure DevOps; currently we are using Bitbucket with Dependency-Track.

I have already installed this extension in my project: https://marketplace.visualstudio.com/items?itemName=GSoft.dependency-track-vsts

Not sure where I can find the extension in Azure DevOps, and not sure how to use this extension to complete my integration with Azure DevOps.

Regards, Shan

Installed the extension in my Azure DevOps project and am trying to find the BOM file and YML file to make use of this extension.

Dependency track - https://docs.dependencytrack.org/usage/cicd/


There is 1 best solution below

Andy Li-MSFT

Not sure where I can find the extension in Azure DevOps, and not sure how to use this extension to complete my integration with Azure DevOps.

It's a pipeline task extension; it adds the "Upload a BOM file to Dependency Track" task to Azure DevOps. You can find the task when creating a pipeline.


For the inputs, you can reference the parameters described in the extension overview page or this GitHub page.

For the usages, you can reference the pipeline samples mentioned in the extension overview page or this GitHub page.

Basic Usage Example:

trigger:
- master

pool:
  vmImage: 'ubuntu-latest'

steps:
- task: NodeTool@0
  inputs:
    versionSpec: '18.x'
  displayName: 'Install Node.js'

- script: |
    npm install
    npm install -g @cyclonedx/cyclonedx-npm
  displayName: 'npm install'

- script: |
    cyclonedx-npm --version
    cyclonedx-npm --output-file '$(Agent.TempDirectory)/bom.xml'
  displayName: 'Create BOM'

- task: upload-bom-dtrack-task@1
  displayName: 'Upload BOM to https://dtrack.example.com/'
  inputs:
    bomFilePath: '$(Agent.TempDirectory)/bom.xml'
    dtrackProjId: '00000000-0000-0000-0000-000000000000'
    dtrackAPIKey: '$(dtrackAPIKey)'
    dtrackURI: 'https://dtrack.example.com/'

To understand Dependency-Track, you can reference the following threads:

UPDATE:

I created a C# project and referenced the vulnerable NuGet package [email protected]. The vulnerability can be seen after the BOM file is uploaded to DT. You can give it a try.


YAML for your reference:

trigger:
- master

pool:
  vmImage: 'ubuntu-latest'

steps:
- task: UseDotNet@2
  inputs:
    packageType: 'sdk'
    version: '8.x'
- task: DotNetCoreCLI@2
  displayName: Install CycloneDX
  inputs:
    command: 'custom'
    custom: 'tool'
    arguments: 'install --global CycloneDX'
- task: DotNetCoreCLI@2
  displayName: Create BOM File
  inputs:
    command: 'custom'
    custom: 'CycloneDX'
    arguments: '-d $(Build.Repository.LocalPath)/WebApplication/WebApplication.sln -o $(Agent.TempDirectory)'
- task: upload-bom-dtrack-task@1
  displayName: 'Upload BOM to http://xxx/'
  inputs:
    bomFilePath: '$(Agent.TempDirectory)/bom.xml'
    dtrackProjName: 'WebAPP'
    dtrackProjVersion: 'v1.2'
    dtrackProjAutoCreate: true
    dtrackAPIKey: '$(dtrackAPIKey)'
    dtrackURI: 'http://xxxx:8081'
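The task in the answer above wraps Dependency-Track's REST API. The following is an added example, not code from the question, the answer, or the GSoft extension, showing what that upload looks like on the wire and the two things the task's YAML alone does not make visible: BOM analysis is asynchronous (a token has to be polled before findings are meaningful), and the upload by itself never fails a build, so a gate on findings has to be added separately. It uses only documented endpoints (`PUT /api/v1/bom` with a base64 BOM in a JSON body, `GET /api/v1/bom/token/{token}`, `GET /api/v1/project/lookup`, `GET /api/v1/finding/project/{uuid}`). The host `dtrack.example.com`, the key `test-key`, the project `WebAPP`/`v1.2`, the sample BOM and the fake server are all constructed for the example; the HTTP layer is injectable so the flow runs offline against that fake.

```python
"""Added example: a minimal Dependency-Track BOM upload client with a findings gate.
Not the GSoft task's code; uses the documented REST API with an injectable transport."""
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional

# Constructed sample input: a minimal CycloneDX 1.4 BOM with a single component.
SAMPLE_BOM_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <components>
    <component type="library">
      <name>example-lib</name><version>1.0.0</version>
      <purl>pkg:npm/example-lib@1.0.0</purl>
    </component>
  </components>
</bom>
"""

# transport(method, url, headers, body) -> decoded JSON response
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], object]


def urllib_transport(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> object:
    """Real HTTP transport; urlopen raises HTTPError on non-2xx responses."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


class DTrackClient:
    def __init__(self, base_url: str, api_key: str, transport: Transport = urllib_transport):
        # The API key travels in the X-Api-Key header on every call, so refuse plain HTTP.
        if not base_url.lower().startswith("https://"):
            raise ValueError("Dependency-Track URL must use https://")
        self.base = base_url.rstrip("/")
        self.headers = {"X-Api-Key": api_key, "Content-Type": "application/json",
                        "Accept": "application/json"}
        self.transport = transport

    def upload_bom(self, bom: bytes, name: str, version: str, auto_create: bool = True) -> str:
        """PUT the BOM (base64 in JSON); returns the processing token the server hands back."""
        payload = {"projectName": name, "projectVersion": version, "autoCreate": auto_create,
                   "bom": base64.b64encode(bom).decode("ascii")}
        resp = self.transport("PUT", f"{self.base}/api/v1/bom", self.headers,
                              json.dumps(payload).encode("utf-8"))
        return resp["token"]

    def wait_for_processing(self, token: str, timeout_s: float = 300, poll_s: float = 2,
                            sleep: Callable[[float], None] = time.sleep) -> bool:
        """Poll until analysis finishes; False on timeout. Findings read before this
        returns True describe the previous upload, not the one just sent."""
        deadline = time.monotonic() + timeout_s
        while True:
            status = self.transport("GET", f"{self.base}/api/v1/bom/token/{token}", self.headers, None)
            if not status.get("processing", False):
                return True
            if time.monotonic() >= deadline:
                return False
            sleep(poll_s)

    def lookup_project(self, name: str, version: str) -> str:
        q = urllib.parse.urlencode({"name": name, "version": version})
        return self.transport("GET", f"{self.base}/api/v1/project/lookup?{q}", self.headers, None)["uuid"]

    def findings(self, project_uuid: str) -> List[dict]:
        return self.transport("GET", f"{self.base}/api/v1/finding/project/{project_uuid}",
                              self.headers, None)


def count_by_severity(findings: List[dict]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        sev = f.get("vulnerability", {}).get("severity", "UNASSIGNED")
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def gate_passes(counts: Dict[str, int], max_critical: int = 0, max_high: int = 0) -> bool:
    """Build gate: the upload alone never fails a pipeline; this decides pass/fail."""
    return counts.get("CRITICAL", 0) <= max_critical and counts.get("HIGH", 0) <= max_high


def make_fake_transport() -> Transport:
    """Constructed stand-in for a server: two 'still processing' polls, then 2 HIGH + 1 LOW."""
    state = {"polls": 0}
    uuid = "11111111-2222-3333-4444-555555555555"

    def fake(method, url, headers, body):
        assert headers.get("X-Api-Key") == "test-key"
        if method == "PUT" and url.endswith("/api/v1/bom"):
            assert base64.b64decode(json.loads(body)["bom"]) == SAMPLE_BOM_XML
            return {"token": "tok-1"}
        if "/api/v1/bom/token/tok-1" in url:
            state["polls"] += 1
            return {"processing": state["polls"] < 3}
        if "/api/v1/project/lookup?" in url:
            return {"uuid": uuid, "name": "WebAPP", "version": "v1.2"}
        if url.endswith(f"/api/v1/finding/project/{uuid}"):
            return [{"vulnerability": {"severity": s}} for s in ("HIGH", "LOW", "HIGH")]
        raise AssertionError(f"unexpected call {method} {url}")
    return fake


def run_pipeline_step(transport: Optional[Transport] = None,
                      sleep: Callable[[float], None] = time.sleep) -> Dict[str, int]:
    """Upload, wait for processing, then summarise findings, as a pipeline step would."""
    if transport is None:  # offline demo against the constructed fake
        transport, sleep = make_fake_transport(), (lambda _s: None)
    client = DTrackClient("https://dtrack.example.com", "test-key", transport)
    token = client.upload_bom(SAMPLE_BOM_XML, "WebAPP", "v1.2")
    if not client.wait_for_processing(token, timeout_s=60, poll_s=2, sleep=sleep):
        raise TimeoutError("BOM still processing after timeout")
    return count_by_severity(client.findings(client.lookup_project("WebAPP", "v1.2")))


if __name__ == "__main__":
    summary = run_pipeline_step()
    print(summary, "gate passes:", gate_passes(summary))
```

In a real pipeline the key comes from a secret variable exactly as `$(dtrackAPIKey)` does in the YAML above, and the server URL should be HTTPS rather than the plain `http://...:8081` in the second sample, since the header carries the key in clear. Scope the API key to the least the flow needs: BOM upload, plus portfolio management only if `autoCreate` is used, and vulnerability viewing if the gate reads findings.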