search

OWASP Dependency-track

Installation an example usages

Add dependency-track helm repository

helm repo add dependency-track https://dependencytrack.github.io/helm-charts

Deploy depencency-track helm chart, hostname is my minikube instance. Use the appropiate hostname for your environment

helm upgrade --install dtrack dependency-track/dependency-track \
  --set ingress.enabled=true \
  --set ingress.hostname=dtrack.$(minikube ip).nip.io

Browse to your ingress kubectl get ingress -o yaml | awk '/host/ {print$3}'

Default username and password are admin/admin, you must change them before do anything

Create a new team at <URL>/admin/accessManagement/teams

On the new team generate an API KEY

Add required permissions, at least BOM upload

Download an example git repository

git clone https://github.com/xNaaro/vulnerable_python.git
cd vulnerable_python

Install syft to create an example SBOM of the above repository

curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /tmp/

Create an SBOM of the example repository

/tmp/syft . -o cyclonedx-json > cyclonedx.json
 ✔ Indexed file system                                                                     .
 ✔ Cataloged contents              cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82  
   ├── ✔ Packages                        [1 packages]  
   ├── ✔ File digests                    [1 files]  
   ├── ✔ File metadata                   [1 locations]  
   └── ✔ Executables                     [0 executables]  
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID

Upload SBOM to dependency-check

Now in your frontend server should have a project called vulnerablepython with flask as vulnerable package

First installation of dependency-track may take for a while to update vulnerabilities lists

PreviousZarf - Airgap deployment in kubernetesNextOpenDaylight in a Docker

Last updated