@dhelmr When BOMs are uploaded, they are processed and discarded, they are not saved. There is a REST endpoint that lets you export a project in CycloneDX format. This endpoint dynamically generates the BOM based on what’s in the current project.
You’re using project versions correctly. If there’s a need to track individual releases of the same software, then the approach you’re taking is valid. If there is no need to track old versions, then you could either delete the old projects, or in v3.6 you’ll be able to set projects as active or inactive. DependencyTrack/dependency-track#399
Eventually, when the UI gets a makeover, there will be a way in the UI to easily find a project and drill into all children thus removing the need to display all projects at once in a big table. DependencyTrack/dependency-track#84
processing will be true if it’s still being worked on. The value will be false if processing is complete or the token is invalid. Once you get a false return value, you can then query the findings API (or vulnerability API) to retrieve the current results. This is essentially what the Jenkins plugin does when ‘synchronous processing mode’ is enabled.
Hi guys, has anyone managed to enable SSL/TLS at the application level? Similar to the Jenkins way of doing it, without the need to deploy any Apache or Nginx in front. I am using the embedded WAR and figured out it’s built on Jetty, but the application doesn’t seem to provide any arguments or support for handling SSL/TLS.
Something like this Jenkins way will not work: owasp@ip:~$ java -Xmx8G --httpPort=-1 --httpsPort=8443 --httpsKeyStore=/usr/local/share/ca-certificates/sca.jks --httpsKeyStorePassword=xxxxxxx -jar dependency-track-embedded.war
Anyone an idea? Or do I need to deploy Apache/Nginx to enable HTTPS? The application is deployed on an AWS EC2 instance, thanks for the help.
@jonbrohauge A community developed Maven plugin already exists. A link to the repo is on the OWASP Dependency-Track wiki. https://www.owasp.org/index.php/OWASP_Dependency_Track_Project
What does the version from Topdanmark do that is unique/different from the existing one?
I see some Maven issues related to xml-apis, does anyone see these with the Gradle plugin? CycloneDX: Creating BOM
:cyclonedxBom (Thread[Task worker for ':',5,main]) completed. Took 0.602 secs.
FAILURE: Build failed with an exception.