Terror
@mterron
1) It depends if you have persistent storage or not I guess. It is updated periodically. 2) Yes
Robb Hill
@vortextube
On #1, any way to see the frequency of updates or know when it does update? I can't see any settings or events in the application that indicates activity.
On #2 are there any details anywhere or app code I can take a look at that would help me understand the applications expected behavior?
Terror
@mterron
@vortextube Yes to both. DT is hosted on github and also there's a full blown documentation website.
Jon Brohauge
@jonbrohauge
Anybody have an example of how to implement pagination via the component API?
Steve Springett
@stevespringett
@jonbrohauge you can use page/size as query strings, or offset/limit as query string.
Terror
@mterron
Can I define more than 1 server on LDAP_URL to use for failover purposes?
Steve Springett
@stevespringett
@mterron No, that’s currently not possible and will likely not be a roadmap item. The next auth enhancements will be around oauth with oidc.
Jon Brohauge
@jonbrohauge
Couldn't find a maven plugin for Dependency-Track, so we made our own and open sourced it. https://github.com/topdanmark/dependency-track-maven-plugin
Steve Springett
@stevespringett

@jonbrohauge A community developed Maven plugin already exists. A link to the repo is on the OWASP Dependency-Track wiki. https://www.owasp.org/index.php/OWASP_Dependency_Track_Project

https://github.com/pmckeown/dependency-track-maven-plugin

What does the version from Topdanmark do that is unique/different from the existing one?

Jon Brohauge
@jonbrohauge
@stevespringett Thanks for the heads up, I was not aware of the plugin. Must have missed it somehow when searching for a plugin. Will definitely take a closer look to see if it serves our needs.
Jon Brohauge
@jonbrohauge
If the commit dates are correct, it looks like we started our plugins at the same time, more or less.
Robb Hill
@vortextube

I see some Maven issues related to xml-apis, anyone see these with the gradle plugin?

CycloneDX: Creating BOM
:cyclonedxBom (Thread[Task worker for ':',5,main]) completed. Took 0.602 secs.

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':cyclonedxBom'.
> org/w3c/dom/ElementTraversal

Anyone else run into this issue?
Barath Subramaniam
@baraths84
@stevespringett - Need some inputs to understand VulnDB through RiskBasedSecurity: "Dependency-Track can leverage VulnDB by incorporating the entire contents of the VulnDB service. In doing so, VulnDB data becomes a first-class citizen in Dependency-Track working alongside other sources of data to identify risk."
Does it mean it erases the current data feed (which shows 130495 counts on the UI "Vulnerabilities") and brings in a complete new set from VulnDB?
Steve Springett
@stevespringett
Enabling VulnDB will import over 200K new vulnerabilities. All existing vulns from NVD, NPM, etc remain unchanged. VulnDB would be really good for asset vulnerabilities (applications, operating systems, servers, etc). I don’t think it will be overly valuable for libraries at this point, since VulnDB does not support PackageURL
I think they have over 60K vulns that are not listed in the NVD
Also, if you’re only showing 130495 vulns, that is incomplete. Can’t remember exactly, but there are over 160K in the NVD. You can force a reimport by wiping out the ~/.dependency-track/nist directory. The next time the server starts (or the next time it syncs - which is every 24 hours) it will grab all vulns from NVD giving you the complete list
Barath Subramaniam
@baraths84
Thank you @stevespringett for your inputs on VulnDB, and I will wipe the directory to fix the count. Are all feeds extracted from this location and imported into the platform > https://nvd.nist.gov/vuln/data-feeds (JSON feeds)? I am thinking whether there is a way to parse the count and always ensure the count is accurate in the deployed Dependency-Track platform (possibly by developing a utility). My Dependency-Track has been up and running for the last few weeks; I am not sure why there is such a big count difference, or if it's a one-off interim sync-up issue.
Barath Subramaniam
@baraths84
@stevespringett - I'd like to confirm with you on the vulnerability count. Even after a forced reimport I still see the count at 130797. Can you please suggest any other steps, if there is anything I am missing, to get this fixed? Dependency Check is disabled; does it have any impact on this count?
Steve Springett
@stevespringett
My fault. That number is correct. I’ve been working with VulnDB for so long that I got used to having a much larger count. 130k is correct
Barath Subramaniam
@baraths84
@stevespringett np thanks for confirming !
Patrick Dwyer
@patros
Anyone here with LDAP experience? I have it all working except mapped LDAP groups. I can see a list of groups, and can add a group as a mapped group. But I don't get any of the permissions of that team when I login. I'm using Okta (doco https://help.okta.com/en/prod/Content/Topics/Directory/LDAP_Using_the_LDAP_Interface.htm). And my configured settings (some values replaced with "*")...
{
"name": "ALPINE_LDAP_ATTRIBUTE_MAIL",
"value": "email",
"slotSetting": false
},
{
"name": "ALPINE_LDAP_ATTRIBUTE_NAME",
"value": "uid",
"slotSetting": false
},
{
"name": "ALPINE_LDAP_AUTH_USERNAME_FORMAT",
"value": "%s",
"slotSetting": false
},
{
"name": "ALPINE_LDAP_BASEDN",
"value": "dc=*,dc=okta-emea,dc=com",
"slotSetting": false
},
{
"name": "ALPINE_LDAP_BIND_PASSWORD",
"value": "=*",
"slotSetting": false
},
{
"name": "ALPINE_LDAP_BIND_USERNAME",
"value": "uid==*,dc==*,dc=okta-emea,dc=com",
"slotSetting": false
},
{
"name": "ALPINE_LDAP_ENABLED",
"value": "true",
"slotSetting": false
},
{
"name": "ALPINE_LDAP_GROUPS_FILTER",
"value": "(&(objectClass=groupOfUniqueNames))",
"slotSetting": false
},
{
"name": "ALPINE_LDAP_GROUPS_SEARCH_FILTER",
"value": "(&(objectClass=groupOfUniqueNames)(cn={SEARCH_TERM}))",
"slotSetting": false
},
{
"name": "ALPINE_LDAP_SECURITY_AUTH",
"value": "simple",
"slotSetting": false
},
{
"name": "ALPINE_LDAP_SERVER_URL",
"value": "ldaps://=*.ldap.okta-emea.com:636",
"slotSetting": false
},
{
"name": "ALPINE_LDAP_USER_GROUPS_FILTER",
"value": "(&(objectClass=groupOfUniqueNames)(uniqueMember={USER_DN}))",
"slotSetting": false
},
{
"name": "ALPINE_LDAP_USERS_SEARCH_FILTER",
"value": "(&(objectClass=inetOrgPerson)(cn={SEARCH_TERM}))",
"slotSetting": false
},
Steve Springett
@stevespringett
@patros Okta LDAP may or may not work. It was not tested nor do I have a way to test. You might want to set the logging level to DEBUG to provide more information. Also, the Slack channel has a lot more members if you want to reach out there as well.
Patrick Dwyer
@patros
Thanks @stevespringett. I'll repost in Slack after getting a bit more logging output. Meanwhile, that Slack invite link no longer works.
Terror
@mterron
@stevespringett can you open invites to Slack? I can't join
Steve Springett
@stevespringett
It seems the OWASP invites have expired - they do occasionally. I’m waiting for an OWASP Slack admin to regenerate a new invite code. Other projects have recently complained of the issue as well.
Steve Springett
@stevespringett
OWASP admins have regenerated a new invite code. https://dependencytrack.org/slack/invite should now work again
Barath Subramaniam
@baraths84
@stevespringett /All - I reported a bug under Sonatype for a finding which I observed via Dependency-Track - OSSIndex/vulns#35. Thought of sharing it with you for any inputs/suggestions on this. Thank you!
Jon Brohauge
@jonbrohauge
We're using dependency-track in docker. Is there a description as to how to enable https?
Or put in another way, which webserver is dependency-track running on in the container?
Steve Springett
@stevespringett
Dependency-Track uses an embedded Jetty instance. It’s a similar approach to what Spring Boot does. Certs are not configurable. Most folks put nginx (or similar) in front of these types of containers to enable https.
Jon Brohauge
@jonbrohauge
@steve thx for the info.
Cameronwyatt
@Cameronwyatt
I've been searching but haven't found much in the way of answers - is there a (hopefully easy) way to change where dependency track downloads the CVE definitions? We're working in a mostly disconnected environment and would like to load the definitions into a tool like nexus or artifactory and point dependency track there, instead of trying to expose it to the internet
Steve Springett
@stevespringett
@Cameronwyatt DT is not designed to work in a disconnected environment. Access to the NVD, NPM, and OSS Index are required for vulnerability analysis (npm audit and ossindex are apis and cannot be downloaded). Access to external repos is required for out-of-date analysis (internal repos by definition are not the source of truth). Future forms of analysis (decentralized vulnerability intel and project health) will also require external access.
I think the only form of analysis that may be able to be performed in a disconnected environment is CPE analysis of asset components (applications, operating systems, and hardware). But you’d have to do some DNS trickery to fool DT into downloading from an internal mirror as opposed to the NVD itself. The URLs are not configurable.
Cameronwyatt
@Cameronwyatt
@stevespringett thank you for the prompt and informative response. Is getting DT to work in a disconnected environment something that you're/the community is interested in eventually implementing, or is it outside the scope of this tool?
Steve Springett
@stevespringett
I think it’s largely out of scope. DT is agnostic with regard to providers of vulnerability intelligence and uses multiple sources. This will be increasing over time. DT currently supports NVD, VulnDB, NPM audit, and OSS Index, and will be expanding this to support Snyk, Nexus IQ, and GitHub advisories in the future. So if anything, the reliance on external sources will increase over time.
Nille af Ekenstam
@nille
New to Dependency-Track and looking for information on what our options are for user provisioning/SSO. I can see from the documentation that LDAP is supported, but unfortunately internal policies here prohibit that as an option for us. Does anybody know if, for example, SAML SSO via Azure is on the project roadmap? Or anything else, such as GitHub auth or similar? Much appreciated, and sorry if this question has been answered before – I tried the search function here but couldn't find anything.
Steve Springett
@stevespringett
@nille refer to stevespringett/Alpine#10 the feature didn’t make it into the 1.6.0 milestone.
Nille af Ekenstam
@nille
@stevespringett Ah, thanks! Looks like it may end up in a future major release then. This is good enough for us.
David J. M. Karlsen
@davidkarlsen
@stevespringett Any thoughts on https://issues.jenkins-ci.org/browse/JENKINS-60643 ?
David J. M. Karlsen
@davidkarlsen
running the cyclonedx plugin to generate aggregateBom, and it hangs forever at:
21:38:03 [ERROR] I/O error opening Json TOC URL, using local TOC file
21:40:10 [WARNING] Unable to open SPDX listed license model.  Using local file copy for SPDX listed licenses
21:42:17 [WARNING] Unable to open SPDX listed license model.  Using local file copy for SPDX listed licenses
21:44:24 [WARNING] Unable to open SPDX listed license model.  Using local file copy for SPDX listed licenses
21:46:30 [WARNING] Unable to open SPDX listed license model.  Using local file copy for SPDX listed licenses
21:48:36 [WARNING] Unable to open SPDX listed license model.  Using local file copy for SPDX listed licenses
21:50:43 [WARNING] Unable to open SPDX listed license model.  Using local file copy for SPDX listed licenses
21:52:49 [ERROR] I/O error opening Json TOC URL, using local TOC file
Jon Brohauge
@jonbrohauge
We are preparing to upgrade dependency-track from 3.6.0 to 3.7.1. We are running docker, is there any way to preserve the API-keys generated? Are they saved in the database?
Steve Springett
@stevespringett
@jonbrohauge API keys are stored in the database. Upgrading to 3.7.1 will have no effect on them. However, please review the upgrade notes for 3.7.0 as some of the changes might be important to you. https://docs.dependencytrack.org/changelog/
Jon Brohauge
@jonbrohauge
@stevespringett Thanks for the heads up. Will review the changelog. Luckily I didn't find any relevant API changes.
David J. M. Karlsen
@davidkarlsen
@stevespringett any idea https://issues.jenkins-ci.org/browse/JENKINS-60643 ? there is a “double up” config screen