feat: implement parent collection logic (1a801787) · Commits · to be continuous... / Dependency-Track

README.md

+19 −14

Original line number	Diff line number	Diff line
		@@ -97,6 +97,9 @@ That means:

		- The project structure in Dependency Track will always be two levels deep:
		- a _root_ project bearing the name of the GitLab project namespace,
		- it will be created as a [collection project](https://docs.dependencytrack.org/usage/collection-projects/) aggregating all its direct children (requires a Dependency Track version higher than 4.13.0)
		- `DEPTRACK_PARENT_COLLECTION_LOGIC` will set for which children statistics will be collected or disable the collection
		- `DEPTRACK_PARENT_COLLECTION_LOGIC_TAG` for the tag to match for if the `DEPTRACK_PARENT_COLLECTION_LOGIC` is set to `TAG`
		- and _leaf_ projects (hosting SBOM files) bearing the full path of the GitLab project as a name, suffixed with the
		SBOM file prefix and with project version matching either the Git branch name or the Git tag name (depending on the
		kind of pipeline that originated the SBOM file).
		@@ -166,12 +169,14 @@ Examples:
		The Dependency Track template uses the following configuration.

		\| Input / Variable \| Description \| Default value \|
		\| -------------------------------------------------------- \| ------------------------------------------------------------------------------------------------------------------------ \| --------------------------------------------------------------------------- \|
		\| ---------------------------------------------------------------------- \| --------------------------------------------------------------------------------------------------------------------------------- \| --------------------------------------------------------------------------- \|
		\| `sbom-scanner-image` / `DEPTRACK_SBOM_SCANNER_IMAGE` \| The container image with [Dependency Track SBOM Scanner](https://gitlab.com/to-be-continuous/tools/dt-sbom-scanner) tool \| `registry.gitlab.com/to-be-continuous/tools/dt-sbom-scanner:latest` <br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DEPTRACK_SBOM_SCANNER_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DEPTRACK_SBOM_SCANNER_IMAGE) \|
		\| `base-api-url` / `DEPTRACK_BASE_API_URL` \| Dependency Track server base API url (includes `/api`) \| _none_ (required) \|
		\| :lock: `DEPTRACK_API_KEY` \| Dependency Track API key \| _none_ (required) \|
		\| `project-path` / `DEPTRACK_PROJECT_PATH` \| Dependency Track target project path to publish SBOM files to \| `$CI_PROJECT_NAMESPACE//$CI_PROJECT_PATH-{file_prefix}@$CI_COMMIT_REF_NAME` \|
		\| `path-separator` / `DEPTRACK_PATH_SEPARATOR` \| Separator to use in project path \| `//` \|
		\| `parent-collection-logic` \ `DEPTRACK_PARENT_COLLECTION_LOGIC` \| Set up how the parent aggregates its direct children (ALL: all, TAG: with tag matching, LATEST: flagged as latest, NONE: disable) \| `ALL` \|
		\| `parent-collection-logic-tag` \ `DEPTRACK_PARENT_COLLECTION_LOGIC_TAG` \| Tag for aggregation parent-collection-logic is set to TAG \| _none_ \|
		\| `tags` / `DEPTRACK_TAGS` \| Tags to attach to project (comma separeted list) \| _none_ \|
		\| `sbom-patterns` / `DEPTRACK_SBOM_PATTERNS` \| SBOM file patterns to publish (supports glob patterns) \| `*/.cyclonedx.json */.cyclonedx.xml` \|
		\| `merge` / `DEPTRACK_MERGE` \| Merge all SBOM files into one (default `false`) \| _none_ (disabled) \|

kicker.json

+9 −0

Original line number	Diff line number	Diff line
		@@ -35,6 +35,15 @@
		"default": "//",
		"advanced": true
		},
		{
		"name": "DEPTRACK_PARENT_COLLECTION_LOGIC",
		"description": "Set up how the parent aggregates its direct children (ALL: all, TAG: with tag matching, LATEST: flagged as latest, NONE: disable)",
		"default": "ALL"
		},
		{
		"name": "DEPTRACK_PARENT_COLLECTION_LOGIC_TAG",
		"description": "Tag for aggregation parent-collection-logic is set to TAG"
		},
		{
		"name": "DEPTRACK_TAGS",
		"description": "Tags to attach to project (comma separeted list)"

templates/gitlab-ci-dependency-track.yml

+8 −0

Original line number	Diff line number	Diff line
		@@ -27,6 +27,12 @@ spec:
		path-separator:
		description: Separator to use in project path
		default: '//'
		parent-collection-logic:
		description: Set up how the parent aggregates its direct children (ALL=all, TAG=with tag matching, LATEST=flagged as latest, NONE=disable)
		default: 'ALL'
		parent-collection-logic-tag:
		description: Tag for aggregation parent-collection-logic is set to TAG
		default: ''
		tags:
		description: Tags to attach to project (comma separeted list)
		default: ''
		@@ -124,6 +130,8 @@ variables:
		DEPTRACK_BASE_API_URL: $[[ inputs.base-api-url ]]
		DEPTRACK_PROJECT_PATH: $[[ inputs.project-path ]]
		DEPTRACK_PATH_SEPARATOR: $[[ inputs.path-separator ]]
		DEPTRACK_PARENT_COLLECTION_LOGIC: $[[ inputs.parent-collection-logic ]]
		DEPTRACK_PARENT_COLLECTION_LOGIC_TAG: $[[ inputs.parent-collection-logic-tag ]]
		DEPTRACK_TAGS: $[[ inputs.tags ]]
		DEPTRACK_MERGE: $[[ inputs.merge ]]
		DEPTRACK_MERGE_OUTPUT: $[[ inputs.merge-output ]]