Merge branch 'feat/show-findings' into 'main' (611044bf) · Commits · to be continuous... / Dependency-Track

README.md

+5 −3

Original line number	Diff line number	Diff line
		@@ -56,6 +56,7 @@ Here are some details about mandatory and optional permissions used by the templ
		\| ------------------------------------------- \| ------------- \| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- \|
		\| `BOM_UPLOAD` \| mandatory \| Required to publish SBOM files to the Dependency Track server \|
		\| `PROJECT_CREATION_UPLOAD` \| optional \| This is required if you want to automatically create the project while uploading the SBOM files when the project does not exist (but the parent project must exist) \|
		\| `VIEW_VULNERABILITY` and `VIEW_PORTFOLIO` \| optional \| Required if you want to display found vulnerabilities after SBOM analysis.<br/>Granting those permissions without enabling [Portfolio ACLs](https://github.com/DependencyTrack/dependency-track/issues/1127) is not recommended in the general case as it gives a read access to all projects \|
		\| `VIEW_PORTFOLIO` and `PORTFOLIO_MANAGEMENT` \| optional \| Required if you want to automatically create one or several project ancestors prior to uploading the SBOM files.<br/>Granting those permissions is not recommended in the general case as they virtually give administration rights to the API Key owner \|

		### Multiple SBOM strategy
		@@ -175,6 +176,7 @@ The Dependency Track template uses the following configuration.
		\| `merge` / `DEPTRACK_MERGE` \| Merge all SBOM files into one (default `false`) \| _none_ (disabled) \|
		\| `merge-output` / `DEPTRACK_MERGE_OUTPUT` \| Output merged SBOM file (only used with merge enabled) - _for debugging purpose_ \| `reports/deptrack-merged.cyclonedx.json` \|
		\| `purl-max-len` / `DEPTRACK_PURL_MAX_LEN` \| PURLs max length (`-1`: auto, `0`: no trim, `>0`: trim to size - default: `-1`) \| `-1` (auto) \|
		\| `show-findings` / `DEPTRACK_SHOW_FINDINGS` \| Wait for analysis and display found vulnerabilities in logs \| _none_ (disabled) \|

		### Secrets management

kicker.json

+6 −0

Original line number	Diff line number	Diff line
		@@ -59,6 +59,12 @@
		"description": "SBOM file patterns to publish (supports glob patterns)",
		"default": "*/.cyclonedx.json */.cyclonedx.xml",
		"advanced": true
		},
		{
		"name": "DEPTRACK_SHOW_FINDINGS",
		"description": "Wait for analysis and display found vulnerabilities in logs",
		"type": "boolean",
		"default": "false"
		}
		],
		"variants": [

templates/gitlab-ci-dependency-track.yml

+5 −0

Original line number	Diff line number	Diff line
		@@ -41,6 +41,10 @@ spec:
		sbom-patterns:
		description: SBOM file patterns to publish (supports glob patterns)
		default: '*/.cyclonedx.json */.cyclonedx.xml'
		show-findings:
		description: Wait for analysis and display found vulnerabilities in logs
		type: boolean
		default: false
		---
		# default workflow rules: Merge Request pipelines
		workflow:
		@@ -79,6 +83,7 @@ variables:
		DEPTRACK_MERGE_OUTPUT: $[[ inputs.merge-output ]]
		DEPTRACK_PURL_MAX_LEN: $[[ inputs.purl-max-len ]]
		DEPTRACK_SBOM_PATTERNS: $[[ inputs.sbom-patterns ]]
		DEPTRACK_SHOW_FINDINGS: $[[ inputs.show-findings ]]

		# default production ref name (pattern)
		PROD_REF: '/^(master\|main)$/'

Original line number	Diff line number	Diff line
		@@ -56,6 +56,7 @@ Here are some details about mandatory and optional permissions used by the templ
		\| ------------------------------------------- \| ------------- \| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- \|
		\| `BOM_UPLOAD` \| mandatory \| Required to publish SBOM files to the Dependency Track server \|
		\| `PROJECT_CREATION_UPLOAD` \| optional \| This is required if you want to automatically create the project while uploading the SBOM files when the project does not exist (but the parent project must exist) \|
		\| `VIEW_VULNERABILITY` and `VIEW_PORTFOLIO` \| optional \| Required if you want to display found vulnerabilities after SBOM analysis.<br/>Granting those permissions without enabling [Portfolio ACLs](https://github.com/DependencyTrack/dependency-track/issues/1127) is not recommended in the general case as it gives a read access to all projects \|
		\| `VIEW_PORTFOLIO` and `PORTFOLIO_MANAGEMENT` \| optional \| Required if you want to automatically create one or several project ancestors prior to uploading the SBOM files.<br/>Granting those permissions is not recommended in the general case as they virtually give administration rights to the API Key owner \|

		### Multiple SBOM strategy
		@@ -175,6 +176,7 @@ The Dependency Track template uses the following configuration.
		\| `merge` / `DEPTRACK_MERGE` \| Merge all SBOM files into one (default `false`) \| _none_ (disabled) \|
		\| `merge-output` / `DEPTRACK_MERGE_OUTPUT` \| Output merged SBOM file (only used with merge enabled) - _for debugging purpose_ \| `reports/deptrack-merged.cyclonedx.json` \|
		\| `purl-max-len` / `DEPTRACK_PURL_MAX_LEN` \| PURLs max length (`-1`: auto, `0`: no trim, `>0`: trim to size - default: `-1`) \| `-1` (auto) \|
		\| `show-findings` / `DEPTRACK_SHOW_FINDINGS` \| Wait for analysis and display found vulnerabilities in logs \| _none_ (disabled) \|

		### Secrets management