Commit af090093 authored by Marc Barussaud's avatar Marc Barussaud

Merge branch '12-document-changes-in-dt-sbom-scanner-for-collection-project' into 'main'

Resolve "Document changes in `dt-sbom-scanner` for collection project"

Closes #12

See merge request to-be-continuous/dependency-track!18
parents 7876514c 1a801787
+19 −14
@@ -97,6 +97,9 @@ That means:

- The project structure in Dependency Track will always be two levels deep:
  - a _root_ project bearing the name of the GitLab project namespace,
    - it will be created as a [collection project](https://docs.dependencytrack.org/usage/collection-projects/) aggregating all its direct children (requires a Dependency Track version higher than 4.13.0)
      - `DEPTRACK_PARENT_COLLECTION_LOGIC` will set for which children statistics will be collected or disable the collection
      - `DEPTRACK_PARENT_COLLECTION_LOGIC_TAG` for the tag to match for if the `DEPTRACK_PARENT_COLLECTION_LOGIC` is set to `TAG`
  - and _leaf_ projects (hosting SBOM files) bearing the full path of the GitLab project as a name, suffixed with the
    SBOM file prefix and with project version matching either the Git branch name or the Git tag name (depending on the
    kind of pipeline that originated the SBOM file).
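Review bot: the version requirement in the new collection-project bullet is ambiguous; "higher than 4.13.0" reads as strictly greater, so if 4.13.0 itself is sufficient please say "4.13.0 or later", and if the scanner fails or silently falls back on older servers, state that here, because the new `DEPTRACK_PARENT_COLLECTION_LOGIC` defaults to `ALL` and will be exercised by every user. Also the two sub-bullets describe the variables in passive fragments; "`DEPTRACK_PARENT_COLLECTION_LOGIC` selects which children's statistics are aggregated (or disables aggregation)" and "`DEPTRACK_PARENT_COLLECTION_LOGIC_TAG` is the tag to match when the logic is set to `TAG`" would be clearer.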
@@ -166,12 +169,14 @@ Examples:
The Dependency Track template uses the following configuration.

| Input / Variable                                                       | Description                                                                                                                       | Default value                                                               |
| -------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------- |
| ---------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------- |
| `sbom-scanner-image` / `DEPTRACK_SBOM_SCANNER_IMAGE`                   | The container image with [Dependency Track SBOM Scanner](https://gitlab.com/to-be-continuous/tools/dt-sbom-scanner) tool          | `registry.gitlab.com/to-be-continuous/tools/dt-sbom-scanner:latest`         <br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DEPTRACK_SBOM_SCANNER_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DEPTRACK_SBOM_SCANNER_IMAGE) |
| `base-api-url` / `DEPTRACK_BASE_API_URL`                               | Dependency Track server base API url (includes `/api`)                                                                            | _none_ (required)                                                           |
| :lock: `DEPTRACK_API_KEY`                                              | Dependency Track API key                                                                                                          | _none_ (required)                                                           |
| `project-path` / `DEPTRACK_PROJECT_PATH`                               | Dependency Track target project path to publish SBOM files to                                                                     | `$CI_PROJECT_NAMESPACE//$CI_PROJECT_PATH-{file_prefix}@$CI_COMMIT_REF_NAME` |
| `path-separator` / `DEPTRACK_PATH_SEPARATOR`                           | Separator to use in project path                                                                                                  | `//`                                                                        |
| `parent-collection-logic` \ `DEPTRACK_PARENT_COLLECTION_LOGIC`         | Set up how the parent aggregates its direct children (ALL: all, TAG: with tag matching, LATEST: flagged as latest, NONE: disable) | `ALL`                                                                       |
| `parent-collection-logic-tag` \ `DEPTRACK_PARENT_COLLECTION_LOGIC_TAG` | Tag for aggregation parent-collection-logic is set to TAG                                                                         | _none_                                                                      |
| `tags` / `DEPTRACK_TAGS`                                               | Tags to attach to project (comma separeted list)                                                                                  | _none_                                                                      |
| `sbom-patterns` / `DEPTRACK_SBOM_PATTERNS`                             | SBOM file patterns to publish (supports glob patterns)                                                                            | `**/*.cyclonedx.json **/*.cyclonedx.xml`                                    |
| `merge` / `DEPTRACK_MERGE`                                             | Merge all SBOM files into one (default `false`)                                                                                   | _none_ (disabled)                                                           |
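Review bot: the two new rows use a backslash between the input name and the variable name (`parent-collection-logic` \ `DEPTRACK_PARENT_COLLECTION_LOGIC`), whereas every other row uses a forward slash; please align them with the rest of the table. The description of the tag row is missing a word ("Tag for aggregation parent-collection-logic is set to TAG"); suggest "Tag to match when `parent-collection-logic` is set to `TAG`". Since the collection logic defaults to `ALL` and the feature needs a recent Dependency Track server, consider either defaulting to `NONE` for backwards compatibility or noting the failure mode in this table, and while editing the neighbouring `tags` row, its "comma separeted" typo could be fixed too.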
+9 −0
@@ -35,6 +35,15 @@
      "default": "//",
      "advanced": true
    },
    {
      "name": "DEPTRACK_PARENT_COLLECTION_LOGIC",
      "description": "Set up how the parent aggregates its direct children (ALL: all, TAG: with tag matching, LATEST: flagged as latest, NONE: disable)",
      "default": "ALL"
    },
    {
      "name": "DEPTRACK_PARENT_COLLECTION_LOGIC_TAG",
      "description": "Tag for aggregation parent-collection-logic is set to TAG"
    },
    {
      "name": "DEPTRACK_TAGS",
      "description": "Tags to attach to project (comma separeted list)"
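Review bot: the kicker entries should match the wording used in the README and the template, which differ between `ALL: all` here and `ALL=all` in the YAML spec; pick one notation for the enumerated values. `DEPTRACK_PARENT_COLLECTION_LOGIC_TAG` has no `"default"` while the template gives it `''`, and like the preceding `DEPTRACK_PATH_SEPARATOR` entry both new variables look like `"advanced": true` candidates. Same grammar fix as in the README: "Tag to match when parent-collection-logic is set to TAG".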
+8 −0
@@ -27,6 +27,12 @@ spec:
    path-separator:
      description: Separator to use in project path
      default: '//'
    parent-collection-logic:
      description: Set up how the parent aggregates its direct children (ALL=all, TAG=with tag matching, LATEST=flagged as latest, NONE=disable)
      default: 'ALL'
    parent-collection-logic-tag:
      description: Tag for aggregation parent-collection-logic is set to TAG
      default: ''
    tags:
      description: Tags to attach to project (comma separeted list)
      default: ''
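Review bot: `parent-collection-logic` only accepts four values (`ALL`, `TAG`, `LATEST`, `NONE`), so declaring them with `options:` on the input would make GitLab reject a typo at pipeline creation instead of letting the scanner fail later; for example
    parent-collection-logic:
      options: ['ALL', 'TAG', 'LATEST', 'NONE']
      default: 'ALL'
The description here uses `ALL=all` while the README and kicker file use `ALL: all`; please keep one form. `parent-collection-logic-tag` defaults to the empty string, so a `TAG` logic combined with an empty tag is representable; either the scanner should fail fast on that combination or the docs should say what it does.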
@@ -124,6 +130,8 @@ variables:
  DEPTRACK_BASE_API_URL: $[[ inputs.base-api-url ]]
  DEPTRACK_PROJECT_PATH: $[[ inputs.project-path ]]
  DEPTRACK_PATH_SEPARATOR: $[[ inputs.path-separator ]]
  DEPTRACK_PARENT_COLLECTION_LOGIC: $[[ inputs.parent-collection-logic ]]
  DEPTRACK_PARENT_COLLECTION_LOGIC_TAG: $[[ inputs.parent-collection-logic-tag ]]
  DEPTRACK_TAGS: $[[ inputs.tags ]]
  DEPTRACK_MERGE: $[[ inputs.merge ]]
  DEPTRACK_MERGE_OUTPUT: $[[ inputs.merge-output ]]
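Review bot: because `inputs.parent-collection-logic-tag` defaults to `''`, `DEPTRACK_PARENT_COLLECTION_LOGIC_TAG` will always be defined (as an empty string) rather than unset, unlike variables with no default; make sure `dt-sbom-scanner` treats an empty value the same as an absent one, and consider documenting that a project-level `DEPTRACK_PARENT_COLLECTION_LOGIC_TAG` CI/CD variable is overridden by this `variables:` block, as with the other inputs mapped here.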