/dependency-track-maven-plugin

Maven plugin that integrates with a Dependency Track server to submit dependency manifests and optionally fail execution when vulnerable dependencies are found.

Primary LanguageJavaApache License 2.0Apache-2.0

Build Status Maven Central Sonarcloud Status Sonarcloud Status Codacy Badge

dependency-track-maven-plugin

Maven plugin to integrate with a Dependency-Track server to submit dependency manifests and gather project metrics. Can be used within build pipelines to analyse the current project and optionally fail the build if vulnerabilities are found.

Usage

This maven plugin provides various functions relating to Dependency-Track, from uploading the Bill of Material, to checking for 3rd party dependencies with vulnerabilities in your Maven POM. Common configuration can be provided in the pluginManagement section of your POM to avoid repetition.

Plugin Configuration

<pluginManagement>
    <plugins>
        <plugin>
            <groupId>io.github.pmckeown</groupId>
            <artifactId>dependency-track-maven-plugin</artifactId>
            <version>${dependency-track-maven-plugin.version}</version>
            <configuration>
                <dependencyTrackBaseUrl>http://localhost:8081</dependencyTrackBaseUrl>
                <apiKey>API_KEY</apiKey>
            </configuration>
        </plugin>
    </plugins>
</pluginManagement>

IMPORTANT Dependency Track includes a front-end and an api-server component on different ports (defaulting to 8080 and 8081 respectively). You must ensure that you target the api server component (8081) and not the front-end component URL in the dependencyTrackBaseUrl property.

Polling Configuration

The plugin is configured to poll for results from the Dependency-Track server by default. The polling configuration can be changed by modifying the pollingConfig element in the plugin configuration. The available options are:

Property Required Default Value Support Values
enabled false true
pause false 1
attempts false 20
timeUnit false SECONDS MILLIS / SECONDS

XML Configuration Example

<configuration>
    <pollingConfig>
        <enabled>true</enabled>
        <pause>500</pause>
        <attempts>40</attempts>
        <timeUnit>MILLIS</timeUnit>
    </pollingConfig>
</configuration>

To set these options on the Command Line, you need to set the PollingConfig in your POM file to be set by a property when running a command.

Note that when doing this, the defaults are change to the primitive defaults, so polling is not enabled unless you provide these properties.

XML Configuration Example

<project>
    <build>
        <plugins>
            <plugin>
                <groupId>io.github.pmckeown</groupId>
                <artifactId>dependency-track-maven-plugin</artifactId>
                <version>${dependency-track-maven-plugin.version}</version>
                <inherited>false</inherited>
                <configuration>
                    <dependencyTrackBaseUrl>${env.DEPENDENCY_TRACK_BASE_URL}</dependencyTrackBaseUrl>
                    <apiKey>${env.DEPENDENCY_TRACK_API_KEY}</apiKey>
                    <pollingConfig>
                        <enabled>${polling.enabled}</enabled>
                        <attempts>${polling.attempts}</attempts>
                        <pause>${polling.pause}</pause>
                        <timeUnit>${polling.timeUnit}</timeUnit>
                    </pollingConfig>
                </configuration>
            </plugin>
        </plugins>
    </build>
</project>

Then in your mvn command, you can override the default values for polling like this:

mvn io.github.pmckeown:dependency-track-maven-plugin:findings \
  -Ddependency-track.dependencyTrackBaseUrl=${DEPENDENCY_TRACK_BASE_URL} \
  -Ddependency-track.apiKey=${DEPENDENCY_TRACK_API_KEY} \
  -Dpolling.enabled=false \
  -Dpolling.attempts=100 \
  -Dpolling.pause=2 \
  -Dpolling.timeUnit=MILLIS

Dependency-Track Configuration

Your Dependency-Track server must be configured with an Automation team whose API Key should be provided in the apiKey configuration parameter to this plugin.

The Automation team needs the following permissions:

  • In Dependency Track v4.3.x and earlier:

    • BOM_UPLOAD
    • PORTFOLIO_MANAGEMENT
    • PROJECT_CREATION_UPLOAD
    • VIEW_PORTFOLIO
    • VULNERABILITY_ANALYSIS
  • In Dependency Track v4.4.x and later:

    • BOM_UPLOAD
    • PORTFOLIO_MANAGEMENT
    • PROJECT_CREATION_UPLOAD
    • VIEW_PORTFOLIO
    • VIEW_VULNERABILITY

The following options are common to all goals and can be declared centrally in the plugin management definition of this plugin:

Property Required Default Value
dependencyTrackBaseUrl true N/A
apiKey true N/A
projectName false ${project.artifactId}
projectVersion false ${project.version}
failOnError false false
skip false false
verifySsl false true

The skip property has more than two possible values:

  • true: will skip as usual
  • releases: will skip if current version of the project is a release
  • snapshots: will skip if current version of the project is a snapshot
  • any other values will be considered as false

Features

  • Upload Bill of Material - Create/modify a project on the Dependency-Track server, as well as set additional information such as description, group, PURL via the updateProjectInfo option
  • Get Project Findings - Returns vulnerability findings on a project, useful for CI/CD quality control
  • Policy Violations - Returns policy findings on a project, useful for CI/CD quality control
  • Get Inherited Risk Score - Useful for CI/CD quality control
  • Get Metrics - Useful for CI/CD quality control
  • Delete Project - Deletes a project from the Dependency-Track server

Upload Bill of Material

Upload a Bill of Material (BOM) to a Dependency-Track server. By default this uploads the bom.xml and creates (or updates if already present) a project on the Dependency-Track server with the name and version that map to the current maven project artifactId and version. Set the projectName or projectVersion properties if you want to override the project name or version.

POM Usage

Binds by default to the Verify Phase in the Maven lifecycle in line with cyclonedx-maven-plugin.

Direct Usage

mvn io.github.pmckeown:dependency-track-maven-plugin:upload-bom \
  -Ddependency-track.dependencyTrackBaseUrl=${DEPENDENCY_TRACK_BASE_URL} \
  -Ddependency-track.apiKey=${DEPENDENCY_TRACK_API_KEY}

Direct Usage with Overrides

mvn io.github.pmckeown:dependency-track-maven-plugin:upload-bom \
  -Ddependency-track.dependencyTrackBaseUrl=${DEPENDENCY_TRACK_BASE_URL} \
  -Ddependency-track.apiKey=${DEPENDENCY_TRACK_API_KEY} \
  -Ddependency-track.projectName=arbitrary-name 
  -Ddependency-track.projectVersion=99.99

Dependencies

Needs to be used in conjunction with the cyclonedx-maven-plugin which will generate a bom.xml file from the declared and transitive dependencies in your POM.

If both the cyclonedx-maven-plugin and this plugin are run in the same phase, the cyclonedx-maven-plugin should be declared first in your POM to ensure that it runs first.

Configuration

By default, the plugin will poll the Dependency-Track server after a BOM upload to ensure it has been completed before continuing with plugin execution. This can be disabled by updating the Polling Configuration.

The BOM Location can be modified if you generate it to a folder that is not the default of target/.

When setting updateProjectInfo to true, an attempt will be made to update the following project information in Dependency-Track based on the metadata present in the BOM:

  • Author - Alice Bravo
  • Publisher - Company Inc
  • Description - An example project from department Foo
  • Classifier - Library
  • Group (Namespace, group, or vendor) - tld.company.foo
  • PURL (Package URL) - pkg:maven/tld.company.foo/project@1.0.0?type=jar
  • CPE (Common Platform Enumeration) - cpe:2.3:a:company:project:1.0.0:ga:*:*:*:*:*:*
  • SWID Tag Id (Software Identification Tag Id) - <SoftwareIdentity name="project" ...

Notes:

  • This requires a CycloneDX BOM using Schema 1.2 or later.
  • Not all information is visible in the Dependency-Track server UI.

From Dependency-Track server 4.8.0 onwards, you can set the project parent by setting updateParent to true. The parent name will be defaulted to that POM's project parent name. If you wish to override that value, or there is no parent set within the pom.xml, then explicitly set parentName and parentVersion. projectVersion is optional Dependency-Track, so this has no default to allow for blank values.

Note: If the parent cannot be found on the Dependency-Track server, the BOM upload will not be attempted in order to prevent a project being incorrectly created or updated the server.

Property Required Default Value Example Values
bomLocation false target/bom.xml target/custom-bom.xml
updateProjectInfo false false false
updateParent false false true
parentName false ${project.parent.name} my-name-override
parentVersion false ${project.parent.version}

Get Project Findings

After a BOM upload, the best way to determine if there are any vulnerabilities is to use the findings goal which is usable immediately after an upload. Other goals, such as metrics and score pull down information from the Dependency-Track server that is analysed asynchronously and as such may not be available when invoked immediately after a BOM upload.

The findings goal prints out some details of all the current issues found in the scan, including: component details, vulnerability description and suppression status.

The findings goal can be configured to fail the build if the number of findings in a given category are higher than the threshold set for that category.

Note that each severity category is assessed independently of the others. So a medium threshold of 0 with a findings results containing 1 high finding will not fail.

When using this goal independently, remember that the default behaviour of the plugin is to not fail when findings are found, use the dependency-track.failOnError command line property to configure this.

POM Usage

Binds by default to the Verify Phase in the Maven lifecycle in line with cyclonedx-maven-plugin.

Direct Usage

mvn io.github.pmckeown:dependency-track-maven-plugin:findings \
  -Ddependency-track.dependencyTrackBaseUrl=${DEPENDENCY_TRACK_BASE_URL} \
  -Ddependency-track.apiKey=${DEPENDENCY_TRACK_API_KEY}

Direct Usage with Overrides

mvn io.github.pmckeown:dependency-track-maven-plugin:findings \
  -Ddependency-track.dependencyTrackBaseUrl=${DEPENDENCY_TRACK_BASE_URL} \
  -Ddependency-track.apiKey=${DEPENDENCY_TRACK_API_KEY}
  -Ddependency-track.projectName=arbitrary-name 
  -Ddependency-track.projectVersion=99.99

Dependencies

Depends on a project existing in the Dependency-Track server that matches the current project artifactId and version or whatever overridden values that are supplied.

Configuration

The findings goal supports the following XML configuration in the POM:

Property Required Default Value Description
findingThresholds false N/A If not set or no child elements set then no policy will be applied and the goal will always succeed
findingThresholds.critical false 0 The build will fail if the issue count is higher than the configured threshold value for this category
findingThresholds.high false 0 The build will fail if the issue count is higher than the configured threshold value for this category
findingThresholds.medium false 0 The build will fail if the issue count is higher than the configured threshold value for this category
findingThresholds.low false 0 The build will fail if the issue count is higher than the configured threshold value for this category
findingThresholds.unassigned false 0 The build will fail if the issue count is higher than the configured threshold value for this category

The findings goal also supports the following command line options however XML configuration takes precedence if set:

Property Required Example Value
findingThresholds.critical false 0
findingThresholds.high false 3
findingThresholds.medium false 10
findingThresholds.low false 50
findingThresholds.unassigned false 0

Examples

The following configuration will cause the build to fail if there are any critical or high issues found, more than 5 medium issues or more than 10 low issues.

<findingThresholds>
    <critical>0</critical>
    <high>0</high>
    <medium>5</medium>
    <low>10</low>
</findingThresholds>

You can enable the build to fail on any issues in any category by using the following configuration:

<findingThresholds />

The following CLI execution will fail if there are any findings with a severity rating of HIGH:

mvn io.github.pmckeown:dependency-track-maven-plugin:findings \
  -Ddependency-track.dependencyTrackBaseUrl=${DEPENDENCY_TRACK_BASE_URL} \
  -Ddependency-track.apiKey=${DEPENDENCY_TRACK_API_KEY} \
  -Ddependency-track.failOnError=true \
  -DfindingThresholds.high=0

The following CLI execution will fail if there are any findings in any category:

mvn io.github.pmckeown:dependency-track-maven-plugin:findings \
  -Ddependency-track.dependencyTrackBaseUrl=${DEPENDENCY_TRACK_BASE_URL} \
  -Ddependency-track.apiKey=${DEPENDENCY_TRACK_API_KEY} \
  -Ddependency-track.failOnError=true \
  -DfindingThresholds.critical=0 \
  -DfindingThresholds.high=0 \
  -DfindingThresholds.medium=0 \
  -DfindingThresholds.low=0 \
  -DfindingThresholds.unassigned=0

Policy Violations

Dependency Track supports the definition of Policies which can be applied to Projects, Components or the entire portfolio.

Policies are applied when an SBOM is uploaded and can target various attributes about the software component's dependencies including but not limited to specific versions of packages, linked vulnerabilities over a given severity threshold and which license they are distributed under.

Policies can be given a Violation State that indicates the severity if that policy is violated.

This goal checks the supplied Project for any Policy Violations. This plugin honours the Violation State defined in a Policy and so when a Policy is violated the plugin behaviour is as follows:

  • FAIL - the build will fail unless the Global failOnError option is set to true
  • WARN - the build will pass unless the failOnWarn option for this goal is set to true
  • INFO - the build will pass

Additional Permissions

Policy Violation requires your Automation Team to have additional permissions:

  • In Dependency Track v4.4.x and earlier:

  • In Dependency Track v4.5.x and later:

    • VIEW_POLICY_VIOLATION

Policy Configuration

Property Required Default Value
failOnWarn false false

Behaviour

The Policy Violations associated with a Project is refreshed and up to date after a SBOM upload and after a periodic server-side data refresh.

It is recommended to generate and upload an SBOM when retrieving Policy Violations so that the Project is evaluated against the most recent SBOM. If the Policy has changed since the last SBOM upload for the Project, the data from the API may be inconsistent and result in null values in the printed output and reports due to data changes since the policy was last applied.

Get Inherited Risk Score

Get the Inherited Risk Score from the Dependency-Track server for the current project or any arbitrary project. The Risk Score per vulnerability tells you about a specific vulnerability in a dependency in your application and how vulnerable you are to exploit and how bad the impact could be. The Inherited Risk Score provides a summation of those Risk Scores into a single value.

The Inherited Risk Score as a single value is useful if you only want to have coarse grained checks in your build, such failing on a score greater than zero.

If the inheritedRiskScoreThreshold parameter is set, then the build will fail if the Inherited Risk Score is greater than the threshold.

POM Usage

Binds by default to the Verify Phase in the Maven lifecycle. This goal should be run after the upload-bom goal with enough time for the server to compute the new score if it has changed.

Ideally upload-bom would run during the validate phase and score in the verify phase.

Direct Usage

mvn io.github.pmckeown:dependency-track-maven-plugin:score \
  -Ddependency-track.dependencyTrackBaseUrl=${DEPENDENCY_TRACK_BASE_URL} \
  -Ddependency-track.apiKey=${DEPENDENCY_TRACK_API_KEY}

Dependencies

Depends on a project existing in the Dependency-Track server that matches the current project artifactId and version or whatever overridden values that are supplied.

Configuration

Property Required Default Value
inheritedRiskScoreThreshold false N/A

Get Metrics

Get and print all metrics from the Dependency-Track server for the current project or any arbitrary project. Optionally define thresholds for each category of issue found to allow finer grained control over build failure.

POM Usage

Binds by default to the Verify Phase in the Maven lifecycle. This goal should be run after the upload-bom goal with enough time for the server to compute the new score if it has changed.

Ideally upload-bom would run during the validate phase and metrics in the verify phase.

Direct Usage

mvn io.github.pmckeown:dependency-track-maven-plugin:metrics \  
  -Ddependency-track.dependencyTrackBaseUrl=${DEPENDENCY_TRACK_BASE_URL} \
  -Ddependency-track.apiKey=${DEPENDENCY_TRACK_API_KEY}

Dependencies

Depends on a project existing in the Dependency-Track server that matches the current project artifactId and version or whatever overridden values that are supplied.

Configuration

Property Required Default Value Description
metricsThresholds false N/A If present with no child elements, any issues found in any category will cause the build to fail
metricsThresholds.critical false 0 The build will fail if the issue count is higher than the configured threshold value for this category
metricsThresholds.high false 0 The build will fail if the issue count is higher than the configured threshold value for this category
metricsThresholds.medium false 0 The build will fail if the issue count is higher than the configured threshold value for this category
metricsThresholds.low false 0 The build will fail if the issue count is higher than the configured threshold value for this category

Note that this goal does not yet support command line threshold options.

Examples

The following configuration will cause the build to fail if there are any critical or high issues found, more than 5 medium issues or more than 10 low issues.

<metricsThresholds>
    <critical>0</critical>
    <high>0</high>
    <medium>5</medium>
    <low>10</low>
</metricsThresholds>

You can enable the build to fail on any issues in any category by using the following configuration:

<metricsThresholds />

Delete Project

Delete the current or any arbitrary project from the Dependency-Track server.

POM Usage

Does not bind by default to any Phase in the Maven lifecycle. This goal can be run independently any time to delete a project.

Expected usage is for temporary scans of short-lived branch code that need to be cleaned up from the server once the score has been determined.

Direct Usage

mvn io.github.pmckeown:dependency-track-maven-plugin:delete-project \
  -Ddependency-track.dependencyTrackBaseUrl=${DEPENDENCY_TRACK_BASE_URL} \
  -Ddependency-track.apiKey=${DEPENDENCY_TRACK_API_KEY}

Dependencies

Depends on a project existing in the Dependency-Track server that matches the current project artifactId and version or whatever overridden values that are supplied.

Configuration

See common configuration above

Documentation

Further docs can be found in doc/: