The following plugin provides functionality available through Pipeline-compatible steps. Read more about how to integrate steps into your Pipeline in the Steps section of the Pipeline Syntax page.

For a list of other such plugins, see the Pipeline Steps Reference page.

OWASP Dependency-Track Plugin

dependencyTrackPublisher: Publish BOM to Dependency-Track

  • artifact : String
    Specifies the artifact to upload. Dependency-Track supports uploading of CycloneDX bill-of-materials (BOM) formats.

    See Best Practices for additional information.

    The value can contain environment variables in the form of ${VARIABLE_NAME} which are resolved.

  • synchronous : boolean

    Synchronous publishing mode uploads a BOM to Dependency-Track and waits for Dependency-Track to process and return results. The results returned are identical to the auditable findings but exclude findings that have previously been suppressed. Analysis decisions and vulnerability details are included in the response.

    This feature provides per-build results that display all finding details as well as interactive charts that display trending information.

    Synchronous mode is possible with Dependency-Track v3.3.1 and higher.

    The API key provided requires the VIEW_VULNERABILITY permission to use this feature with Dependency-Track v4.4 and newer!

  • autoCreateProjects : boolean (optional)
    Enable auto creation of projects when authentication is enabled on Dependency-Track and the API key provided has the PROJECT_CREATION_UPLOAD permission.
  • dependencyTrackApiKey : String (optional)
    When authentication is enabled on Dependency-Track, a valid API key will be required.
  • dependencyTrackConnectionTimeout : int (optional)
    Defines the maximum number of seconds to wait for a connection to Dependency-Track. Use 0 to disable this timeout (infinite wait).
  • dependencyTrackFrontendUrl : String (optional)
    The alternative base URL to the Frontend of Dependency-Track v3 or higher (e.g. http://hostname:port).

    Use this if you run backend and frontend on different servers. If omitted, "Dependency-Track Backend URL" will be used instead.

  • dependencyTrackPollingInterval : int (optional)
    Defines the number of seconds to wait between two checks for Dependency-Track to process a job (Synchronous Publishing Mode).
  • dependencyTrackPollingTimeout : int (optional)
    Defines the maximum number of minutes to wait for Dependency-Track to process a job (Synchronous Publishing Mode). When the time is exceeded, the job will be aborted. The default value is 5 minutes.
  • dependencyTrackReadTimeout : int (optional)
    Defines the maximum number of seconds to wait for Dependency-Track to respond. Use 0 to disable this timeout (infinite wait).
  • dependencyTrackUrl : String (optional)
    The base URL to the Dependency-Track Backend (e.g. http://hostname:port).
  • failOnViolationFail : boolean (optional)

    Marks the current build as unstable if there is at least one policy violation of severity failure.

    This setting applies only to synchronous publishing mode!

  • failedNewCritical : int (optional)
  • failedNewHigh : int (optional)
  • failedNewLow : int (optional)
  • failedNewMedium : int (optional)
  • failedNewUnassigned : int (optional)
  • failedTotalCritical : int (optional)
  • failedTotalHigh : int (optional)
  • failedTotalLow : int (optional)
  • failedTotalMedium : int (optional)
  • failedTotalUnassigned : int (optional)
  • overrideGlobals : boolean (optional)
    Allows overriding the global settings for "Auto Create Projects", "Dependency-Track URL", "Dependency-Track Frontend URL" and "API key".

    Can be ignored in pipelines; just set the properties dependencyTrackUrl, dependencyTrackFrontendUrl, dependencyTrackApiKey and autoCreateProjects as needed.

  • projectId : String (optional)
    Specifies the unique Project ID of the project to upload scan results to. The Project ID is a UUID with the following format: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

    If the list of projects is not displayed (such as on an HTTP 403 response), ensure the API key specified in the global configuration has the VIEW_PORTFOLIO permission in addition to BOM_UPLOAD and/or SCAN_UPLOAD. Permissions are defined in Dependency-Track.

  • projectName : String (optional)
    Specifies the name of the project for automatic creation of the project during the upload process.

    This is an alternative to specifying the unique UUID. It must be used together with a project version.

    Ensure the API key specified in the global configuration has PROJECT_CREATION_UPLOAD permission and that you have enabled Auto Create Projects.

    The value can contain environment variables in the form of ${VARIABLE_NAME} which are resolved.

  • projectProperties (optional)
    Set additional properties for the given project.

    The API key provided requires the PORTFOLIO_MANAGEMENT permission to use this feature!

      Nested Object
    • description : String (optional)
      The description to be set for the project.
    • group : String (optional)
      Specifies the value of "Namespace / Group / Vendor" to be set for the project.
    • parentId : String (optional)
      The ID (UUID) of the parent project.
    • parentName : String (optional)
      The name of the parent project.
    • parentVersion : String (optional)
      The version of the parent project.
    • swidTagId : String (optional)
      Specifies the SWID Tag ID to be set for the project.
    • tags : Object (optional)
      Specifies the list of tags to be set for the project. Separate multiple tags with spaces or put each tag on a separate line.

      All tags are automatically lowercased!

  • projectVersion : String (optional)
    Specifies the version of the project for automatic creation of the project during the upload process.

    This is an alternative to specifying the unique UUID. It must be used together with a project name.

    Ensure the API key specified in the global configuration has PROJECT_CREATION_UPLOAD permission and that you have enabled Auto Create Projects.

    The value can contain environment variables in the form of ${VARIABLE_NAME} which are resolved.

  • unstableNewCritical : int (optional)
  • unstableNewHigh : int (optional)
  • unstableNewLow : int (optional)
  • unstableNewMedium : int (optional)
  • unstableNewUnassigned : int (optional)
  • unstableTotalCritical : int (optional)
  • unstableTotalHigh : int (optional)
  • unstableTotalLow : int (optional)
  • unstableTotalMedium : int (optional)
  • unstableTotalUnassigned : int (optional)
  • warnOnViolationWarn : boolean (optional)

    Marks the current build as unstable if there is at least one policy violation of severity warning.

    This setting applies only to synchronous publishing mode!
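
A complete pipeline stage wiring these parameters together, added here as an example rather than taken from the plugin's own documentation: the credential id 'dtrack-api-key', the Dependency-Track host names, the project group and tags, and the BOM path target/bom.xml are assumptions; the threshold semantics are inferred from the parameter names, which the page itself does not describe.

```groovy
// Added example (not the plugin's own docs). Assumes a CycloneDX BOM already
// exists at target/bom.xml and that a Secret text credential with id
// 'dtrack-api-key' holds the Dependency-Track API key.
pipeline {
    agent any
    stages {
        stage('Publish to Dependency-Track') {
            steps {
                // Keep the API key out of the Jenkinsfile: bind it only for this step.
                withCredentials([string(credentialsId: 'dtrack-api-key', variable: 'DT_API_KEY')]) {
                    dependencyTrackPublisher(
                        artifact: 'target/bom.xml',
                        synchronous: true,   // wait for findings (v3.3.1+, key needs VIEW_VULNERABILITY)
                        dependencyTrackUrl: 'https://dtrack-api.example.internal',     // assumed host
                        dependencyTrackFrontendUrl: 'https://dtrack.example.internal', // assumed host
                        dependencyTrackApiKey: env.DT_API_KEY,
                        // Create the project on first upload (key needs PROJECT_CREATION_UPLOAD).
                        autoCreateProjects: true,
                        projectName: '${JOB_NAME}',      // single-quoted: resolved by the plugin
                        projectVersion: '${GIT_BRANCH}', // ditto; requires a git-based job
                        projectProperties: [             // key needs PORTFOLIO_MANAGEMENT
                            group: 'com.example',
                            description: 'Published by Jenkins',
                            tags: 'jenkins ci'           // space-separated; lowercased by the plugin
                        ],
                        dependencyTrackPollingInterval: 10,   // seconds between status checks
                        dependencyTrackPollingTimeout: 10,    // minutes before the job is aborted
                        dependencyTrackConnectionTimeout: 30, // seconds
                        dependencyTrackReadTimeout: 60,       // seconds
                        // Thresholds (meaning inferred from the names): any new critical or
                        // high finding fails the build; totals only mark it unstable.
                        failedNewCritical: 1,
                        failedNewHigh: 1,
                        unstableTotalCritical: 1,
                        unstableTotalHigh: 5,
                        // Policy violations from Dependency-Track (synchronous mode only).
                        failOnViolationFail: true,
                        warnOnViolationWarn: true
                    )
                }
            }
        }
    }
}
```

Because synchronous mode waits for analysis, the polling timeout bounds how long a build can hang on a slow Dependency-Track instance.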

