> User Documentation Home

User Handbook
Tutorials
Resources

The following plugin provides functionality available through Pipeline-compatible steps. Read more about how to integrate steps into your Pipeline in the Steps section of the Pipeline Syntax page.

For a list of other such plugins, see the Pipeline Steps Reference page.

OWASP Dependency-Track Plugin

View this plugin on the Plugins site

dependencyTrackPublisher: Publish BOM to Dependency-Track

  • artifact
    Specifies the artifact to upload. Dependency-Track supports uploading of CycloneDX bill-of-materials (BOM) formats.

    See Best Practices for additional information.

    The value can contain environment variables in the form of ${VARIABLE_NAME} which are resolved.

    • Type: String
  • synchronous

    Synchronous publishing mode uploads a BOM to Dependency-Track and waits for Dependency-Track to process and return results. The results returned are identical to the auditable findings but exclude findings that have previously been suppressed. Analysis decisions and vulnerability details are included in the response.

    This feature provides per-build results that display all finding details as well as interactive charts that display trending information.

    Synchronous mode is possible with Dependency-Track v3.3.1 and higher.

    • Type: boolean
  • autoCreateProjects (optional)
    Enable auto creation of projects when authentication is enabled on Dependency-Track and the API key provided has the PROJECT_CREATION_UPLOAD permission.
    • Type: boolean
  • dependencyTrackApiKey (optional)
    When authentication is enabled on Dependency-Track, a valid API key will be required.
    • Type: String
  • dependencyTrackFrontendUrl (optional)
    The alternative base URL to the Frontend of Dependency-Track v3 or higher. (i.e. http://hostname:port)

    Use this if you run backend and frontend on different servers. If omitted, "Dependency-Track Backend URL" will be used instead.

    • Type: String
  • dependencyTrackUrl (optional)
    The base URL to Dependency-Track Backend (i.e. http://hostname:port)
    • Type: String
  • failedNewCritical (optional)
    • Type: int
  • failedNewHigh (optional)
    • Type: int
  • failedNewLow (optional)
    • Type: int
  • failedNewMedium (optional)
    • Type: int
  • failedTotalCritical (optional)
    • Type: int
  • failedTotalHigh (optional)
    • Type: int
  • failedTotalLow (optional)
    • Type: int
  • failedTotalMedium (optional)
    • Type: int
  • overrideGlobals (optional)
    Allows to override global settings for "Auto Create Projects", "Dependency-Track URL", "Dependency-Track Frontend URL" and "API key".

    Can be ignored in pipelines, just set the properties dependencyTrackUrl, dependencyTrackFrontendUrl, dependencyTrackApiKey and autoCreateProjects as needed.

    • Type: boolean
  • projectId (optional)
    Specifies the unique Project ID of the project to upload scan results to. The Project ID is a UUID with the following format: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

    If the list of projects are not displayed (such as an HTTP 403 response), ensure the API key specified in the global configuration has VIEW_PORTFOLIO permission in addition to BOM_UPLOAD and/or SCAN_UPLOAD. Permissions are defined in Dependency-Track.

    • Type: String
  • projectName (optional)
    Specifies the name of the project for automatic creation of project during the upload process.

    This is an alternative to specifying the unique UUID. It must be used together with a project version.

    Ensure the API key specified in the global configuration has PROJECT_CREATION_UPLOAD permission and that you have enabled Auto Create Projects.

    The value can contain environment variables in the form of ${VARIABLE_NAME} which are resolved.

    • Type: String
  • projectProperties (optional)
    Set additional properties for the given project.

    The API key provided requires the PORTFOLIO_MANAGEMENT permission to use this feature!

      Nested Object
    • description (optional)
      The description to be set for the project.
      • Type: String
    • group (optional)
      Specifies the value of "Namespace / Group / Vendor" to be set for the project.
      • Type: String
    • swidTagId (optional)
      Specifies the SWID Tag ID to be set for the project.
      • Type: String
    • tags (optional)
      Specifies the list of tags to be set for the project. Separate multiple tags with spaces or put each tag on a separate line.

      All tags are automatically lowercased!

      • Type: Object
  • projectVersion (optional)
    Specifies the version of the project for automatic creation of project during the upload process.

    This is an alternative to specifying the unique UUID. It must be used together with a project name.

    Ensure the API key specified in the global configuration has PROJECT_CREATION_UPLOAD permission and that you have enabled Auto Create Projects.

    The value can contain environment variables in the form of ${VARIABLE_NAME} which are resolved.

    • Type: String
  • unstableNewCritical (optional)
    • Type: int
  • unstableNewHigh (optional)
    • Type: int
  • unstableNewLow (optional)
    • Type: int
  • unstableNewMedium (optional)
    • Type: int
  • unstableTotalCritical (optional)
    • Type: int
  • unstableTotalHigh (optional)
    • Type: int
  • unstableTotalLow (optional)
    • Type: int
  • unstableTotalMedium (optional)
    • Type: int

Was this page helpful?

Please submit your feedback about this page through this quick form.

Alternatively, if you don't wish to complete the quick form, you can simply indicate if you found this page helpful?

    


See existing feedback here.