{"id":114,"date":"2023-05-03T09:28:00","date_gmt":"2023-05-03T09:28:00","guid":{"rendered":"https:\/\/cloudtechner.com\/blog\/?p=114"},"modified":"2024-06-13T11:08:03","modified_gmt":"2024-06-13T11:08:03","slug":"sbom-continuous-analysis-with-dependencytrack","status":"publish","type":"post","link":"https:\/\/cloudtechner.com\/blog\/sbom-continuous-analysis-with-dependencytrack\/","title":{"rendered":"SBOM \u2014 Continuous Analysis with DependencyTrack"},"content":{"rendered":"\n

Author : Sandeep Bajpai<\/a>, Senior Architect<\/p>\n\n\n

Operations<\/a>, <\/span>SBOM<\/a>, <\/span>Software Bill of Material<\/a>, <\/span>Software Inventory<\/a>, <\/span>Software Licenses<\/a>, <\/span>Software Supply Chain<\/a><\/div>\n\n\n
\n\n\n\n
\"\"\/
Dependency-Track<\/figcaption><\/figure>\n\n\n\n

\u201cWondering why are we here again to discuss SBOM ?\u201d<\/strong><\/p>\n\n\n\n

Till now we have covered half of the journey towards implementing the SBOM in our environment. In case you missed my previous blog \u2014 Please refer \u201cSBOM \u2014 A Way to increase Security, Transparency & Visibility into Software Supply chain<\/a>\u201d<\/p>\n\n\n\n

Your SBOM is ready \u2014 Whats Next ? Lets Inject it into \u201cContinuous SBOM Analysis Platform\u201c , One of the them is Dependency Track<\/a>.<\/p>\n\n\n\n

\u201cWhy Continuous Analysis of SBOM ?\u201d<\/strong><\/p>\n\n\n\n

Continuous Analysis refers to the practice of continuously monitoring, analyzing, and improving software code to ensure its quality, security, and reliability. This involves using a combination of automated tools and manual reviews to identify issues, vulnerabilities, and bugs in the code, and then taking corrective action to fix them.<\/p>\n\n\n\n

By combining Continuous Analysis with SBOM, organizations can improve their software security posture and reduce the risk of cyber attacks. Continuous Analysis can help identify vulnerabilities in software components, while SBOM provides a comprehensive inventory of all software components, making it easier to track and manage them.<\/p>\n\n\n\n

\u201cWhat is Dependency-Track ?\u201d<\/strong><\/p>\n\n\n\n

Dependency-Track is an open-source software composition analysis (SCA) tool that helps organizations identify and manage third-party software components and dependencies.<\/p>\n\n\n\n

Dependency-Track uses a combination of automated analysis, vulnerability intelligence, and real-time monitoring to provide comprehensive visibility into the software supply chain.<\/p>\n\n\n\n

Dependency-Track integrates with popular software development and DevOps tools, such as Jira, GitLab, Jenkins, and SonarQube, allowing organizations to incorporate SCA into their existing software development workflows.<\/p>\n\n\n\n

\u201cLets Setup Dependency-Track environment\u201d<\/strong><\/p>\n\n\n\n

Installation<\/strong> is easy and simple. Just download the Docker Compose file and run the Docker Compose command.<\/p>\n\n\n\n

curl -LO https:\/\/dependencytrack.org\/docker-compose.yml
docker-compose up -d<\/pre>\n\n\n\n
Login<\/strong> to http:\/\/abc.company.com:8080\/dashboard<\/a> using Username \u201cadmin\u201d and Password \u201cadmin\u201d , Reset the admin user password and you are all set to start the SBOM analysis.<\/p>\n\n\n\n
\"\"\/
Dependency-Track Home Screen<\/figcaption><\/figure>\n\n\n\n
Configure<\/strong> your Dependency-Track environment based on your needs. By default Internal Analyser,National Vulnerability Database <\/a>(NVD Vulnerability Sources and Repositories (
Python , Nuget , CPAN, etc ) are enabled to perfom the scan and analysis.<\/p>\n\n\n\n
\u201cLets inject our first SBOM into the Dependency-Track environment\u201d<\/strong><\/p>\n\n\n\n
In our previous blog topic we were able to generate the SBOM XML file in cyclone-dx format. We will inject the same file into our Depdency-Track environment. Follow the below steps :<\/p>\n\n\n\n
Login to \u201chttp:\/\/abc.company.com:8080\/projects<\/a>\u201d and Click on \u201cCreate Project\u201d<\/p>\n\n\n\n
Project Name -> \u201cMy-First-Project\u201d<\/p>\n\n\n\n
Version -> \u201c1.0\u201d<\/p>\n\n\n\n
Classifier -> \u201cOperating System\u201d<\/p>\n\n\n\n
Description -> \u201cAs your wish\u201d<\/p>\n\n\n\n
Click Create and \u201cMy-First-Project\u201d Project is created. Now we will Upload the SBOM Files under this project for analysis.<\/p>\n\n\n\n
\"\"\/
Create Project<\/figcaption><\/figure>\n\n\n\n
Click on \u201cMy-First-Project\u201d.<\/p>\n\n\n\n
\"\"\/
Choose Project<\/figcaption><\/figure>\n\n\n\n
Click on \u201cComponents\u201d Tab and Choose to Upload BOM.<\/p>\n\n\n\n
\"\"\/
Upload BOM<\/figcaption><\/figure>\n\n\n\n
You have done a-lot , Let Dependency-Track do some work . Take A Tea Break and back in 5 minutes \ud83d\ude09<\/p>\n\n\n\n
Go Back to your Project Dashboard Page , Click on \u201cMy-First-Projec\u201d and you can see the updated Project information. In Our case its indicating some High and Medium vulnerability.<\/p>\n\n\n\n
\"\"\/
Project-Analysis<\/figcaption><\/figure>\n\n\n\n
Now you can further navigate to \u201cAudit Vulnerability\u201d Tab and collect the detailed Analysis around the reported vulnerability , risk , severity and possible fix as well.<\/p>\n\n\n\n
\"\"\/
Audit Vulnerability<\/figcaption><\/figure>\n\n\n\n
\n
Conclusion<\/strong> \u2014 Overall, Dependency-Track is a powerful SCA tool that can help organisations improve their software security posture and mitigate risks associated with third-party software components and dependencies.<\/p>\n<\/blockquote>\n\n\n\n
Dependency-Track provides an easy and effective API Support \u2014 In Our next blog of this series we will Setup an automated SBOM Generation , Injection and Notification Framework.<\/p>\n\n\n\n
Till then Bye\u2026\u2026 !<\/em><\/p>\n\n\n\t
\n\t\t
Leave a Reply Cancel reply<\/a><\/small><\/h3>
Your email address will not be published.<\/span> Required fields are marked *<\/span><\/span><\/p>