OWASP Dependency Track check: how to use it in Maven projects

Quobis

2 years ago

2,366 views

This Github action generates a BoM (Bill of Materials) for your project and uploads it to an OWASP Dependency Track instance, which then performs the vulnerability check.

This video shows how to install the "cyclonedx-maven-plugin" in your Java Maven project, and how to add the action itself to your Github repository.
For other supported languages (non-Maven projects), simply skip the plugin installation step.

https://github.com/marketplace/actions/owasp-dependency-track-check

One of the main advantages is that you can customize the vulnerability sources Dependency Track uses for the check. You can also easily review the status of the different project versions in the Dependency Track web UI, and check the licenses of the libraries your project uses.

The project will be uploaded to the OWASP Dependency Track server using the repository name as the project name and the branch or tag name as the version. Whatever the language, the uploaded BoM will be in CycloneDX format v1.2, which is supported by Dependency Track v4.0.0 and higher. The conversion is done with the CycloneDX CLI convert tool, which produces v1.2 BoMs both from language plugins/modules that do not yet generate v1.2 and from those that only generate v1.3 (not supported by our DT version).
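The upload flow the paragraph above describes, as an added shell example (not the action's own code): it runs the cyclonedx-maven-plugin pinned to schema 1.2, derives the project name from the repository and the version from the branch or tag, and PUTs the BoM to Dependency Track's `/api/v1/bom` endpoint. `DT_URL` and `DT_API_KEY` are assumed environment variables; `GITHUB_REPOSITORY` and `GITHUB_REF` are the standard GitHub Actions ones.

```shell
#!/bin/sh
# Added example: generate a CycloneDX BoM with cyclonedx-maven-plugin and upload
# it to Dependency Track using repo name as project and branch/tag as version.
set -eu

# "owner/repo" -> "repo" (the repository name becomes the DT project name)
project_name() {
  printf '%s\n' "${1##*/}"
}

# "refs/heads/main" -> "main", "refs/tags/v1.2" -> "v1.2" (becomes the DT version)
project_version() {
  case "$1" in
    refs/heads/*) printf '%s\n' "${1#refs/heads/}" ;;
    refs/tags/*)  printf '%s\n' "${1#refs/tags/}" ;;
    *)            printf '%s\n' "$1" ;;
  esac
}

# JSON body for PUT /api/v1/bom: the BoM itself is sent base64-encoded.
# autoCreate needs an API key that is allowed to create projects.
upload_payload() {
  name=$1; version=$2; bom_file=$3
  bom_b64=$(base64 "$bom_file" | tr -d '\n')
  printf '{"projectName":"%s","projectVersion":"%s","autoCreate":true,"bom":"%s"}' \
    "$name" "$version" "$bom_b64"
}

# Generate the BoM (schema 1.2, the version DT 4.0.x accepts) and upload it.
# Assumed env: DT_URL, DT_API_KEY, GITHUB_REPOSITORY, GITHUB_REF.
generate_and_upload() {
  mvn -q org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom \
      -DschemaVersion=1.2 -DoutputFormat=json
  name=$(project_name "$GITHUB_REPOSITORY")
  version=$(project_version "$GITHUB_REF")
  upload_payload "$name" "$version" target/bom.json > /tmp/bom-payload.json
  curl -sS -f -X PUT "$DT_URL/api/v1/bom" \
       -H "X-Api-Key: $DT_API_KEY" \
       -H "Content-Type: application/json" \
       --data @/tmp/bom-payload.json
}
```

Call `generate_and_upload` from a workflow step once the plugin is in your pom.xml; Dependency Track then analyses the new version under the repository's project.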

We recommend using the version tags to choose the specific action version that works with your workflow and your OWASP Dependency Track version. However, the main branch can also be used, since we do not expect to introduce breaking changes in future versions.

OWASP Dependency Track v4.0.1 has been successfully tested with tags v.1, v1.0, v1.1 and 1.2.

Feedback, contributions, bug reports and improvement issues are very welcome.

Music provided by www.bensound.com

Tags:

#github #owasp #cyclonedx #Java_Maven