
S-CORE: Setup Dependency-Track

I would like to (slowly) get started with DependencyTrack via https://sbom.eclipse.org

Can you support me by setting up DependencyTrack and adding the required variables & secrets to otterdog?

Scenario:

  • Many different repositories; would like one entry for each.
  • Those repositories change weekly; would like to have no need for manual interaction.
  • Would like to upload daily/continuously?! And for all created tags.

In our internal instance we use

    # Upload a CycloneDX BOM to Dependency-Track, creating the project/version if it does not exist
    curl -fsS --max-time 60 "$DTRACK_URL/api/v1/bom" \
      -H "X-Api-Key: $DTRACK_API_KEY" \
      -F "projectName=$DTRACK_PROJECT_NAME" \
      -F "projectVersion=$PROJECT_VERSION" \
      -F "autoCreate=true" \
      -F "bom=@releases/cyclonedx.node-modules.json"

But for Eclipse we will use this, correct?!

eclipse-csi/workflows/.github/workflows/store-sbom-data.yml

Can it be executed from any workflow? Do you have best practices on how to avoid uploads from random PRs?
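One way to answer the last question, as an added example that is neither the issue author's script nor code from eclipse-csi/workflows: gate the upload on the triggering event and ref so that pull_request runs never write to the Dependency-Track inventory, and derive projectVersion from the ref so that continuous uploads from the default branch keep updating one project entry while every tag gets its own version. It assumes GitHub Actions' GITHUB_EVENT_NAME, GITHUB_REF and GITHUB_REPOSITORY variables and a default branch named "main".

```shell
#!/bin/sh
# Added example (not from the issue or from eclipse-csi/workflows):
# only pushes to main or to a tag may upload a BOM; pull_request and
# pull_request_target runs are skipped. Assumes GitHub Actions' env vars
# and that the default branch is called "main".

# should_upload EVENT REF: succeed only for pushes to main or to a tag.
should_upload() {
  [ "$1" = "push" ] || return 1
  case "$2" in
    refs/heads/main|refs/tags/*) return 0 ;;
    *) return 1 ;;
  esac
}

# project_version REF: the tag name for tag refs, the branch name for
# branch refs, so daily uploads from main replace the same project version
# and each tag becomes its own version in Dependency-Track.
project_version() {
  case "$1" in
    refs/tags/*)  printf '%s\n' "${1#refs/tags/}" ;;
    refs/heads/*) printf '%s\n' "${1#refs/heads/}" ;;
    *) return 1 ;;
  esac
}

# upload_bom BOM_PATH: skip (successfully) on untrusted events, otherwise
# call the same /api/v1/bom endpoint the issue quotes.
upload_bom() {
  if ! should_upload "$GITHUB_EVENT_NAME" "$GITHUB_REF"; then
    echo "skip upload: event=$GITHUB_EVENT_NAME ref=$GITHUB_REF" >&2
    return 0
  fi
  version="$(project_version "$GITHUB_REF")" || return 1
  curl -fsS --max-time 60 "$DTRACK_URL/api/v1/bom" \
    -H "X-Api-Key: $DTRACK_API_KEY" \
    -F "projectName=${DTRACK_PROJECT_NAME:-${GITHUB_REPOSITORY#*/}}" \
    -F "projectVersion=$version" \
    -F "autoCreate=true" \
    -F "bom=@$1"
}
```

GitHub does not pass repository secrets to pull_request workflows triggered from forks, so the check above mainly guards pull_request_target and feature-branch pushes; combine it with a matching `on: push: branches/tags` trigger so the step is not even scheduled elsewhere.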