It should be useful to have ability to filter result of dtrack-audit sync by severity of findings.

It would be great to have an option to check for policy violations instead of findings.

To decrease amount of errors with spaces, NL etc. in params

It's not obvious to me how to run the program locally:

$ git clone https://github.com/ozonru/dtrack-audit.git
Cloning into 'dtrack-audit'...
remote: Enumerating objects: 104, done.
remote: Counting objects: 100% (104/104), done.
remote: Compressing objects: 100% (49/49), done.
remote: Total 104 (delta 39), reused 79 (delta 24), pack-reused 0
Receiving objects: 100% (104/104), 29.85 KiB | 5.97 MiB/s, done.
Resolving deltas: 100% (39/39), done.

$ go run cmd/dtrack-audit/main.go
package command-line-arguments
	cmd/dtrack-audit/main.go:6:2: use of internal package github.com/ozonru/dtrack-audit/internal/dtrack not allowed

Maybe I don't know something, but it's the thing I want to understand. Maybe you changed your local $GOPATH and have a special directory structure for this project?

In case of CI/CD and using of exit code to break current job it's important to consider that dtrack-audit use non-zero code only for reporting findings.

Common case for microservices world is when you have tons of it and want to integrate SCA security control for all of them. You can add manually each or make single and mandatory CI/CD step/job for all services. To make it works we need to implement auto-registration of projects with algorithm like:

1. Search in DTrack for project with name PROJECT_NAME
2. If it is already exists then use it ID
3. If new one then register with PROJECT_NAME and optionally additional information (e.g. Slack channel for alerts)
4. Run Dtrack in the job in async mode by default and give developers opportunity to switch on sync mode with breaking pipeline exit code.

command used:
Users/thinksabin/go/bin/dtrack-audit -a -i bom.xml -k PBohV8SZab8Rel5j1FEHZEI9wjDMdC1g -u http://192.168.43.221:8080

error:

Send SBOM file to Dependency Track for audit.

Usage of program: ...... 
Fields marked with (*) are required.

Environment variable DTRACK_AUTO_CREATE_PROJECT is already set.
Help required. thanks.

I propose to add a new environment, DTRACK_PROJECT_TAGS.

Setting it to tag1 tag2 would call:

PATCH /api/v1/project/<UUID>
{"tags": [{"name": "tag1"}, {"name": "tag2"}]}

after creating or updating the project.

How to reproduce:

docker run -it --rm node:lts-alpine /bin/sh
apk add --no-cache git go
export GOROOT=/usr/lib/go
export GOPATH=/go
export PATH=/go/bin:$PATH
go install github.com/ozontech/dtrack-audit/cmd/dtrack-audit@latest

Go version: 1.17.4-r0

Error:

go: downloading github.com/ozontech/dtrack-audit v1.0.0
go install: github.com/ozontech/dtrack-audit/cmd/dtrack-audit@latest: github.com/ozontech/[email protected]: parsing go.mod:
	module declares its path as: github.com/ozonru/dtrack-audit
	        but was required as: github.com/ozontech/dtrack-audit

Following command works:

go install github.com/ozonru/dtrack-audit/cmd/dtrack-audit@latest

Dependency Track v3.2.0 introduced the PROJECT_CREATION_UPLOAD permission that reduced the access that PORTFOLIO_MANAGEMENT gave. I get the following error upon upload of a BOM for a non-existing project:

$ dtrack-audit -a -n $PROJECT_NAME -k $DTRACK_KEY -u $DTRACK_URL -i bom.xml
[Dtrack Audit Error]: Permission error. Check that you have all required permissions

I am using dtrack-audit v1.0.0 and Dependency Track v4.3.4.

It looks like dtrack-audit is querying for a project, then trying to create a new one if it doesn't exist. This will fail if the key only had PROJECT_CREATION_UPLOAD permission.

Steps to reproduce:

1. Add new team into Dtrack with empty permissions
2. Try to upload via dtrack-audit bom file

Current result:
EOF error

Expected result:
Informative error message from Dtrack API

By including the project's UUID in the console output, a direct link to the project in Dependency Track can be easily constructed. This link can be, for example, added as a note to a merge request, where developers can triage issues found.

Like for https://github.com/securego/gosec