Integrating OWASP Dependency-Track into GitLab CI/CD Pipeline

Who can help me?

  1. I want to implement uploading an SBOM file xxxx.xml to Dependency-Track in a GitLab CI/CD pipeline.
  2. Global idea (next step): at the start of the build (beginning of the pipeline), create an SBOM file and upload it to Dependency-Track; for now I use a manually created SBOM file.

With the following gitlab-ci.yml:

DT_SCA:
  stage: test
  script:
    - git clone https://gitlab.com/.../test.git
    - cd test/
    - curl
      -X "PUT" "http://x.x.x.x:8080/api/v1/bom"
      -H "X-API-Key:xxxx"
      -H "Content-Type:multipart/form-data"   # option 2: -H "Content-Type:application/json"
      -d @xxxx.xml                             # option 2: -d @xxxx.json

I get a 500 error (Internal Server Error).

Tried different variations, always different errors.

At the same time, there is no official integration. Help me please.

Is there a ready solution? Thank you!

Artem Puzankov Avatar asked Oct 16 '25 03:10



1 Answer

As I generate my SBOM with trivy, this is how I send its result to Dependency-Track:

dt-import-sbom-scan:
  extends: .dt-upload
  needs: ["trivy-fs-sbom-scan"]
  script:
    - |
      # curl's -F already sends the body as multipart/form-data; overriding
      # Content-Type with application/json makes the server reject the upload.
      # The API key variable must use underscores: a shell variable name cannot
      # contain "-", so "$DT-API-KEY" would expand "$DT" followed by "-API-KEY".
      # <SBOM_FILE>: path of the SBOM produced by the trivy-fs-sbom-scan job.
      curl -X "POST" "http://<YOUR_URL>/api/v1/bom" \
        -H "X-Api-Key: $DT_API_KEY" \
        -F "autoCreate=true" \
        -F "projectName=$CI_PROJECT_NAME" \
        -F "projectVersion=$CI_COMMIT_BRANCH" \
        -F "bom=@<SBOM_FILE>"
  rules:
    - if: $TRIVY_FS_SBOM == "false"
      when: never

For .dt-upload I used this:

.dt-upload:
  stage: .post
  image: docker:stable
  services:
    - name: docker:dind
  before_script:
    - apk add --update curl
Iman Avatar answered Oct 17 '25 19:10

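An added example, not code from the question or the answer above: a small POSIX shell helper for the same upload that validates its inputs, lets curl set the multipart Content-Type, and polls Dependency-Track's BOM token endpoint so the CI job only passes once the server has actually processed the SBOM. Assumed names: the CI variables DT_URL and DT_API_KEY and the dt_* function names.

```shell
#!/bin/sh
# Added example (not the question's or the answer's code). Uploads an SBOM to
# Dependency-Track from a GitLab CI job and waits for the server to process it.
# Assumes CI variables DT_URL (no trailing slash) and DT_API_KEY, plus GitLab's
# CI_PROJECT_NAME and CI_COMMIT_BRANCH. Endpoints used: POST /api/v1/bom
# (multipart/form-data, answers {"token":"<uuid>"}) and
# GET /api/v1/bom/token/<uuid> (answers {"processing":true|false}).

# Send the SBOM. curl's -F switches the request to multipart/form-data by
# itself; adding "-H Content-Type: application/json" on top of -F is what
# makes the server reject the body.
dt_upload_bom() {
  sbom="$1"
  [ -s "$sbom" ] || { echo "SBOM file '$sbom' is missing or empty" >&2; return 2; }
  [ -n "$DT_API_KEY" ] || { echo "DT_API_KEY is not set" >&2; return 2; }
  [ -n "$CI_PROJECT_NAME" ] || { echo "CI_PROJECT_NAME is not set" >&2; return 2; }
  curl --silent --show-error --fail -X POST "$DT_URL/api/v1/bom" \
    -H "X-Api-Key: $DT_API_KEY" \
    -F "autoCreate=true" \
    -F "projectName=$CI_PROJECT_NAME" \
    -F "projectVersion=${CI_COMMIT_BRANCH:-unknown}" \
    -F "bom=@$sbom"
}

# Pull the token out of {"token":"..."} without depending on jq in the image.
dt_token_from_response() {
  printf '%s' "$1" | sed -n 's/.*"token" *: *"\([^"]*\)".*/\1/p'
}

# Poll the token until the server reports processing=false. Returns 1 if the
# status cannot be read or the attempt limit is reached.
dt_wait_for_processing() {
  token="$1"; attempts="${2:-30}"
  while [ "$attempts" -gt 0 ]; do
    status=$(curl --silent --fail -H "X-Api-Key: $DT_API_KEY" \
      "$DT_URL/api/v1/bom/token/$token") || return 1
    case "$status" in *'"processing":false'*|*'"processing": false'*) return 0 ;; esac
    attempts=$((attempts - 1)); sleep 2
  done
  return 1
}

# Usage inside the CI job script, e.g.:  dt_submit_sbom sbom.cdx.json
dt_submit_sbom() {
  response=$(dt_upload_bom "$1") || return $?
  token=$(dt_token_from_response "$response")
  [ -n "$token" ] || { echo "no token in response: $response" >&2; return 1; }
  dt_wait_for_processing "$token"
}
```

A non-zero exit from dt_submit_sbom fails the job, so a rejected or unprocessed SBOM is visible in the pipeline instead of being silently skipped.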
