Use in CI pipeline (maven plugin) via token/chainIdentifier

[sculeb]

Context: We want to use dependency track in our CI pipeline in a way that builds fail in case certain thresholds are hit. So a colleague wrote a maven plugin that works similar to the Jenkins plugin. We upload the bom, receive the token and poll the token to see if all tasks are finished. When that's the case we request the project's findings and metrics to decide whether the build fails/passes.

But it seems that when the /bom/token/{uuid} endpoint returns false - indicating that all tasks are finished - the project's findings and metrics are not yet updated.
I had a look at the sources and while I see the chainIdentifier being set on the VulnerabilityAnalysisEvent in BomUploadProcessingTask, I didn't see the chainIdentifier being passed on to the subsequent Events in the VulnerabilityAnalysisTask.

Am I missing something or does the chaining really stop there?
If that's the case: What's the reason for that? And would it be possible to extend the chaining to have the /bom/token/{uuid} endpoint return false only after project's findings and metrics are updated? Would be happy to help with a PR.

[stevespringett]

All tasks in DT are async. When a BOM is uploaded and a token returned, it's for the action that just occurred, which was the upload. Once the BOM has been processed, the bom processing task is complete.

If there are analyzers enabled (internal, oss index, npm, vulndb), then a separate task is executed for each one. Each independent analysis is also async and not guaranteed to execute right away. After the completion of each analyzer, dependency metrics, component metrics, and project metrics are updated. So if all analyzers are enabled, you'll get a 12 metrics updates. But everything happens async. There are no guarantees that metric updates will happen immediately. For example, if DT suddenly get 100 boms published to it due to nightly builds, metrics could take awhile to be processed.

What you're asking for is understandable, but not in the current design. An extra flag might need to be added when a bom is uploaded to indicate the token should carry through to all processing tasks. Keep in mind that in the future, this will also involve license checks, policy violations, and additional analyzers, so the wait time will increase over time. But I think it's doable. Given the amount of enhancement requests and priority for those, I don't envision me being able to get to this until next year sometime. If this is something you'd like added sooner, I'd recommend submitting a PR which maintains API compatibility while providing the option for token pass through.

[stevespringett]

One note, the relevance of token pass through becomes less important the more components are added to the global inventory.

For example, if component A is used by project 1, and project 2 just adds it, once the token for the bom upload for project 2 is complete, DT will already have the correct vulnerability intelligence for project 2. Token pass through is only relevant when new component versions are introduced which have not previously been in the global inventory.

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.