SP-2933_dependency-track

* Added dependency track integration
* Upgraded scanoss-py version to v1.40.1

Author: Alex-1089

CHANGELOG.md

@@ -9,10 +9,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - Changes...
 
+## [1.2.0] - 2025-11-7
+### Added
+- Added dependency track integration
+### Changed
+- Upgraded scanoss-py version to v1.40.1
+
 ## [1.1.0] - 2025-10-22
 ### Added
 - Added raw results conversion to CycloneDX, SPDXLite and CSV
 ### Changed
 - Upgraded scanoss-py version to v1.37.1
 
-[1.1.0]: https://github.com/scanoss/ado-code-scan/compare/v1.0.3...v1.1.0
+[1.1.0]: https://github.com/scanoss/ado-code-scan/compare/v1.0.3...v1.1.0
+[1.2.0]: https://github.com/scanoss/ado-code-scan/compare/v1.1.0...v1.2.0

OVERVIEW.md

@@ -149,8 +149,14 @@ When the pipeline is manually triggered or runs on a schedule, the results are u
 | dependenciesScope        | Gets development or production dependencies (scopes: dev - prod )                                                                                        | Optional       | -                                    |                       
 | dependenciesScopeInclude | Custom list of dependency scopes to be included. Provide scopes as a comma-separated list.                                                               | Optional       | -                                    |
 | dependenciesScopeExclude | Custom list of dependency scopes to be excluded. Provide scopes as a comma-separated list.                                                               | Optional       | -                                    |
-| policies                 | List of policies separated by commas, options available are: copyleft, undeclared.                                                                       | Optional       | -                                    |
+| policies                 | List of policies separated by commas, options available are: copyleft, undeclared, deptrack.                                                             | Optional       | -                                    |
 | policiesHaltOnFailure    | Halt check on policy failure. If set to false checks will not fail.                                                                                      | Optional       | `true`                               |
+| depTrackEnabled          | Enable or disable Dependency Track SBOM upload and status reporting.                                                                                     | Optional       | `false`                              |
+| depTrackUrl              | Dependency Track server URL (e.g., https://deptrack.example.com).                                                                                        | Optional       | -                                    |
+| depTrackApikey           | Dependency Track API key for authentication.                                                                                                             | Optional       | -                                    |
+| depTrackProjectId        | UUID of an existing Dependency Track project (alternative to name/version).                                                                              | Optional       | -                                    |
+| depTrackProjectName      | Dependency Track project name (required if projectId not provided).                                                                                      | Optional       | -                                    |
+| depTrackProjectVersion   | Dependency Track project version (required if projectId not provided).                                                                                   | Optional       | -                                    |
 | apiUrl                   | SCANOSS API URL                                                                                                                                          | Optional       | `https://api.osskb.org/scan/direct`  |
 | apiKey                   | SCANOSS API Key                                                                                                                                          | Optional       | -                                    |
 | runtimeContainer         | Runtime URL                                                                                                                                              | Optional       | `ghcr.io/scanoss/scanoss-py:v1.37.1` |
@@ -164,21 +170,73 @@ When the pipeline is manually triggered or runs on a schedule, the results are u
 | debug                    | Enable debugging                                                                                                                                         | Optional       | `false`                              |
 
 ## Policy Checks
-The SCANOSS Code Scan Task includes two configurable policies:
+The SCANOSS Code Scan Task includes three configurable policies:
 
-1. Copyleft: This policy checks if any component or code snippet is associated with a copyleft license. If such a
+1. **Copyleft**: This policy checks if any component or code snippet is associated with a copyleft license. If such a
    license is detected, the pull request (PR) is rejected. The default list of Copyleft licenses is defined in the following [file](https://github.com/scanoss/ado-code-scan/blob/1218c4fe2dcda5f807b505e271096b1ec0afd8a9/codescantask/utils/license.utils.ts#L4).
 
-2. Undeclared: This policy compares the components detected in the repository against those declared in the scanoss.json
+2. **Undeclared**: This policy compares the components detected in the repository against those declared in the scanoss.json
    file. If there are undeclared components, the PR is rejected.
 
+3. **Dependency Track** (deptrack): This policy integrates with a Dependency Track server to check for policy violations including security vulnerabilities, license violations, and compliance issues as configured in your Dependency Track policies. The policy check queries an existing Dependency Track project for violations and reports them in the pipeline.
+
+   **Requirements:**
+   - Dependency Track server URL and API key
+   - Either a project UUID or project name/version
+   - The policy runs even if SBOM upload is disabled, but will show warnings if checking against potentially stale data
+
+   **Configuration Example:**
+   ```yaml
+   inputs:
+     policies: copyleft,undeclared,deptrack
+     depTrackEnabled: true
+     depTrackUrl: 'https://deptrack.example.com'
+     depTrackApikey: $(DEPTRACK_API_KEY)
+     depTrackProjectName: 'my-project'
+     depTrackProjectVersion: '1.0.0'
+   ```
+
 Additionally, if it is a Pull Request, a comment with a summary of the report will be automatically generated.
 
 ![Comments on PR Undeclared Components](https://github.com/scanoss/integration-azure-DevOps/blob/main/.github/assets/pr_comment_undeclared_components.png?raw=true)
 
 
 ![Comments on PR Copyleft licenses](https://github.com/scanoss/integration-azure-DevOps/blob/main/.github/assets/pr_comment_copyleft.png?raw=true)
 
+## Dependency Track Integration
+
+The SCANOSS Code Scan Task integrates with Dependency Track to provide enhanced vulnerability tracking and policy enforcement. This integration consists of two main features:
+
+### 1. SBOM Upload Status Check
+
+When `depTrackEnabled` is set to `true`, the task will automatically upload a CycloneDX SBOM to your Dependency Track server and report the upload status as a separate PR status check. This status check provides:
+
+- **Success/Failure status**: Visual indicator of whether the SBOM was successfully uploaded
+- **Upload details**: Information about the uploaded SBOM including:
+  - Project name and version
+  - Number of components analyzed
+  - File size and upload time
+  - Direct link to the project in Dependency Track
+- **PR comments**: Detailed success or failure messages posted as PR comments
+- **Troubleshooting guidance**: If upload fails, helpful error messages with configuration tips
+
+**Note**: The SBOM upload status check runs independently from the policy checks. You can enable SBOM upload without enabling the Dependency Track policy check.
+
+**Configuration Example:**
+```yaml
+inputs:
+  depTrackEnabled: true
+  depTrackUrl: 'https://deptrack.example.com'
+  depTrackApikey: $(DEPTRACK_API_KEY)
+  depTrackProjectName: 'my-project'
+  depTrackProjectVersion: '1.0.0'
+```
+
+### 2. Dependency Track Policy Check
+
+The Dependency Track policy check (enabled by adding `deptrack` to the `policies` parameter) queries your Dependency Track server for policy violations and fails the build if violations are found. This is separate from the upload functionality and can be used independently.
+
+See the **Policy Checks** section above for detailed information about the Dependency Track policy check.
 
 ## Artifacts
 The scan results and policy check outcomes are uploaded to the artifacts folder of the specific run of the pipeline.

codescantask/app.input.ts

@@ -34,10 +34,33 @@ export const API_URL = tl.getInput('apiUrl');
 export const OUTPUT_FILEPATH = tl.getInput('outputFilepath') || "scanoss-raw.json";
 export const REPO_DIR = tl.getVariable('Build.Repository.LocalPath') || ''; // Get repository path
 export const POLICIES_HALT_ON_FAILURE = tl.getInput('policiesHaltOnFailure') === 'true';
-export const RUNTIME_CONTAINER = tl.getInput('runtimeContainer') || "ghcr.io/scanoss/scanoss-py:v1.37.1";
+export const RUNTIME_CONTAINER = tl.getInput('runtimeContainer') || "ghcr.io/scanoss/scanoss-py:v1.40.1";
 export const SKIP_SNIPPETS = tl.getInput('skipSnippets') === 'true';
 export const SCAN_FILES = tl.getInput('scanFiles') === 'true';
 export const SCANOSS_SETTINGS = tl.getInput('scanossSettings') === 'true';
 export const SETTINGS_FILE_PATH = tl.getInput('settingsFilepath') || 'scanoss.json';
 export const EXECUTABLE = 'docker';
-export const DEBUG = tl.getInput('debug') === 'true';
+export const DEBUG = tl.getInput('debug') === 'true';
+
+// ============================================================================
+// Dependency Track Configuration
+// ============================================================================
+export const DEPENDENCY_TRACK_ENABLED = tl.getInput('depTrackEnabled') === 'true';
+export const DEPENDENCY_TRACK_URL = tl.getInput('depTrackUrl');
+export const DEPENDENCY_TRACK_API_KEY = tl.getInput('depTrackApikey');
+/**
+ * UUID of an existing project in Dependency Track.
+ * Used for uploading to a specific project. Optional if project name/version provided.
+ */
+export let DEPENDENCY_TRACK_PROJECT_ID = tl.getInput('depTrackProjectId');
+export const DEPENDENCY_TRACK_PROJECT_NAME = tl.getInput('depTrackProjectName');
+export const DEPENDENCY_TRACK_PROJECT_VERSION = tl.getInput('depTrackProjectVersion');
+
+export let DEPENDENCY_TRACK_UPLOAD_TOKEN: string | undefined;
+
+export const setDependencyTrackUploadToken = (token: string) => {
+    DEPENDENCY_TRACK_UPLOAD_TOKEN = token;
+};
+export const setDependencyTrackProjectId = (id: string) => {
+    DEPENDENCY_TRACK_PROJECT_ID = id;
+};

codescantask/index.ts

@@ -25,6 +25,11 @@ import tl = require('azure-pipelines-task-lib/task');
 import { ScanService } from './services/scan.service';
 import { scanossService } from "./services/scanoss.service";
 import { policyManager } from './policies/policy.manager';
+import { DependencyTrackService } from './services/dependency-track.service';
+import { DependencyTrackStatusService } from './services/dependency-track-status.service';
+import { DepTrackPolicyCheck } from './policies/dep-track-policy-check';
+import {DEPENDENCY_TRACK_ENABLED, setDependencyTrackProjectId, setDependencyTrackUploadToken} from "./app.input";
+
 async function run() {
     try {
             console.log("Starting scan");
@@ -38,18 +43,36 @@ async function run() {
             await scanossService.reformatScanResults(format);
         }
 
-        // run policies
+        // Dependency Track Upload
+        let uploadAttempted = false;
+        if (DEPENDENCY_TRACK_ENABLED) {
+            const dtService = new DependencyTrackService();
+            const uploadResult = await dtService.uploadToDependencyTrack();
+            const dtStatusService = new DependencyTrackStatusService();
+            await dtStatusService.reportUploadStatus(uploadResult);
+            // Set flag for policy check to know upload was attempted
+            uploadAttempted = uploadResult.enabled;
+            if (uploadResult.success && uploadResult.uploadToken && uploadResult.projectId) {
+                // Store upload token and project ID for policy check
+                setDependencyTrackUploadToken(uploadResult.uploadToken);
+                setDependencyTrackProjectId(uploadResult.projectId);
+            }
+        }
+
+        // Run policies
         for (const policy of policies) {
+            // If this is a Dependency Track policy, set the upload attempted flag
+            if (policy instanceof DepTrackPolicyCheck) {
+                policy.setUploadAttempted(uploadAttempted);
+            }
             await policy.run();
         }
 
-    }
-    catch (err:any) {
+    } catch (err:any) {
         tl.setResult(tl.TaskResult.Failed, err.message);
     }
 }
-
-
-
-
-run();
+run().catch((err) => {
+    tl.setResult(tl.TaskResult.Failed, err.message || 'Unknown error occurred');
+    process.exit(1);
+});

codescantask/package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "azure-devops-integration",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "description": "",
   "main": "index.js",
   "scripts": {