Bring Your Own Dependency Check
Published On Aug 27, 2024 - 10:12 AM


Learn how to integrate your own dependency check tooling with Kyndryl Modern Operations – DevOps Intelligence.

The DevOps Intelligence Secure dashboard presents vulnerability details from static scans, license compliance checks, dependency checks and container vulnerability scans.

Dependency check shows vulnerabilities: a dependency check identifies known vulnerabilities in the third-party libraries and tools your code pulls in, which attackers could otherwise exploit. Scan results can come from several tools and APIs, including the Bring Your Own Dependency Check API described on this page. One such source is Dependency-Track, which identifies vulnerabilities in third-party tools and dependencies. Once results are posted to a DevOps Intelligence tenant, users can share and analyze the list of vulnerabilities and calculate metrics about the vulnerable components, so that risks are addressed before they are exploited rather than after.

Secure functionality is available only on the premium plans of DevOps Intelligence.

The following image shows how the Secure page looks when data is populated from secure tools.

Bring Data into DevOps Intelligence

To create the service token (of type Build) that authenticates the data you post, complete the following steps:
  1. Go to the DevOps Intelligence Tools Configuration page and navigate to the Tokens tab.
  2. Click Create Token and give the token a unique name.
  3. Select Build as the Token Type, then click Create.
  4. A new entry is added to the token table.
  5. Click the vertical ellipsis icon on that row and select the View/Regenerate token option.
  6. Copy the token by clicking the copy icon in the token field. Treat it as a credential: keep it in your CI system's secret store, not in source control or build logs, and regenerate it if it is exposed.

To post data to the API described below, send the service token (see: Create Service Token) in the Authorization header of the request, as shown in the cURL example.

Format

Step 1: Authorization header value
Token {the-service-token-created-above}
Example:
Token 74h5cR8sETSJRvOFkdbsISY3lsgfNGu_V5aNur4Pxu1Jh8kP0NQBJhuWQsRmGzTX

Step 2: API Reference
API: technical-services/dependency-check
URL: https://{devops-intelligence-host}/dash/api/build/v3/technical-services/dependency-check
Parameters

| Parameter | Type | Explanation | Example Value |
|---|---|---|---|
| Authorization * | Header | The service token, sent as `Token <service-token>` | 74h5cR8sETSJRvOFkdbsISY3lsgfNGu_V5aNur4Pxu1Jh8kP0NQBJhuWQsRmGzTX |
| VulnerabilityScanDetails * | Body | Scan data as JSON (see the example body below and the field reference further down) | see below |

Example body:

    {
      "component_name": "Comp1",
      "component_uuid": "12345",
      "endpoint_hostname": "MyOrg",
      "last_occurrence_time": "2022-12-15T07:20:50.52Z",
      "first_occurrence_time": "2022-12-15T07:20:50.52Z",
      "project_name": "myProj",
      "project_uuid": "98765",
      "provider_href": "http://www.mytest.com",
      "scanned_by": "BYOD",
      "technical_service": "BYOS",
      "technical_service_override": false,
      "technical_service_tag": {
        "additionalProp1": "string",
        "additionalProp2": "string",
        "additionalProp3": "string"
      },
      "vulnerabilities": [
        {
          "affectedProjectCount": 0,
          "cvssV2BaseScore": 0,
          "cvssV2ExploitabilitySubScore": 0,
          "cvssV2ImpactSubScore": 0,
          "cvssV2Vector": "string",
          "cvssV3BaseScore": 0,
          "cvssV3ExploitabilitySubScore": 0,
          "cvssV3ImpactSubScore": 0,
          "cvssV3Vector": "string",
          "dependencies": "string",
          "description": "string",
          "published": "2022-12-12T11:48:55.888Z",
          "references": "string",
          "riskscore": 10,
          "severity": "High",
          "sha256": "string",
          "source": "string",
          "title": "string",
          "updated": "2022-12-12T11:48:55.888Z",
          "url": "string",
          "uuid": "982233",
          "vulnId": "5555",
          "weakness": "string"
        }
      ]
    }

cURL Example:

Note that this example posts to the dev_secops path, whereas the API reference above lists the build path; use the path documented for your tenant. The request body is the same JSON as in the example body above.

Request

    curl -X 'POST' \
      'https://{devops-intelligence-host}/dash/api/dev_secops/v3/technical-services/dependency-check' \
      -H 'accept: application/json' \
      -H 'Authorization: Token _aKFE90h5_j5xqBMJijZv5qS_XZn1GnEIoFFgSaxJvlDmdJAlePpmBVR4vAwuty5' \
      -H 'Content-Type: application/json' \
      -d '{
        "component_name": "Comp1",
        "component_uuid": "12345",
        "endpoint_hostname": "MyOrg",
        "last_occurrence_time": "2022-12-15T07:20:50.52Z",
        "first_occurrence_time": "2022-12-15T07:20:50.52Z",
        "project_name": "myProj",
        "project_uuid": "98765",
        "provider_href": "http://www.mytest.com",
        "scanned_by": "BYOD",
        "technical_service": "BYOS",
        "technical_service_override": false,
        "technical_service_tag": {
          "additionalProp1": "string",
          "additionalProp2": "string",
          "additionalProp3": "string"
        },
        "vulnerabilities": [
          {
            "affectedProjectCount": 0,
            "cvssV2BaseScore": 0,
            "cvssV2ExploitabilitySubScore": 0,
            "cvssV2ImpactSubScore": 0,
            "cvssV2Vector": "string",
            "cvssV3BaseScore": 0,
            "cvssV3ExploitabilitySubScore": 0,
            "cvssV3ImpactSubScore": 0,
            "cvssV3Vector": "string",
            "dependencies": "string",
            "description": "string",
            "published": "2022-12-12T11:48:55.888Z",
            "references": "string",
            "riskscore": 10,
            "severity": "High",
            "sha256": "string",
            "source": "string",
            "title": "string",
            "updated": "2022-12-12T11:48:55.888Z",
            "url": "string",
            "uuid": "982233",
            "vulnId": "5555",
            "weakness": "string"
          }
        ]
      }'

Response 200

    "Total Number of records inserted successfully is 1"

Secure-Dependency-Check-vulnerability Request Body Explained

Fields marked * are required. Field names are as they appear in the JSON body above.

| Field | Data Type | Explanation | Example Value |
|---|---|---|---|
| endpoint_hostname | string | Name of the endpoint (organization/repository) | "myOrg/myRepo" |
| component_name * | string | Name of the component | "myRepo" |
| component_uuid * | string | UUID of the component | "56567656" |
| project_name | string | Name of the project | "DevOpsIntelligence" |
| project_uuid | string | UUID of the project | "980022" |
| provider_href * | string | URL of the provider on which the vulnerability was scanned | "http://mytest.com" |
| scanned_by * | string | Tool used to scan the repositories for vulnerabilities | "BYO" |
| first_occurrence_time * | string | Time (UTC) at which the vulnerability was first observed | "2022-12-05T07:20:50.52Z" |
| last_occurrence_time * | string | Time (UTC) of the most recent scan that observed the vulnerability | "2022-12-05T07:20:50.52Z" |
| technical_service * | string | Technical service name | "myservice" |
| technical_service_override | boolean | Override flag for the service | true |
| vulnerabilities | array | One object per vulnerability; its fields are listed below | |

vulnerabilities: details of the fields

| Field | Data Type | Explanation | Example Value |
|---|---|---|---|
| severity * | string | Severity of the vulnerability; one of critical, high, medium, low | "High" |
| updated | string | Date the vulnerability record was last updated | "2022-12-05T07:20:50.52Z" |
| published | string | Date the vulnerability was published | "2022-12-05T07:20:50.52Z" |
| dependencies | string | Dependency affected by the vulnerability | "libecheck-1.2.1" |
| description | string | Description of the vulnerability | "For the BYO vulnerability" |
| sha256 | string | SHA value of the dependency (a real SHA-256 digest is 64 hex characters; the sample shown is shorter) | e958d6656281b0276597ac6d9453d6c5dbb6afc5 |
| vulnId * | string | Vulnerability ID | 6340a99cfc1262 |
| uuid * | string | UUID of the vulnerability | 4ca61bb22 |
| weakness | string | Weakness (CWE) | 862 : Missing Authorization |
| source | string | Source of the vulnerability | NVD |
| riskscore | int32 | Risk score of the vulnerability | 8 |
| title | string | Title of the vulnerability | "BYO dependency check vulnerabilities" |
| references | string | Reference for the vulnerability | ref:repo |
| url | string | URL of the vulnerability | https://myrul.in |
| affectedProjectCount | int | Count of the affected projects | 6 |
| cvssV2BaseScore | float64 | CVSS v2 base score | |
| cvssV2ImpactSubScore | float64 | CVSS v2 impact sub-score | |
| cvssV2ExploitabilitySubScore | float64 | CVSS v2 exploitability sub-score | |
| cvssV2Vector | string | CVSS v2 vector | |
| cvssV3BaseScore | float64 | CVSS v3 base score | |
| cvssV3ImpactSubScore | float64 | CVSS v3 impact sub-score | |
| cvssV3ExploitabilitySubScore | float64 | CVSS v3 exploitability sub-score | |
| cvssV3Vector | string | CVSS v3 vector | |