Bring your own dependency check
learn how to integrate dependency check tools to kyndryl modern operations – secure dashboard represents vulnerability details for static scan, license compliance, dependency check & container vulnerability scan dependency check shows vulnerabilities the process of dependency check is crucial to identify vulnerabilities in our code that attackers could potentially exploit to achieve this, we use various tools and apis, including bring your own dependencycheck apis, to perform vulnerability scans and gather information one of the ways we can scan for vulnerabilities is through dependency track, which helps identify vulnerabilities in third party tools and dependencies using the tenant, users can share and analyze lists of vulnerabilities, allowing for the calculation of metrics related to the vulnerable components this process enables us to proactively address potential security risks and ensure the safety of our code and systems secure functionality is applicable only for the premium plans in the following image shows how the secure page looks when data is populated from secure tools note secure functionality is applicable only for premium plan in devops intelligence the following image shows how the secure page looks when data is populated from secure tools bringing data into to bring your own build tools, complete the following steps go to the tools configuration page and navigate to the tokens tab click on create token and give a unique token name select token type as build, then click on the create button a new entry will be added to the table in the table entry click on the vertical ellipsis icon on the respective row and select the view/regenerate token option copy that token by clicking copy icon in the token field note to post data to the apis mentioned below, add the service token (see bring your own tools docid\ j2wcdgqowtc5mnoocztya to the authorization header of the request see curl example for reference format step 1 token {the service token from step1} example token 74h5cr8setsjrvofkdbsisy3lsgfngu v5anur4pxu1jh8kp0nqbjhuwqsrmgztx step 2 api reference api technical services/dependency check url https //{devops intelligence host}/dash/api/build/v3/technical services/dependency check parameters parameter type explanation example value authorization header authorization has a service token 74h5cr8setsjrvofkdbsisy3lsgfngu v5anur4pxu1jh8kp0nqbjhuwqsrmgztx vulnerabiltyscandetails body scan data in json { "component name" "comp1", "component uuid" "12345", "endpoint hostname" "myorg", "last occurrence time" "2022 12 15t07 20 50 52z", "first occurrence time" "2022 12 15t07 20 50 52z", "project name" "myproj", "project uuid" "98765", "provider href" "http //www mytest com", "scanned by" "byod", "technical service" "byos", "technical service override" false, "technical service tag" { "additionalprop1" "string", "additionalprop2" "string", "additionalprop3" "string" }, "vulnerabilities" \[ { "affectedprojectcount" 0, "cvssv2basescore" 0, "cvssv2exploitabilitysubscore" 0, "cvssv2impactsubscore" 0, "cvssv2vector" "string", "cvssv3basescore" 0, "cvssv3exploitabilitysubscore" 0, "cvssv3impactsubscore" 0, "cvssv3vector" "string", "dependencies" "string", "description" "string", "published" "2022 12 12t11 48 55 888z", "references" "string", "riskscore" 10, "severity" "high", "sha256" "string", "source" "string", "title" "string", "updated" "2022 12 12t11 48 55 888z", "url" "string", "uuid" "982233", "vulnid" "5555", "weakness" "string" } ] } curl example request curl x 'post' \\ 'dash/api/dev secops/v3/technical services/dependency check' \\ h 'accept application/json' \\ h 'authorization token akfe90h5 j5xqbmjijzv5qs xzn1gneioffgsaxjvldmdjaleppmbvr4vawuty5' \\ h 'content type application/json' \\ d '{ "component name" "comp1", "component uuid" "12345", "endpoint hostname" "myorg", "last occurrence time" "2022 12 15t07 20 50 52z", "first occurrence time" "2022 12 15t07 20 50 52z", "project name" "myproj", "project uuid" "98765", "provider href" "http //www mytest com", "scanned by" "byod", "technical service" "byos", "technical service override" false, "technical service tag" { "additionalprop1" "string", "additionalprop2" "string", "additionalprop3" "string" }, "vulnerabilities" \[ { "affectedprojectcount" 0, "cvssv2basescore" 0, "cvssv2exploitabilitysubscore" 0, "cvssv2impactsubscore" 0, "cvssv2vector" "string", "cvssv3basescore" 0, "cvssv3exploitabilitysubscore" 0, "cvssv3impactsubscore" 0, "cvssv3vector" "string", "dependencies" "string", "description" "string", "published" "2022 12 12t11 48 55 888z", "references" "string", "riskscore" 10, "severity" "high", "sha256" "string", "source" "string", "title" "string", "updated" "2022 12 12t11 48 55 888z", "url" "string", "uuid" "982233", "vulnid" "5555", "weakness" "string" }, ], }' response 200 "total number of records inserted successfully is 1" secure dependency check vulnerability request body explained field data type explanation example value endpoint hostname string name of the endpoints "myorg/myrepo" component name string name of the component "myrepo" component uuid string uuid of the component "56567656" project id string name of the project "devopsintelligence" project uuid string uuid of the project "980022" provider href string provider url on which vulnerability is scanned "http //mytest com scannedby string tool which is used to scan the vunerabilities of the repositories "byo", last occurrence time string time of first occurrence in utc "2022 12 05t07 20 50 52z" first occurrence time string time of last occurrence scan in utc "2022 12 05t07 20 50 52z" technical service string technical service name "myservice" technicalserviceoverride boolean override flag for the service true vulnerabilities details of the fields severity string severity of vulnerability critical, high, low, medium updated string date of update "2022 12 05t07 20 50 52z" published string date of published "2022 12 05t07 20 50 52z" dependencies string dependencies for the vulnerability "libecheck 1 2 1" description string description of the vulnerability "for the byo vulnerability sha256 string sha value e958d6656281b0276597ac6d9453d6c5dbb6afc5 vulnid string vulnerability id 6340a99cfc1262 uuid string uuid of the component 4ca61bb22 weakness string weakness 862 missing authorization source string source of vulnerability nvd riskscore int32 risk score of the vulnerability 8 title string title of the vulnerability "byo dependency check vulnerabilities" references string reference for the vulnerability ref\ repo url string url of the vulnerability https //myrul in affectedprojectcount int count of the affected projects 6 cvssv2basescore float64 cvssv2impactsubscore float64 cvssv2exploitabilitysubscore float64 cvssv3vector string cvss v3 vector cvssv2vector string cvss v2 vector cvssv3impactsubscore float64 cvssv3exploitabilitysubscore float64