Cloud Services

DevOps Intelligence

Expand menu Collapse menu

Bring Your Own Dependency Check

Published On Jul 23, 2024 - 8:47 AM

Bring Your Own Dependency Check

Learn how to integrate Dependency Check tools to Kyndryl Modern Operations – DevOps Intelligence.

DevOps Intelligence Secure dashboard represents vulnerability details for static scan, license compliance, dependency check & container vulnerability scan.

Dependency check shows vulnerabilities
: The process of dependency check is crucial to identify vulnerabilities in our code that attackers could potentially exploit. To achieve this, we use various tools and APIs, including Bring Your Own DependencyCheck APIs, to perform vulnerability scans and gather information. One of the ways we can scan for vulnerabilities is through Dependency Track, which helps identify vulnerabilities in third-party tools and dependencies. Using the DevOps Intelligence tenant, users can share and analyze lists of vulnerabilities, allowing for the calculation of metrics related to the vulnerable components. This process enables us to proactively address potential security risks and ensure the safety of our code and systems.

Secure functionality is applicable only for the premium plans in DevOps Intelligence.

The following image shows how the Secure page looks when data is populated from secure tools.

Secure functionality is applicable only for premium plan in DevOps Intelligence.

The following image shows how the Secure page looks when data is populated from secure tools.

Bring Data into DevOps Intelligence

To bring your own Build tools, complete the following steps:

Go to the DevOps Intelligence Tools Configuration page and navigate to the Tokens tab.

Click on Create Token and give a unique Token name.

Select Token Type as Build, then click on the Create button.

A new entry will be added to the table in the table entry.

Click on the vertical ellipsis icon on the respective row and select the view/regenerate token option.

Copy that token by clicking copy icon in the token field.

To Post Data to the APIs mentioned below, Add the service Token (see: Create Service Token) to the Authorization
header of the request. See cURL Example for reference

Format

Step 1: TOKEN {the-service-token-from-step1}

Example :

TOKEN 74h5cR8sETSJRvOFkdbsISY3lsgfNGu_V5aNur4Pxu1Jh8kP0NQBJhuWQsRmGzTX

Step 2: API Reference

API : technical-services/dependency-check

URL : https://{devops-intelligence-host}/dash/api/build/v3/technical-services/dependency-check

Parameters

Parameter

Type

Explanation

Example Value

Authorization*

Header

Authorization has a service token

74h5cR8sETSJRvOFkdbsISY3lsgfNGu_V5aNur4Pxu1Jh8kP0NQBJhuWQsRmGzTX

VulnerabiltyScanDetails *

BODY

Scan Data in Json


{
 "component_name": "Comp1",
 "component_uuid": "12345",
 "endpoint_hostname": "MyOrg",
 "last_occurrence_time": "2022-12-15T07:20:50.52Z",
 "first_occurrence_time": "2022-12-15T07:20:50.52Z",
 "project_name": "myProj",
 "project_uuid": "98765",
 "provider_href": "http://www.mytest.com",
 "scanned_by": "BYOD",
 "technical_service": "BYOS",
 "technical_service_override": false,
 "technical_service_tag": {
   "additionalProp1": "string",
   "additionalProp2": "string",
   "additionalProp3": "string"
 },
 "vulnerabilities": [
   {
     "affectedProjectCount": 0,
     "cvssV2BaseScore": 0,
     "cvssV2ExploitabilitySubScore": 0,
     "cvssV2ImpactSubScore": 0,
     "cvssV2Vector": "string",
     "cvssV3BaseScore": 0,
     "cvssV3ExploitabilitySubScore": 0,
     "cvssV3ImpactSubScore": 0,
     "cvssV3Vector": "string",
     "dependencies": "string",
     "description": "string",
     "published": "2022-12-12T11:48:55.888Z",
     "references": "string",
     "riskscore": 10,
     "severity": "High",
     "sha256": "string",
     "source": "string",
     "title": "string",
     "updated": "2022-12-12T11:48:55.888Z",
     "url": "string",
     "uuid": "982233",
     "vulnId": "5555",
     "weakness": "string"
   }
 ]
}

cURL Example :

Request


curl -X 'POST' \
 'dash/api/dev_secops/v3/technical-services/dependency-check' \
 -H 'accept: application/json' \
 -H 'Authorization: Token _aKFE90h5_j5xqBMJijZv5qS_XZn1GnEIoFFgSaxJvlDmdJAlePpmBVR4vAwuty5' \
 -H 'Content-Type: application/json' \
 -d '{
 "component_name": "Comp1",
 "component_uuid": "12345",
 "endpoint_hostname": "MyOrg",
 "last_occurrence_time": "2022-12-15T07:20:50.52Z",
 "first_occurrence_time": "2022-12-15T07:20:50.52Z",
 "project_name": "myProj",
 "project_uuid": "98765",
 "provider_href": "http://www.mytest.com",
 "scanned_by": "BYOD",
 "technical_service": "BYOS",
 "technical_service_override": false,
 "technical_service_tag": {
   "additionalProp1": "string",
   "additionalProp2": "string",
   "additionalProp3": "string"
 },
 "vulnerabilities": [
   {
     "affectedProjectCount": 0,
     "cvssV2BaseScore": 0,
     "cvssV2ExploitabilitySubScore": 0,
     "cvssV2ImpactSubScore": 0,
     "cvssV2Vector": "string",
     "cvssV3BaseScore": 0,
     "cvssV3ExploitabilitySubScore": 0,
     "cvssV3ImpactSubScore": 0,
     "cvssV3Vector": "string",
     "dependencies": "string",
     "description": "string",
     "published": "2022-12-12T11:48:55.888Z",
     "references": "string",
     "riskscore": 10,
     "severity": "High",
     "sha256": "string",
     "source": "string",
     "title": "string",
     "updated": "2022-12-12T11:48:55.888Z",
     "url": "string",
     "uuid": "982233",
     "vulnId": "5555",
     "weakness": "string"
   },
 ],
}'

Response 200

"Total Number of records inserted successfully is 1"

Secure-Dependency-Check-vulnerability Request Body Explained

Field	Data Type	Explanation	Example Value
endpoint_hostname	string	Name of the endpoints	"myOrg/myRepo"
component_name *	string	Name of the component	"myRepo"
component_uuid *	string	UUID of the component	"56567656"
project_id	string	Name of the Project	"DevOpsIntelligence"
project_uuid	string	UUID of the project	"980022"
provider_href *	string	Provider URL on which vulnerability is scanned	"http://mytest.com
scannedby *	string	Tool which is used to scan the Vunerabilities of the repositories	"BYO",
last_occurrence_time*	string	Time of first occurrence in UTC	"2022-12-05T07:20:50.52Z"
first_occurrence_time *	string	Time of last occurrence scan in UTC	"2022-12-05T07:20:50.52Z"
technical_service *	string	Technical Service Name	"myservice"
technicalserviceoverride	boolean	Override flag for the service	true
vulnerabilities	Details of the fields
Severity *	string	Severity of Vulnerability	critical, high, low, medium
Updated	string	Date of update	"2022-12-05T07:20:50.52Z"
Published	string	Date of published	"2022-12-05T07:20:50.52Z"
dependencies	string	Dependencies for the vulnerability	"libecheck-1.2.1"
description	string	Description of the vulnerability	"For the BYO vulnerability
Sha256	string	SHA value	e958d6656281b0276597ac6d9453d6c5dbb6afc5
VulnID *	string	Vulnerability ID	6340a99cfc1262
UUID *	string	UUID of the component	4ca61bb22
weakness	string	Weakness	862 : Missing Authorization
Source	string	Source of vulnerability	NVD
RiskScore	int32	Risk score of the vulnerability	8
Title	string	Title of the vulnerability	"BYO dependency check vulnerabilities"
References	string	Reference for the vulnerability	ref:repo
URL	string	URL of the vulnerability	https://myrul.in
AffectedProjectCount	int	Count of the affected projects	6
CvssV2BaseScore	float64
CvssV2ImpactSubScore	float64
CvssV2ExploitabilitySubScore	float64
cvssV3Vector	string	CVSS V3 Vector
CvssV2Vector	string	CVSS V2 Vector
CvssV3ImpactSubScore	float64
CvssV3ExploitabilitySubScore	float64

Bring your own tools

Do you have two minutes for a quick survey?

Take Survey