Introduction to Dependency-Track
Dependency-Track is OWASP's continuous SBOM analysis platform. It is not a one-off scanner but a platform for the continuous governance of software supply chain risk, with three core capabilities:
- Ingest CycloneDX SBOMs (from the build pipeline or from suppliers).
- Continuously analyse components for vulnerabilities, licence issues and policy violations.
- Push the results into engineering and security workflows through notifications and integrations.
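How a build pipeline actually hands an SBOM to the platform is the first thing to get working. The script below is an example added for this page, not code from Dependency-Track or from this deployment: it builds the body for `PUT /api/v1/bom`, polls the processing token until the analysis is done, and reads the project's current severity counts. It assumes the api-server is reachable under the Ingress host used later on this page (`DT_URL`, with `/api` routed to the api-server) and that `API_KEY` is a team API key holding `BOM_UPLOAD` and, for `autoCreate`, `PROJECT_CREATION_UPLOAD`; the BOM itself is a constructed one-component document standing in for whatever your SBOM generator produces.

```python
"""Push a CycloneDX SBOM to Dependency-Track and wait for the analysis.

Example code added for this page, not part of Dependency-Track.  Assumes the
api-server is reachable under DT_URL and that API_KEY belongs to a team with
BOM_UPLOAD (and, for autoCreate, PROJECT_CREATION_UPLOAD) permission."""
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Optional

DT_URL = "https://dtrack.efucloud.com"  # Ingress host from this page; /api goes to the api-server
API_KEY = "replace-with-a-team-api-key"  # assumption: created under Administration > Access Management > Teams

# Constructed minimal CycloneDX document used as sample input; a real pipeline
# would read the file written by its SBOM generator instead.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [{
        "type": "library",
        "group": "org.apache.logging.log4j",
        "name": "log4j-core",
        "version": "2.14.1",
        "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
    }],
}


def build_upload_payload(bom: dict, project_name: str, project_version: str,
                         auto_create: bool = True) -> dict:
    """Body for PUT /api/v1/bom: the BOM travels base64-encoded inside JSON.
    autoCreate lets the api-server create the project on first upload."""
    raw = json.dumps(bom, separators=(",", ":")).encode()
    return {
        "projectName": project_name,
        "projectVersion": project_version,
        "autoCreate": auto_create,
        "bom": base64.b64encode(raw).decode(),
    }


def decode_upload_payload(payload: dict) -> dict:
    """Inverse of build_upload_payload, handy for checking what was sent."""
    return json.loads(base64.b64decode(payload["bom"]))


def _call(method: str, path: str, body: Optional[dict] = None) -> dict:
    """One authenticated JSON round trip to the api-server."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(DT_URL + path, data=data, method=method)
    req.add_header("X-Api-Key", API_KEY)
    req.add_header("Accept", "application/json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read() or b"{}")


def upload_bom(bom: dict, project_name: str, project_version: str) -> str:
    """Upload and return the processing token the api-server hands back."""
    return _call("PUT", "/api/v1/bom",
                 build_upload_payload(bom, project_name, project_version))["token"]


def wait_until_processed(token: str, timeout_s: int = 300, poll_s: int = 5) -> bool:
    """Poll GET /api/v1/bom/token/{token} until "processing" turns false."""
    deadline = time.monotonic() + timeout_s
    while time.monotonic() < deadline:
        if not _call("GET", f"/api/v1/bom/token/{token}")["processing"]:
            return True
        time.sleep(poll_s)
    return False


def vulnerability_counts(project_name: str, project_version: str) -> dict:
    """Severity breakdown from the project's current metrics."""
    query = urllib.parse.urlencode({"name": project_name, "version": project_version})
    project = _call("GET", f"/api/v1/project/lookup?{query}")
    metrics = _call("GET", f"/api/v1/metrics/project/{project['uuid']}/current")
    return {k: metrics.get(k, 0) for k in ("critical", "high", "medium", "low", "unassigned")}


if __name__ == "__main__":
    tok = upload_bom(SAMPLE_BOM, "demo-service", "1.0.0")
    if wait_until_processed(tok):
        print(vulnerability_counts("demo-service", "1.0.0"))
    else:
        print("timed out waiting for analysis of token", tok)
```

Run it from the CI job that produced the SBOM; a pipeline gate can fail the build on the returned counts. Keep the API key scoped to a dedicated automation team rather than reusing an administrator's key.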
OIDC authentication support
Dependency-Track can authenticate users against a third-party OIDC provider, and the groups claim in the token can drive team membership, and through it project permissions, inside Dependency-Track, so users do not have to be managed by hand. Two settings decide how the claim is used: ALPINE_OIDC_TEAM_SYNCHRONIZATION must be "true" and each OIDC group must be mapped to a team under Administration > Access Management > OpenID Connect Groups. With synchronization off, as in the manifest below, the groups claim is ignored and every auto-provisioned user is simply added to the teams in ALPINE_OIDC_TEAMS_DEFAULT, which there is Administrators, so anyone the identity provider will authenticate becomes an administrator. The claim named in ALPINE_OIDC_USERNAME_CLAIM must also be present in the ID token or userinfo response, otherwise the login is rejected.
Deploying Dependency-Track
This article deploys with kube-keeper. First create two namespaces with kube-keeper: dtrack for dependency-track itself and postgres for the PostgreSQL database.
- In eauth, create a dependency-track application whose callback address is dtrack.efucloud.com//static/oid...
- If you use a database outside the cluster, the postgres namespace and the postgres deployment are not needed.
- Check before applying the manifest: the client ID must be identical in the api-server (ALPINE_OIDC_CLIENT_ID) and the frontend (OIDC_CLIENT_ID), the issuer value must be exactly the issuer string published at the provider's /.well-known/openid-configuration because the api-server validates the token's iss claim against it, and the callback path must be served by the frontend, which the Ingress below guarantees by routing only /api to the api-server and everything else to the frontend.
```yaml
---
# Source: dependency-track/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dtrack-dependency-track
  namespace: dtrack
  labels:
    app.kubernetes.io/part-of: dependency-track
  annotations: {}
automountServiceAccountToken: false
---
# Source: custom/database-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: dtrack-database-secret
  namespace: dtrack
  labels:
    app.kubernetes.io/part-of: dependency-track
    app.kubernetes.io/instance: dtrack
    app.kubernetes.io/component: api-server
type: Opaque
stringData:
  ALPINE_DATABASE_USERNAME: postgres
  # Demo value: in a real deployment inject this from a secret manager
  # instead of committing it to the manifest.
  ALPINE_DATABASE_PASSWORD: EfuCloud@pwd
---
# Source: dependency-track/templates/api-server/service.yaml
apiVersion: v1
kind: Service
metadata:
  name: dtrack-dependency-track-api-server
  namespace: dtrack
  labels:
    app.kubernetes.io/part-of: dependency-track
    app.kubernetes.io/instance: dtrack
    app.kubernetes.io/name: dependency-track-api-server
    app.kubernetes.io/component: api-server
    app.kubernetes.io/version: 4.14.0
spec:
  type: "ClusterIP"
  ports:
    - name: web
      port: 8080
      targetPort: web
  selector:
    app.kubernetes.io/instance: dtrack
    app.kubernetes.io/name: dependency-track-api-server
    app.kubernetes.io/component: api-server
---
# Source: dependency-track/templates/frontend/service.yaml
apiVersion: v1
kind: Service
metadata:
  name: dtrack-dependency-track-frontend
  namespace: dtrack
  labels:
    app.kubernetes.io/part-of: dependency-track
    app.kubernetes.io/instance: dtrack
    app.kubernetes.io/name: dependency-track-frontend
    app.kubernetes.io/component: frontend
    app.kubernetes.io/version: 4.14.0
spec:
  type: "ClusterIP"
  ports:
    - name: web
      port: 8080
      targetPort: web
  selector:
    app.kubernetes.io/instance: dtrack
    app.kubernetes.io/name: dependency-track-frontend
    app.kubernetes.io/component: frontend
---
# Source: dependency-track/templates/api-server/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: dtrack-dependency-track-api-server
  namespace: dtrack
  labels:
    app.kubernetes.io/part-of: dependency-track
    app.kubernetes.io/instance: dtrack
    app.kubernetes.io/name: dependency-track-api-server
    app.kubernetes.io/component: api-server
    app.kubernetes.io/version: 4.14.0
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/instance: dtrack
      app.kubernetes.io/name: dependency-track-api-server
      app.kubernetes.io/component: api-server
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: dtrack
        app.kubernetes.io/name: dependency-track-api-server
        app.kubernetes.io/component: api-server
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/path: /metrics
    spec:
      enableServiceLinks: true
      initContainers: []
      serviceAccountName: dtrack-dependency-track
      securityContext:
        fsGroup: 1000
      containers:
        - name: dependency-track-api-server
          image: registry.cn-shenzhen.aliyuncs.com/efucloud-public/dependencytrack-apiserver:4.14.0
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          resources:
            limits:
              memory: 5Gi
            requests:
              cpu: "1"
              memory: 1Gi
          env:
            - name: ALPINE_METRICS_ENABLED
              value: "true"
            - name: ALPINE_DATABASE_MODE
              value: "external"
            - name: ALPINE_DATABASE_URL
              value: "jdbc:postgresql://postgres.postgres.svc.cluster.local:5432/dependencytrack"
            - name: ALPINE_DATABASE_DRIVER
              value: "org.postgresql.Driver"
            - name: ALPINE_DATABASE_USERNAME
              valueFrom:
                secretKeyRef:
                  name: dtrack-database-secret
                  key: ALPINE_DATABASE_USERNAME
            - name: ALPINE_DATABASE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: dtrack-database-secret
                  key: ALPINE_DATABASE_PASSWORD
            # OIDC configuration placeholders (fill values as needed)
            - name: ALPINE_OIDC_ENABLED
              value: "true"
            - name: ALPINE_OIDC_CLIENT_ID
              value: "rot7giyv32yy5kkfpmemvlu56"
            - name: ALPINE_OIDC_ISSUER
              value: "https://eauth-demo.efucloud.com"
            # The IdP must emit this claim, or OIDC logins are rejected.
            - name: ALPINE_OIDC_USERNAME_CLAIM
              value: "username"
            - name: ALPINE_OIDC_USER_PROVISIONING
              value: "true"
            # "false" means the groups claim is ignored and every auto-provisioned
            # user lands in ALPINE_OIDC_TEAMS_DEFAULT, i.e. becomes an administrator.
            # For group-based access set this to "true", map groups to teams in
            # Administration > Access Management > OpenID Connect Groups, and
            # leave ALPINE_OIDC_TEAMS_DEFAULT empty or point it at a low-privilege team.
            - name: ALPINE_OIDC_TEAM_SYNCHRONIZATION
              value: "false"
            - name: ALPINE_OIDC_TEAMS_CLAIM
              value: "groups"
            - name: ALPINE_OIDC_TEAMS_DEFAULT
              value: "Administrators"
          ports:
            - name: web
              containerPort: 8080
              protocol: TCP
          volumeMounts:
            - name: data
              mountPath: /data
            - name: tmp
              mountPath: /tmp
          startupProbe:
            httpGet:
              scheme: HTTP
              port: web
              path: /health/started
            failureThreshold: 30
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 5
          livenessProbe:
            httpGet:
              scheme: HTTP
              port: web
              path: /health/live
            failureThreshold: 3
            initialDelaySeconds: 10
            periodSeconds: 15
            successThreshold: 1
            timeoutSeconds: 5
          readinessProbe:
            httpGet:
              scheme: HTTP
              port: web
              path: /health/ready
            failureThreshold: 3
            initialDelaySeconds: 10
            periodSeconds: 15
            successThreshold: 1
            timeoutSeconds: 5
      volumes:
        # emptyDir is lost when the pod is rescheduled; /data holds the api-server's
        # working directory (search index, generated encryption key), so use a
        # PersistentVolumeClaim for anything beyond a demo.
        - name: data
          emptyDir: {}
        - name: tmp
          emptyDir: {}
---
# Source: dependency-track/templates/frontend/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: dtrack-dependency-track-frontend
  namespace: dtrack
  labels:
    app.kubernetes.io/part-of: dependency-track
    app.kubernetes.io/instance: dtrack
    app.kubernetes.io/name: dependency-track-frontend
    app.kubernetes.io/component: frontend
    app.kubernetes.io/version: 4.14.0
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/instance: dtrack
      app.kubernetes.io/name: dependency-track-frontend
      app.kubernetes.io/component: frontend
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: dtrack
        app.kubernetes.io/name: dependency-track-frontend
        app.kubernetes.io/component: frontend
    spec:
      enableServiceLinks: true
      initContainers: []
      serviceAccountName: dtrack-dependency-track
      securityContext:
        fsGroup: 1000
      containers:
        - name: dependency-track-frontend
          image: registry.cn-shenzhen.aliyuncs.com/efucloud-public/dependencytrack-frontend:4.14.0
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: false
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          resources:
            limits:
              memory: 128Mi
            requests:
              cpu: 150m
              memory: 64Mi
          env:
            # Empty: the browser calls the API on the same origin, which the Ingress routes to the api-server.
            - name: API_BASE_URL
              value: ""
            # OIDC configuration placeholders (fill values as needed)
            # OIDC_ISSUER and OIDC_CLIENT_ID must match ALPINE_OIDC_ISSUER and ALPINE_OIDC_CLIENT_ID above.
            - name: OIDC_ISSUER
              value: "https://eauth-demo.efucloud.com"
            - name: OIDC_CLIENT_ID
              value: "rot7giyv32yy5kkfpmemvlu56"
            - name: OIDC_SCOPE
              value: "openid profile email"
            - name: OIDC_FLOW
              value: ""
            - name: OIDC_LOGIN_BUTTON_TEXT
              value: ""
          ports:
            - name: web
              containerPort: 8080
              protocol: TCP
          volumeMounts:
            - name: tmp
              mountPath: /tmp
          livenessProbe:
            httpGet:
              scheme: HTTP
              port: web
              path: /
            failureThreshold: 3
            initialDelaySeconds: 5
            periodSeconds: 15
            successThreshold: 1
            timeoutSeconds: 5
          readinessProbe:
            httpGet:
              scheme: HTTP
              port: web
              path: /
            failureThreshold: 3
            initialDelaySeconds: 5
            periodSeconds: 15
            successThreshold: 1
            timeoutSeconds: 5
      volumes:
        - name: tmp
          emptyDir: {}
---
# Source: custom/ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dtrack-dependency-track
  namespace: dtrack
  labels:
    app.kubernetes.io/part-of: dependency-track
    app.kubernetes.io/instance: dtrack
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - dtrack.efucloud.com
      secretName: dtrack-tls
  rules:
    - host: dtrack.efucloud.com
      http:
        paths:
          # /api goes to the api-server; everything else (including the OIDC callback page) to the frontend.
          - path: /api
            pathType: Prefix
            backend:
              service:
                name: dtrack-dependency-track-api-server
                port:
                  number: 8080
          - path: /
            pathType: Prefix
            backend:
              service:
                name: dtrack-dependency-track-frontend
                port:
                  number: 8080
```
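The three ALPINE_OIDC_* settings in the api-server deployment above (user provisioning, team synchronization, default teams) together with the groups claim decide who gets into Dependency-Track and with which teams, which is the point the OIDC section earlier makes. The model below is example code added for this page, not part of Dependency-Track; its decision logic follows Dependency-Track's documented behaviour for those settings as I read it (default teams apply only to auto-provisioned users and only while synchronization is off), so confirm it against the version you run. The token is constructed and unsigned so the example runs offline; a real api-server verifies the signature against the issuer's JWKS before any of this happens. The group-to-team mapping, user names and group names are assumptions for the demonstration.

```python
"""Model of how Dependency-Track turns an OIDC token into a login decision and
team membership under the ALPINE_OIDC_* settings.

Example code added for this page, not part of Dependency-Track; the decision
logic mirrors the documented behaviour of ALPINE_OIDC_USER_PROVISIONING,
ALPINE_OIDC_TEAM_SYNCHRONIZATION and ALPINE_OIDC_TEAMS_DEFAULT and should be
confirmed against the deployed version."""
import base64
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class OidcSettings:
    """Subset of the api-server's ALPINE_OIDC_* environment variables."""
    username_claim: str = "username"
    user_provisioning: bool = True
    team_synchronization: bool = False
    teams_claim: str = "groups"
    teams_default: Tuple[str, ...] = ()


@dataclass
class Decision:
    accepted: bool
    username: Optional[str]
    teams: List[str] = field(default_factory=list)
    reason: str = ""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED compact JWT so the example runs offline.
    A real IdP signs the token and the api-server checks that signature."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def resolve_login(claims: dict, settings: OidcSettings,
                  group_to_teams: Dict[str, Tuple[str, ...]],
                  existing_teams: Optional[List[str]] = None) -> Decision:
    """Decide whether the token holder may log in and which teams they end up in.

    existing_teams is None for a user the api-server has never seen.
    group_to_teams is the mapping an admin maintains under
    Administration > Access Management > OpenID Connect Groups."""
    username = claims.get(settings.username_claim)
    if not username:
        return Decision(False, None, reason=f"token has no '{settings.username_claim}' claim")
    is_new_user = existing_teams is None
    if is_new_user and not settings.user_provisioning:
        return Decision(False, username, reason="unknown user and auto-provisioning is off")
    if settings.team_synchronization:
        # Only groups an admin mapped count; unmapped groups are ignored.
        groups = claims.get(settings.teams_claim) or []
        teams = {t for g in groups for t in group_to_teams.get(g, ())}
        return Decision(True, username, sorted(teams))
    if is_new_user:
        # No synchronisation: every auto-provisioned user gets the default teams.
        return Decision(True, username, sorted(settings.teams_default))
    return Decision(True, username, sorted(existing_teams))


# Settings exactly as in the manifest on this page.
PAGE_SETTINGS = OidcSettings(teams_default=("Administrators",))
# Hardened alternative: sync on, no default team, access only via mapped groups.
HARDENED_SETTINGS = OidcSettings(team_synchronization=True)
# Assumed group-to-team mapping for the demonstration.
GROUP_MAP = {"dt-admins": ("Administrators",), "developers": ("Portfolio Managers",)}
# Constructed sample claims for a developer who is not in dt-admins.
SAMPLE_CLAIMS = {"sub": "42", "username": "alice", "groups": ["developers"]}

if __name__ == "__main__":
    claims = decode_claims(make_unsigned_token(SAMPLE_CLAIMS))
    print("page settings:    ", resolve_login(claims, PAGE_SETTINGS, GROUP_MAP))
    print("hardened settings:", resolve_login(claims, HARDENED_SETTINGS, GROUP_MAP))
```

With the page's settings alice, who is only in the developers group, is provisioned straight into Administrators; with synchronization on she gets Portfolio Managers and a user with no mapped group gets in with no team at all, which is the behaviour you want before opening the login to a whole organisation.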
Accessing Dependency-Track
- Open dtrack.efucloud.com/ in a browser, click "more options" and log in with admin/admin first. Logging in directly via OIDC at this point produces the situation in the original screenshot (not reproduced here).
- After the configuration is complete, the page shown after an OIDC login is as in the original screenshot (not reproduced here).