Skip to content

jetstack/dependency-track-exporter

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

80 Commits

.github

.github

 
 

internal/exporter

internal/exporter

 
 

.gitignore

.gitignore

 
 

.goreleaser.yaml

.goreleaser.yaml

 
 

Dockerfile

Dockerfile

 
 

Dockerfile.goreleaser

Dockerfile.goreleaser

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

go.mod

go.mod

 
 

go.sum

go.sum

 
 

main.go

main.go

 
 

Repository files navigation

Dependency-Track Exporter

Exports Prometheus metrics for Dependency-Track.

Usage

usage: dependency-track-exporter [<flags>]

Flags:
  -h, --help                Show context-sensitive help (also try --help-long and --help-man).
      --web.config.file=""  [EXPERIMENTAL] Path to configuration file that can enable TLS or authentication.
      --web.listen-address=":9916"
                            Address to listen on for web interface and telemetry.
      --web.metrics-path="/metrics"
                            Path under which to expose metrics
      --dtrack.address=DTRACK.ADDRESS
                            Dependency-Track server address (default: http://localhost:8080 or $DEPENDENCY_TRACK_ADDR)
      --dtrack.api-key=DTRACK.API-KEY
                            Dependency-Track API key (default: $DEPENDENCY_TRACK_API_KEY)
      --log.level=info      Only log messages with the given severity or above. One of: [debug, info, warn, error]
      --log.format=logfmt   Output format of log messages. One of: [logfmt, json]
      --version             Show application version.

The API key the exporter uses needs to have the following permissions:

  • VIEW_POLICY_VIOLATION
  • VIEW_PORTFOLIO

Metrics

Metric Meaning Labels
dependency_track_portfolio_inherited_risk_score The inherited risk score of the whole portfolio.
dependency_track_portfolio_vulnerabilities Number of vulnerabilities across the whole portfolio, by severity. severity
dependency_track_portfolio_findings Number of findings across the whole portfolio, audited and unaudited. audited
dependency_track_project_info Project information. uuid, name, version, active, tags
dependency_track_project_vulnerabilities Number of vulnerabilities for a project by severity. uuid, name, version, severity
dependency_track_project_policy_violations Policy violations for a project. uuid, name, version, state, analysis, suppressed
dependency_track_project_last_bom_import Last BOM import date, represented as a Unix timestamp. uuid, name, version
dependency_track_project_inherited_risk_score Inherited risk score for a project. uuid, name, version

Example queries

Retrieve the number of WARN policy violations that have not been analyzed or suppressed:

dependency_track_project_policy_violations{state="WARN",analysis!="APPROVED",analysis!="REJECTED",suppressed="false"} > 0

Exclude inactive projects:

dependency_track_project_policy_violations{state="WARN",analysis!="APPROVED",analysis!="REJECTED",suppressed="false"} > 0
and on(uuid) dependency_track_project_info{active="true"}

Only include projects tagged with prod:

dependency_track_project_policy_violations{state="WARN",analysis!="APPROVED",analysis!="REJECTED",suppressed="false"} > 0
and on(uuid) dependency_track_project_info{active="true",tags=~".*,prod,.*"}

Or, join the tags label into the returned series. Filtering on active/tag could then happen in alert routes:

(dependency_track_project_policy_violations{state="WARN",analysis!="APPROVED",analysis!="REJECTED",suppressed="false"} > 0)
* on (uuid) group_left(tags,active) dependency_track_project_info

About

No description, website, or topics provided.

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

18 stars

Watchers

10 watching

Forks

4 forks
Report repository

Releases 3

v0.1.2 Latest
Feb 6, 2023
+ 2 releases

Packages 1

 

Contributors 3

  •  
  •  
  •  

Languages