This post is about adding a widget to your Azure DevOps Dashboard showing the Dependency Track information on one or more of your projects.
If you are unaware what a great product Dependency Track is, I would suggest a detour and read up on it here: https://dependencytrack.org/
OWASP Dependency Track software is described as a “Software Supply Chain Component Analysis platform. It allows organizations to identify and reduce risk from the use of third-party and open source components. It usually starts with software creating a Bill of Material of all components used and this Bill of Material is then inspected and analyzed for known vulnerabilities.
What the widget does
The Dependency Track software itself has excellent dashboards and reports, but we need a simple way to notify the team on the status of the most recent analysis. We can of course setup email alerts for this (and we should), but we can also hint at the status by showing it on one of our Team Dashboards:
Adding the widget
Adding the widget is easy as it is available through the Marketplace: https://marketplace.visualstudio.com/items?itemName=yuriburgernet.dependencytrackwidget
If you install it in your tenant, you can add it to one of your dashboards:
After this, you need to configure the widget with three parameters:
- A project tag: this can be any tag that is used by Dependency Track projects;
- A Dependency Track Url: this is the Url to your Dependency Track instance. Usually something like: https://servername/api/v1/project/tag/
- A Dependency Track API key: the API key with at least the ‘VIEW_PORTFOLIO’ and ‘VULNERABILITY_ANALYSIS’ permissions. See the official Dependency Track docs for more information.
Note: you need to configure your Dependency Track projects with a tag to be able to query them using this widget. This is done through the Project Details page. See the official Dependency Track docs if you need more information.
Any feedback is welcome, and if you want to peek at the code you will find the GitHub repo here: https://github.com/yuriburger/dependency-track-widget