Dependency Manager Integrations
Introduction
By default, Metaport queries its own database for dependencies and vulnerabilities, using data from agents configured to report in periodically. However, Metaport can also query alternative backend systems such as Dependabot+Github and DependencyTrack.
Note
Backend configuration is done at the Metaport team level. If your "real world team" manages applications differently within the selected backend, you'll need to create a new corresponding Metaport team and configure it as appropriate.
Setup
Navigate to the Metaport team's "Settings" screen and expand the "Dependency Manager Settings" accordion. If there's a connection error with a backend system, the dependency manager icon changes from a green tick (check) to a red cross. Mousing over it will show "Connection: Error".
Metaport
No further configuration is necessary as Metaport is the system-wide default.
DependencyTrack
DependencyTrack requires a team identifier to be set in your Metaport team records and an application identifier to be set on each application record.
The Metaport team-level settings are as follows:
- Host field: e.g. https://dependencytrack.yourorg.org:8443
- API Key or Token field: Use a valid team-level API token
- Team Identifier field: Use the DependencyTrack team's UUID
The Metaport application-level settings are as follows:
- Dependency Manager Project ID field: Use the DependencyTrack project's UUID
Dependabot+Github
Dependabot is part of Github's API. It doesn't require a team identifier to be set, but an application identifier is required on each application record.
The Metaport team-level settings are as follows:
- Host field: https://api.github.com/<org_name>
- API Key or Token field: Use a valid Github API token
- Team Identifier field: Leave this blank
The Metaport application-level settings are as follows:
- Dependency Manager Project ID field: Use the repository name i.e. https://github.com/
/
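The field rules above for DependencyTrack and Dependabot+Github can be checked before the values are saved. The following pre-flight check is an added example, not Metaport's own code; the function name, parameter names and backend labels are hypothetical, and the https-only rule for the host is an assumption made because the API token is sent to that host.

```python
import uuid
from urllib.parse import urlparse


def _is_uuid(value):
    """True if value is a canonically formatted UUID string."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False


def check_settings(backend, host, token, team_id, project_id):
    """Return a list of problems; an empty list means the values look sane.

    Parameter names are hypothetical and mirror the form fields on this page.
    """
    problems = []
    url = urlparse(host or "")
    # Assumption: the token travels with every request, so require TLS.
    if url.scheme != "https" or not url.netloc:
        problems.append("host must be an https:// URL")
    if not (token or "").strip():
        problems.append("API key or token is empty")

    if backend == "dependencytrack":
        # Both identifiers are UUIDs, not display names.
        if not _is_uuid(team_id):
            problems.append("team identifier is not a UUID")
        if not _is_uuid(project_id):
            problems.append("project ID is not a UUID")
    elif backend == "dependabot":
        # The organisation name is part of the host path.
        if url.netloc != "api.github.com" or not url.path.strip("/"):
            problems.append("host must be https://api.github.com/<org_name>")
        if team_id:
            problems.append("team identifier must be left blank")
        if not (project_id or "").strip():
            problems.append("project ID (repository name) is empty")
    else:
        problems.append("unknown backend: %r" % backend)
    return problems
```

A typical catch is a DependencyTrack team or project display name pasted where the UUID belongs, which otherwise only shows up later as the red "Connection: Error" icon.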