Reputation: 1419
I am getting a 403 Forbidden error while testing the OWASP Dependency-Track integration with a Jenkins build.
[DependencyTrack] Publishing artifact to Dependency-Track - http://localhost:8080
[DependencyTrack] The artifact was successfully published - 9812e933-6bc1-4453-951f-9a75a7d693d4
[DependencyTrack] Polling Dependency-Track for BOM processing status
[DependencyTrack] Processing findings
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // withEnv
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
org.jenkinsci.plugins.DependencyTrack.ApiClientException: An error occurred while retrieving findings - HTTP response code: 403 Forbidden
at org.jenkinsci.plugins.DependencyTrack.ApiClient.getFindings(ApiClient.java:95)
Caused: org.jenkinsci.plugins.DependencyTrack.ApiClientException: An error occurred while retrieving findings
at org.jenkinsci.plugins.DependencyTrack.ApiClient.getFindings(ApiClient.java:98)
at org.jenkinsci.plugins.DependencyTrack.DependencyTrackPublisher.perform(DependencyTrackPublisher.java:230)
at org.jenkinsci.plugins.workflow.steps.CoreStep$Execution.run(CoreStep.java:80)
at org.jenkinsci.plugins.workflow.steps.CoreStep$Execution.run(CoreStep.java:67)
at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution.lambda$start$0(SynchronousNonBlockingStepExecution.java:47)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:834)
Finished: FAILURE
Jenkinsfile
pipeline {
    agent any
    stages {
        stage ('Build') {
            steps {
                sh 'mvn clean package'
            }
        }
        stage ('Generate BOM') {
            steps {
                sh 'mvn org.cyclonedx:cyclonedx-maven-plugin:makeBom'
            }
        }
        stage ('Dependency Tracker') {
            steps {
                dependencyTrackPublisher artifact: 'target/bom.xml', projectId: '9812e933-6bc1-4453-951f-9a75a7d693d4', synchronous: true
            }
        }
    }
}
The Dependency-Track Jenkins plugin is configured properly with an API key.
Did I miss any other configuration? Please suggest.
Upvotes: 3
Views: 2917
Reputation: 21
From version v4.4 of Dependency-Track, you may face the exact same issue if you are using synchronous mode and are missing the permission VIEW_VULNERABILITY on the API key used by Jenkins.
Quote from: https://plugins.jenkins.io/dependency-track/#plugin-content-job-configuration
Enable synchronous publishing mode: Uploads a SBOM to Dependency-Track and waits for Dependency-Track to process and return results. The results returned are identical to the auditable findings but exclude findings that have previously been suppressed. Analysis decisions and vulnerability details are included in the response. Synchronous mode is possible with Dependency-Track v3.3.1 and higher. The provided API key requires the VIEW_VULNERABILITY permission to use this feature with Dependency-Track v4.4 and newer!
Also, I find the following Permissions Overview table very useful: https://plugins.jenkins.io/dependency-track/#plugin-content-permission-overview
Upvotes: 0
Reputation: 1419
I was able to resolve the issue by assigning the VULNERABILITY_ANALYSIS permission to the token used by Jenkins.
Tokens and their permissions can be accessed via the Administration -> Access Management -> Teams menu option.
Upvotes: 3