Finding Vulnerable Libraries in Projects using Dependency-Track's API

[robdollard]

Hello! I want to find vulnerable libraries in projects using Dependency-Track's API. I'm looking for a way to determine if a specific vulnerable library is present in any of the projects. I've been trying to use Dependency-Track's API to retrieve a list of projects, but I need an efficient method to check if the vulnerable library is present in each project.

I am trying to create a script but it is not working as the API does not provide such data from this method. Does anyone have any ideas on how to do this?
I need everything to be displayed as in the interface, but through the API, is this even possible?

Script --

 import requests

# Replace with your Dependency-Track URL and API key
dependency_track_url = "https://dependencytrack/api/v1"
api_key = "ig"

# Enter the vulnerable library name
vulnerable_library_name = input("Enter the vulnerable library name: ")

# Define request parameters
params = {
    "limit": 1000,  # Maximum number of results
    # Other parameters, if needed
}

# Headers for authentication
headers = {
    "X-Api-Key": api_key
}

# Execute the request
response = requests.get(f"{dependency_track_url}/project", headers=headers, params=params)

if response.status_code == 200:
    projects = response.json()

    # Process the results
    vulnerable_projects = []
    for project in projects:
        project_name = project["name"]
        project_version = project["version"]
        evidence_details = project.get("evidenceDetails", [])

        for evidence in evidence_details:
            if evidence["name"] == vulnerable_library_name:
                vulnerable_projects.append((project_name, project_version))
                break

    if vulnerable_projects:
        print(f"Projects containing the vulnerable library {vulnerable_library_name}:")
        for project_name, project_version in vulnerable_projects:
            print(f"Project: {project_name}, Version: {project_version}")
    else:
        print(f"The vulnerable library {vulnerable_library_name} was not found in any projects.")

else:
    print(f"Failed to retrieve the list of projects. Status code: {response.status_code}")

# Output the response body in case of an error
if response.status_code == 500:
    print(response.text)

[robdollard]

This can be done in the interface

[nscuro]

Project objects returned by the API do not have the evidenceDetails field. Where did you get this field name from?

As for your original use case, you can search for components across all projects using the /api/v1/component/identity endpoint. This is also the endpoint being used by the UI view you shared.

There are multiple options to query component identities by:

dependency-track/src/main/java/org/dependencytrack/resources/v1/ComponentResource.java

Lines 163 to 176 in 2836593

	public Response getComponentByIdentity(@ApiParam(value = "The group of the component")
	@QueryParam("group") String group,
	@ApiParam(value = "The name of the component")
	@QueryParam("name") String name,
	@ApiParam(value = "The version of the component")
	@QueryParam("version") String version,
	@ApiParam(value = "The purl of the component")
	@QueryParam("purl") String purl,
	@ApiParam(value = "The cpe of the component")
	@QueryParam("cpe") String cpe,
	@ApiParam(value = "The swidTagId of the component")
	@QueryParam("swidTagId") String swidTagId,
	@ApiParam(value = "The project the component belongs to")
	@QueryParam("project") String projectUuid) {

For example:

curl -H 'X-Api-Key: YOUR_KEY' 'http://dtrack.example.com/api/v1/component/identity?name=vulnerableLibraryName'

[robdollard]

Yes thank you! It worked! The script below displays projects that have a vulnerable library and creates an Excel table with them!
But as I understand it, there is a withdrawal limit of 1000, how can I get around it? use pagination?

import requests
import pandas as pd

dependency_track_url = "https://dependencytrack/api/v1" 
api_key = "ig" 

vulnerable_library_name = input("Enter the vulnerable library name: ")


params = {
    "name": vulnerable_library_name
}


headers = {
    "X-Api-Key": api_key
}


response = requests.get(f"{dependency_track_url}/component/identity", headers=headers, params=params)

if response.status_code == 200:
    components = response.json()

    if not components:
        print(f"No projects found with the vulnerable library {vulnerable_library_name}")
    else:
        project_data = []

        for component in components:
            project_name = component.get("project", {}).get("name", "")
            component_name = component.get("name", "")
            component_version = component.get("version", "")

            project_data.append([project_name, component_name, component_version])

        if project_data:
            df = pd.DataFrame(project_data, columns=["Project Name", "Library Name", "Library Version"])
            df.to_excel("vulnerable_projects.xlsx", index=False)
            print("Vulnerable projects data saved to vulnerable_projects.xlsx")
        else:
            print(f"No projects found with the vulnerable library {vulnerable_library_name}")
else:
    print(f"Failed to get projects list. Status code: {response.status_code}")
if response.status_code == 500:
    print(response.text)

[nscuro]

You can use the pageNumber and pageSize parameters to advance pagination. Responses will have a X-Total-Count header that tells you how many items across all pages are there.

Start with pageNumber=1&pageSize=1000, then pageNumber=2&pageSize=1000, and so on.

[robdollard]

Thanks for the tips! Now everything works.
We enter the library and version, then check to see if it exists, check for duplication, and add everything to the Excel table, thank you!

import requests
import pandas as pd

dependency_track_url = "https://dependencytrack/api/v1"
api_key = "ig"

vulnerable_library_name = input("Enter the vulnerable library name: ")

vulnerable_library_version = input("Enter the vulnerable library version: ")

params = {
    "name": vulnerable_library_name,
    "version": vulnerable_library_version,
    "pageSize": 1000 
}

headers = {
    "X-Api-Key": api_key
}

seen_projects = set()

project_data = []

while True:
    response = requests.get(f"{dependency_track_url}/component/identity", headers=headers, params=params)

    if response.status_code == 200:
        components = response.json()

        if not components:
            break

        for component in components:
            project_name = component.get("project", {}).get("name", "")
            component_name = component.get("name", "")
            component_version = component.get("version", "")

            
            project_identifier = (project_name, component_name, component_version)
            if project_identifier not in seen_projects:
                project_data.append([project_name, component_name, component_version])
                seen_projects.add(project_identifier)

       
        params["page"] = params.get("page", 1) + 1

    else:
        print(f"Failed to get projects list. Status code: {response.status_code}")
        break

if project_data:
    df = pd.DataFrame(project_data, columns=["Project Name", "Library Name", "Library Version"])
    df.to_excel("vulnerable_projects.xlsx", index=False)
    print("Vulnerable projects data saved to vulnerable_projects.xlsx")
else:
    print(f"No projects found with the vulnerable library {vulnerable_library_name} (Version: {vulnerable_library_version})")

if response.status_code == 500:
    print(response.text)