MedUnes/dtrack-cli: A Go-based CLI tool to automate the upload and lifecycle management of Software Bill of Materials (SBOM) in OWASP Dependency-Track. (opens in new tab)

Dependency-Track Lifecycle CLI

A Go-based CLI tool to automate the upload and lifecycle management of Software Bill of Materials (SBOM) in OWASP Dependency-Track.

This tool bridges the gap between simple API uploads and full CI/CD lifecycle management by handling version sprawl, active states, and latest version tagging in a single execution.

🚀 Why this tool? (The Gap)

If you simply use curl to upload an SBOM to Dependency-Track, you encounter two major problems over time. These are well-documented pain points in the community:

1. The "Version Sprawl" Problem

Every CI build creates a new version. If you have 100 builds, you have 100 "Active" versions. Dependency-Track monitors all active versions for vulnerabilities, meaning you will receive alerts for vulnerabilities in old, undeployed versions.

• Community Validation: Users have explicitly requested an isActiveExclusively flag to solve this, noting that "Over time there will be hundreds of ‘active’ versions, even though they are actually not ‘active’".
• Current Workaround: Teams currently resort to manual housekeeping or complex scripts to set "dirty tags to inactive" to avoid polluting their risk score.
• Our Solution: The -clean flag automatically iterates through project versions and sets old ones to active: false.

2. The "Latest Version" Ambiguity

Dependency-Track attempts to guess the "latest" version, but it is not always accurate (e.g., when patching older release branches or dealing with pre-releases).

• Community Validation: Users have reported issues where Dependency-Track incorrectly identifies pre-release versions as "latest," skewing "Outdated Component" analysis metrics.
• Our Solution: The -latest flag explicitly forces the version you are currently uploading to be marked isLatest=true, ensuring your "Outdated Component" metrics are calculated against the correct baseline.

3. Missing Auto-Purge/Cleanup

There is no built-in native feature to "keep only the last X versions" or "purge old versions" during upload.

• Community Validation: Feature requests for "automatic purging of projects" have been raised by users who find it "hard to do this manually" for projects with many releases.
• Our Solution: While we don’t delete data (auditors hate that!), our tool effectively "archives" old versions by deactivating them, solving the noise issue without destroying history.

🧠 Concepts: Active vs. Latest

Understanding these flags is critical for a clean dashboard: