feat: support custom dependency track via Lagoon api env vars (#450)

rocketeerbkw · web-flow · commit a0c15000d5fb · 2025-09-19T08:25:45.000+10:00
* fix: "gathering insights" logs out of order

* fix: supress notices of new trivy versions

📣 Notices:
  - Version 0.65.0 of Trivy is now available, current version is 0.63.0

* feat: support custom dependency track via Lagoon api env vars

* fix: errors thrown during insights gathering halt entire build

* feat: test custom dependency track credentials before configuring them
diff --git a/legacy/build-deploy-docker-compose.sh b/legacy/build-deploy-docker-compose.sh
@@ -1754,20 +1754,23 @@ if [ "$(featureFlag INSIGHTS)" = enabled ]; then
   ##############################################
   ### RUN insights gathering and store in configmap
   ##############################################
+  set +e # Ensure failures in exec-generate-insights-configmap.sh don't halt the entire build
   INSIGHTS_WARNING_COUNT=0
   for IMAGE_NAME in "${!IMAGES_BUILD[@]}"
   do
     IMAGE_TAG="${IMAGE_TAG:-latest}"
     IMAGE_FULL="${REGISTRY}/${PROJECT}/${ENVIRONMENT}/${IMAGE_NAME}:${IMAGE_TAG}"
-    insightsOutput=$(. /kubectl-build-deploy/scripts/exec-generate-insights-configmap.sh)
+    insightsOutput=$(. /kubectl-build-deploy/scripts/exec-generate-insights-configmap.sh 2>&1)
     if (exit $?); then
       echo "${insightsOutput}"
     else
       ((++INSIGHTS_WARNING_COUNT))
       echo "> This insights run failed, this warning is for information only."
       echo "${insightsOutput}"
     fi
+    echo ""
   done
+  set -e
   if [[ "$INSIGHTS_WARNING_COUNT" -gt 0 ]]; then
     ((++BUILD_WARNING_COUNT))
     echo "##############################################"
diff --git a/legacy/scripts/exec-generate-insights-configmap.sh b/legacy/scripts/exec-generate-insights-configmap.sh
@@ -69,7 +69,7 @@ echo "Using image for scan ${IMAGECACHE_REGISTRY}${INSIGHTS_SCAN_IMAGE}"
 
 # Setting JAVAOPT to skip the java db update, as the upstream image comes with a pre-populated database
 JAVAOPT="--skip-java-db-update"
-docker run --rm -v /var/run/docker.sock:/var/run/docker.sock ${IMAGECACHE_REGISTRY}${INSIGHTS_SCAN_IMAGE} image ${JAVAOPT} ${IMAGE_FULL} --format ${SBOM_OUTPUT} | gzip > ${SBOM_OUTPUT_FILE}
+docker run --rm -v /var/run/docker.sock:/var/run/docker.sock ${IMAGECACHE_REGISTRY}${INSIGHTS_SCAN_IMAGE} image ${JAVAOPT} ${IMAGE_FULL} --format ${SBOM_OUTPUT} --skip-version-check | gzip > ${SBOM_OUTPUT_FILE}
 
 FILESIZE=$(stat -c%s "$SBOM_OUTPUT_FILE")
 echo "Size of ${SBOM_OUTPUT_FILE} = $FILESIZE bytes."
@@ -107,6 +107,27 @@ processSbom() {
         annotate configmap ${SBOM_CONFIGMAP} \
         lagoon.sh/branch=${BRANCH}
     fi
+    # Support custom Depdency Track integration.
+    local apiEndpoint
+    apiEndpoint=$(featureFlag INSIGHTS_DEPENDENCY_TRACK_API_ENDPOINT)
+    local apiKey
+    apiKey=$(featureFlag INSIGHTS_DEPENDENCY_TRACK_API_KEY)
+    local dtWarn
+    if [ -n "$apiEndpoint" ]; then
+      if [ -n "$apiKey" ]; then
+        # Test API access
+        local resp
+        if ! resp=$(curl -sSf -m 60 -H "X-Api-Key:${apiKey}" "${apiEndpoint}/api/v1/project?pageSize=1" 2>&1); then
+          dtWarn="\n\n**********\nCustom Dependency Track not enabled: API Error: ${resp}\n**********\n\n"
+        else
+          kubectl -n ${NAMESPACE} \
+            annotate configmap ${SBOM_CONFIGMAP} \
+            dependencytrack.insights.lagoon.sh/custom-endpoint="${apiEndpoint}"
+        fi
+      else
+        dtWarn="\n\n**********\nCustom Dependency Track not enabled: Missing LAGOON_FEATURE_FLAG_INSIGHTS_DEPENDENCY_TRACK_API_KEY\n**********\n\n"
+      fi
+    fi
     kubectl \
         -n ${NAMESPACE} \
         label configmap ${SBOM_CONFIGMAP} \
@@ -119,6 +140,11 @@ processSbom() {
         lagoon.sh/environmentType=${ENVIRONMENT_TYPE} \
         lagoon.sh/buildType=${BUILD_TYPE} \
         insights.lagoon.sh/type=sbom
+
+    if [ -n "$dtWarn" ]; then
+      printf '%b' "$dtWarn"
+      return 1
+    fi
   fi
 }
 
