Obtain an API key from Dependency-Track by navigating to Administration > Access Management > Teams, creating a team with BOM_UPLOAD permission, and copying the generated API key
Base64-encode the CycloneDX SBOM file (B64=$(base64 -w 0 sbom.cdx.json)), then POST to https://<DT_HOST>/api/v1/bom with the headers X-Api-Key: YOUR_TOKEN and Content-Type: application/json and the JSON body {"project": "<PROJECT_UUID>", "bom": "<B64_ENCODED_BOM>"}
Alternatively, for larger files, use the multipart upload endpoint: POST to /api/v1/bom with Content-Type: multipart/form-data and the form fields project=<UUID> and bom=@sbom.cdx.json (the @ is curl's -F syntax for sending a file's contents as the field value)
Poll the upload token status using GET /api/v1/bom/token/<TOKEN> until the processing field is false, indicating the BOM has been analyzed and vulnerability matching is complete
Query the resulting findings using GET /api/v1/finding/project/<PROJECT_UUID> which returns an array of vulnerability findings with severity, component, and advisory details
Known gotchas
The project UUID must exist before uploading; create the project and version first via POST /api/v1/project, then use the returned uuid — submitting a BOM for a non-existent project UUID returns a 404
Dependency-Track processes BOMs asynchronously using an internal queue; uploading a BOM returns an upload token immediately, but findings are not available until processing completes — always poll the token endpoint before querying findings
Dependency-Track natively ingests CycloneDX; SPDX is supported via a conversion layer but may lose some metadata fidelity — prefer CycloneDX uploads when both formats are available
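The upload, poll and query steps above, together with the 404 and asynchronous-processing gotchas, as an added example that is not Dependency-Track's own code: it uses only the Python standard library, treats the host, API key and project UUID as placeholders, and takes an injectable transport so the polling logic can be exercised offline.

```python
# Added example, not Dependency-Track's own code. Host, API key and project UUID are placeholders.
import collections, json, time, uuid, urllib.error, urllib.request

# Constructed minimal CycloneDX document used as sample input.
SAMPLE_BOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"}]}).encode()

def build_multipart(project_uuid, bom_bytes, boundary):
    """Encode the two form fields the multipart endpoint expects: project and bom."""
    sep, crlf = f"--{boundary}".encode(), b"\r\n"
    return b"".join([
        sep, crlf, b'Content-Disposition: form-data; name="project"', crlf, crlf, project_uuid.encode(), crlf,
        sep, crlf, b'Content-Disposition: form-data; name="bom"; filename="sbom.cdx.json"', crlf,
        b"Content-Type: application/json", crlf, crlf, bom_bytes, crlf, sep, b"--", crlf,
    ]), f"multipart/form-data; boundary={boundary}"

def http_json(method, url, api_key, body=None, content_type=None):
    """Real transport: authenticate with X-Api-Key and return (status, parsed JSON or None)."""
    req = urllib.request.Request(url, data=body, method=method, headers={"X-Api-Key": api_key})
    if content_type:
        req.add_header("Content-Type", content_type)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        return err.code, None

def upload_and_wait(host, api_key, project_uuid, bom_bytes, http=http_json,
                    sleep=time.sleep, max_polls=60, interval=2):
    """POST the BOM, poll /bom/token/<TOKEN> until processing is false, then return findings."""
    body, ctype = build_multipart(project_uuid, bom_bytes, uuid.uuid4().hex)
    status, data = http("POST", f"{host}/api/v1/bom", api_key, body, ctype)
    if status == 404:  # the project must exist before the upload (see gotchas)
        raise LookupError("project UUID not found; create it via POST /api/v1/project first")
    if status != 200:
        raise RuntimeError(f"upload failed with HTTP {status}")
    token = data["token"]
    for _ in range(max_polls):  # findings are not available until processing completes
        _, state = http("GET", f"{host}/api/v1/bom/token/{token}", api_key)
        if not state["processing"]:
            break
        sleep(interval)
    else:
        raise TimeoutError(f"BOM {token} still processing after {max_polls} polls")
    _, findings = http("GET", f"{host}/api/v1/finding/project/{project_uuid}", api_key)
    return findings

def severity_counts(findings):
    """Tally findings by the severity Dependency-Track assigned to each matched vulnerability."""
    return dict(collections.Counter(f["vulnerability"]["severity"] for f in findings))
```

With the default transport, `upload_and_wait("https://<DT_HOST>", "YOUR_TOKEN", "<PROJECT_UUID>", open("sbom.cdx.json", "rb").read())` performs the real exchange; `severity_counts` gives a quick gate on the result.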