Obtain a Dependency-Track API key from the Administration panel under Access Management → Teams
Create a project via `POST /api/v1/project` with `{name, version, classifier}` and capture the returned `uuid`
Upload the SBOM via `PUT /api/v1/bom` with `multipart/form-data` fields `project=<uuid>` and the BOM file as `bom`
Poll `GET /api/v1/bom/token/<token>` until `processing: false` to confirm ingestion completed
Retrieve the project metrics with `GET /api/v1/metrics/project/<uuid>/current` and check `inheritedRiskScore`
Known gotchas
Dependency-Track processes BOM uploads asynchronously; querying findings immediately after upload may return an empty or stale result set
The API key must belong to a team with the `BOM_UPLOAD` and `VIEW_PORTFOLIO` permissions; the default `Automation` team is not granted all permissions
Component PURL accuracy determines how many vulnerabilities are matched; components without a valid PURL are enriched by name/version heuristics, which can produce false positives
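The polling and metrics steps, combined with the asynchronous-processing gotcha, can be wired into a CI gate as in the following added example (not Dependency-Track's own code). The environment variable names `DTRACK_URL` and `DTRACK_API_KEY`, the function names, and the `max_risk` threshold are assumptions; the paths and the `processing` and `inheritedRiskScore` fields are the ones named above.

```python
import json
import time
import urllib.request


def http_get_json(base_url, api_key, path):
    """GET a Dependency-Track API path and decode the JSON body."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"X-Api-Key": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def wait_for_bom(get, token, timeout=300.0, interval=5.0,
                 sleep=time.sleep, clock=time.monotonic):
    """Poll the BOM token until processing is false; raise on timeout."""
    deadline = clock() + timeout
    while True:
        status = get(f"/api/v1/bom/token/{token}") or {}
        # A missing field counts as still processing, never as done.
        if status.get("processing", True) is False:
            return
        if clock() >= deadline:
            raise TimeoutError(f"BOM {token} still processing after {timeout}s")
        sleep(interval)


def risk_gate(get, project_uuid, token, max_risk, **poll_opts):
    """Return (passed, score); metrics are read only after ingestion ends."""
    wait_for_bom(get, token, **poll_opts)
    metrics = get(f"/api/v1/metrics/project/{project_uuid}/current") or {}
    score = metrics.get("inheritedRiskScore")
    if score is None:
        # Absent metrics are not the same as zero risk: fail closed.
        return False, None
    return float(score) <= max_risk, float(score)


if __name__ == "__main__":
    import functools, os, sys
    # Assumed usage: gate.py <project-uuid> <upload-token> <max-risk>
    get = functools.partial(http_get_json, os.environ["DTRACK_URL"],
                            os.environ["DTRACK_API_KEY"])
    ok, score = risk_gate(get, sys.argv[1], sys.argv[2], float(sys.argv[3]))
    print(f"inheritedRiskScore={score} passed={ok}")
    sys.exit(0 if ok else 1)
```

The gate fails closed on a timeout or on missing metrics, so a build cannot pass on the empty or stale result set described in the first gotcha.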