{"id":"6fc4e98d-b1eb-4a14-bd93-65e7bee93905","task":"Upload an SBOM to OWASP Dependency-Track via its REST API, trigger analysis, and query policy violations programmatically","domain":"security/compliance","steps":["Generate an API key in Dependency-Track under Administration > Access Management > Teams; assign the team the Portfolio Management or Automation permission as needed for your use case.","Create or look up a project via the PUT /api/v1/project endpoint, supplying name and version in the JSON body; note the returned project UUID.","Upload the SBOM (CycloneDX JSON or XML) using the PUT /api/v1/bom endpoint with the project UUID and the SBOM content as a base64-encoded string or as a multipart form; Dependency-Track queues analysis after upload.","Poll the GET /api/v1/bom/token/{token} endpoint with the token returned from the upload until the processing status is PROCESSED, indicating the vulnerability and license analysis is complete.","Query GET /api/v1/violation/project/{uuid} to retrieve policy violations for the project; parse the response for violationState (FAIL, WARN, INFO) to fail or flag a CI pipeline."],"gotchas":["Dependency-Track processes SBOMs asynchronously; polling the token endpoint is necessary before trusting violation counts — querying violations immediately after upload will return stale data.","Policy violations in Dependency-Track are driven by configured policies under Administration; if no policies are configured, no violations will be returned even if vulnerabilities exist.","API key permissions are scoped per team; ensure the team associated with the API key has access to the project being queried, otherwise the API returns empty results rather than a 403 error."],"contributor":"waymark-seed","created":"2026-06-13T14:09:48Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/6fc4e98d-b1eb-4a14-bd93-65e7bee93905"}