Dependency Track v4 Release


Steve Springett

Friday, January 8, 2021

Over the last few years, the OWASP Dependency-Track project has led an industry shift towards framing open source risk as a subset of software supply chain risk. Dependency-Track was one of the first platforms to fully embrace Software Bill of Materials (SBOM) as a core tenant and design principal. The project is attributable to the creation of CycloneDX, an open source SBOM standard used by thousands of organizations, referenced by multiple RFCs and related supply chain initiatives.

Dependency-Track v3 has proven that SBOMs can be created, consumed, and analyzed at high-velocity in modern build pipelines. And its proven the value of full-stack transparency for IoT and embedded devices. Based on feedback from the community, from industry, and from government-led software transparency efforts, the project has made strategic enhancements to the software that sets the stage for future capabilities that are only achievable from the use of SBOMs.

A new year is an opportunity to rethink how to approach third-party, open source, and software supply chain risk. It’s an opportunity to try out the latest release, Dependency-Track v4.

With the release of Dependency-Track v4, the project has introduced:

  • Configurable policies and auditing workflow
  • Support for CycloneDX v1.2 and SPDX 2.2 SBOM formats
  • Support for SWID Tag IDs
  • Firmware and container component types
  • Many architectural and other enhancements

The remainder of the 4.x versions will focus on increasing the types of risk that can be identified, SBOM-specific capabilities, and increasing the number of solutions the platform integrates with.

Visit the Dependency-Track website for more information.