OWASP Dependency-Track
For more details about Dependency-Track, see the project's website at dependencytrack.org
Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Dependency-Track takes a unique and highly beneficial approach by leveraging the capabilities of Software Bill of Materials (SBOM). This approach provides capabilities that traditional Software Composition Analysis (SCA) solutions cannot achieve.
Dependency-Track monitors component usage across all versions of every application in its portfolio in order to proactively identify risk across an organization. The platform has an API-first design and is ideal for use in CI/CD environments.
Features
- Component support for:
  - Applications
  - Libraries
  - Frameworks
  - Operating systems
  - Containers
  - Firmware
  - Files
  - Hardware
- Tracks component usage across every application in an organization's portfolio
- Quickly identifies what is affected, and where
- Identifies multiple forms of risk, including:
  - Components with known vulnerabilities
  - Out-of-date components
  - Modified components
  - License risk
  - More coming soon
- Integrates with multiple sources of vulnerability intelligence, including:
  - National Vulnerability Database (NVD)
  - NPM Public Advisories
  - Sonatype OSS Index
  - VulnDB from Risk Based Security
  - More coming soon
- Robust policy engine with support for global and per-project policies
  - Security risk and compliance
  - License risk and compliance
  - Operational risk and compliance
- Ecosystem agnostic with built-in repository support for:
  - Cargo (Rust)
  - Composer (PHP)
  - Gems (Ruby)
  - Hex (Erlang/Elixir)
  - Maven (Java)
  - NPM (JavaScript)
  - NuGet (.NET)
  - PyPI (Python)
  - More coming soon
- Identifies APIs and external service components, including:
  - Service provider
  - Endpoint URIs
  - Data classification
  - Directional flow of data
  - Trust boundary traversal
  - Authentication requirements
- Includes a comprehensive auditing workflow for triaging results
- Configurable notifications supporting Slack, Microsoft Teams, Webhooks, and Email
- Supports standardized SPDX license IDs and tracks license use by component
- Supports importing CycloneDX (recommended) and SPDX Software Bill of Materials (SBOM) formats
- Easy-to-read metrics for components, projects, and portfolio
- Native support for Kenna Security, Fortify SSC, ThreadFix, and DefectDojo
- API-first design facilitates easy integration with other systems
- API documentation available in OpenAPI format
- OAuth 2.0 + OpenID Connect (OIDC) support for single sign-on (authN/authZ)
- Supports internally managed users, Active Directory/LDAP, and API Keys
- Simple to install and configure; get up and running in just a few minutes
Integrations
Installation
Dependency-Track is distributed as Docker containers.
Docker Compose

```bash
curl -LO https://dependencytrack.org/docker-compose.yml
docker-compose up -d
```

Docker Swarm

```bash
curl -LO https://dependencytrack.org/docker-compose.yml
docker swarm init
docker stack deploy -c docker-compose.yml dtrack
```
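Once the containers are up, the usual CI/CD step is to push a CycloneDX SBOM to the server through its REST API. The following is an added example, not code from the Dependency-Track project or this page: it assumes the `PUT /api/v1/bom` and `GET /api/v1/bom/token/{token}` endpoints, the `X-Api-Key` header and the `BOM_UPLOAD`/`PROJECT_CREATION_UPLOAD` permission names of Dependency-Track's API, and uses a constructed minimal SBOM plus placeholder `base_url`/`api_key` values.

```python
import base64
import json
import urllib.request

# Constructed minimal CycloneDX JSON SBOM used as sample input (not a real product).
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [{
        "type": "library", "name": "example-lib", "version": "1.2.3",
        "purl": "pkg:maven/org.example/example-lib@1.2.3",
    }],
}

def build_bom_upload(project_name, project_version, bom):
    """Body for PUT /api/v1/bom: the BOM travels base64-encoded in "bom";
    autoCreate asks the server to create the project on first upload, which
    needs an API key holding PROJECT_CREATION_UPLOAD as well as BOM_UPLOAD
    (assumed permission names). Give CI keys no more than these two."""
    raw = json.dumps(bom).encode("utf-8")
    return {
        "projectName": project_name,
        "projectVersion": project_version,
        "autoCreate": True,
        "bom": base64.b64encode(raw).decode("ascii"),
    }

def decode_bom_field(payload):
    """Reverse the encoding so a pipeline can check what the server will receive."""
    return json.loads(base64.b64decode(payload["bom"]))

def upload_bom(base_url, api_key, payload):
    """PUT the BOM; Dependency-Track answers with a processing token (assumed API)."""
    req = urllib.request.Request(
        f"{base_url}/api/v1/bom",
        data=json.dumps(payload).encode("utf-8"), method="PUT",
        headers={"Content-Type": "application/json", "X-Api-Key": api_key},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["token"]

def bom_processed(base_url, api_key, token):
    """GET /api/v1/bom/token/{token}: True once analysis of the upload has finished."""
    req = urllib.request.Request(f"{base_url}/api/v1/bom/token/{token}",
                                 headers={"X-Api-Key": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return not json.load(resp)["processing"]
```

A pipeline calls `upload_bom()` with the payload from `build_bom_upload()` and then polls `bom_processed()` until it returns True before querying findings, since the token only signals that analysis has completed.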
News
- 2021/03/17 v4.2.0 Released
- 2021/02/09 v4.1.0 Released
- 2021/01/12 v4.0.1 Released
- 2021/01/03 v4.0.0 Released
- 2020/03/22 v3.8.0 Released
- 2020/01/07 v3.7.1 Released
- 2019/12/16 v3.7.0 Released
- 2019/10/01 v3.6.1 Released
- 2019/09/28 v3.6.0 Released
- 2019/07/17 v3.5.1 Released
- 2019/06/07 v3.5.0 Released
- 2019/04/16 v3.4.1 Released
- 2018/12/22 v3.4.0 Released
- 2018/11/13 v3.3.1 Released
- 2018/10/25 v3.3.0 Released
- 2018/10/02 v3.2.2 Released
- 2018/09/21 v3.2.1 Released
- 2018/09/06 v3.2.0 Released
- 2018/06/19 v3.1.0 Released
- 2018/05/02 v3.0.4 Released
- 2018/04/13 v3.0.3 Released
- 2018/03/30 v3.0.2 Released
- 2018/03/29 v3.0.1 Released
- 2018/03/27 v3.0.0 Released
- 2017/10/08 v3.0 Updates to community
- 2017/06/16 Presentation at OWASP Summit 2017
Supporters
Dependency-Track is developed by a worldwide team of volunteers.
But we have also been helped by many organizations, either financially or by encouraging their employees to work on Dependency-Track: