OWASP Dependency-Track
For more details about Dependency-Track see the project's website at dependencytrack.org
Dependency-Track is an intelligent Supply Chain Component Analysis platform that allows organizations to identify and reduce risk from the use of third-party and open source components. Dependency-Track takes a unique and highly beneficial approach by leveraging the capabilities of Software Bill of Materials (SBOM). This approach provides capabilities that traditional Software Composition Analysis (SCA) solutions cannot achieve.
Dependency-Track monitors component usage across all versions of every application in its portfolio in order to proactively identify risk across an organization. The platform has an API-first design and is ideal for use in Continuous Integration (CI) and Continuous Delivery (CD) environments.
Features
- Tracks application, library, framework, operating system, and hardware components
- Tracks component usage across all versions of every application in an organization's portfolio
- Identifies multiple forms of risk, including:
  - Components with known vulnerabilities
  - Out-of-date components
  - Modified components
  - License risk
  - More coming soon…
- Integrates with multiple sources of vulnerability intelligence, including:
  - National Vulnerability Database (NVD)
  - NPM Public Advisories
  - Sonatype OSS Index
  - VulnDB from Risk Based Security
  - More coming soon.
- Ecosystem agnostic with built-in repository support for:
  - Gems (Ruby)
  - Hex (Erlang/Elixir)
  - Maven (Java)
  - NPM (JavaScript)
  - NuGet (.NET)
  - PyPI (Python)
  - More coming soon.
- Includes a comprehensive auditing workflow for triaging results
- Configurable notifications supporting Slack, Microsoft Teams, Webhooks, and Email
- Supports standardized SPDX license IDs and tracks license use by component
- Supports importing CycloneDX and SPDX Software Bill of Materials (SBOM) formats
- Easy-to-read metrics for components, projects, and portfolio
- Native support for Kenna Security, Fortify SSC, and ThreadFix
- API-first design facilitates easy integration with other systems
- API documentation available in OpenAPI format
- Supports internally managed users, Active Directory/LDAP, and API keys
- Simple to install and configure; get up and running in just a few minutes
Supported SBOM Formats
Dependency-Track supports the CycloneDX and SPDX Software Bill of Materials (SBOM) formats.
News
- 2020/03/22 v3.8.0 Released
- 2020/01/07 v3.7.1 Released
- 2019/12/16 v3.7.0 Released
- 2019/10/01 v3.6.1 Released
- 2019/09/28 v3.6.0 Released
- 2019/07/17 v3.5.1 Released
- 2019/06/07 v3.5.0 Released
- 2019/04/16 v3.4.1 Released
- 2018/12/22 v3.4.0 Released
- 2018/11/13 v3.3.1 Released
- 2018/10/25 v3.3.0 Released
- 2018/10/02 v3.2.2 Released
- 2018/09/21 v3.2.1 Released
- 2018/09/06 v3.2.0 Released
- 2018/06/19 v3.1.0 Released
- 2018/05/02 v3.0.4 Released
- 2018/04/13 v3.0.3 Released
- 2018/03/30 v3.0.2 Released
- 2018/03/29 v3.0.1 Released
- 2018/03/27 v3.0.0 Released
- 2017/10/08 v3.0 Updates to community
- 2017/06/16 Presentation at OWASP Summit 2017
Supporters
Dependency-Track is developed by a worldwide team of volunteers.
We have also been helped by many organizations, either financially or by encouraging their employees to work on Dependency-Track: