OWASP Dependency-Track

Features

Features

• Component support for:
  • Applications
  • Libraries
  • Frameworks
  • Operating systems
  • Containers
  • Firmware
  • Files
  • Hardware
• Tracks component usage across every application in an organizations portfolio
• Quickly identify what is affected, and where
• Identifies multiple forms of risk including
  • Components with known vulnerabilities
  • Out-of-date components
  • Modified components
  • License risk
  • More coming soon…
• Integrates with multiple sources of vulnerability intelligence including:
  • National Vulnerability Database (NVD)
  • NPM Public Advisories
  • Sonatype OSS Index
  • VulnDB from Risk Based Security
  • More coming soon.
• Robust policy engine with support for global and per-project policies
  • Security risk and compliance
  • License risk and compliance
  • Operational risk and compliance
• Ecosystem agnostic with built-in repository support for:
  • Cargo (Rust)
  • Composer (PHP)
  • Gems (Ruby)
  • Hex (Erlang/Elixir)
  • Maven (Java)
  • NPM (Javascript)
  • NuGet (.NET)
  • Pypi (Python)
  • More coming soon.
• Identifies APIs and external service components including:
  • Service provider
  • Endpoint URIs
  • Data classification
  • Directional flow of data
  • Trust boundary traversal
  • Authentication requirements
• Includes a comprehensive auditing workflow for triaging results
• Configurable notifications supporting Slack, Microsoft Teams, Webhooks, and Email
• Supports standardized SPDX license ID’s and tracks license use by component
• Supports importing CycloneDX (recommended) and SPDX Software Bill of Materials (SBOM) formats
• Easy to read metrics for components, projects, and portfolio
• Native support for Kenna Security, Fortify SSC, ThreadFix, and DefectDojo
• API-first design facilitates easy integration with other systems
• API documentation available in OpenAPI format
• OAuth 2.0 + OpenID Connect (OIDC) support for single sign-on (authN/authZ)
• Supports internally managed users, Active Directory/LDAP, and API Keys
• Simple to install and configure. Get up and running in just a few minutes

Integrations

Installation

Dependency-Track is distributed as Docker containers.

Docker Compose

curl -LO https://dependencytrack.org/docker-compose.yml
docker-compose up -d

Docker Swarm

curl -LO https://dependencytrack.org/docker-compose.yml
docker swarm init
docker stack deploy -c docker-compose.yml dtrack

News

• 2021/05/07 v4.2.2 Released
• 2021/03/20 v4.2.1 Released
• 2021/03/17 v4.2.0 Released
• 2021/02/09 v4.1.0 Released
• 2021/01/12 v4.0.1 Released
• 2021/01/03 v4.0.0 Released
• 2020/03/22 v3.8.0 Released
• 2020/01/07 v3.7.1 Released
• 2019/12/16 v3.7.0 Released
• 2019/10/01 v3.6.1 Released
• 2019/09/28 v3.6.0 Released
• 2019/07/17 v3.5.1 Released
• 2019/06/07 v3.5.0 Released
• 2019/04/16 v3.4.1 Released
• 2018/12/22 v3.4.0 Released
• 2018/11/13 v3.3.1 Released
• 2018/10/25 v3.3.0 Released
• 2018/10/02 v3.2.2 Released
• 2018/09/21 v3.2.1 Released
• 2018/09/06 v3.2.0 Released
• 2018/06/19 v3.1.0 Released
• 2018/05/02 v3.0.4 Released
• 2018/04/13 v3.0.3 Released
• 2018/03/30 v3.0.2 Released
• 2018/03/29 v3.0.1 Released
• 2018/03/27 v3.0.0 Released
• 2017/10/08 v3.0 Updates to community
• 2017/06/16 Presentation at OWASP Summit 2017

Supporters

Dependency-Track is developed by a worldwide team of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on Dependency-Track:

• Risk Based Security