Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Dependency-Track takes a unique and highly beneficial approach by leveraging the capabilities of Software Bill of Materials (SBOM). This approach provides capabilities that traditional Software Composition Analysis (SCA) solutions cannot achieve.
Dependency-Track monitors component usage across all versions of every application in its portfolio in order to proactively identify risk across an organization. The platform has an API-first design and is ideal for use in CI/CD environments.
Features #
- Consumes and produces CycloneDX Software Bill of Materials (SBOM)
- Consumes and produces CycloneDX Vulnerability Exploitability Exchange (VEX)
- Component support for:
- Applications
- Libraries
- Frameworks
- Operating systems
- Containers
- Firmware
- Files
- Hardware
- Services
- Tracks component usage across every application in an organizations portfolio
- Quickly identify what is affected, and where
- Identifies multiple forms of risk including
- Components with known vulnerabilities
- Out-of-date components
- Modified components
- License risk
- More coming soon…
- Integrates with multiple sources of vulnerability intelligence including:
- National Vulnerability Database (NVD)
- GitHub Advisories
- Sonatype OSS Index
- Snyk
- Trivy
- OSV
- VulnDB from Risk Based Security
- More coming soon.
- Helps to prioritize mitigation by incorporating support for the Exploit Prediction Scoring System (EPSS)
- Maintain a private vulnerability database of vulnerability components
- Robust policy engine with support for global and per-project policies
- Security risk and compliance
- License risk and compliance
- Operational risk and compliance
- Ecosystem agnostic with built-in repository support for:
- Cargo (Rust)
- Composer (PHP)
- Gems (Ruby)
- Hex (Erlang/Elixir)
- Maven (Java)
- NPM (Javascript)
- NuGet (.NET)
- PyPI (Python)
- More coming soon.
- Identifies APIs and external service components including:
- Service provider
- Endpoint URIs
- Data classification
- Directional flow of data
- Trust boundary traversal
- Authentication requirements
- Includes a comprehensive auditing workflow for triaging results
- Configurable notifications supporting Slack, Microsoft Teams, Mattermost, Webhooks, Email and Jira
- Supports standardized SPDX license ID’s and tracks license use by component
- Easy to read metrics for components, projects, and portfolio
- Native support for Kenna Security, Fortify SSC, ThreadFix, and DefectDojo
- API-first design facilitates easy integration with other systems
- API documentation available in OpenAPI format
- OAuth 2.0 + OpenID Connect (OIDC) support for single sign-on (authN/authZ)
- Supports internally managed users, Active Directory/LDAP, and API Keys
- Simple to install and configure. Get up and running in just a few minutes