Dependency-Track logo

Components with known vulnerabilities used in a supply chain represent significant risk to projects that have a dependency on them. However, the use of components which do not have known vulnerabilities but are not the latest release, also represent risk in the following ways:

By keeping components consistently updated, organizations are better prepared to respond with urgency when a vulnerability affecting a component becomes known.

Dependency-Track supports identification of outdated components by leveraging tight integration with APIs available from various repositories. Dependency-Track relies on Package URL (PURL) to identify the ecosystem a component belongs to, the metadata about the component, and uses that data to query the various repositories capable of supporting the components ecosystem. Refer to Repositories for further information.