Dependency-Track logov4.2

Importing and Using BOMs


BOMs are a statement of facts, and the type of facts a BOM has will greatly impact how effective the system will be when performing component risk analysis.

SPDX BOM format v2.1 and previous do not support Package URL. When importing SPDX BOMs, ensure the format is version 2.2 or higher and contains valid Package URLs for each component.

Generating and Obtaining BOMs


The ability for an organization to generate a complete bill-of-material during continuous integration is one of many maturity indicators. BOMs are increasingly required for various compliance, regulatory, legal, or economic reasons.



Sonatype OSS Index and NPM Audit provides accurate vulnerability information for application dependencies. All components in the portfolio should have valid Package URLs to take advantage of OSS Index and NPM Audit. Non-application dependencies such as operating systems, hardware, firmware, etc, should have valid CPEs to take advantage of the internal CPE analyzer.

Leverage APIs and Integrations


Findings in Dependency-Track are intended to be a source-of-truth, but they’re not meant to be kept in a silo. Dependency-Track has an API-first design intended to promote integration with other systems. By leveraging these capabilities, organizations benefit from increased software transparency and ultimately reduce risk to stakeholders.