Dependency-Track logov4.10

Summary #

BOMs are a statement of facts, and the type of facts a BOM has will greatly impact how effective the system will be when performing component risk analysis.

Generating and Obtaining BOMs #

Summary #

The ability for an organization to generate a complete bill-of-material during continuous integration is one of many maturity indicators. BOMs are increasingly required for various compliance, regulatory, legal, or economic reasons.

Analyzers #

Data Sources #

Summary #

Sonatype OSS Index provides accurate vulnerability information for application dependencies. All components in the portfolio should have valid Package URLs to take advantage of OSS Index and GitHub Advisories. Non-application dependencies such as operating systems, hardware, firmware, etc, should have valid CPEs to take advantage of the internal CPE analyzer.

Leverage APIs and Integrations #

Summary #

Findings in Dependency-Track are intended to be a source-of-truth, but they’re not meant to be kept in a silo. Dependency-Track has an API-first design intended to promote integration with other systems. By leveraging these capabilities, organizations benefit from increased software transparency and ultimately reduce risk to stakeholders.