Dependency-Track logo

Dependency-Track has the ability to maintain it’s own repository of internally managed vulnerabilities. The private repository behaves identical to other sources of vulnerability intelligence such as the NVD.

add vulnerability

There are three primary use cases for the private vulnerability repository.

Vulnerabilities tracked in the private vulnerability repository have a source of ‘INTERNAL’. Like all vulnerabilities in the system, a unique VulnID is required to help uniquely identify each one. It’s recommended that organizations follow patterns to help identify the source. For example, vulnerabilities in the NVD all start with ‘CVE-‘. Likewise an organization tracking their own may opt to use something like ‘ACME-‘ or ‘INT-‘ or use multiple qualifiers depending on the type of vulnerability. The only requirement is that the VulnID is unique to the INTERNAL source.