Dependency-Track has the ability to maintain its own repository of internally managed vulnerabilities. The private repository behaves identically to other sources of vulnerability intelligence such as the NVD.
There are three primary use cases for the private vulnerability repository.
- Organizations that wish to track vulnerabilities in internally developed components shared among various software projects in the organization.
- Organizations performing security research that need to document that research before optionally disclosing it.
- Organizations that are using unmanaged sources of data to identify vulnerabilities, such as:
  - Change logs
  - Commit logs
  - Issue trackers
  - Social media posts
Vulnerabilities tracked in the private vulnerability repository have a source of ‘INTERNAL’. Like all vulnerabilities
in the system, each one requires a VulnID that uniquely identifies it. It is recommended that organizations
follow a naming pattern that identifies the source. For example, vulnerabilities in the NVD all start with ‘CVE-‘. Likewise,
an organization tracking its own may opt to use something like ‘ACME-‘ or ‘INT-‘, or use multiple qualifiers depending
on the type of vulnerability. The only requirement is that the VulnID is unique within the INTERNAL source; it does not
need to be unique across sources, so an internal ID can never collide with a CVE from the NVD.
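The following is an added example, not part of the Dependency-Track documentation or project code. It enforces an organization's VulnID convention (the `ACME-`/`INT-` prefix plus a year and sequence number is an assumed convention), checks uniqueness per source as described above, and builds the JSON body for creating an internal vulnerability. The endpoint path `/api/v1/vulnerability`, the `X-Api-Key` header and the field names `vulnId`, `source`, `title`, `description`, `severity` and `cvssV3Vector` are assumptions drawn from the Dependency-Track REST API; confirm them against your server's Swagger UI before relying on them. The set of existing IDs is constructed sample data.

```python
"""Added example (not Dependency-Track project code): validate an INTERNAL VulnID,
enforce uniqueness within the INTERNAL source, and build the create-vulnerability
request body.  Endpoint, header and field names are assumptions about the
Dependency-Track REST API; verify them against your server's Swagger UI."""
import json
import re
import urllib.request

# Organization-specific ID convention (assumption): prefix, four-digit year,
# and a zero-padded sequence number, e.g. ACME-2024-0001 or INT-2024-0042.
VULN_ID_PATTERN = re.compile(r"^(ACME|INT)-\d{4}-\d{4,}$")

# Constructed sample of (source, vulnId) pairs already known to the server.
# In practice this would be populated from the API before a bulk import.
EXISTING_IDS = {
    ("INTERNAL", "ACME-2024-0001"),
    ("NVD", "CVE-2021-44228"),
}


def validate_vuln_id(vuln_id, existing_ids, source="INTERNAL"):
    """Return None if vuln_id may be created in `source`, else the reason it may not.

    Uniqueness is scoped to the source: an INTERNAL ID may not duplicate another
    INTERNAL ID, but the same string under a different source is not a conflict.
    """
    if not VULN_ID_PATTERN.match(vuln_id):
        return f"{vuln_id!r} does not match the organization's VulnID convention"
    if (source, vuln_id) in existing_ids:
        return f"{vuln_id!r} already exists in source {source}"
    return None


def build_internal_vulnerability(vuln_id, title, description, severity,
                                 cvss_v3_vector=None):
    """Build the request body for a new INTERNAL vulnerability.

    `source` is set explicitly so the record lands in the private repository
    rather than being mistaken for NVD data.  Severity values are assumed to
    be CRITICAL, HIGH, MEDIUM, LOW, INFO or UNASSIGNED.
    """
    body = {
        "vulnId": vuln_id,
        "source": "INTERNAL",
        "title": title,
        "description": description,
        "severity": severity,
    }
    if cvss_v3_vector:
        body["cvssV3Vector"] = cvss_v3_vector
    return body


def submit(base_url, api_key, body):
    """PUT the body to the assumed create endpoint and return the parsed reply.

    Not called in the offline demonstration below; requires a live server.
    """
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v1/vulnerability",
        data=json.dumps(body).encode("utf-8"),
        method="PUT",
        headers={"Content-Type": "application/json", "X-Api-Key": api_key},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for candidate in ("ACME-2024-0001", "ACME-2024-0002", "CVE-2021-44228"):
        problem = validate_vuln_id(candidate, EXISTING_IDS)
        print(candidate, "->", problem or "ok")
    body = build_internal_vulnerability(
        "ACME-2024-0002",
        "Path traversal in internal file-export library",
        "Export filenames are not canonicalised before being joined to the output directory.",
        "HIGH",
        "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
    )
    print(json.dumps(body, indent=2))
```

Run the validation against IDs fetched from the server before importing a batch from change logs or issue trackers; rejecting a duplicate locally is cheaper than untangling two records that share a VulnID after the fact.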