Dependency-Track has the ability to maintain it’s own repository of internally managed vulnerabilities. The private repository behaves identical to other sources of vulnerability intelligence such as the NVD.

There are three primary use cases for the private vulnerability repository.

• Organizations that wish to track vulnerabilities in internally-developed components shared among various software projects in the organization.
• Organizations performing security research that have a need to document said research before optionally disclosing it.
• Organizations that are using unmanaged sources of data to identify vulnerabilities. This includes:
  • Change logs
  • Commit logs
  • Issue trackers
  • Social media posts

Vulnerabilities tracked in the private vulnerability repository have a source of ‘INTERNAL’. Like all vulnerabilities in the system, a unique VulnID is required to help uniquely identify each one. It’s recommended that organizations follow patterns to help identify the source. For example, vulnerabilities in the NVD all start with ‘CVE-‘. Likewise an organization tracking their own may opt to use something like ‘ACME-‘ or ‘INT-‘ or use multiple qualifiers depending on the type of vulnerability. The only requirement is that the VulnID is unique to the INTERNAL source.