Dependency-Track periodically calls external APIs to download vulnerability intelligence and component metadata. If your instance is behind a restrictive firewall or proxy, allow egress to the endpoints listed in services.bom.json.

Where to find the authoritative list	What it contains
services.bom.json	Source-of-truth JSON maintained in-repo
Release SBOM (e.g. bom.json for v4.12.0)	services.bom.json merged into the full build SBOM