Dependency-Track

The process of tracking, managing, and continuously evaluating metrics and risk is at the core of Cyber Supply Chain Risk Management programs.


Dependency-Track fulfills much of the guidance laid out by SAFECode.

Known Vulnerability Detection

Dependency-Track employs several methods of vulnerability identification including:

| Scanner | Description |
| --- | --- |
| Dependency-Check | OWASP Dependency-Check is a utility designed to discover vulnerabilities in third-party components. Dependency-Check uses evidence-based analysis and performs fuzzy matching against the NVD to present results based on confidence. Dependency-Track has native integration with Dependency-Check. |
| NPM Audit | NPM Audit is a service which identifies vulnerabilities in Node.js modules. Dependency-Track integrates natively with the NPM Audit service to provide highly accurate results. |
| OSS Index | OSS Index is a service provided by Sonatype which identifies vulnerabilities in third-party components. Dependency-Track integrates natively with the OSS Index service to provide highly accurate results. |

Each of the scanners above can be enabled or disabled independently from one another.


Outdated Component Risk

Components with known vulnerabilities used in a supply chain represent significant risk to the projects that depend on them. However, using components that have no known vulnerabilities but are not the latest release also represents risk in the following ways:

By keeping components consistently updated, organizations are better prepared to respond with urgency when a vulnerability affecting a component becomes known.

Dependency-Track identifies outdated components through tight integration with the APIs of various repositories. It relies on Package URL (purl) to identify the ecosystem a component belongs to and the metadata describing the component, and uses that data to query the repositories that support the component's ecosystem. Refer to Repositories for further information.

Internet of Things (IoT)

In a supply chain, any component including firmware, operating systems, applications, libraries, and the hardware components they run on, can and should be tracked. Dependency-Track is capable of tracking and analyzing each of these components.

The analysis of metadata describing hardware is currently possible, although limited. This capability will be expanded in future versions of the platform.