Dependency-Track

The process of tracking, managing, and continuously evaluating metrics and risk is at the core of Cyber Supply Chain Risk Management programs.

Dependency-Track fulfills much of the guidance laid out by SAFECode.

Outdated Component Risk

Components with known vulnerabilities used in a supply chain represent significant risk to projects that have a dependency on them. However, the use of components which do not have known vulnerabilities but are not the latest release also represents risk in the following ways:

By keeping components consistently updated, organizations are better prepared to respond with urgency when a vulnerability affecting a component becomes known.

Dependency-Track supports identification of outdated components by leveraging tight integration with APIs available from various repositories. Dependency-Track relies on Package URL (purl) to identify the ecosystem a component belongs to and the metadata about the component, and uses that data to query the repositories capable of serving the component's ecosystem. Refer to Repositories for further information.
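As an added illustration (not code from the Dependency-Track project), the following Python sketches the purl-driven lookup described above: it parses a purl into ecosystem, namespace, name and version, then compares the version against a constructed in-memory stand-in for the repository's "latest version" answer; the version ordering is a deliberate simplification, since each real ecosystem has its own rules.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote


@dataclass(frozen=True)
class PackageURL:
    type: str                 # ecosystem, e.g. "maven", "npm", "pypi"
    namespace: Optional[str]
    name: str
    version: Optional[str]


def parse_purl(purl: str) -> PackageURL:
    """Parse pkg:type/namespace/name@version?qualifiers#subpath per the purl spec."""
    if not purl.lower().startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    rest = purl[4:].lstrip("/")
    rest = rest.rpartition("#")[0] if "#" in rest else rest   # subpath: not needed for lookups
    rest = rest.rpartition("?")[0] if "?" in rest else rest   # qualifiers: likewise
    version = None
    if "@" in rest:                                            # rightmost '@' separates version
        rest, _, version = rest.rpartition("@")
        version = unquote(version)
    segs = [s for s in rest.split("/") if s]
    if len(segs) < 2:
        raise ValueError(f"purl needs a type and a name: {purl}")
    namespace = "/".join(unquote(s) for s in segs[1:-1]) or None  # "%40example" -> "@example"
    return PackageURL(segs[0].lower(), namespace, unquote(segs[-1]), version)


def version_key(v: str) -> tuple:
    """Naive ordering: dotted numbers, with any pre-release suffix sorting before the final.
    Simplification for this example; Maven, npm semver and PEP 440 each differ in detail."""
    m = re.match(r"v?([0-9][0-9.]*)(.*)", v)
    if m is None:                       # unparseable version sorts before everything
        return ((), False)
    nums, suffix = m.groups()
    return (tuple(int(p) for p in nums.split(".") if p), suffix == "")


# Constructed stand-in for the repository APIs (assumption, not real package data).
LATEST_INDEX = {
    ("maven", "com.example", "app-core"): "3.2.0",
    ("npm", "@example", "widget"): "1.4.1",
    ("pypi", None, "examplelib"): "2.0.0",
}


def check_outdated(purl: str, index=LATEST_INDEX) -> Optional[dict]:
    """Return ecosystem, current/latest versions and an outdated flag; None when the
    repository has no record of the component, so no conclusion can be drawn."""
    p = parse_purl(purl)
    latest = index.get((p.type, p.namespace, p.name))
    if latest is None or p.version is None:
        return None
    return {"ecosystem": p.type, "name": p.name, "current": p.version, "latest": latest,
            "outdated": version_key(p.version) < version_key(latest)}
```

Run with purls such as `pkg:maven/com.example/app-core@3.0.1?type=jar` or `pkg:pypi/examplelib@2.0.0rc1` to see the outdated flag set, and with an unknown component to see the lookup abstain.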

Internet of Things (IoT)

In a supply chain, any component, including firmware, operating systems, applications, libraries, and the hardware components they run on, can and should be tracked. Dependency-Track is capable of tracking and analyzing each of these components.

The analysis of metadata describing hardware is currently possible, although limited. This capability will be expanded in future versions of the platform.