Component Analysis, as defined by OWASP, is the process of identifying potential areas of risk from the use of third-party and open-source software and hardware components. Component Analysis is a function within an overall Cyber Supply Chain Risk Management (C-SCRM) framework.
Dependency-Track fulfills much of the guidance laid out by OWASP and SAFECode.
- Tracks application, library, framework, operating system, and hardware components
- Tracks component usage among all projects in the enterprise
- Adapts to changes in component dependencies used among the various projects
- Tracks various metadata for each component including:
  - Group / Vendor
  - Component Name
  - Component Version
  - File Hashes
- Continuously analyzes components for known, publicly disclosed vulnerabilities
- Reports component vulnerability metrics to higher-level projects that have dependencies on them
- Reports vulnerability metrics for all projects in an organization's portfolio
- Provides vulnerability metrics over a customizable period of time for individual components, projects, or an organization's entire portfolio
- Identifies out-of-date components where the version used is not the latest available
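As an added example (not Dependency-Track's own code), the script below shows what the component metadata in the list above looks like in practice: it builds a minimal CycloneDX 1.4 JSON BOM carrying group, name, version and file hashes for two components, flags the one whose version is behind a catalog of latest versions, and wraps the BOM in the base64 JSON body that Dependency-Track's `PUT /api/v1/bom` endpoint accepts (sent with an `X-Api-Key` header). The component bytes and the "latest versions" catalog are constructed sample data, the Maven purl format is an assumption about the ecosystem, and the version comparison only handles purely numeric dotted versions.

```python
"""Added example, not part of Dependency-Track: build CycloneDX component
metadata (group, name, version, file hashes), detect out-of-date components
against a constructed catalog, and prepare the PUT /api/v1/bom payload."""
import base64
import hashlib
import json

# Constructed sample: (group, name, version, file bytes). The bytes stand in
# for real library archives; the hashes below are computed from them.
SAMPLE_COMPONENTS = [
    ("org.apache.logging.log4j", "log4j-core", "2.14.1",
     b"constructed log4j jar bytes"),
    ("com.fasterxml.jackson.core", "jackson-databind", "2.13.4",
     b"constructed jackson jar bytes"),
]

# Constructed "latest available" catalog. In a real deployment this is what
# Dependency-Track learns from the package repository (Maven Central, npm, ...).
LATEST_VERSIONS = {
    "org.apache.logging.log4j:log4j-core": "2.17.1",
    "com.fasterxml.jackson.core:jackson-databind": "2.13.4",
}


def file_hashes(data: bytes) -> list:
    """Hash a component file with two of the algorithms CycloneDX 'hashes' allows."""
    return [
        {"alg": "SHA-1", "content": hashlib.sha1(data).hexdigest()},
        {"alg": "SHA-256", "content": hashlib.sha256(data).hexdigest()},
    ]


def make_component(group: str, name: str, version: str, data: bytes) -> dict:
    """One CycloneDX 'component' entry; the Maven purl scheme is an assumption."""
    return {
        "type": "library",
        "group": group,
        "name": name,
        "version": version,
        "purl": f"pkg:maven/{group}/{name}@{version}",
        "hashes": file_hashes(data),
    }


def build_bom(components: list) -> dict:
    """Minimal CycloneDX 1.4 JSON document around the component list."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "components": [make_component(*c) for c in components],
    }


def parse_version(v: str) -> tuple:
    """Assumption: purely numeric dotted versions (e.g. '2.14.1').
    Real ecosystems have pre-release and qualifier rules this does not model."""
    return tuple(int(seg) for seg in v.split("."))


def outdated(bom: dict, latest: dict) -> list:
    """Components whose version is behind the catalog's latest version."""
    result = []
    for c in bom["components"]:
        key = f"{c['group']}:{c['name']}"
        newest = latest.get(key)
        if newest and parse_version(c["version"]) < parse_version(newest):
            result.append({"component": key, "used": c["version"], "latest": newest})
    return result


def upload_payload(bom: dict, project_name: str, project_version: str) -> dict:
    """JSON body for PUT /api/v1/bom: the BOM base64-encoded, with autoCreate
    so the project is created on first upload."""
    encoded = base64.b64encode(json.dumps(bom).encode()).decode()
    return {
        "projectName": project_name,
        "projectVersion": project_version,
        "autoCreate": True,
        "bom": encoded,
    }


def decode_payload(payload: dict) -> dict:
    """Inverse of upload_payload, useful for checking what would be sent."""
    return json.loads(base64.b64decode(payload["bom"]))


if __name__ == "__main__":
    bom = build_bom(SAMPLE_COMPONENTS)
    print(json.dumps(outdated(bom, LATEST_VERSIONS), indent=2))
    print(json.dumps(upload_payload(bom, "inventory-service", "1.0.0"))[:160], "...")
```

The hashes matter more than they look: Dependency-Track can match a component on its file hash even when the declared name and version are wrong or missing, so computing them from the actual artifact rather than trusting the manifest is the cheap way to catch a mislabeled or tampered dependency.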