
Difference between revisions of "OWASP Dependency Track Project"

Previous revision (minor edit, summary: "3.5.0 release") compared with the revision of 21:55, 19 June 2019 (minor edit, summary: "updated description"). Lines marked "-" were removed, lines marked "+" were added; unmarked lines are unchanged context.

 ==OWASP Dependency-Track==
 
- Modern applications leverage the availability of existing components for use as building blocks in application development. By using existing components, organizations can dramatically decrease time-to-market. Reusing existing components however, comes at a cost. Organizations that build on top of existing components assume risk for software they did not create. Vulnerabilities in third-party components are inherited by all applications that use those components. The [[OWASP Top Ten]] (2013 and 2017) both recognize the risk of [[Top 10 2013-A9-Using Components with Known Vulnerabilities|using components with known vulnerabilities]].
+ Dependency-Track is an intelligent Software [[Component Analysis|Supply Chain Component Analysis]] platform that allows organizations to identify and reduce risk from the use of third-party and open source components. Dependency-Track takes a unique and highly beneficial approach by leveraging the capabilities of Software Bill-of-Materials (SBoM). This approach provides capabilities that traditional Software Composition Analysis (SCA) solutions cannot achieve.
 
- Dependency-Track is a Software Composition Analysis (SCA) platform that keeps track of all third-party components used in all the applications an organization creates or consumes. It integrates with multiple vulnerability databases including the [https://nvd.nist.gov/ National Vulnerability Database] (NVD), [https://www.npmjs.com/advisories NPM Public Advisories], [https://ossindex.sonatype.org/ Sonatype OSS Index], and [https://vulndb.cyberriskanalytics.com VulnDB] from [https://www.riskbasedsecurity.com Risk Based Security]. Dependency-Track monitors all applications in its portfolio in order to proactively identify vulnerabilities in components that are placing your applications at risk. Use of Dependency-Track can play a vital role in an overall [https://csrc.nist.gov/Projects/Supply-Chain-Risk-Management Cyber Supply Chain Risk Management] (C-SCRM) program by fulfilling many of the recommendations laid out by [https://www.safecode.org/wp-content/uploads/2017/05/SAFECode_TPC_Whitepaper.pdf SAFECode].
+ Dependency-Track monitors component usage across all versions of every application in its portfolio in order to proactively identify risk across an organization. The platform has an API-first design and is ideal for use in Continuous Integration (CI) and Continuous Delivery (CD) environments.
 
- Dependency-Track is designed to be used in an automated DevOps environment where BoM (bill-of-material) formats are automatically ingested during CI/CD. Use of the [https://plugins.jenkins.io/dependency-track Dependency-Track Jenkins Plugin] is highly recommended for this purpose and is well suited for use in Jenkins Pipeline. In such an environment, Dependency-Track enables your DevOps teams to accelerate while still keeping tabs on component usage and any inherited risk.
- 
- Dependency-Track can also be used to monitor vulnerabilities in COTS (commercial off-the-shelf) software.
 
 [[File:Integrations.png|frameless]]
 
 ==Features==
- * Increases visibility into the use of vulnerable and outdated components
- * Flexible data model supporting an unlimited number of projects and components
- * Tracks vulnerabilities and inherited risk
- ** by component
- ** by project
- ** across entire portfolio
- * Tracks usage of out-of-date components
+ * Tracks component usage across all version of every application in an organizations portfolio
+ * Identifies multiple forms of risk including
+ ** Components with known vulnerabilities
+ ** Out-of-date components
+ ** Modified components
+ ** License risk
+ ** More coming soon...
+ * Integrates with multiple sources of vulnerability intelligence including:
+ ** [https://nvd.nist.gov National Vulnerability Database] (NVD)
+ ** [https://www.npmjs.com/advisories NPM Public Advisories]
+ ** [https://ossindex.sonatype.org Sonatype OSS Index]
+ ** [https://vulndb.cyberriskanalytics.com VulnDB] from [https://www.riskbasedsecurity.com Risk Based Security]
+ ** More coming soon.
+ * Ecosystem agnostic with built-in repository support for:
+ ** Ruby Gems
+ ** Maven
+ ** NPM
+ ** NuGet
+ ** Python (Pypi)
+ ** More coming soon.
 * Includes a comprehensive auditing workflow for triaging results
 * Configurable notifications supporting Slack, Microsoft Teams, Webhooks, and Email
 * Supports standardized SPDX license ID’s and tracks license use by component
- * Supports [http://cyclonedx.org CycloneDX] and [https://spdx.org/ SPDX] bill-of-material formats and Dependency-Check XML
+ * Supports importing of [https://cyclonedx.org CycloneDX] and [https://spdx.org/ SPDX] software bill-of-materials
+ * Supports importing of [Dependency-Check] reports to simplify transitioning to SBoMs
 * Easy to read metrics for components, projects, and portfolio
- * Provides a reliable mirror of the NVD data feed
+ * Native support for Kenna Security, Fortify SSC, and ThreadFix
 * API-first design facilitates easy integration with other systems
 * API documentation available in Swagger 2.0 (OpenAPI 3 support coming soon)

Revision as of 21:55, 19 June 2019


OWASP Dependency-Track

Dependency-Track is an intelligent Software Supply Chain Component Analysis platform that allows organizations to identify and reduce risk from the use of third-party and open source components. Dependency-Track takes a unique and highly beneficial approach by leveraging the capabilities of Software Bill-of-Materials (SBoM). This approach provides capabilities that traditional Software Composition Analysis (SCA) solutions cannot achieve.

Dependency-Track monitors component usage across all versions of every application in its portfolio in order to proactively identify risk across an organization. The platform has an API-first design and is ideal for use in Continuous Integration (CI) and Continuous Delivery (CD) environments.

[Image: Integrations.png]

Features

  • Tracks component usage across all versions of every application in an organization's portfolio
  • Identifies multiple forms of risk including
    • Components with known vulnerabilities
    • Out-of-date components
    • Modified components
    • License risk
    • More coming soon...
  • Integrates with multiple sources of vulnerability intelligence including:
    • National Vulnerability Database (NVD)
    • NPM Public Advisories
    • Sonatype OSS Index
    • VulnDB from Risk Based Security
    • More coming soon.
  • Ecosystem agnostic with built-in repository support for:
    • Ruby Gems
    • Maven
    • NPM
    • NuGet
    • Python (Pypi)
    • More coming soon.
  • Includes a comprehensive auditing workflow for triaging results
  • Configurable notifications supporting Slack, Microsoft Teams, Webhooks, and Email
  • Supports standardized SPDX license IDs and tracks license use by component
  • Supports importing of CycloneDX and SPDX software bill-of-materials
  • Supports importing of Dependency-Check reports to simplify transitioning to SBoMs
  • Easy to read metrics for components, projects, and portfolio
  • Native support for Kenna Security, Fortify SSC, and ThreadFix
  • API-first design facilitates easy integration with other systems
  • API documentation available in Swagger 2.0 (OpenAPI 3 support coming soon)
  • Supports internally managed users, Active Directory/LDAP, and API Keys
  • Simple to install and configure. Get up and running in just a few minutes
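The SBoM import and API-first features above describe the usual CI/CD flow: a pipeline produces a CycloneDX bill-of-materials and submits it to the server. This is an added example, not code from the wiki page or the Dependency-Track project; it builds a minimal CycloneDX 1.1 XML BoM and wraps it in the JSON body that, as I understand the v3 API, PUT /api/v1/bom accepts (base64 BoM plus project UUID, authenticated with an X-Api-Key header). The server URL, API key, project UUID and component are placeholders.

```python
"""Build a minimal CycloneDX 1.1 SBoM and submit it to Dependency-Track.
Added example; the API shape (PUT /api/v1/bom, JSON {project, bom}) is an
assumption about the v3 API, and all values below are placeholders."""
import base64
import json
import urllib.request
import xml.etree.ElementTree as ET

CDX_NS = "http://cyclonedx.org/schema/bom/1.1"


def build_cyclonedx_bom(components):
    """components: iterable of (group, name, version) tuples; returns XML bytes."""
    ET.register_namespace("", CDX_NS)
    bom = ET.Element(f"{{{CDX_NS}}}bom", {"version": "1"})
    comps = ET.SubElement(bom, f"{{{CDX_NS}}}components")
    for group, name, version in components:
        c = ET.SubElement(comps, f"{{{CDX_NS}}}component", {"type": "library"})
        ET.SubElement(c, f"{{{CDX_NS}}}group").text = group
        ET.SubElement(c, f"{{{CDX_NS}}}name").text = name
        ET.SubElement(c, f"{{{CDX_NS}}}version").text = version
        # The Package URL is what the server matches against its vulnerability sources.
        ET.SubElement(c, f"{{{CDX_NS}}}purl").text = f"pkg:maven/{group}/{name}@{version}"
    return ET.tostring(bom, encoding="utf-8", xml_declaration=True)


def bom_upload_payload(project_uuid, bom_bytes):
    """The BoM travels base64-encoded inside a JSON object keyed to the project."""
    return {"project": project_uuid,
            "bom": base64.b64encode(bom_bytes).decode("ascii")}


def upload_bom(base_url, api_key, project_uuid, bom_bytes):
    """PUT the payload to /api/v1/bom; returns the HTTP status code."""
    req = urllib.request.Request(
        f"{base_url}/api/v1/bom",
        data=json.dumps(bom_upload_payload(project_uuid, bom_bytes)).encode("utf-8"),
        method="PUT",
        headers={"Content-Type": "application/json", "X-Api-Key": api_key},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample component; replace the placeholders before running against a server.
    sample_bom = build_cyclonedx_bom([("org.example", "sample-lib", "1.2.3")])
    print(sample_bom.decode("utf-8"))
    # upload_bom("https://dtrack.example.invalid", "<API KEY>", "<PROJECT UUID>", sample_bom)
```

Keep the API key out of the pipeline definition (inject it as a masked secret) and give it only the permission needed to upload BoMs.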

Distributions

Dependency-Track supports the following three deployment options:

  • Executable WAR
  • Conventional WAR
  • Docker container

Licensing

OWASP Dependency-Track is licensed under the Apache 2.0 license.


Quick Download

Ready-to-deploy distributions are available from the Dependency-Track website.

News and Events

  • [07 Jun 2019] v3.5.0 Released
  • [16 Apr 2019] v3.4.1 Released
  • [22 Dec 2018] v3.4.0 Released
  • [13 Nov 2018] v3.3.1 Released
  • [25 Oct 2018] v3.3.0 Released
  • [02 Oct 2018] v3.2.2 Released
  • [21 Sep 2018] v3.2.1 Released
  • [06 Sep 2018] v3.2.0 Released
  • [19 Jun 2018] v3.1.0 Released
  • [02 May 2018] v3.0.4 Released
  • [13 Apr 2018] v3.0.3 Released
  • [30 Mar 2018] v3.0.2 Released
  • [27 Mar 2018] v3.0.1 Released
  • [26 Mar 2018] v3.0.0 Released
  • [08 Oct 2017] v3.0 Updates to community
  • [16 Jun 2017] Presentation at OWASP Summit 2017
  • [10 Dec 2016] Work begins on v3.0

Media

OWASP Dependency-Track Channel (YouTube)

AppSec Podcast (S03E13)

Documentation

Dependency-Track Documentation

Project Leader

Steve Springett

Related Projects

Classifications

  • Flagship Project
  • Builders, Defenders
  • Project Type: Tool