OWASP Dependency Track Project

OWASP Dependency-Track

Dependency-Track is an intelligent Software Supply Chain Component Analysis platform that allows organizations to identify and reduce risk from the use of third-party and open source components. Dependency-Track takes a unique and highly beneficial approach by leveraging the capabilities of Software Bill-of-Materials (SBoM). This approach provides capabilities that traditional Software Composition Analysis (SCA) solutions cannot achieve.

Dependency-Track monitors component usage across all versions of every application in its portfolio in order to proactively identify risk across an organization. The platform has an API-first design and is ideal for use in Continuous Integration (CI) and Continuous Delivery (CD) environments.

Features

• Tracks component usage across all version of every application in an organizations portfolio
• Identifies multiple forms of risk including
  • Components with known vulnerabilities
  • Out-of-date components
  • Modified components
  • License risk
  • More coming soon...
• Integrates with multiple sources of vulnerability intelligence including:
  • National Vulnerability Database (NVD)
  • NPM Public Advisories
  • Sonatype OSS Index
  • VulnDB from Risk Based Security
  • More coming soon.
• Ecosystem agnostic with built-in repository support for:
  • Ruby Gems
  • Maven
  • NPM
  • NuGet
  • Python (Pypi)
  • More coming soon.
• Includes a comprehensive auditing workflow for triaging results
• Configurable notifications supporting Slack, Microsoft Teams, Webhooks, and Email
• Supports standardized SPDX license ID’s and tracks license use by component
• Supports importing of CycloneDX and SPDX software bill-of-materials
• Supports importing of [Dependency-Check] reports to simplify transitioning to SBoMs
• Easy to read metrics for components, projects, and portfolio
• Native support for Kenna Security, Fortify SSC, and ThreadFix
• API-first design facilitates easy integration with other systems
• API documentation available in Swagger 2.0 (OpenAPI 3 support coming soon)
• Supports internally managed users, Active Directory/LDAP, and API Keys
• Simple to install and configure. Get up and running in just a few minutes

Distributions

Dependency-Track supports the following three deployment options:

• Executable WAR
• Conventional WAR
• Docker container

Licensing

OWASP Dependency-Track is licensed under the Apache 2.0 license.

Quick Download

Ready-to-deploy distributions are available from the Dependency-Track website

• Website
• Source Code

News and Events

• [07 Jun 2019] v3.5.0 Released
• [16 Apr 2019] v3.4.1 Released
• [22 Dec 2018] v3.4.0 Released
• [13 Nov 2018] v3.3.1 Released
• [25 Oct 2018] v3.3.0 Released
• [02 Oct 2018] v3.2.2 Released
• [21 Sep 2018] v3.2.1 Released
• [06 Sep 2018] v3.2.0 Released
• [19 Jun 2018] v3.1.0 Released
• [02 May 2018] v3.0.4 Released
• [13 Apr 2018] v3.0.3 Released
• [30 Mar 2018] v3.0.2 Released
• [27 Mar 2018] v3.0.1 Released
• [26 Mar 2018] v3.0.0 Released
• [08 Oct 2017] v3.0 Updates to community
• [16 Jun 2017] Presentation at OWASP Summit 2017
• [10 Dec 2016] Work begins on v3.0

Media

OWASP Dependency-Track Channel (YouTube)

AppSec Podcast (S03E13)

Documentation

Dependency-Track Documentation

Project Leader

Steve Springett

Related Projects

• OWASP Dependency-Check

Classifications