OWASP Dependency Track Project

From OWASP
Revision as of 06:25, 29 September 2019 by Steve Springett


OWASP Dependency-Track

Dependency-Track is an intelligent Software Supply Chain Component Analysis platform that allows organizations to identify and reduce risk from the use of third-party and open source components. Dependency-Track takes a unique and highly beneficial approach by leveraging the capabilities of Software Bill-of-Materials (SBOM). This approach provides capabilities that traditional Software Composition Analysis (SCA) solutions cannot achieve.

Dependency-Track monitors component usage across all versions of every application in its portfolio in order to proactively identify risk across an organization. The platform has an API-first design and is ideal for use in Continuous Integration (CI) and Continuous Delivery (CD) environments.


Features

  • Tracks component usage across all versions of every application in an organization's portfolio
  • Identifies multiple forms of risk including
    • Components with known vulnerabilities
    • Out-of-date components
    • Modified components
    • License risk
    • More coming soon...
  • Integrates with multiple sources of vulnerability intelligence including:
  • Ecosystem agnostic with built-in repository support for:
    • Ruby Gems
    • Maven
    • NPM
    • NuGet
    • Python (PyPI)
    • More coming soon.
  • Includes a comprehensive auditing workflow for triaging results
  • Configurable notifications supporting Slack, Microsoft Teams, Webhooks, and Email
  • Supports standardized SPDX license IDs and tracks license use by component
  • Supports importing of CycloneDX and SPDX software bills of materials
  • Supports importing of Dependency-Check reports to simplify the transition to SBOMs
  • Easy to read metrics for components, projects, and portfolio
  • Native support for Kenna Security, Fortify SSC, and ThreadFix
  • API-first design facilitates easy integration with other systems
  • API documentation available in Swagger 2.0 (OpenAPI 3 support coming soon)
  • Supports internally managed users, Active Directory/LDAP, and API Keys
  • Simple to install and configure. Get up and running in just a few minutes

Distributions

Dependency-Track supports the following three deployment options:

  • Executable WAR
  • Conventional WAR
  • Docker container

Licensing

OWASP Dependency-Track is licensed under the Apache 2.0 license.


Quick Download

Ready-to-deploy distributions are available from the Dependency-Track website.

News and Events

  • [28 Sep 2019] v3.6.0 Released
  • [17 Jul 2019] v3.5.1 Released
  • [07 Jun 2019] v3.5.0 Released
  • [16 Apr 2019] v3.4.1 Released
  • [22 Dec 2018] v3.4.0 Released

Community Integrations

Media

OWASP Dependency-Track Channel (YouTube)

AppSec Podcast (S03E13)

Documentation

Dependency-Track Documentation

Project Leader

Steve Springett

Related Projects

Classifications

Flagship Project (Builders, Defenders)
Project Type: Tool