Dependency-Track | Software Bill of Materials (SBOM) Analysis | OWASP
Reduce Supply Chain Risk

Continuous SBOM Analysis Platform

Continuous Integration

Consume and analyze SBOMs at high-velocity. Ideal for use with modern build pipelines.

Continuous Insight

Identify risk across all assets and applications. Quickly answer what is affected and where.

Continuous Transparency

Full-stack component inventory. Optionally republish SBOMs to others in the supply chain.

Accurate and complete full-stack inventory

Track usage of libraries and frameworks, applications, containers, operating systems, firmware, hardware, and services across all projects in the Dependency-Track portfolio. Get full-stack traceability for the cloud, for the enterprise, for smart devices, and for IoT.

Identify and remediate vulnerable components

Bring vulnerable components to light with support for multiple sources of vulnerability intelligence including the National Vulnerability Database (NVD), Sonatype OSS Index, GitHub Advisories, Snyk, OSV, and VulnDB from Risk Based Security.

Measure and enforce policy compliance

Security, operational, and license policies ensure that associated risk is quickly identified across development teams, suppliers, and partners in the supply chain.

Platform Features

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.

Vulnerability Detection

Identify known vulnerabilities in third-party components via integration with the NVD, OSS Index, GitHub, Snyk, OSV, and VulnDB

Policy Evaluation

Measure and enforce security, operational, and license policy compliance for individual projects or the entire portfolio

Impact Analysis

Rapidly respond to a newly identified vulnerability by locating every project in the portfolio that is affected through the vulnerable component

Exploit Prediction

Prioritize mitigation by leveraging integrated support for the Exploit Prediction Scoring System (EPSS)

Auditing Workflow

Quickly triage findings and policy violations, capture commentary and analysis decisions in an audit trail

Outdated Version Detection

Identifies components that are not the most recent available version; staleness indirectly affects project health and risk

Full-Stack Inventory

Tracks usage of libraries, frameworks, applications, containers, operating systems, firmware, hardware, and services

Bill of Materials (BOM)

Consumes, analyzes, and produces CycloneDX Software Bill of Materials (SBOM), an OWASP and industry standard

Vulnerability Aggregation

Native integration with multiple application risk platforms providing organizations a consolidated view of prioritized findings

NIST VDR

Produces CycloneDX Vulnerability Disclosure Reports (VDR) that exceed requirements defined in NIST SP 800-161

CISA VEX

Produces and consumes CycloneDX Vulnerability Exploitability eXchange (VEX) exceeding CISA recommendations

Notifications

Automates notifications to Slack, Microsoft Teams, Mattermost, Cisco WebEx, outbound webhooks, and email

Enterprise Ready

Supports Single Sign On (SSO) via OpenID Connect (OIDC) and supports Active Directory and LDAP authentication

API and Integration

Well documented API-first design integrates easily with other systems providing endless possibilities
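The continuous-integration and API-first claims above come together in one pipeline step: upload a CycloneDX SBOM, wait for the server to analyze it, then fail the build on unsuppressed findings above a severity threshold. The script below is an added example (not code from the Dependency-Track project) that uses the REST endpoints documented by Dependency-Track: PUT /api/v1/bom, GET /api/v1/bom/token/{token}, GET /api/v1/project/lookup and GET /api/v1/finding/project/{uuid}. DT_URL, API_KEY and the project name/version are placeholders, and SAMPLE_BOM and SAMPLE_FINDINGS are constructed inline (the findings mirror the documented response shape) so the severity gate can be exercised without a server.

```python
"""Gate a CI job on Dependency-Track findings for an uploaded CycloneDX SBOM.

Added example, not Dependency-Track project code. DT_URL, API_KEY and the project
are placeholders; SAMPLE_BOM and SAMPLE_FINDINGS are constructed test data.
"""
import base64
import json
import time
import urllib.parse
import urllib.request

DT_URL = "http://dtrack.example.com:8081"  # placeholder: API server base URL
API_KEY = "REPLACE_WITH_TEAM_API_KEY"      # placeholder: team key with BOM_UPLOAD,
                                           # PROJECT_CREATION_UPLOAD, VIEW_VULNERABILITY

# Dependency-Track severity labels, ordered for threshold comparison.
SEVERITY_RANK = {"UNASSIGNED": 0, "INFO": 1, "LOW": 2, "MEDIUM": 3, "HIGH": 4, "CRITICAL": 5}

# Constructed minimal CycloneDX 1.4 SBOM with one known-vulnerable component.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [{
        "type": "library",
        "group": "org.apache.logging.log4j",
        "name": "log4j-core",
        "version": "2.14.1",
        "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
    }],
}

# Constructed findings in the shape returned by GET /api/v1/finding/project/{uuid}.
# The second entry carries an audit decision (NOT_AFFECTED, suppressed), the kind of
# VEX-style triage the auditing workflow records; EXAMPLE-MEDIUM-1 is a placeholder id.
SAMPLE_FINDINGS = [
    {"component": {"name": "log4j-core", "version": "2.14.1"},
     "vulnerability": {"source": "NVD", "vulnId": "CVE-2021-44228", "severity": "CRITICAL"},
     "analysis": {}},
    {"component": {"name": "log4j-core", "version": "2.14.1"},
     "vulnerability": {"source": "NVD", "vulnId": "CVE-2021-45046", "severity": "CRITICAL"},
     "analysis": {"state": "NOT_AFFECTED", "isSuppressed": True}},
    {"component": {"name": "example-lib", "version": "1.0.0"},
     "vulnerability": {"source": "INTERNAL", "vulnId": "EXAMPLE-MEDIUM-1", "severity": "MEDIUM"},
     "analysis": {}},
]


def _api(method, path, body=None):
    """Send one authenticated JSON request to the Dependency-Track API server."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(DT_URL + path, data=data, method=method,
                                 headers={"X-Api-Key": API_KEY, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read() or b"null")


def upload_bom(project_name, project_version, bom):
    """PUT the base64-encoded SBOM; autoCreate creates the project if it does not exist.
    Returns the processing token the server hands back."""
    payload = {"projectName": project_name, "projectVersion": project_version,
               "autoCreate": True, "bom": base64.b64encode(json.dumps(bom).encode()).decode()}
    return _api("PUT", "/api/v1/bom", payload)["token"]


def wait_for_processing(token, timeout=300, interval=5):
    """Poll the token until the server reports processing finished; False on timeout."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if not _api("GET", f"/api/v1/bom/token/{token}")["processing"]:
            return True
        time.sleep(interval)
    return False


def project_uuid(project_name, project_version):
    """Resolve the project UUID from its name and version."""
    q = urllib.parse.urlencode({"name": project_name, "version": project_version})
    return _api("GET", f"/api/v1/project/lookup?{q}")["uuid"]


def blocking_findings(findings, threshold="HIGH"):
    """Return (component, vulnId, severity) for unsuppressed findings at or above threshold.
    Suppressed findings are skipped, so analyst decisions recorded in the audit trail
    (false positive, not affected, VEX input) take effect in the gate."""
    min_rank = SEVERITY_RANK[threshold.upper()]
    blocked = []
    for f in findings:
        if (f.get("analysis") or {}).get("isSuppressed"):
            continue
        sev = f["vulnerability"].get("severity", "UNASSIGNED").upper()
        if SEVERITY_RANK.get(sev, 0) >= min_rank:
            blocked.append((f["component"]["name"], f["vulnerability"]["vulnId"], sev))
    return blocked


def main():
    token = upload_bom("Acme Example", "1.0.0", SAMPLE_BOM)
    if not wait_for_processing(token):
        raise SystemExit("timed out waiting for Dependency-Track to process the BOM")
    findings = _api("GET", f"/api/v1/finding/project/{project_uuid('Acme Example', '1.0.0')}")
    blocked = blocking_findings(findings, threshold="HIGH")
    for component, vuln_id, severity in blocked:
        print(f"BLOCK {severity:<8} {vuln_id} in {component}")
    raise SystemExit(1 if blocked else 0)


if __name__ == "__main__":
    main()
```

The gate reads the analysis state rather than only the severity so that a suppression made in the auditing workflow (or imported from a VEX document) is honoured by the pipeline instead of being re-flagged on every build. The upload uses the JSON PUT form with a base64 BOM; the multipart POST form with `-F "bom=@bom.json"` shown in the Dependency-Track documentation is equivalent for a curl-only pipeline.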

Time Series Metrics

Provides trending details of the inherited risk and policy violations for all projects and components in the portfolio

Open Source

Community-driven project distributed under the Apache 2.0 license. Large and active community of contributors and adopters.

Installation

Docker Compose:

curl -LO https://dependencytrack.org/docker-compose.yml
docker-compose up -d

Docker Swarm:

curl -LO https://dependencytrack.org/docker-compose.yml
docker swarm init
docker stack deploy -c docker-compose.yml dtrack