What is Dependency Track? Explained in Detail.
Dependency-Track is an intelligent component analysis platform that allows organizations to identify and mitigate risk in the software supply chain. Dependency-Track software takes a unique and highly beneficial approach by leveraging the capabilities of Bill of Materials (SBOM). Dependency-Track monitors component usage across all versions of every application in its portfolio to proactively identify risk across an organization. The platform has an API-first design and is ideal for use in CI/CD environments
Features:
Component support for:
- Frameworks
- Operating systems
- Applications
- Containers
- Libraries
- Firmware
- Files
- Hardware
- Components with known vulnerabilities
- Quickly identify what is affected, and where
- Identifies multiple forms of risk including
- License risk
- Out-of-date components
- Modified components
- NPM Public Advisories
- Tracks component usage across each application in the organization portfolio
More coming soon…
Integrates with multiple sources of vulnerability intelligence including:
- National Vulnerability Database (NVD)
- Sonatype OSS Index
- VulnDB from Risk Based Security
- More coming soon.
- Powerful policy engine with support for global and per-project policies
- Security risk and compliance
- License risk and compliance
- Operational risk and compliance
- Ecosystem agnostic with built-in repository support for:
- Cargo (Rust)
- Composer (PHP)
- Gems (Ruby)
- Hex (Erlang/Elixir)
- Maven (Java)
- NPM (Javascript)
- NuGet (.NET)
- Pypi (Python)
More coming soon.
Identifies APIs and external service components including:
- Service provider
- Endpoint URIs
- Data classification
- Directional flow of data
- Trust boundary traversal
- Authentication requirements
- Includes a comprehensive auditing workflow for triaging results
- Configurable notifications supporting Slack, Microsoft Teams, webhooks, and email Support
- standardized SPDX license IDs and track license usage by component
- Supports importing CycloneDX Software Bill of Materials (SBOM)
- Easy to read metrics for components, projects and portfolios Native support for Kenna Security,
- Fortify SSC, ThreadFix and DefectDojo
- API-first design facilitates easy integration with other systems
- API documentation available in OpenAPI format
- OAuth 2.0 + OpenID Connect (OIDC) support for single sign-on (authN/authZ)
- Supports internally managed users, Active Directory/LDAP, and API Keys
- Simple to install and configure. Get up and running in just minutes
Read Also-Features of Java Programming
Components:
API Server:
The API server includes an embedded Jetty server and all server-side functionality, but does not include a frontend user interface. This variant is new as of Dependency-Track v4.0.
Frontend:
The frontend is a user interface that is accessible in a web browser. The frontend is a single page application (SPA) that can be deployed independently of the dependency-tracked API server.This variant is new as of Dependency-Track v3.8.
Bundled:
The bundle variant combines the API server and frontend user interface.This variant was previously referred to as the executable war and was the preferred distribution from Dependency-Track v3.0 – v3.8. This version is supported but obsolete and will be discontinued in a future release.
Hope you like this blog….
- Dependency Track – End To End CI/CD Pipeline - November 29, 2024
- Dependency-track Jenkins Integration - November 27, 2024
- Jenkins Setup for PyTest + Selenium Automation Testing - November 27, 2024