What is Dependency Track? Explained in Detail.

What is Dependency Track? Explained in Detail.


What is Dependency Track

Dependency-Track is an intelligent component analysis platform that allows organizations to identify and mitigate risk in the software supply chain. Dependency-Track software takes a unique and highly beneficial approach by leveraging the capabilities of Bill of Materials (SBOM). Dependency-Track monitors component usage across all versions of every application in its portfolio to proactively identify risk across an organization. The platform has an API-first design and is ideal for use in CI/CD environments


Component support for:

  1. Frameworks
  2. Operating systems
  3. Applications
  4. Containers
  5. Libraries
  6. Firmware
  7. Files
  8. Hardware
  9. Components with known vulnerabilities
  10. Quickly identify what is affected, and where
  11. Identifies multiple forms of risk including
  12. License risk
  13. Out-of-date components
  14. Modified components
  15. NPM Public Advisories
  16. Tracks component usage across each application in the organization portfolio

More coming soon…

Integrates with multiple sources of vulnerability intelligence including:

  1. National Vulnerability Database (NVD)
  2. Sonatype OSS Index
  3. VulnDB from Risk Based Security
  4. More coming soon.
  5. Powerful policy engine with support for global and per-project policies
  6. Security risk and compliance
  7. License risk and compliance
  8. Operational risk and compliance
  9. Ecosystem agnostic with built-in repository support for:
  10. Cargo (Rust)
  11. Composer (PHP)
  12. Gems (Ruby)
  13. Hex (Erlang/Elixir)
  14. Maven (Java)
  15. NPM (Javascript)
  16. NuGet (.NET)
  17. Pypi (Python)

More coming soon.

Identifies APIs and external service components including:

  1. Service provider
  2. Endpoint URIs
  3. Data classification
  4. Directional flow of data
  5. Trust boundary traversal
  6. Authentication requirements
  7. Includes a comprehensive auditing workflow for triaging results
  8. Configurable notifications supporting Slack, Microsoft Teams, webhooks, and email Support
  9. standardized SPDX license IDs and track license usage by component
  10. Supports importing CycloneDX Software Bill of Materials (SBOM)
  11. Easy to read metrics for components, projects and portfolios Native support for Kenna Security,
  12. Fortify SSC, ThreadFix and DefectDojo
  13. API-first design facilitates easy integration with other systems
  14. API documentation available in OpenAPI format
  15. OAuth 2.0 + OpenID Connect (OIDC) support for single sign-on (authN/authZ)
  16. Supports internally managed users, Active Directory/LDAP, and API Keys
  17. Simple to install and configure. Get up and running in just minutes

Read Also-Features of Java Programming


API Server:

The API server includes an embedded Jetty server and all server-side functionality, but does not include a frontend user interface. This variant is new as of Dependency-Track v4.0.


The frontend is a user interface that is accessible in a web browser. The frontend is a single page application (SPA) that can be deployed independently of the dependency-tracked API server.This variant is new as of Dependency-Track v3.8.


The bundle variant combines the API server and frontend user interface.This variant was previously referred to as the executable war and was the preferred distribution from Dependency-Track v3.0 – v3.8. This version is supported but obsolete and will be discontinued in a future release.

Hope you like this blog….
Mahesh Wabale
Latest posts by Mahesh Wabale (see all)

Leave a Comment