DependencyTrack - Short Review

Developer Tools



Product Overview: Dependency-Track

Dependency-Track is an advanced Component Analysis platform designed to help organizations identify and mitigate risks within their software supply chain. Here’s a detailed look at what the product does and its key features.



What Dependency-Track Does

Dependency-Track leverages the power of Software Bill of Materials (SBOM) to provide a comprehensive analysis of the components used across all versions of every application within an organization’s portfolio. This approach goes beyond traditional Software Composition Analysis (SCA) solutions, offering unique capabilities to proactively identify and reduce various forms of risk.



Key Features



Component Analysis and Risk Identification

  • Dependency-Track monitors component usage to identify risks such as components with known vulnerabilities, out-of-date components, modified components, and license risks. It also tracks operational and compliance risks.


Integration with Vulnerability Intelligence Sources

  • The platform integrates with multiple sources of vulnerability intelligence, including the National Vulnerability Database (NVD), GitHub Advisories, Sonatype OSS Index, Snyk, Trivy, OSV, and VulnDB from Risk Based Security, among others.


Policy Engine and Compliance

  • Dependency-Track features a robust policy engine that supports both global and per-project policies. It helps in managing security, license, and operational compliance across the organization.


Support for Various Ecosystems

  • The platform is ecosystem-agnostic, providing built-in repository support for various package managers such as Cargo (Rust), Composer (PHP), Gems (Ruby), Hex (Erlang/Elixir), Maven (Java), NPM (JavaScript), NuGet (.NET), and PyPI (Python).


API and Integration Capabilities

  • With an API-first design, Dependency-Track is ideal for integration into CI/CD environments. It supports OAuth 2.0 and OpenID Connect (OIDC) for single sign-on and includes API documentation in OpenAPI format. The platform can also integrate with tools like Kenna Security, Fortify SSC, ThreadFix, and DefectDojo.


Tagging and Project Management

  • The latest updates include enhanced tagging features that offer more granular control over security and compliance protocols. Users can manage policies across multiple projects and receive alerts specific to tagged projects, improving the overall user experience.


SBOM and VEX Support

  • Dependency-Track consumes and produces CycloneDX Software Bill of Materials (SBOM) and Vulnerability Exploitability Exchange (VEX) formats, ensuring comprehensive component tracking and vulnerability management.
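The API-first CI/CD integration and the CycloneDX SBOM consumption described above, as an added example that is not part of the original review or of the Dependency-Track project: a small CI gate that builds the SBOM upload payload for the REST API and fails the pipeline on unsuppressed HIGH or CRITICAL findings. The server URL, API key, and sample SBOM and findings are constructed placeholders; the endpoint paths and response field names are assumptions based on the Dependency-Track REST API.

```python
"""CI gate for Dependency-Track (added example, not project code).

Assumed REST endpoints: PUT /api/v1/bom (SBOM upload) and
GET /api/v1/finding/project/{uuid} (findings), authenticated with X-Api-Key.
"""
import base64
import json
import os
from urllib import request

DT_URL = os.environ.get("DT_URL", "http://dtrack.example.invalid:8081")  # placeholder
DT_API_KEY = os.environ.get("DT_API_KEY", "PLACEHOLDER_API_KEY")        # placeholder

# Constructed minimal CycloneDX SBOM; a real pipeline generates this with an SBOM tool.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [{"type": "library", "name": "example-lib", "version": "1.0.0",
                    "purl": "pkg:npm/example-lib@1.0.0"}],
}
# Constructed findings shaped like the API response: severity plus triage state.
SAMPLE_FINDINGS = [
    {"vulnerability": {"vulnId": "EXAMPLE-1", "severity": "CRITICAL"}, "analysis": {"isSuppressed": False}},
    {"vulnerability": {"vulnId": "EXAMPLE-2", "severity": "HIGH"}, "analysis": {"isSuppressed": True}},
    {"vulnerability": {"vulnId": "EXAMPLE-3", "severity": "LOW"}, "analysis": {"isSuppressed": False}},
]
SEVERITY_ORDER = ["UNASSIGNED", "INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

def build_bom_upload(project_name, project_version, bom):
    """Body for PUT /api/v1/bom: the SBOM JSON must be base64-encoded in 'bom'."""
    raw = json.dumps(bom).encode()
    return {"projectName": project_name, "projectVersion": project_version,
            "autoCreate": True, "bom": base64.b64encode(raw).decode()}

def blocking_findings(findings, min_severity="HIGH"):
    """Unsuppressed findings at or above min_severity; suppressed ones were triaged away."""
    threshold = SEVERITY_ORDER.index(min_severity)
    kept = []
    for f in findings:
        sev = f.get("vulnerability", {}).get("severity", "UNASSIGNED").upper()
        if f.get("analysis", {}).get("isSuppressed", False):
            continue
        if SEVERITY_ORDER.index(sev) >= threshold:
            kept.append(f["vulnerability"]["vulnId"])
    return kept

def api_call(method, path, body=None):
    """Send one authenticated JSON request; used only when running against a live server."""
    data = json.dumps(body).encode() if body is not None else None
    req = request.Request(DT_URL + path, data=data, method=method,
                          headers={"X-Api-Key": DT_API_KEY, "Content-Type": "application/json"})
    with request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

if __name__ == "__main__":  # live run: upload, then gate on the project's findings
    api_call("PUT", "/api/v1/bom", build_bom_upload("example-app", "1.0.0", SAMPLE_BOM))
    raise SystemExit(1 if blocking_findings(api_call("GET", "/api/v1/finding/project/PROJECT_UUID")) else 0)
```

Findings suppressed through the auditing workflow are excluded from the gate, so a false positive triaged in the UI does not keep breaking the build.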


Auditing and Notifications

  • The platform includes a comprehensive auditing workflow for triaging results and supports configurable notifications via Slack, Microsoft Teams, Mattermost, Webhooks, Email, and Jira.


User and Authentication Management

  • Dependency-Track supports internally managed users, Active Directory/LDAP, and API Keys, making user and authentication management flexible and secure.


Additional Functionality

  • Exploit Prediction Scoring System (EPSS): Incorporates EPSS scores, which estimate the probability that a vulnerability will be exploited, to help prioritize mitigation efforts.
  • Private Vulnerability Database: Allows organizations to maintain their own private vulnerability database alongside the public intelligence sources.
  • APIs and External Services: Identifies APIs and external service components, including service providers, endpoint URIs, data classification, and authentication requirements.
  • Metrics and Reporting: Provides easy-to-read metrics for components, projects, and the overall portfolio.

In summary, Dependency-Track is a powerful tool for managing software supply chain risks by leveraging SBOM, integrating with multiple vulnerability intelligence sources, and offering robust policy management, API-first design, and comprehensive auditing and notification capabilities. Its flexibility and extensive feature set make it an essential tool for organizations aiming to enhance their software security and compliance.
