Skip to content

Dependency-Track is an intelligent Supply Chain Component Analysis platform that allows organizations to identify and reduce risk from the use of third-party and open source components.

License

Notifications You must be signed in to change notification settings

William-GuoWei/dependency-track

 
 

Build Status Codacy BadgeAlpine License OWASP Flagship Website Documentation Slack Join the chat at https://gitter.im/dependency-track/Lobby Group Discussion YouTube Subscribe Twitter Downloads Latest Docker Pulls

Dependency-Track

Dependency-Track is an intelligent Software Supply Chain Component Analysis platform that allows organizations to identify and reduce risk from the use of third-party and open source components. Dependency-Track takes a unique and highly beneficial approach by leveraging the capabilities of Software Bill-of-Materials (SBoM). This approach provides capabilities that traditional Software Composition Analysis (SCA) solutions cannot achieve.

Dependency-Track monitors component usage across all versions of every application in its portfolio in order to proactively identify risk across an organization. The platform has an API-first design and is ideal for use in Continuous Integration (CI) and Continuous Delivery (CD) environments.

NOTICE: Always use official binary releases in production.

Ecosystem Overview

alt text

Features

  • Tracks component usage across all version of every application in an organizations portfolio
  • Identifies multiple forms of risk including
    • Components with known vulnerabilities
    • Out-of-date components
    • Modified components
    • License risk
    • More coming soon...
  • Integrates with multiple sources of vulnerability intelligence including:
  • Ecosystem agnostic with built-in repository support for:
    • Ruby Gems
    • Maven
    • NPM
    • NuGet
    • Python (Pypi)
    • More coming soon.
  • Includes a comprehensive auditing workflow for triaging results
  • Configurable notifications supporting Slack, Microsoft Teams, Webhooks, and Email
  • Supports standardized SPDX license ID’s and tracks license use by component
  • Supports importing of CycloneDX and SPDX software bill-of-materials
  • Supports importing of Dependency-Check reports to simplify the transition to SBoMs
  • Easy to read metrics for components, projects, and portfolio
  • Native support for Kenna Security, Fortify SSC, and ThreadFix
  • API-first design facilitates easy integration with other systems
  • API documentation available in Swagger 2.0 (OpenAPI 3 support coming soon)
  • Supports internally managed users, Active Directory/LDAP, and API Keys
  • Simple to install and configure. Get up and running in just a few minutes

Screenshots

alt text

For more eye-candy, visit https://dependencytrack.org/.

Distributions

Dependency-Track supports the following three deployment options:

  • Docker container
  • Executable WAR
  • Conventional WAR

Deploying Docker Container

Deploying with Docker is the easiest and fastest method of getting started. No prerequisites are required other than an modern version of Docker. Dependency-Track uses the following conventions:

  • The 'latest' tag, which is pulled by default if no tag is specified, will always refer to the latest stable release (3.0.0, 3.0.1, 3.1.0, etc)
  • The 'snapshot' tag will be built and pushed on all CI changes to the master. Use this if you want a "moving target" with all the latest changes.
  • Version tags (3.0.0, 3.0.1, etc) are used to indicate each release
docker pull owasp/dependency-track
docker volume create --name dependency-track
docker run -d -p 8080:8080 --name dependency-track -v dependency-track:/data owasp/dependency-track

To run snapshot releases (not recommended for production):

docker pull owasp/dependency-track:snapshot
docker volume create --name dependency-track
docker run -d -p 8080:8080 --name dependency-track -v dependency-track:/data owasp/dependency-track:snapshot

In the event you want to delete all Dependency-Track images, containers, and volumes, the following statements may be executed. NOTE: This is a destructive operation and cannot be undone.

docker rmi owasp/dependency-track
docker rm dependency-track
docker volume rm dependency-track:/data

Deploying the Executable WAR

Another simple way to get Dependency-Track running quickly is to automatically deploy the executable WAR. This method requires Java 8u101 or higher. Simply download dependency-track-embedded.war and execute:

java -Xmx4G -jar dependency-track-embedded.war

Deploying the Conventional WAR

This is the most difficult to deploy option as it requires an already installed and configured Servlet container such as Apache Tomcat 8.5 and higher, however, it offers the most flexible deployment options. Follow the Servlet containers instructions for deploying dependency-track.war.

Compiling From Sources (optional)

To create an executable WAR that is ready to launch (recommended for most users):

mvn clean package -P embedded-jetty

To create a WAR that must be manually deployed to a modern Servlet container (i.e. Tomcat 8.5+):

mvn clean package

To create an executable WAR that is ready to be deployed in a Docker container:

mvn clean package -P embedded-jetty -Dlogback.configuration.file=src/main/docker/logback.xml

Resources

Community

Support

Dependency-Track is an open source project, created by people who believe that the knowledge of using vulnerable components should be accessible to anyone with a desire to know. By supporting this project, you'll allow the team to outsource testing, infrastructure, further research and development efforts, and engage in outreach to various communities that would benefit from this technology.

PayPal

Copyright & License

Dependency-Track is Copyright (c) Steve Springett. All Rights Reserved.

Permission to modify and redistribute is granted under the terms of the Apache License 2.0 license-url

Dependency-Track makes use of several other open source libraries. Please see the [NOTICES.txt] notices file for more information.

About

Dependency-Track is an intelligent Supply Chain Component Analysis platform that allows organizations to identify and reduce risk from the use of third-party and open source components.

Resources

License

Code of conduct

Security policy

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Java 63.8%
  • JavaScript 34.7%
  • CSS 1.3%
  • Other 0.2%