Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.

Clone this repo:
  1. ad371d8 Merge pull request #1523 from valentijnscholten/jetty-enhance by Steve Springett · 8 months ago master
  2. 62b1e02 README: add needed `-P enhance` for jetty (#1) by valentijnscholten · 8 months ago
  3. 895166b Merge pull request #1521 from valentijnscholten/npm-audit-removal-text-updates by Steve Springett · 8 months ago
  4. e00bb07 update texts now that npm audit analyzer has been removed by Valentijn Scholten · 8 months ago
  5. aa9a370 Merge remote-tracking branch 'origin/master' into npm-audit-removal-text-updates by Valentijn Scholten · 8 months ago

Build Status Codacy Badge Alpine License OWASP Flagship Website Documentation Slack Group Discussion YouTube Subscribe Twitter Downloads Latest Pulls - API Server Pulls - Frontend Pulls - Bundled Pulls - Legacy

logo preview

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Dependency-Track takes a unique and highly beneficial approach by leveraging the capabilities of Software Bill of Materials (SBOM). This approach provides capabilities that traditional Software Composition Analysis (SCA) solutions cannot achieve.

Dependency-Track monitors component usage across all versions of every application in its portfolio in order to proactively identify risk across an organization. The platform has an API-first design and is ideal for use in CI/CD environments.

Ecosystem Overview

alt text

Features

  • Component support for:
    • Applications
    • Libraries
    • Frameworks
    • Operating systems
    • Containers
    • Firmware
    • Files
    • Hardware
  • Tracks component usage across every application in an organizations portfolio
  • Quickly identify what is affected, and where
  • Identifies multiple forms of risk including
    • Components with known vulnerabilities
    • Out-of-date components
    • Modified components
    • License risk
    • More coming soon...
  • Integrates with multiple sources of vulnerability intelligence including:
  • Robust policy engine with support for global and per-project policies
    • Security risk and compliance
    • License risk and compliance
    • Operational risk and compliance
  • Ecosystem agnostic with built-in repository support for:
    • Cargo (Rust)
    • Composer (PHP)
    • Gems (Ruby)
    • Hex (Erlang/Elixir)
    • Maven (Java)
    • NPM (Javascript)
    • NuGet (.NET)
    • Pypi (Python)
    • More coming soon.
  • Identifies APIs and external service components including:
    • Service provider
    • Endpoint URIs
    • Data classification
    • Directional flow of data
    • Trust boundary traversal
    • Authentication requirements
  • Includes a comprehensive auditing workflow for triaging results
  • Configurable notifications supporting Slack, Microsoft Teams, WebEx, Webhooks, and Email
  • Supports standardized SPDX license ID’s and tracks license use by component
  • Supports importing CycloneDX Software Bill of Materials (SBOM)
  • Easy to read metrics for components, projects, and portfolio
  • Native support for Kenna Security, Fortify SSC, ThreadFix, and DefectDojo
  • API-first design facilitates easy integration with other systems
  • API documentation available in OpenAPI format
  • OAuth 2.0 + OpenID Connect (OIDC) support for single sign-on (authN/authZ)
  • Supports internally managed users, Active Directory/LDAP, and API Keys
  • Simple to install and configure. Get up and running in just a few minutes

alt text

Quickstart (Docker Compose)

# Downloads the latest Docker Compose file
curl -LO https://dependencytrack.org/docker-compose.yml

# Starts the stack using Docker Compose
docker-compose up -d

Quickstart (Docker Swarm)

# Downloads the latest Docker Compose file
curl -LO https://dependencytrack.org/docker-compose.yml

# Initializes Docker Swarm (if not previously initialized)
docker swarm init

# Starts the stack using Docker Swarm
docker stack deploy -c docker-compose.yml dtrack

Quickstart (Manual Execution)

# Pull the image from the Docker Hub OWASP repo
docker pull dependencytrack/bundled

# Creates a dedicated volume where data can be stored outside the container
docker volume create --name dependency-track

# Run the bundled container with 8GB RAM on port 8080
docker run -d -m 8192m -p 8080:8080 --name dependency-track -v dependency-track:/data dependencytrack/bundled

NOTICE: Always use official binary releases in production.

Distributions

Dependency-Track has four distribution variants. They are:

PackagePackage FormatRecommendedSupportedDockerDownload
API ServerExecutable WAR
FrontendSingle Page Application
BundledExecutable WAR☑️
Traditional WARWAR

API Server

The API Server contains an embedded Jetty server and all server-side functionality, but excludes the frontend user interface. This variant is new as of Dependency-Track v4.0.

Frontend

The Frontend is the user interface that is accessible in a web browser. The Frontend is a Single Page Application (SPA) that can be deployed independently of the Dependency-Track API Server. This variant is new as of Dependency-Track v3.8.

Bundled

The Bundled variant combines the API Server and the Frontend user interface. This variant was previously referred to as the executable war and was the preferred distribution from Dependency-Track v3.0 - v3.8. This variant is supported but deprecated and will be discontinued in a future release.

Traditional

The Traditional variant combines the API Server and the Frontend user interface and must be deployed to a Servlet container. This variant is not supported, deprecated, and will be discontinued in a future release.

Deploying on Kubernetes with Helm

You can install on Kubernetes using the community-maintained chart like this:

Helm v3:

helm repo add evryfs-oss https://evryfs.github.io/helm-charts/
helm install dependency-track evryfs-oss/dependency-track --namespace dependency-track --create-namespace

Helm v2:

helm repo add evryfs-oss https://evryfs.github.io/helm-charts/
helm install evryfs-oss/dependency-track --name dependency-track --namespace dependency-track --create-namespace

by default, it will install PostgreSQL and use persistent volume claims for the data-directory used for vulnerability feeds.

Compiling From Sources (optional)

To create the API Server executable WAR that is ready to launch:

mvn clean package -P enhance -P embedded-jetty

To create the API Server executable WAR that is ready to be deployed in a Docker container:

mvn clean package -P enhance -P embedded-jetty -Dlogback.configuration.file=src/main/docker/logback.xml

To create the Bundled (API Server + Frontend) executable WAR that is ready to be deployed in a Docker container:

mvn clean package -P enhance -P embedded-jetty -P bundle-ui -Dlogback.configuration.file=src/main/docker/logback.xml

To run for local dev

Command Line

Using the maven jetty plugin, you can just run mvn -P enhance jetty:run and mvn jetty:stop.

The plugin will periodically scan your project for changes and automatically redeploy the application.

Resources

Community

Copyright & License

Dependency-Track is Copyright (c) Steve Springett. All Rights Reserved.

Permission to modify and redistribute is granted under the terms of the Apache License 2.0.

Dependency-Track makes use of several other open source libraries. Please see the notices file for more information.