Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Dependency-Track takes a unique and highly beneficial approach by leveraging the capabilities of Software Bill of Materials (SBOM). This approach provides capabilities that traditional Software Composition Analysis (SCA) solutions cannot achieve.
```bash
# Download the latest Docker Compose file
curl -LO https://dependencytrack.org/docker-compose.yml
# Start the stack with Docker Compose in detached mode (containers run in the background)
docker-compose up --detach
```
To publish CycloneDX BOMs, you need a valid API key and the UUID of the target project. Base64-encode the BOM and place the resulting text in the ‘bom’ field.
```bash
curl -X "PUT" "http://dtrack.example.com/api/v1/bom" \
-H 'Content-Type: application/json' \
-H 'X-API-Key: XXXXXXXXXXX' \
-d $'{
"project": "f90934f5-cb88-47ce-81cb-db06fc67d4b4",
"bom": "PD94bWwgdm..."
}'
```
It’s also possible to publish BOMs via HTTP POST, which does not require Base64-encoding the payload.
```bash
curl -X "POST" "http://dtrack.example.com/api/v1/bom" \
-H 'Content-Type: multipart/form-data' \
-H 'X-Api-Key: XXXXXXXXXXX' \
-F "project=f90934f5-cb88-47ce-81cb-db06fc67d4b4" \
-F "bom=<?xml version=\"1.0\" encoding=\"UTF-8\"?>..."
```
When the scan or BOM being uploaded is large, it may be preferable to use cURL’s ability to read the payload from a file.
```bash
curl -X "PUT" "http://dtrack.example.com/api/v1/bom" \
-H 'Content-Type: application/json' \
-H 'X-API-Key: XXXXXXXXXXX' \
-d @payload.json
```
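The two upload methods above (JSON PUT with a Base64-encoded BOM, and multipart POST with the raw BOM) scripted in Python, as an added example that is not code from the Dependency-Track project. It assumes a Dependency-Track server reachable at whatever `base_url` you pass and a hypothetical local file `bom.xml`; the API key is a placeholder, the project UUID is the one from the page, and the embedded sample BOM is constructed for the demonstration. The project UUID is validated before it is sent, and the API key travels only in the `X-Api-Key` header, never in the URL.

```python
"""Upload a CycloneDX BOM to Dependency-Track (added example, not project code)."""
import base64
import json
import uuid
import urllib.request

BOM_ENDPOINT = "/api/v1/bom"

# Project UUID taken from the page; the API key is a placeholder.
PROJECT_UUID = "f90934f5-cb88-47ce-81cb-db06fc67d4b4"
API_KEY = "XXXXXXXXXXX"

# Constructed minimal CycloneDX BOM used as sample input.
SAMPLE_BOM = b"""<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <components/>
</bom>
"""


def validate_project_uuid(project: str) -> str:
    """Accept only a canonical hyphenated UUID; anything else never reaches the API."""
    parsed = uuid.UUID(project)  # raises ValueError on malformed input
    if str(parsed) != project.lower():
        raise ValueError("project must be a canonical hyphenated UUID")
    return str(parsed)


def build_put_payload(project: str, bom: bytes) -> str:
    """JSON body for PUT /api/v1/bom: project UUID plus Base64-encoded BOM."""
    body = {
        "project": validate_project_uuid(project),
        "bom": base64.b64encode(bom).decode("ascii"),
    }
    return json.dumps(body)


def parse_put_payload(payload: str) -> tuple:
    """Inverse of build_put_payload: (project, raw BOM bytes) for inspection."""
    body = json.loads(payload)
    return body["project"], base64.b64decode(body["bom"])


def build_multipart_body(project: str, bom: bytes, boundary: str) -> bytes:
    """multipart/form-data body for POST /api/v1/bom; the BOM is sent as-is."""
    b = boundary.encode("ascii")
    crlf = b"\r\n"
    return b"".join([
        b"--" + b + crlf,
        b'Content-Disposition: form-data; name="project"' + crlf + crlf,
        validate_project_uuid(project).encode("ascii") + crlf,
        b"--" + b + crlf,
        b'Content-Disposition: form-data; name="bom"' + crlf + crlf,
        bom + crlf,
        b"--" + b + b"--" + crlf,
    ])


def upload_bom_put(base_url: str, api_key: str, project: str, bom: bytes) -> dict:
    """PUT the JSON payload and return the server's parsed JSON response."""
    req = urllib.request.Request(
        base_url.rstrip("/") + BOM_ENDPOINT,
        data=build_put_payload(project, bom).encode("utf-8"),
        method="PUT",
        headers={"Content-Type": "application/json", "X-Api-Key": api_key},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def upload_bom_post(base_url: str, api_key: str, project: str, bom: bytes) -> dict:
    """POST the multipart body (no Base64) and return the parsed JSON response."""
    boundary = "----dtrack-" + uuid.uuid4().hex
    req = urllib.request.Request(
        base_url.rstrip("/") + BOM_ENDPOINT,
        data=build_multipart_body(project, bom, boundary),
        method="POST",
        headers={
            "Content-Type": f"multipart/form-data; boundary={boundary}",
            "X-Api-Key": api_key,
        },
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Build both bodies from the sample BOM without contacting a server.
    print(build_put_payload(PROJECT_UUID, SAMPLE_BOM))
    print(build_multipart_body(PROJECT_UUID, SAMPLE_BOM, "demo").decode())
    # Real use: upload_bom_put("https://dtrack.example.com", API_KEY, PROJECT_UUID,
    #                          open("bom.xml", "rb").read())
```

In practice the BOM is read from the build's output file and `base_url` should be an HTTPS endpoint so the API key is not sent in clear text; the multipart path is the one to prefer for large BOMs because it avoids the roughly one-third size increase that Base64 adds to the JSON body.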
Dependency-Track contains a full mirror of each vulnerability datasource it supports. Virtually all public information about a vulnerability, including the description, affected versions, CWE, and severity, is captured, along with the affected projects. The list of affected projects is generated dynamically from the data in Dependency-Track at the time of the query.
Dependency-Track relies on integration with repositories to obtain metadata that is useful for identifying risk. Build tools use package repositories to manage and automatically resolve dependencies.
Dependency-Track incorporates the concept of repositories, completely independent of software engineering use-cases, as a way to gain additional intelligence about the components it’s tracking. Dependency-Track brings the power of package repositories to every project the system tracks, whether the project is developed internally or commercial off-the-shelf software.
https://docs.dependencytrack.org/datasources/repositories/
| State | Description |
|---|---|
| EXPLOITABLE | The finding is exploitable (or likely exploitable) |
| IN_TRIAGE | An investigation is in progress to determine if the finding is accurate and affects the project or component |
| FALSE_POSITIVE | The finding was identified through faulty logic or data (i.e. misidentified component or incorrect vulnerability intelligence) |
| NOT_AFFECTED | The finding is a true positive, but the project is not affected by the vulnerability identified |
| NOT_SET | Analysis of the finding has not commenced |
- https://docs.dependencytrack.org/integrations/notifications/
- https://docs.dependencytrack.org/integrations/rest-api/
- https://docs.dependencytrack.org/integrations/badges/
These are verbatim notes from https://docs.dependencytrack.org. Please visit the original documentation for more up-to-date definitions.