Dependency Track: Analyze your vulnerabilities from the use of third-party components
In this post we are going to talk about the OWASP tool called Dependency-Track. To start, a good question is….
What is Dependency-Track?
Dependency Track is a vulnerability analysis tool that audits the components or external libraries that we use for our applications. This tool has integrations with different vulnerability databases such as NPM Public Advisories, National Vulnerability Database, Sonartype OSS Index and VulnDB.
Dependency Track is in charge of proactively analyzing all your applications in order to identify vulnerabilities in open source components that may put your application at risk.
How does Dependency-Track work?
Dependency-Track takes full advantage of the Bill-of-Materials Software (SBOM). Thanks to this, we can obtain more complete and sophisticated information than with traditional component analysis.
These BOM files (bill-of-materials) define and describe the content that is used in the manufacturing of the deliverables. This content includes the data of the author, publishers, licenses, versions and copyright.
To generate the BoM file we have several tools, but one of the better known is CycloneDX. Once we have our BoM file we can upload it to Dependency-Track manually or by integrating the upload in our CICD.
CycloneDX supports and integrates through its plugins with various languages
- CycloneDX .NET Core
- CycloneDX Node.js Module
- CycloneDX Java (Maven) Plugin
- CycloneDX Java (Gradle) Plugin
- CycloneDX Java API
- CycloneDX PHP Composer
- CycloneDX Python Module
- CycloneDX Ruby Gem
- CycloneDX Rust Cargo
Dependency Track is designed to be easily integrated into our Continuous Integration and Continuous Deployment processes. In order to do all this, it has a powerful API and a plugin for Jenkins that allows us to integrate this process into our pipelines.
Dependency-Track enables DevOps teams to accelerate processes and development while still controlling the use of external components and the risks they may cause.
This tool also has an integrated alert system via email or with integrations with various messaging services such as Slack or Microsoft Teams. All of them customizable through templates.
How can I deploy it?
To create your own Dependency-Track service you have several options:
- Using War -> This is the most difficult to deploy option as it requires an already installed and configured Servlet container such as Apache Tomcat 8.5 and higher, however, it offers the most flexible deployment options
- Executable War -> The Dependency-Track executable WAR is delivered ready-to-run. An executable WAR is a traditional Java Web Archive (WAR) that is packaged in a way where it can executed from the command-line.
- Docker Container -> Deploying with Docker is the easiest and fastest method of getting started. No prerequisites are required other than a modern version of Docker.
Read more about Dependency-Track here: