DependencyTrack/dependency-track

Project: dependency-track (GitHub Link)

dependency-track-master
- .github
  - ISSUE_TEMPLATE
    - ask-a-question.md
    - enhancement-request.md
    - defect-report.md
  - FUNDING.yml
  - workflows
    - anchore.yml
    - maven.yml
  - lock.yml
- src
  - main
    - resources
      - logback.xml
      - nist
      - license-list-data
        json
        licenses.json
        exceptions.json
        exceptions
        gnu-javamail-exception.json
        OCaml-LGPL-linking-exception.json
        WxWindows-exception-3.1.json
        freertos-exception-2.0.json
        u-boot-exception-2.0.json
        openvpn-openssl-exception.json
        Qt-LGPL-exception-1.1.json
        i2p-gpl-java-exception.json
        GCC-exception-3.1.json
        OCCT-exception-1.0.json
        GCC-exception-2.0.json
        CLISP-exception-2.0.json
        OpenJDK-assembly-exception-1.0.json
        Libtool-exception.json
        Autoconf-exception-3.0.json
        Fawkes-Runtime-exception.json
        FLTK-exception.json
        GPL-CC-1.0.json
        Font-exception-2.0.json
        Linux-syscall-note.json
        mif-exception.json
        LZMA-exception.json
        eCos-exception-2.0.json
        Bison-exception-2.2.json
        389-exception.json
        Qwt-exception-1.0.json
        Nokia-Qt-exception-1.1.json
        Classpath-exception-2.0.json
        DigiRule-FOSS-exception.json
        PS-or-PDF-font-exception-20170817.json
        Qt-GPL-exception-1.0.json
        LLVM-exception.json
        Bootloader-exception.json
        Autoconf-exception-2.0.json
        details
        MPL-1.0.json
        bzip2-1.0.6.json
        GPL-2.0.json
        LPPL-1.0.json
        ISC.json
        BSD-2-Clause-NetBSD.json
        Info-ZIP.json
        ErlPL-1.1.json
        Saxpath.json
        AGPL-1.0-only.json
        Zend-2.0.json
        BSD-2-Clause-Patent.json
        AFL-1.1.json
        eGenix.json
        NetCDF.json
        IPL-1.0.json
        CC-BY-NC-ND-4.0.json
        Glulxe.json
        MIT-feh.json
        AFL-1.2.json
        LPL-1.02.json
        GPL-1.0-only.json
        AMPAS.json
        OLDAP-1.3.json
        LGPL-2.1+.json
        EFL-1.0.json
        CC-BY-ND-2.5.json
        AGPL-3.0.json
        Zimbra-1.4.json
        TORQUE-1.1.json
        AFL-3.0.json
        CATOSL-1.1.json
        diffmark.json
        IBM-pibs.json
        LPPL-1.3c.json
        HPND.json
        Xnet.json
        CC-BY-NC-SA-4.0.json
        BSD-3-Clause-No-Nuclear-License.json
        BSL-1.0.json
        CECILL-C.json
        libtiff.json
        Barr.json
        Abstyles.json
        xinetd.json
        OpenSSL.json
        OGTSL.json
        APL-1.0.json
        LiLiQ-P-1.1.json
        NLOD-1.0.json
        CC-BY-ND-1.0.json
        GPL-2.0-only.json
        SCEA.json
        YPL-1.0.json
        PHP-3.01.json
        BSD-3-Clause-Attribution.json
        GL2PS.json
        LGPL-2.1-only.json
        Zimbra-1.3.json
        LGPLLR.json
        NTP.json
        SGI-B-1.0.json
        MTLL.json
        Python-2.0.json
        Mup.json
        Artistic-1.0.json
        WXwindows.json
        CC-BY-SA-2.0.json
        FSFAP.json
        GPL-3.0-or-later.json
        HaskellReport.json
        copyleft-next-0.3.0.json
        W3C-19980720.json
        Ruby.json
        GFDL-1.3.json
        NBPL-1.0.json
        OLDAP-1.4.json
        MIT-enna.json
        CDLA-Sharing-1.0.json
        OSL-2.0.json
        LPPL-1.2.json
        NGPL.json
        LiLiQ-Rplus-1.1.json
        CC-BY-2.5.json
        Afmparse.json
        CrystalStacker.json
        mpich2.json
        CC-BY-NC-ND-1.0.json
        OLDAP-2.0.1.json
        Sendmail-8.23.json
        gSOAP-1.3b.json
        OLDAP-1.1.json
        NASA-1.3.json
        LAL-1.2.json
        OLDAP-2.2.2.json
        CC-BY-NC-3.0.json
        RPL-1.5.json
        NPOSL-3.0.json
        GPL-3.0-with-autoconf-exception.json
        copyleft-next-0.3.1.json
        LGPL-2.0.json
        CDDL-1.0.json
        APSL-1.0.json
        OLDAP-2.2.json
        MIT-CMU.json
        GPL-2.0-with-autoconf-exception.json
        Spencer-99.json
        AFL-2.1.json
        OFL-1.0.json
        QPL-1.0.json
        Linux-OpenIB.json
        Plexus.json
        MS-RL.json
        Spencer-94.json
        CERN-OHL-1.1.json
        CECILL-2.1.json
        CC-BY-NC-SA-1.0.json
        OSL-3.0.json
        CPAL-1.0.json
        OLDAP-2.1.json
        Aladdin.json
        YPL-1.1.json
        BSD-Protection.json
        Giftware.json
        Caldera.json
        xpp.json
        GPL-2.0-with-font-exception.json
        MIT-advertising.json
        DOC.json
        Unlicense.json
        Libpng.json
        BSD-Source-Code.json
        Artistic-1.0-Perl.json
        FTL.json
        TMate.json
        MITNFA.json
        eCos-2.0.json
        CNRI-Python-GPL-Compatible.json
        CC0-1.0.json
        LAL-1.3.json
        OPL-1.0.json
        SimPL-2.0.json
        GPL-2.0-or-later.json
        iMatix.json
        OSL-1.1.json
        CC-BY-SA-1.0.json
        Fair.json
        MS-PL.json
        OLDAP-2.2.1.json
        Apache-2.0.json
        W3C.json
        Vim.json
        BSD-2-Clause-FreeBSD.json
        gnuplot.json
        CC-BY-NC-2.0.json
        LiLiQ-R-1.1.json
        curl.json
        AMDPLPA.json
        GPL-3.0+.json
        EUPL-1.1.json
        Nokia.json
        ANTLR-PD.json
        EUPL-1.2.json
        JSON.json
        OCLC-2.0.json
        MIT-0.json
        Apache-1.0.json
        dvipdfm.json
        AML.json
        W3C-20150513.json
        ZPL-1.1.json
        Sendmail.json
        GPL-1.0+.json
        TOSL.json
        Rdisc.json
        Frameworx-1.0.json
        ODbL-1.0.json
        OSL-2.1.json
        Borceux.json
        AGPL-1.0.json
        CECILL-1.1.json
        APAFML.json
        BSD-3-Clause-No-Nuclear-Warranty.json
        OLDAP-2.4.json
        SGI-B-2.0.json
        Wsuipa.json
        XFree86-1.1.json
        OLDAP-2.5.json
        Beerware.json
        JPNIC.json
        Sleepycat.json
        Glide.json
        AFL-2.0.json
        ClArtistic.json
        OCCT-PL.json
        RSA-MD.json
        0BSD.json
        TCP-wrappers.json
        OGL-UK-1.0.json
        OLDAP-2.8.json
        OGL-UK-2.0.json
        ZPL-2.1.json
        LPPL-1.1.json
        BSD-3-Clause-LBNL.json
        Condor-1.1.json
        Noweb.json
        APSL-2.0.json
        GFDL-1.2-only.json
        VOSTROM.json
        OGL-UK-3.0.json
        Spencer-86.json
        OLDAP-2.3.json
        Apache-1.1.json
        MakeIndex.json
        CC-BY-NC-1.0.json
        IPA.json
        Interbase-1.0.json
        StandardML-NJ.json
        LGPL-2.0+.json
        Eurosym.json
        UPL-1.0.json
        DSDP.json
        WTFPL.json
        BSD-4-Clause.json
        OSET-PL-2.1.json
        CDLA-Permissive-1.0.json
        LGPL-3.0-or-later.json
        Leptonica.json
        EUPL-1.0.json
        Cube.json
        IJG.json
        CC-BY-NC-SA-2.5.json
        AGPL-1.0-or-later.json
        CNRI-Python.json
        Adobe-2006.json
        CUA-OPL-1.0.json
        CC-BY-NC-4.0.json
        CECILL-2.0.json
        GFDL-1.1-or-later.json
        OLDAP-1.2.json
        psfrag.json
        Entessa.json
        ECL-2.0.json
        BSD-3-Clause-No-Nuclear-License-2014.json
        EUDatagrid.json
        Xerox.json
        CC-BY-NC-2.5.json
        ECL-1.0.json
        JasPer-2.0.json
        SAX-PD.json
        GFDL-1.2-or-later.json
        CC-BY-NC-ND-2.5.json
        Multics.json
        OSL-1.0.json
        SPL-1.0.json
        GFDL-1.1.json
        GPL-2.0-with-GCC-exception.json
        Intel.json
        SMPPL.json
        Unicode-DFS-2015.json
        XSkat.json
        LGPL-3.0.json
        LPPL-1.3a.json
        GPL-2.0+.json
        Artistic-1.0-cl8.json
        LGPL-2.1-or-later.json
        CECILL-1.0.json
        SISSL.json
        Zlib.json
        CC-BY-3.0.json
        LGPL-2.0-or-later.json
        X11.json
        BSD-2-Clause.json
        CPOL-1.02.json
        CPL-1.0.json
        GFDL-1.3-or-later.json
        CC-BY-NC-ND-2.0.json
        FSFULLR.json
        psutils.json
        D-FSL-1.0.json
        GPL-2.0-with-classpath-exception.json
        OML.json
        Nunit.json
        Imlib2.json
        AGPL-3.0-or-later.json
        EFL-2.0.json
        OLDAP-2.6.json
        MPL-2.0.json
        Watcom-1.0.json
        HPND-sell-variant.json
        APSL-1.2.json
        GPL-1.0.json
        SGI-B-1.1.json
        GPL-3.0.json
        CC-BY-ND-4.0.json
        BSD-3-Clause.json
        CC-BY-NC-ND-3.0.json
        EPL-2.0.json
        LGPL-3.0+.json
        CC-BY-2.0.json
        PostgreSQL.json
        Adobe-Glyph.json
        Bahyph.json
        SISSL-1.2.json
        zlib-acknowledgement.json
        CC-BY-SA-2.5.json
        ODC-By-1.0.json
        Naumen.json
        VSL-1.0.json
        Latex2e.json
        GFDL-1.2.json
        PHP-3.0.json
        LGPL-2.0-only.json
        ZPL-2.0.json
        RPSL-1.0.json
        CERN-OHL-1.2.json
        Motosoto.json
        GFDL-1.3-only.json
        CC-BY-SA-3.0.json
        TU-Berlin-2.0.json
        MirOS.json
        MIT.json
        NRL.json
        FSFUL.json
        MPL-1.1.json
        CECILL-B.json
        BSD-1-Clause.json
        NLPL.json
        NOSL.json
        CC-BY-1.0.json
        OLDAP-2.7.json
        CC-BY-4.0.json
        RHeCos-1.1.json
        CC-BY-ND-2.0.json
        OLDAP-2.0.json
        Unicode-DFS-2016.json
        Zed.json
        NCSA.json
        BitTorrent-1.0.json
        MPL-2.0-no-copyleft-exception.json
        TU-Berlin-1.0.json
        Net-SNMP.json
        ICU.json
        RPL-1.1.json
        BitTorrent-1.1.json
        CNRI-Jython.json
        GPL-3.0-with-GCC-exception.json
        APSL-1.1.json
        Artistic-2.0.json
        BSD-4-Clause-UC.json
        GFDL-1.1-only.json
        FreeImage.json
        libpng-2.0.json
        CC-BY-ND-3.0.json
        NPL-1.0.json
        Unicode-TOU.json
        Crossword.json
        CC-BY-NC-SA-3.0.json
        SNIA.json
        SMLNJ.json
        ADSL.json
        GPL-2.0-with-bison-exception.json
        PDDL-1.0.json
        GPL-3.0-only.json
        Newsletr.json
        OFL-1.1.json
        EPL-1.0.json
        TCL.json
        CDDL-1.1.json
        SWL.json
        TAPR-OHL-1.0.json
        CC-BY-NC-SA-2.0.json
        AGPL-3.0-only.json
        Dotseqn.json
        LPL-1.0.json
        Qhull.json
        SugarCRM-1.1.3.json
        BSD-3-Clause-Clear.json
        CC-BY-SA-4.0.json
        ImageMagick.json
        AAL.json
        NPL-1.1.json
        LGPL-2.1.json
        GPL-1.0-or-later.json
        bzip2-1.0.5.json
        LGPL-3.0-only.json
        RSCPL.json
        Intel-ACPI.json
      - default-objects
        licenseGroups.json
      - templates
        notification
        publisher
        msteams.peb
        slack.peb
        email.peb
        webhook.peb
        console.peb
        badge
        project-novulns.peb
        project-vulns.peb
        project-nometrics.peb
      - application.version
      - META-INF
        persistence.xml
      - application.properties
    - docker
      - logback.xml
      - Dockerfile
      - docker-compose.yml
    - java
      - org
        dependencytrack
        integrations
        IntegrationPoint.java
        PortfolioFindingUploader.java
        AbstractIntegrationPoint.java
        kenna
        KennaDataTransformer.java
        KennaSecurityUploader.java
        FindingUploader.java
        fortifyssc
        FortifySscUploader.java
        FortifySscClient.java
        FindingPackagingFormat.java
        ProjectFindingUploader.java
        resources
        v1
        ProjectResource.java
        FindingResource.java
        vo
        DependencyRequest.java
        AnalysisRequest.java
        MappedLdapGroupRequest.java
        BomSubmitRequest.java
        package-info.java
        CloneProjectRequest.java
        MappedOidcGroupRequest.java
        MetricsResource.java
        PermissionResource.java
        RepositoryResource.java
        DependencyResource.java
        NotificationRuleResource.java
        ConfigPropertyResource.java
        NotificationPublisherResource.java
        misc
        Badger.java
        ComponentResource.java
        ProjectPropertyResource.java
        LdapResource.java
        CalculatorResource.java
        PolicyConditionResource.java
        package-info.java
        BadgeResource.java
        SearchResource.java
        PolicyResource.java
        UserResource.java
        OidcResource.java
        CweResource.java
        VulnerabilityResource.java
        TeamResource.java
        LicenseResource.java
        AnalysisResource.java
        AbstractConfigPropertyResource.java
        serializers
        CustomPackageURLSerializer.java
        BomResource.java
        LicenseGroupResource.java
        package-info.java
        search
        ProjectIndexer.java
        LicenseIndexer.java
        VulnerabilityIndexer.java
        CpeIndexer.java
        IndexManager.java
        SearchResult.java
        ComponentIndexer.java
        ObjectIndexer.java
        package-info.java
        IndexManagerFactory.java
        SearchManager.java
        VulnerableSoftwareIndexer.java
        IndexConstants.java
        upgrade
        v370
        v370Updater.java
        v310
        v310Updater.java
        v350
        v350Updater.java
        v321
        v321Updater.java
        v320
        v320Updater.java
        v360
        v360Updater.java
        UpgradeItems.java
        v340
        v340Updater.java
        v380
        v380Updater.java
        v330
        v330Updater.java
        UpgradeInitializer.java
        common
        ManagedHttpClient.java
        HttpClientPool.java
        UnirestFactory.java
        ManagedHttpClientFactory.java
        RequirementsVerifier.java
        util
        XmlUtil.java
        InternalComponentIdentificationUtil.java
        VulnerabilityUtil.java
        DateUtil.java
        JsonUtil.java
        HashUtil.java
        CompressUtil.java
        HttpUtil.java
        ComponentVersion.java
        NotificationUtil.java
        exception
        RequirementsException.java
        package-info.java
        ParseException.java
        event
        EventSubsystemInitializer.java
        IndexEvent.java
        RepositoryMetaEvent.java
        InternalComponentIdentificationEvent.java
        AbstractVulnerabilityManagementUploadEvent.java
        NpmAuditAnalysisEvent.java
        VulnerabilityAnalysisEvent.java
        BomUploadEvent.java
        NpmAdvisoryMirrorEvent.java
        NistMirrorEvent.java
        package-info.java
        VulnDbSyncEvent.java
        OssIndexAnalysisEvent.java
        VulnDbAnalysisEvent.java
        CloneProjectEvent.java
        InternalAnalysisEvent.java
        FortifySscUploadEventAbstract.java
        KennaSecurityUploadEventAbstract.java
        MetricsUpdateEvent.java
        tasks
        FortifySscUploadTask.java
        InternalComponentIdentificationTask.java
        NistMirrorTask.java
        scanners
        NpmAuditAnalysisTask.java
        AbstractVulnerableSoftwareAnalysisTask.java
        OssIndexAnalysisTask.java
        VulnDbAnalysisTask.java
        ScanTask.java
        BaseComponentAnalyzerTask.java
        InternalAnalysisTask.java
        VulnDbSyncTask.java
        NpmAdvisoryMirrorTask.java
        TaskScheduler.java
        repositories
        HexMetaAnalyzer.java
        IMetaAnalyzer.java
        GemMetaAnalyzer.java
        PypiMetaAnalyzer.java
        NugetMetaAnalyzer.java
        MavenMetaAnalyzer.java
        MetaModel.java
        RepositoryMetaAnalyzerTask.java
        AbstractMetaAnalyzer.java
        NpmMetaAnalyzer.java
        MetricsUpdateTask.java
        KennaSecurityUploadTask.java
        VulnerabilityAnalysisTask.java
        IndexTask.java
        package-info.java
        CloneProjectTask.java
        BomUploadProcessingTask.java
        VulnerabilityManagementUploadTask.java
        servlets
        NvdMirrorServlet.java
        notification
        vo
        NewVulnerabilityIdentified.java
        NewVulnerableDependency.java
        BomConsumedOrProcessed.java
        AnalysisDecisionChange.java
        NotificationConstants.java
        publisher
        SendMailPublisher.java
        ConsolePublisher.java
        WebhookPublisher.java
        Publisher.java
        SlackPublisher.java
        AbstractWebhookPublisher.java
        MsTeamsPublisher.java
        DefaultNotificationPublishers.java
        NotificationSubsystemInitializer.java
        NotificationRouter.java
        NotificationScope.java
        NotificationGroup.java
        auth
        Permissions.java
        package-info.java
        model
        AnalysisState.java
        NotificationRule.java
        Cwe.java
        Severity.java
        ComponentMetrics.java
        PolicyCondition.java
        VulnerableSoftware.java
        LicenseGroup.java
        ProjectMetrics.java
        CpeReference.java
        ComponentAnalysisCache.java
        ICpe.java
        DependencyMetrics.java
        License.java
        Analysis.java
        NotificationPublisher.java
        Bom.java
        Policy.java
        Classifier.java
        ConfigPropertyConstants.java
        Dependency.java
        Project.java
        PortfolioMetrics.java
        VulnerabilityMetrics.java
        Finding.java
        package-info.java
        IdentifiableObject.java
        Component.java
        RepositoryMetaComponent.java
        Tag.java
        Repository.java
        RepositoryType.java
        ProjectProperty.java
        Vulnerability.java
        AnalysisComment.java
        Cpe.java
        metrics
        package-info.java
        Metrics.java
        persistence
        QueryManager.java
        PackageURLStringConverter.java
        DefaultObjectGenerator.java
        CweImporter.java
        package-info.java
        defaults
        IDefaultObjectImporter.java
        DefaultLicenseGroupImporter.java
        parser
        vulndb
        ModelConverter.java
        nvd
        ModelConverter.java
        CpeDictionaryParser.java
        package-info.java
        NvdParser.java
        common
        resolver
        CweResolver.java
        ComponentResolver.java
        npm
        BaseAdvisoryParser.java
        package-info.java
        NpmAuditParser.java
        model
        AdvisoryResults.java
        Advisory.java
        package-info.java
        NpmAdvisoriesParser.java
        cyclonedx
        util
        ModelConverter.java
        package-info.java
        spdx
        rdf
        SpdxDocumentParser.java
        package-info.java
        json
        SpdxLicenseDetailParser.java
        package-info.java
        package-info.java
        ossindex
        OssIndexParser.java
        model
        ComponentReport.java
        ComponentReportVulnerability.java
    - webapp
      - WEB-INF
        fragments
        error.jsp
        web.xml
  - test
    - resources
      - integration
        application-postgres.properties
        application-mysql.properties
        application-h2.properties
      - SPDXTagExample-v2.1.spdx
      - bom-1.xml
      - textfile.txt
    - java
      - org
        dependencytrack
        integrations
        FindingUploaderTest.java
        kenna
        KennaSecurityUploaderTest.java
        ProjectFindingUploaderTest.java
        AbstractIntegrationPointTest.java
        IntegrationPointTest.java
        fortifyssc
        FortifySscClientTest.java
        FortifySscUploaderTest.java
        PortfolioFindingUploaderTest.java
        FindingPackagingFormatTest.java
        resources
        v1
        ProjectPropertyResourceTest.java
        SearchResourceTest.java
        DependencyResourceTest.java
        RepositoryResourceTest.java
        AnalysisResourceTest.java
        PermissionResourceTest.java
        UserResourceUnauthenticatedTest.java
        ConfigPropertyResourceTest.java
        OidcResourceAuthenticatedTest.java
        ComponentResourceTest.java
        NotificationRuleResourceTest.java
        FindingResourceTest.java
        VulnerabilityResourceTest.java
        CalculatorResourceTest.java
        NotificationPublisherResourceTest.java
        LdapResourceTest.java
        LicenseResourceTest.java
        UserResourceAuthenticatedTest.java
        CweResourceTest.java
        TeamResourceTest.java
        OidcResourceUnauthenticatedTest.java
        ProjectResourceTest.java
        BomResourceTest.java
        search
        ProjectIndexerTest.java
        LicenseIndexerTest.java
        ComponentIndexerTest.java
        VulnerabilityIndexerTest.java
        integration
        ApiClient.java
        PopulateData.java
        common
        ManagedHttpClientTest.java
        ManagedHttpClientFactoryTest.java
        HttpClientPoolTest.java
        UnirestFactoryTest.java
        util
        DateUtilTest.java
        HashUtilTest.java
        InternalComponentIdentificationUtilTest.java
        HttpUtilTest.java
        exception
        ParseExceptionTest.java
        event
        CloneProjectEventTest.java
        KennaSecurityUploadEventTest.java
        NpmAdvisoryMirrorEventTest.java
        NpmAuditAnalysisEventTest.java
        BomUploadEventTest.java
        NistMirrorEventTest.java
        InternalAnalysisEventTest.java
        FortifySscUploadEventTest.java
        VulnDbSyncEventTest.java
        RepositoryMetaEventTest.java
        MetricsUpdateEventTest.java
        IndexEventTest.java
        OssIndexAnalysisEventTest.java
        VulnerabilityAnalysisEventTest.java
        tasks
        repositories
        PypiMetaAnalyzerTest.java
        NugetMetaAnalyzerTest.java
        MavenMetaAnalyzerTest.java
        GemMetaAnalyzerTest.java
        NpmMetaAnalyzerTest.java
        HexMetaAnalyzerTest.java
        PersistenceCapableTest.java
        notification
        vo
        AnalysisDecisionChangeTest.java
        NewVulnerableDependencyTest.java
        NewVulnerabilityIdentifiedTest.java
        publisher
        WebhookPublisherTest.java
        DefaultNotificationPublishersTest.java
        MsTeamsPublisherTest.java
        ConsolePublisherTest.java
        SlackPublisherTest.java
        NotificationGroupTest.java
        NotificationRouterTest.java
        NotificationConstantsTest.java
        NotificationScopeTest.java
        NotificationSubsystemInitializerTest.java
        auth
        PermissionsTest.java
        model
        LicenseGroupTest.java
        RepositoryMetaComponentTest.java
        ProjectPropertyTest.java
        ProjectMetricsTest.java
        TagTest.java
        AnalysisStateTest.java
        AnalysisCommentTest.java
        ClassifierTest.java
        PolicyTest.java
        ProjectTest.java
        AnalysisTest.java
        PolicyConditionTest.java
        DependencyMetricsTest.java
        BomTest.java
        ComponentTest.java
        CpeReferenceTest.java
        VulnerabilityMetricsTest.java
        NotificationPublisherTest.java
        CweTest.java
        VulnerabilityTest.java
        FindingTest.java
        RepositoryTypeTest.java
        RepositoryTest.java
        LicenseTest.java
        ComponentMetricsTest.java
        PortfolioMetricsTest.java
        VulnerableSoftwareTest.java
        DependencyTest.java
        CpeTest.java
        SeverityTest.java
        NotificationRuleTest.java
        servlet
        NvdMirrorServletTest.java
        metrics
        MetricsTest.java
        persistence
        PackageURLStringConverterTest.java
        CweImporterTest.java
        DefaultObjectGeneratorTest.java
        parser
        common
        resolver
        CweResolverTest.java
        spdx
        SpdxDocumentParserTest.java
        ResourceTest.java
- release.sh
- prerelease.sh
- pom.xml
- upgrade
  - README.md
  - 3.0.0_to_3.0.1.sql
  - 3.7.1_and_previous_maven_central_fix.sql
- clearlogs.sh
- SECURITY.md
- README.md
- CODE_OF_CONDUCT.md
- .gitignore
- docs
  - robots.txt
  - _docs
    - best-practices.md
    - integrations
      - kenna.md
      - rest-api.md
      - ecosystem.md
      - notifications.md
      - fortify-ssc.md
      - badges.md
      - file-formats.md
      - threadfix.md
      - jenkins.md
    - usage
      - supply-chain-component-analysis.md
      - cicd.md
      - impact-analysis.md
    - getting-started
      - openidconnect-configuration.md
      - configuration.md
      - deploy-docker.md
      - initial-startup.md
      - data-directory.md
      - deploy-exewar.md
      - deploy-war.md
      - database-support.md
      - ldap-configuration.md
    - terminology.md
    - datasources
      - private-vuln-repo.md
      - ossindex.md
      - vulndb.md
      - internal-components.md
      - nvd.md
      - npm.md
      - routing.md
      - repositories.md
    - FAQ.md
    - triage
      - suppression.md
      - analysis-states.md
      - auditing-basics.md
    - _defaults.md
    - analysis-types
      - license.md
      - integrity-verification.md
      - known-vulnerabilities.md
      - outdated-components.md
  - 404.md
  - _sass
    - _pygments.scss
    - _typography.scss
    - _tables.scss
    - _code.scss
    - _normalize.scss
    - _layout.scss
    - _mixins.scss
  - _config.yml
  - Gemfile
  - images
    - badge-project-nometrics.svg
    - dt-logo-white-text.svg
    - badge-project-novulns.svg
    - badge-project-vulns.svg
    - screenshots
    - menu.svg
    - dt-logo-black-text.svg
  - odt-odc-comparison.html
  - changelog.html
  - CNAME
  - index.md
  - _layouts
    - default.html
  - favicon.ico
  - scripts
    - search.js
    - lunr.min.js
  - _plugins
    - replace-regex.rb
  - search.html
  - css
    - main.scss
  - _posts
    - 2018-03-29-v3.0.1.md
    - 2019-09-28-v3.6.0.md
    - 2020-03-22-v3.8.0.md
    - 2018-04-13-v3.0.3.md
    - 2018-06-20-v3.1.1.md
    - 2018-03-30-v3.0.2.md
    - 2018-11-13-v3.3.1.md
    - 2019-10-01-v3.6.1.md
    - 2018-09-21-v3.2.1.md
    - 2018-12-22-v3.4.0.md
    - 2019-04-16-v3.4.1.md
    - 2018-10-02-v3.2.2.md
    - 2019-12-16-v3.7.0.md
    - 2020-01-07-v3.7.1.md
    - _defaults.md
    - 2018-03-27-v3.0.0.md
    - 2019-06-07-v3.5.0.md
    - 2018-06-19-v3.1.0.md
    - 2018-09-06-v3.2.0.md
    - 2018-05-02-v3.0.4.md
    - 2018-10-25-v3.3.0.md
    - 2019-07-17-v3.5.1.md
- LICENSE.txt
- dev-docs.sh
- build-docs.sh

Dependency-Track is an intelligent Software Supply Chain Component Analysis platform that allows organizations to identify and reduce risk from the use of third-party and open source components. Dependency-Track takes a unique and highly beneficial approach by leveraging the capabilities of Software Bill-of-Materials (SBOM). This approach provides capabilities that traditional Software Composition Analysis (SCA) solutions cannot achieve.

Dependency-Track monitors component usage across all versions of every application in its portfolio in order to proactively identify risk across an organization. The platform has an API-first design and is ideal for use in Continuous Integration (CI) and Continuous Delivery (CD) environments.

NOTICE: Always use official binary releases in production.

Ecosystem Overview

alt text

Features

Tracks application, library, framework, operating system, and hardware components
Tracks component usage across all version of every application in an organizations portfolio
Identifies multiple forms of risk including
- Components with known vulnerabilities
- Out-of-date components
- Modified components
- License risk
- More coming soon...
Integrates with multiple sources of vulnerability intelligence including:
- National Vulnerability Database (NVD)
- NPM Public Advisories
- Sonatype OSS Index
- VulnDB from Risk Based Security
- More coming soon.
Ecosystem agnostic with built-in repository support for:
- Gems (Ruby)
- Hex (Erlang/Elixir)
- Maven (Java)
- NPM (Javascript)
- NuGet (.NET)
- Pypi (Python)
- More coming soon.
Includes a comprehensive auditing workflow for triaging results
Configurable notifications supporting Slack, Microsoft Teams, Webhooks, and Email
Supports standardized SPDX license ID’s and tracks license use by component
Supports importing CycloneDX and SPDX Software Bill-of-Materials (SBOM) formats
Easy to read metrics for components, projects, and portfolio
Native support for Kenna Security, Fortify SSC, and ThreadFix
API-first design facilitates easy integration with other systems
API documentation available in OpenAPI format
Supports internally managed users, Active Directory/LDAP, and API Keys
Simple to install and configure. Get up and running in just a few minutes

Screenshots

alt text

For more eye-candy, visit https://dependencytrack.org/.

Distributions

Dependency-Track supports the following three deployment options:

Docker container
Executable WAR
Conventional WAR

Deploying Docker Container

Deploying with Docker is the easiest and fastest method of getting started. No prerequisites are required other than an modern version of Docker. Dependency-Track uses the following conventions:

The 'latest' tag, which is pulled by default if no tag is specified, will always refer to the latest stable release (3.0.0, 3.0.1, 3.1.0, etc)
The 'snapshot' tag will be built and pushed on all CI changes to the master. Use this if you want a "moving target" with all the latest changes.
Version tags (3.0.0, 3.0.1, etc) are used to indicate each release

docker pull owasp/dependency-track
docker volume create --name dependency-track
docker run -d -p 8080:8080 --name dependency-track -v dependency-track:/data owasp/dependency-track

To run snapshot releases (not recommended for production):

docker pull owasp/dependency-track:snapshot
docker volume create --name dependency-track
docker run -d -p 8080:8080 --name dependency-track -v dependency-track:/data owasp/dependency-track:snapshot

In the event you want to delete all Dependency-Track images, containers, and volumes, the following statements may be executed. NOTE: This is a destructive operation and cannot be undone.

docker rmi owasp/dependency-track
docker rm dependency-track
docker volume rm dependency-track:/data

Deploying on Kubernetes with Helm

You can install on Kubernetes using the community-maintained chart like this:

helm repo add evryfs-oss https://evryfs.github.io/helm-charts/
helm install evryfs-oss/dependency-track --name dependency-track --namespace dependency-track

by default it will install PostgreSQL and use persistent volume claims for the data-directory used for vulnerability feeds.

Deploying the Executable WAR

Another simple way to get Dependency-Track running quickly is to automatically deploy the executable WAR. This method requires Java 8u101 or higher. Simply download dependency-track-embedded.war and execute:

java -Xmx4G -jar dependency-track-embedded.war

Deploying the Conventional WAR

This is the most difficult to deploy option as it requires an already installed and configured Servlet container such as Apache Tomcat 8.5 and higher, however, it offers the most flexible deployment options. Follow the Servlet containers instructions for deploying dependency-track.war.

Compiling From Sources (optional)

To create an executable WAR that is ready to launch (recommended for most users):

mvn clean package -P embedded-jetty

To create a WAR that must be manually deployed to a modern Servlet container (i.e. Tomcat 8.5+):

mvn clean package

To create an executable WAR that is ready to be deployed in a Docker container:

mvn clean package -P embedded-jetty -Dlogback.configuration.file=src/main/docker/logback.xml

Resources

Website: https://dependencytrack.org/
Documentation: https://docs.dependencytrack.org/
Component Analysis: https://owasp.org/www-community/Component_Analysis

Community

Twitter: https://dependencytrack.org/twitter
YouTube: https://dependencytrack.org/youtube
Gitter: https://dependencytrack.org/gitter
Slack: https://dependencytrack.org/slack (Invite: https://dependencytrack.org/slack/invite)
Discussion (Groups.io): https://dependencytrack.org/discussion

Support

Dependency-Track is an open source project, created by people who believe that the knowledge of using vulnerable components should be accessible to anyone with a desire to know. By supporting this project, you'll allow the team to outsource testing, infrastructure, further research and development efforts, and engage in outreach to various communities that would benefit from this technology.

Copyright & License

Permission to modify and redistribute is granted under the terms of the Apache License 2.0

Dependency-Track makes use of several other open source libraries. Please see the NOTICES.txt file for more information.