Dependency-Track is an intelligent Software Supply Chain Component Analysis platform that allows organizations to identify and reduce risk from the use of third-party and open source components. Dependency-Track takes a unique and highly beneficial approach by leveraging the capabilities of Software Bill-of-Materials (SBOM). This approach provides capabilities that traditional Software Composition Analysis (SCA) solutions cannot achieve.
Dependency-Track monitors component usage across all versions of every application in its portfolio in order to proactively identify risk across an organization. The platform has an API-first design and is ideal for use in Continuous Integration (CI) and Continuous Delivery (CD) environments.
NOTICE: Always use official binary releases in production.
For more eye-candy, visit https://dependencytrack.org/.
Dependency-Track supports the following three deployment options:
Deploying with Docker is the easiest and fastest method of getting started. No prerequisites are required other than an modern version of Docker. Dependency-Track uses the following conventions:
docker pull owasp/dependency-track
docker volume create --name dependency-track
docker run -d -p 8080:8080 --name dependency-track -v dependency-track:/data owasp/dependency-track
To run snapshot releases (not recommended for production):
docker pull owasp/dependency-track:snapshot
docker volume create --name dependency-track
docker run -d -p 8080:8080 --name dependency-track -v dependency-track:/data owasp/dependency-track:snapshot
In the event you want to delete all Dependency-Track images, containers, and volumes, the following statements may be executed. NOTE: This is a destructive operation and cannot be undone.
docker rmi owasp/dependency-track
docker rm dependency-track
docker volume rm dependency-track:/data
You can install on Kubernetes using the community-maintained chart like this:
helm repo add evryfs-oss https://evryfs.github.io/helm-charts/
helm install evryfs-oss/dependency-track --name dependency-track --namespace dependency-track
by default it will install PostgreSQL and use persistent volume claims for the data-directory used for vulnerability feeds.
Another simple way to get Dependency-Track running quickly is to automatically deploy the executable WAR. This
method requires Java 8u101 or higher. Simply download dependency-track-embedded.war
and execute:
java -Xmx4G -jar dependency-track-embedded.war
This is the most difficult to deploy option as it requires an already installed and configured Servlet
container such as Apache Tomcat 8.5 and higher, however, it offers the most flexible deployment options.
Follow the Servlet containers instructions for deploying dependency-track.war
.
To create an executable WAR that is ready to launch (recommended for most users):
mvn clean package -P embedded-jetty
To create a WAR that must be manually deployed to a modern Servlet container (i.e. Tomcat 8.5+):
mvn clean package
To create an executable WAR that is ready to be deployed in a Docker container:
mvn clean package -P embedded-jetty -Dlogback.configuration.file=src/main/docker/logback.xml
Dependency-Track is an open source project, created by people who believe that the knowledge of using vulnerable components should be accessible to anyone with a desire to know. By supporting this project, you'll allow the team to outsource testing, infrastructure, further research and development efforts, and engage in outreach to various communities that would benefit from this technology.
Dependency-Track is Copyright (c) Steve Springett. All Rights Reserved.
Permission to modify and redistribute is granted under the terms of the Apache License 2.0
Dependency-Track makes use of several other open source libraries. Please see the NOTICES.txt file for more information.