In this post we are going to talk about the OWASP tool called Dependency-Track. To start, a good question is…

What is Dependency-Track?

Dependency-Track is a vulnerability analysis tool that audits the third-party components and external libraries that our applications use. It integrates with several vulnerability databases, such as the NPM Public Advisories, the National Vulnerability Database, Sonatype OSS Index and VulnDB.
Dependency-Track proactively analyzes all of your applications in order to identify vulnerabilities in open source components that may put them at risk.

Dependency-Track Dashboard

How does Dependency-Track work?

Dependency-Track takes full advantage of the Software Bill of Materials (SBOM). Thanks to this, we obtain more complete and precise information than with traditional component analysis.

A BOM (bill of materials) file defines and describes the content that goes into building a deliverable, including each component's author, publisher, license, version and copyright.

There are several tools for generating the BOM file, one of the best known being CycloneDX. Once we have our BOM file we can upload it to Dependency-Track manually or by integrating the upload into our CI/CD pipeline.

CycloneDX supports a variety of languages through its plugins.

Dependency-Track Integrations

Dependency-Track is designed to be integrated easily into our Continuous Integration and Continuous Deployment processes. To that end it offers a powerful REST API and a Jenkins plugin that let us build this analysis into our pipelines.
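As an added example (not code from the original post or from the Dependency-Track project), the Python below builds the upload body for Dependency-Track's PUT /api/v1/bom endpoint, polls the returned token until analysis has finished, and gates a pipeline on the project's current vulnerability metrics. It assumes the REST endpoints named in the comments and an API key with BOM upload permission; server URL, key and project values are placeholders and the BOM is a constructed sample standing in for a CycloneDX-generated file.

```python
import base64
import json
import time
import urllib.request

# Constructed minimal CycloneDX BOM, standing in for the file a CycloneDX plugin generates.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [{"type": "library", "name": "example-lib", "version": "1.2.3",
                    "purl": "pkg:npm/example-lib@1.2.3"}],
}


def build_upload_payload(bom: dict, project_name: str, project_version: str) -> dict:
    """Request body for PUT /api/v1/bom: the BOM travels base64-encoded, and
    autoCreate lets the first pipeline run create the project in Dependency-Track."""
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX BOM")
    encoded = base64.b64encode(json.dumps(bom).encode()).decode()
    return {"projectName": project_name, "projectVersion": project_version,
            "autoCreate": True, "bom": encoded}


def bom_from_payload(payload: dict) -> dict:
    """Decode the BOM back out of an upload body, to inspect exactly what is sent."""
    return json.loads(base64.b64decode(payload["bom"]))


def _call(base_url: str, api_key: str, method: str, path: str, body=None):
    """One authenticated JSON request; Dependency-Track reads the key from X-Api-Key."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url + path, data=data, method=method,
                                 headers={"X-Api-Key": api_key,
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def upload_and_wait(base_url: str, api_key: str, payload: dict, poll_seconds: int = 5) -> None:
    """Upload the BOM, then poll GET /api/v1/bom/token/{token} until processing is done."""
    token = _call(base_url, api_key, "PUT", "/api/v1/bom", payload)["token"]
    while _call(base_url, api_key, "GET", f"/api/v1/bom/token/{token}")["processing"]:
        time.sleep(poll_seconds)


def violates_policy(metrics: dict, max_critical: int = 0, max_high: int = 0) -> bool:
    """Build gate over the project metrics Dependency-Track computes after analysis
    (GET /api/v1/metrics/project/{uuid}/current); True means the pipeline should fail."""
    return metrics.get("critical", 0) > max_critical or metrics.get("high", 0) > max_high
```

In a pipeline step you would call build_upload_payload on the BOM your CycloneDX plugin produced, pass it to upload_and_wait against your server (e.g. https://dtrack.example.internal, a placeholder), then fetch the project metrics and fail the job when violates_policy returns True.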

Dependency-Track enables DevOps teams to accelerate processes and development while still controlling the use of external components and the risks they may cause.

This tool also has an integrated alert system that can notify us by email or through integrations with messaging services such as Slack or Microsoft Teams, all of them customizable through templates.

How can I deploy it?

To create your own Dependency-Track service you have several options:

Read more about Dependency-Track here:


I hope you’ve enjoyed this post and I encourage you to check our blog for other posts that you might find helpful. Do not hesitate to contact us if you would like us to help you on your projects.

See you on the next post!
