Introduction

This page collects notes on Software Composition Analysis (SCA) with Dependency-Track: which tools and plugins generate a CycloneDX SBOM for a Python or Node.js application, and how to push that SBOM to a Dependency-Track server for analysis.

Tools and Plugins

Tool / Plugin                      Link                                            Comments
Dependency-Track                   https://dependencytrack.org/                    Server that stores and analyses the SBOMs
SBOM generation tool for Python    https://pypi.org/project/cyclonedx-bom/         pip install cyclonedx-bom
SBOM generation tool for Node.js   https://www.npmjs.com/package/@cyclonedx/bom    npm install -g @cyclonedx/bom
Jenkins plugin                     https://plugins.jenkins.io/dependency-track/    Supports a synchronous mode (upload, wait for the server to finish analysis,
                                                                                   fail the build on severity thresholds) and an asynchronous mode (upload only)

What is Dependency-Track?

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Dependency-Track takes a unique and highly beneficial approach by leveraging the capabilities of Software Bill of Materials (SBOM). This approach provides capabilities that traditional Software Composition Analysis (SCA) solutions cannot achieve.

Dependency-Track monitors component usage across all versions of every application in its portfolio in order to proactively identify risk across an organization. The platform has an API-first design and is ideal for use in CI/CD environments.

Features

  • Component support for:
    • Applications
    • Libraries
    • Frameworks
    • Operating systems
    • Containers
    • Firmware
    • Files
    • Hardware
  • Tracks component usage across every application in an organization's portfolio
  • Quickly identify what is affected, and where
  • Identifies multiple forms of risk including
    • Components with known vulnerabilities
    • Out-of-date components
    • Modified components
    • License risk
    • More coming soon…
  • Integrates with multiple sources of vulnerability intelligence
  • Robust policy engine with support for global and per-project policies
    • Security risk and compliance
    • License risk and compliance
    • Operational risk and compliance
  • Ecosystem agnostic with built-in repository support for:
    • Cargo (Rust)
    • Composer (PHP)
    • Gems (Ruby)
    • Hex (Erlang/Elixir)
    • Maven (Java)
    • NPM (JavaScript)
    • NuGet (.NET)
    • PyPI (Python)
    • More coming soon.
  • Identifies APIs and external service components including:
    • Service provider
    • Endpoint URIs
    • Data classification
    • Directional flow of data
    • Trust boundary traversal
    • Authentication requirements
  • Includes a comprehensive auditing workflow for triaging results
  • Configurable notifications supporting Slack, Microsoft Teams, Web hooks, and Email
  • Supports standardized SPDX license IDs and tracks license use by component
  • Supports importing CycloneDX (recommended) and SPDX Software Bill of Materials (SBOM) formats
  • Easy to read metrics for components, projects, and portfolio
  • Native support for Kenna Security, Fortify SSC, ThreadFix, and DefectDojo
  • API-first design facilitates easy integration with other systems
  • API documentation available in OpenAPI format
  • OAuth 2.0 + OpenID Connect (OIDC) support for single sign-on (authN/authZ)
  • Supports internally managed users, Active Directory/LDAP, and API Keys
  • Simple to install and configure. Get up and running in just a few minutes

Integration Support

Installation

I went with the Docker installation, which is quick and convenient. The official Docker Compose file starts the API server and the web frontend. Log in with the default admin/admin credentials and set a new password straight away (the UI forces this on first login), then create an API key for CI use rather than reusing the admin login. To install with Docker Compose:

Docker Compose

# Downloads the latest Docker Compose file
curl -LO https://dependencytrack.org/docker-compose.yml

# Starts the stack using Docker Compose
docker compose up -d

Frontend/Backend Analysis

From the application's root directory, run the commands below: first generate the SBOM, then push it to the Dependency-Track API server.

App type: Frontend (Node.js, @cyclonedx/bom CLI)
  Export SBOM:
    cyclonedx-bom -o sbom.xml
  Push to server:
    curl -X "POST" "http://10.129.44.129:8089/api/v1/bom" \
         -H "Content-Type: multipart/form-data" \
         -H "X-Api-Key: XXXX" \
         -F "autoCreate=true" \
         -F "projectName=xx_Frontend_SCA" \
         -F "projectVersion=1.0" \
         -F "bom=@sbom.xml"
  Comments: replace XXXX with your API key

App type: Backend (Python, cyclonedx-bom; -e builds the SBOM from the packages installed in the current environment)
  Export SBOM:
    cyclonedx-bom -e -o sbom.xml
  Push to server:
    curl -X "POST" "http://10.129.44.129:8089/api/v1/bom" \
         -H "Content-Type: multipart/form-data" \
         -H "X-Api-Key: XXXX" \
         -F "autoCreate=true" \
         -F "projectName=xx_Backend_SCA" \
         -F "projectVersion=1.0" \
         -F "bom=@sbom.xml"
  Comments: replace XXXX with your API key

The API key must belong to a team with the BOM_UPLOAD permission, and because autoCreate=true creates the project on first upload it also needs PROJECT_CREATION_UPLOAD. The key is sent in the X-Api-Key header on every request, so point the upload at an HTTPS endpoint in anything beyond a lab setup and keep the key in the CI secret store, not in the script.
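The curl upload above is only the first half of what the Jenkins plugin's synchronous mode does; the second half is waiting for the server to finish processing the BOM and failing the build on the result. The script below is an added example written for this page, not code from the original post or from the Dependency-Track project. It uses the JSON variant of the upload endpoint (PUT /api/v1/bom with the BOM base64-encoded) rather than the multipart POST shown above, polls GET /api/v1/bom/token/{token} until processing finishes, looks the project up by name and version, and counts unsuppressed findings at or above a severity threshold. The server URL, API key, project name and version, and the threshold are assumed values read from the environment and command line; SAMPLE_FINDINGS is a constructed response used only to exercise the counting logic without a server.

```python
"""Upload a CycloneDX SBOM to Dependency-Track and gate a build on the result.

Added example for this page, not code from the post or from Dependency-Track.
Assumed inputs (placeholders, not values from the page):
  DT_URL      base URL of the API server, e.g. https://dt.example.internal
  DT_API_KEY  API key with BOM_UPLOAD (+ PROJECT_CREATION_UPLOAD for autoCreate)
  DT_FAIL_ON  lowest severity that fails the build (default HIGH)
  argv        <projectName> <projectVersion> <path/to/sbom.xml>
"""
import base64
import json
import os
import sys
import time
import urllib.parse
import urllib.request

# Dependency-Track severity names, ordered so thresholds can be compared.
SEVERITY_RANK = {"UNASSIGNED": 0, "INFO": 1, "LOW": 2, "MEDIUM": 3, "HIGH": 4, "CRITICAL": 5}

# Constructed sample shaped like GET /api/v1/finding/project/{uuid} output;
# used only to exercise count_findings_at_or_above() offline.
SAMPLE_FINDINGS = [
    {"component": {"name": "lib-a", "version": "1.0.0"},
     "vulnerability": {"vulnId": "EXAMPLE-1", "severity": "CRITICAL"},
     "analysis": {"isSuppressed": True}},   # triaged away, must not count
    {"component": {"name": "lib-b", "version": "2.3.1"},
     "vulnerability": {"vulnId": "EXAMPLE-2", "severity": "HIGH"},
     "analysis": {"isSuppressed": False}},
    {"component": {"name": "lib-c", "version": "0.9.0"},
     "vulnerability": {"vulnId": "EXAMPLE-3", "severity": "LOW"},
     "analysis": {}},                        # never triaged
]


def build_upload_payload(bom_bytes, project_name, project_version):
    """Body for PUT /api/v1/bom: JSON with the BOM base64-encoded."""
    return {
        "projectName": project_name,
        "projectVersion": project_version,
        "autoCreate": True,
        "bom": base64.b64encode(bom_bytes).decode("ascii"),
    }


def is_still_processing(token_response):
    """GET /api/v1/bom/token/{token} answers {"processing": true|false}."""
    return bool(token_response.get("processing", False))


def count_findings_at_or_above(findings, threshold):
    """Count findings not suppressed by triage whose severity >= threshold."""
    floor = SEVERITY_RANK[threshold.upper()]
    hits = 0
    for finding in findings:
        if finding.get("analysis", {}).get("isSuppressed", False):
            continue
        severity = finding.get("vulnerability", {}).get("severity", "UNASSIGNED")
        if SEVERITY_RANK.get(severity.upper(), 0) >= floor:
            hits += 1
    return hits


def api_call(base_url, api_key, method, path, body=None):
    """Minimal authenticated JSON call; the key rides in X-Api-Key, so use HTTPS."""
    data = json.dumps(body).encode("utf-8") if body is not None else None
    request = urllib.request.Request(
        base_url.rstrip("/") + path, data=data, method=method,
        headers={"X-Api-Key": api_key, "Accept": "application/json",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(request, timeout=30) as response:
        raw = response.read()
    return json.loads(raw) if raw else None


def main(argv):
    base_url, api_key = os.environ["DT_URL"], os.environ["DT_API_KEY"]
    threshold = os.environ.get("DT_FAIL_ON", "HIGH")
    project_name, project_version, bom_path = argv[1:4]
    with open(bom_path, "rb") as handle:
        bom_bytes = handle.read()

    # 1. Upload; the server returns a token for the asynchronous processing job.
    token = api_call(base_url, api_key, "PUT", "/api/v1/bom",
                     build_upload_payload(bom_bytes, project_name, project_version))["token"]
    # 2. Wait until the BOM has been parsed and analysed (the "synchronous" part).
    while is_still_processing(api_call(base_url, api_key, "GET", f"/api/v1/bom/token/{token}")):
        time.sleep(5)
    # 3. Resolve the project UUID and pull its findings.
    query = urllib.parse.urlencode({"name": project_name, "version": project_version})
    project = api_call(base_url, api_key, "GET", f"/api/v1/project/lookup?{query}")
    findings = api_call(base_url, api_key, "GET", f"/api/v1/finding/project/{project['uuid']}")
    # 4. Gate: non-zero exit fails the pipeline step.
    failing = count_findings_at_or_above(findings, threshold)
    print(f"{len(findings)} findings, {failing} unsuppressed at or above {threshold}")
    return 1 if failing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Suppressed findings are skipped deliberately: a gate that ignores the triage done in Dependency-Track's auditing workflow would re-fail every build on a vulnerability already judged not applicable, and teams then stop trusting the gate.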

Dependency-Track UI screenshot

References

https://owasp.org/www-project-dependency-track/

https://dependencytrack.org/
