DependencyTrack/dependency-track

Features

• Component Risk Identification - Detects known vulnerabilities, outdated versions, and license compliance issues across third-party software ecosystems.
• Software Bill of Materials Scanners - Parses standardized CycloneDX software bill of materials files to map components and dependencies across the supply chain.
• Software Supply Chain Security - Analyzes software bills of materials to identify vulnerabilities and risks across third-party dependencies.
• Advisory Mirrors - Imports vulnerability advisories from aggregator databases to identify security risks in tracked components.
• Structured Advisory Portals - Mirrors structured vulnerability data from public APIs to identify security risks affecting open source components.
• SBOM Generators - Produces standardized CycloneDX manifests and VEX exploitability reports based on the current inventory.
• Outdated Version Detection - Queries repository APIs using package URLs to identify components that are not on their latest release.
• REST API Interfaces - Exposes system functionality through a standardized REST interface for programmatic interaction and automation.
• Security Risk Assessments - Provides structured security risk assessments to evaluate the impact and likelihood of identified vulnerabilities.
• Component Identity Matching - Matches software components using Package URLs and hashes to accurately detect specific versions.
• Project Access Controls - Manages granular project access controls through a hierarchical team structure to restrict project visibility.
• License Compliance Tools - Audits software components against defined policies to identify legal and compliance risks associated with licenses.
• Role-Based Access Control - Manages user permissions through teams and identity provider claims to restrict access to sensitive project data.
• Dependency Vulnerability Scanning - Scans installed project packages for known security vulnerabilities using external vulnerability databases.
• Security Finding Management - Provides lifecycle management for security findings, including the ability to suppress vulnerabilities to clean up risk metrics.
• Interactive Triage Workflows - Provides workflows for reviewing security findings and documenting the resolution process with audit history.
• Vulnerability Database Management - Synchronizes and maintains local mirrors of external vulnerability databases to enable fast offline security analysis.
• Vulnerability Matching - Triggers security violations by matching identified components against known vulnerability databases based on severity.
• Software Composition Analysis Tools - Identifies known vulnerabilities and license compliance issues within third-party software components.
• CycloneDX Analysis Platforms - Functions as a dedicated platform for ingesting and analyzing CycloneDX SBOMs to manage supply chain risk.
• SBOM Ingestion APIs - Imports Software Bill of Materials files via API or HTTP POST to analyze project dependencies and supply chain risks.
• SBOM Parsing - Processes CycloneDX lists to identify bundled components, authors, and licenses.
• User Access Management - Provides centralized tools for managing user accounts and authentication via LDAP, Active Directory, or OAuth 2.0.
• User Identity Management - Handles user profiles and authentication using internal accounts, LDAP, Active Directory, or OpenID Connect.
• Vulnerability Analysis - Performs vulnerability analysis by cross-referencing components against internal analyzers and public advisories.
• Vulnerability Analysis Tools - Analyzes the impact of security flaws by matching vulnerability data against mirrored component inventories across projects.
• Vulnerability Database APIs - Queries public vulnerability database APIs using Package URLs to detect known security risks.
• Vulnerability Management - Provides a structured workflow for triaging security findings and tracking remediation efforts.
• Vulnerability Management Systems - Provides a centralized system for aggregating, triaging, and prioritizing the remediation of security findings.
• Vulnerability Data Synchronization - Synchronizes with external vulnerability databases and scoring systems to prioritize mitigation based on exploitability.
• SBOM Vulnerability Testers - Scans uploaded SBOMs against vulnerability intelligence sources to identify security risks and license issues.
• Vulnerability Mapping - Links software components to known CVEs via dependency tree traversal to trigger automated scanning.
• Software Inventory Management - Maintains a complete inventory of software components across all projects to quickly locate specific vulnerabilities.
• Dependency - Monitors the use of libraries and containers across versions to identify risks and outdated dependencies.
• External API Integrations - Exposes system functionality via a REST API to automate data exchange with third-party security dashboards.
• Vulnerability Blast Radius Analysis - Lists all projects using a specific component version to determine the blast radius of a security flaw.
• Security Event Notifications - Sends automated alerts via webhooks, email, or chat when security or policy violations are identified.
• Risk Alerting - Sends real-time notifications via email, chat, or webhooks when new vulnerabilities or supply chain errors are detected.
• CPE Matching - Detects security risks by cross-referencing Common Platform Enumeration identifiers against mirrored vulnerability databases.
• Security Finding Exports - Publishes identified security vulnerabilities to external management platforms to centralize organizational risk tracking.
• Security Platform Integrations - Integrates with the Kenna risk platform to synchronize identified component vulnerabilities for a consolidated view.
• Webhook Distribution - Automatically pushes generated software bills of materials to external endpoints via webhooks during project processing.
• Security Automation APIs - Exposes a REST API for programmatically automating SBOM imports and exporting vulnerability metrics.
• Project Hierarchies - Automatically creates and organizes projects into hierarchies that reflect software architectures upon SBOM upload.
• Helm Chart Deployment - Provides pre-configured Helm charts to simplify the installation of the platform into Kubernetes clusters.
• Event Notifications - Triggers automated alerts to external communication tools and ticketing systems when security risks are detected.
• Portfolio Risk Aggregations - Calculates combined risk and health metrics across all projects defined in the system.
• Vulnerability Trend Metrics - Calculates and refreshes time-series metrics for projects to track risk trends over time.
• Component Allow/Deny Lists - Compares identified components against allowed or prohibited lists to ensure organizational compliance.
• SBOM Policy Evaluation - Evaluates SBOMs against custom license and security rules to detect portfolio violations.
• Dashboard Synchronizers - Synchronizes identified vulnerable component findings to the DefectDojo security dashboard for centralized reporting.
• LDAP Authentication - Integrates with external directory services via LDAP for centralized user authentication and automated provisioning.
• User Synchronization - Automates the import and update of user accounts and permissions from an LDAP directory.
• OIDC Identity Integrations - Integrates with OpenID Connect and LDAP to manage user permissions and synchronize team memberships.
• OpenID Connect Support - Implements the OpenID Connect protocol to enable user authentication via external identity providers.
• Vendor Risk Assessments - Evaluates the security posture and vulnerability impact of vendor-provided software during the procurement process.
• Dependency Version Restrictions - Blocks specific components based on age, version, or hashes to maintain approved dependencies.
• Contextual Vulnerability Analysis - Uses VEX documents to perform contextual vulnerability analysis and differentiate technical flaws from actual operational risks.
• Vulnerability Scanner Integrations - Consumes identified vulnerabilities from the Snyk developer security platform via REST API.
• Vulnerability Aggregator Synchronizers - Sends event notifications via webhooks and synchronizes data with external vulnerability aggregation platforms.
• Known Exploited Vulnerability Catalogs - Cross-references software components against the CISA Known Exploited Vulnerabilities catalog to isolate active risks.
• Project Component Hierarchies - The product groups components into high-level categories to track inherited risk from vulnerabilities.
• Hierarchical Risk Summaries - Summarizes vulnerabilities and policy violations from child projects based on tags or membership.
• Vulnerability Prioritization - Prioritizes vulnerability mitigation by combining security data with exploit prediction scores to identify urgent risks.
• Hierarchical Risk Aggregation - Organizes software assets into parent-child relationships to aggregate risk metrics across multiple nested projects.
• Risk Posture Metrics - Generates high-level metrics for components and projects to visualize organizational risk posture.
• Exploit Prediction Scoring - Uses exploit prediction scoring to estimate the likelihood of a vulnerability being exploited and prioritize remediation.
• Dependency Management - Platform for tracking and managing dependency security.

Star history