dependency-track v4.9 releases: intelligent Software Composition Analysis platform
Dependency-Track
Modern applications leverage the availability of existing components for use as building blocks in application development. By using existing components, organizations can dramatically decrease time-to-market. Reusing existing components, however, comes at a cost. Organizations that build on top of existing components assume the risk for the software they did not create. Vulnerabilities in third-party components are inherited by all applications that use those components. The OWASP Top Ten (2013 and 2017) both recognize the risk of using components with known vulnerabilities.
Dependency-Track is a Software Composition Analysis (SCA) platform that keeps track of all third-party components used in all the applications an organization creates or consumes. It integrates with multiple vulnerability databases including the National Vulnerability Database (NVD), Node Security Platform (NSP), and VulnDB from Risk Based Security. Dependency-Track monitors all applications in its portfolio in order to proactively identify vulnerabilities in components that are placing your applications at risk. Use of Dependency-Track can play a vital role in an overall Supply Chain Risk Management (SCRM) program by providing many of the recommendations outlined in the NIST Cybersecurity Framework.
Dependency-Track is designed to be used in an automated DevOps environment where Dependency-Check results or specific BOM (Bill of Material) formats are automatically ingested during CI/CD. Use of the Dependency-Check Jenkins Plugin is highly recommended for this purpose and is well suited for use in Jenkins Pipeline. In such an environment, Dependency-Track enables your DevOps teams to accelerate while still keeping tabs on component usage and any inherited risk.
Dependency-Track can also be used to monitor vulnerabilities in COTS (commercial off-the-shelf) software.
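As an added example of the CI/CD ingestion described above (this is not code from the Dependency-Track project), a small build-side helper that checks a CycloneDX BOM's header, wraps it for the documented `PUT /api/v1/bom` endpoint and sends it with the API key in the `X-Api-Key` header. The server URL, API key and project name are placeholders, and the sample BOM is constructed for the example.

```python
# Added example (not Dependency-Track's own code): package a CycloneDX BOM for
# Dependency-Track's documented `PUT /api/v1/bom` endpoint and send it from CI.
# The base URL, API key and project name used at the bottom are placeholders.
import base64
import json
import urllib.request

SUPPORTED_SPEC_VERSIONS = {"1.2", "1.3", "1.4", "1.5"}  # 1.5 is new in v4.9

# Constructed minimal CycloneDX 1.5 BOM, standing in for the file a build emits.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [{"type": "library", "name": "example-lib", "version": "2.1.0",
                    "purl": "pkg:maven/org.example/example-lib@2.1.0"}],
}


def bom_is_supported(bom: dict) -> bool:
    """Cheap pre-flight check before spending an API call on the upload."""
    return bom.get("bomFormat") == "CycloneDX" and \
        bom.get("specVersion") in SUPPORTED_SPEC_VERSIONS


def build_upload_payload(bom: dict, project_name: str, project_version: str,
                         auto_create: bool = False) -> dict:
    """Wrap the BOM as the JSON body the API expects; the BOM travels base64-encoded."""
    if not bom_is_supported(bom):
        raise ValueError(f"unsupported BOM: {bom.get('bomFormat')} {bom.get('specVersion')}")
    encoded = base64.b64encode(json.dumps(bom).encode("utf-8")).decode("ascii")
    return {"projectName": project_name, "projectVersion": project_version,
            "autoCreate": auto_create, "bom": encoded}


def decode_payload_bom(payload: dict) -> dict:
    """Inverse of the encoding step, handy for checking what was actually sent."""
    return json.loads(base64.b64decode(payload["bom"]))


def upload_bom(base_url: str, api_key: str, payload: dict) -> int:
    """PUT the payload; the API key goes in the X-Api-Key header. Returns HTTP status."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/v1/bom",
                                 data=json.dumps(payload).encode("utf-8"), method="PUT",
                                 headers={"Content-Type": "application/json",
                                          "X-Api-Key": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":  # placeholders: replace with your server and a real key
    body = build_upload_payload(SAMPLE_BOM, "example-app", "1.0.0", auto_create=True)
    print(upload_bom("https://dtrack.example.internal", "odt_PLACEHOLDER", body))
```

`autoCreate` lets the first upload create the project, which is what a pipeline usually wants; the key used in CI should be scoped to the BOM upload permission rather than an administrative one.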
Features
- Increases visibility into the use of vulnerable and outdated components
- Flexible data model supporting an unlimited number of projects and components
- Tracks vulnerabilities and inherited risk
  - by component
  - by project
  - across entire portfolio
- Tracks usage of out-of-date components
- Includes a comprehensive auditing workflow for triaging results
- Configurable notifications supporting Slack, Microsoft Teams, Webhooks, and Email
- Supports standardized SPDX license IDs and tracks license use by component
- Supports CycloneDX and SPDX bill-of-material formats
- Easy to read metrics for components, projects, and portfolio
- Provides a reliable mirror of the NVD data feed
- API-first design facilitates easy integration with other systems
- API documentation available in Swagger 2.0 (OpenAPI 3 support coming soon)
- Supports internally managed users, Active Directory/LDAP, and API Keys
- Simple to install and configure. Get up and running in just a few minutes
Ecosystem Overview
Viewing an individual vulnerable component:
Viewing an individual vulnerability:
Viewing all vulnerabilities in the system:
Viewing an individual license:
Changelog v4.9
Features:
- Support import of CycloneDX v1.5 BOMs – apiserver/#2850
- Introduce `odt_` prefix for API keys to ease leak detection – apiserver/#3047
- Add support for SPDX license expressions – apiserver/#2400
  - Refer to Policy Compliance for details on how license expressions behave in policies
- Update SPDX license list to v3.21 – apiserver/#3006
- Support resolving of custom licenses by name, instead of only by ID – apiserver/#2769
- Add version distance policy condition – apiserver/#2537
- Separate policy evaluation into its own background task – apiserver/#2523
- Allow policy violation state to be set via API – apiserver/#2997
- Add “Outdated only” and “Direct only” options for viewing components of a project – apiserver/#2568
- Update bundled CWE dictionary to v4.12 – apiserver/#2877
- Reduce number of API requests necessary to populate the dependency graph of a project – apiserver/#2623
- Include JDBC connectors for Google Cloud SQL – apiserver/#2651
- Update default Snyk API version to `2023-06-22` – apiserver/#2911
- Log warnings when analyses from VEX could not be applied – apiserver/#2989
- Update Docker base image to latest Debian stable – apiserver/#2904
- Update temurin base image to `17.0.8.1_1` – apiserver/#3069
- Add extensive test suite for CPE matching logic – apiserver/#2243
- Update documentation for private vulnerability database – apiserver/#2990
- Add docs and example config for logging in JSON format – apiserver/#2933
- Add note about required plan for the Snyk integration to docs – apiserver/#2899
- Update example Grafana dashboard – apiserver/#2788
- Add Docker Compose files for simplified local testing – apiserver/#2675
- Add auto-provisioning of Grafana to Docker Compose development setup – apiserver/#2879
- Hide username and password fields on login view when OIDC is enabled – frontend/#613
- Make NGINX listen on both IPv4 and IPv6 interfaces – frontend/#427
- Display external references and description in project overview – frontend/#485
- Use separate icons for current and out-of-date components to improve accessibility – frontend/#311
- Propagate `searchText` query parameter to list views – frontend/#563
- Raise baseline NodeJS version to 18 – frontend/#470
- Upgrade CoreJS to 3.x – frontend/#548
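The `odt_` prefix above exists so that leaked keys are easy to spot. As an added example (not code from the Dependency-Track project), a minimal secret-scanning rule that finds such keys in CI logs or diffs and redacts them before the text is stored. The sample lines and the keys in them are constructed, and the key body length of 32 alphanumerics is an assumption for this example; check the key format of the version you run.

```python
# Added example (not Dependency-Track's own code): a small secret-scanning rule
# for the `odt_` API key prefix introduced in v4.9, run over constructed text
# such as CI logs or a diff. The key body length (32 alphanumerics) is an
# assumption for this example; confirm it against the version you run.
import re
from typing import List, Tuple

ODT_KEY_RE = re.compile(r"\bodt_[A-Za-z0-9]{32}\b")

# Constructed sample lines; the keys in them are made up for the example.
SAMPLE_TEXT = """\
[ci] export DTRACK_API_KEY=odt_abcdefghijklmnopqrstuvwxyz012345
[ci] curl -H 'X-Api-Key: odt_ZYXWVUTSRQPONMLKJIHGFEDCBA987654' https://dtrack.example/api/v1/bom
[ci] nothing to see here, odt_tooshort is not a key
[ci] build finished
"""


def find_leaked_keys(text: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, key) for every odt_ key found in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in ODT_KEY_RE.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


def redact_keys(text: str, keep: int = 8) -> str:
    """Replace each key with its prefix plus a few leading characters, so a stored
    log still says which key leaked without exposing the secret itself."""
    return ODT_KEY_RE.sub(lambda m: m.group(0)[:keep] + "[REDACTED]", text)


if __name__ == "__main__":
    for lineno, key in find_leaked_keys(SAMPLE_TEXT):
        print(f"line {lineno}: leaked key starting {key[:8]}")
    print(redact_keys(SAMPLE_TEXT))
```

A hit from this rule should trigger rotation of the key in Dependency-Track's Access Management, not just removal from the log.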
Fixes:
- Fix memory leak in policy evaluation – apiserver/#2872
- Fix memory leak in VEX upload processing – apiserver/#2873
- Fix VDR export erroneously containing non-vulnerable components – apiserver/#2878
- Fix VEX export erroneously containing dependency graph – apiserver/#3067
- Fix false positives in CPE matching when version attribute of a CVE’s CPE is `NA` – apiserver/#1832
- Fix false negatives in CPE matching when part or vendor attribute of a component’s CPE is `ANY` – apiserver/#2988
- Fix uncaught internal server error when fetching components by hash if Portfolio Access Control is enabled – apiserver/#2953
- Fix Affected Component format for CPEs with version ranges – apiserver/#2967
- Fix missing duplicate check when cloning projects – apiserver/#2966
- Fix `NullPointerException` when checking for existence of projects without version – apiserver/#3068
- Fix module import issues when working on the code base with Eclipse – apiserver/#2971
- Fix version distance policy being evaluated despite not being configured – apiserver/#2980
- Fix `@JsonIgnore` having no effect on `transient` fields – apiserver/#3051
- Fix misleading docs about authentication and authorization enforcement being optional – apiserver/#3047
- Fix default Slack notification template producing invalid JSON for `PROJECT_AUDIT_CHANGE` notifications – apiserver/#2838
- Fix default Mattermost notification template producing invalid JSON for `NEW_VULNERABLE_DEPENDENCY` notifications – apiserver/#3093
- Fix number of project versions displayed in dropdown being limited to 10 – frontend/#397
- Fix unauthenticated users not being redirected to login page – frontend/#502
- Fix no permissions being defined for dashboard route – frontend/#506
- Fix regression in Docker Compose file regarding application directory – frontend/#494
- Fix external references dropdown rendering outside the screen – frontend/#539
- Fix vulnerability aliases not being displayed in expanded rows of findings table – frontend/#559
- Fix type error in external references dropdown – frontend/#565
- Fix license expression input fields – frontend/#580
- Fix wrong message being displayed when creating policies – frontend/#610
- Fix file permissions of NGINX config file – frontend/#611
Download & Tutorial
Dependency-Track is Copyright (c), Steve Springett. All Rights Reserved.