What is OWASP Dependency-Track?
OWASP Dependency-Track is an open source software composition analysis and software supply chain management tool that allows organizations to identify and reduce risk from the use of third-party and open source components.
It works by scanning project dependencies and generating reports on vulnerabilities, licenses, and other metadata to support organizational policy enforcement, facilitate open source governance, and provide visibility into risk associated with software dependencies.
Key features include:
- Identification of all third-party transitive dependencies and associated metadata (CPEs, purls, licenses, cryptographic hashes, etc.)
- Detection of vulnerabilities using integrated Snyk engine or other sources
- Customizable Bill-of-Materials (BOM) reports
- Component policy enforcement based on security, licensing, and other metadata
- Integration with software composition analysis, application security testing, CI/CD, and other DevOps toolchains
- APIs, CLI, and integrations with IDEs for automated scanning
- Centralized inventory of all open source and third-party dependencies across an organization
Overall, Dependency-Track provides organizations with the capabilities to identify risks that stem from the use third-party and open source code, support open source management policy, and govern the integrity of the software supply chain.