May 12, 2026 · 3 min read

Dependency-Track — Continuous Software Composition Analysis

Dependency-Track is a self-hosted platform that ingests Software Bills of Materials to continuously identify vulnerabilities and license risks across your software portfolio.

Introduction

Dependency-Track is an open-source Software Composition Analysis (SCA) platform developed by OWASP. It ingests Software Bills of Materials (SBOMs) in CycloneDX format, continuously monitors components for known vulnerabilities using multiple data sources, and tracks license compliance across your entire project portfolio.

What Dependency-Track Does

  • Ingests CycloneDX and SPDX SBOMs from CI/CD pipelines or manual uploads
  • Continuously monitors components against NVD, GitHub Advisories, OSV, and other sources
  • Calculates risk scores and tracks vulnerability trends across projects over time
  • Identifies license conflicts and policy violations in your dependency tree
  • Sends notifications via Slack, Teams, webhooks, or email when new vulnerabilities are found

Architecture Overview

Dependency-Track consists of an API server (Java/Alpine) and a frontend (Vue.js SPA). The API server periodically mirrors vulnerability databases (NVD, GitHub Advisories, OSV) into a local PostgreSQL or H2 database. When an SBOM is uploaded, each component is matched against the mirrored data using CPE, PURL, and SWID identifiers. A policy engine evaluates results against configurable rules for vulnerability severity and license compliance.
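The ingest, match and policy steps described above, reduced to a small worked example. This is added illustration code, not Dependency-Track's own matching engine: it parses a constructed CycloneDX JSON SBOM, extracts each component's PURL, matches it against a constructed in-memory advisory table (the advisory identifiers are placeholders, not real CVEs) and then applies a minimal severity-threshold policy. Real matching also uses CPE and SWID identifiers and far richer version-range semantics; only numeric dotted versions are handled here.

```python
"""Toy SBOM-to-advisory matching, added as an example (not project code).
Pipeline: parse CycloneDX JSON -> extract PURLs -> match against an
advisory table -> evaluate a severity policy."""
import json

# Constructed CycloneDX 1.5 JSON SBOM with two components (sample data).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "acme-http", "version": "2.3.1",
         "purl": "pkg:maven/org.example/acme-http@2.3.1"},
        {"type": "library", "name": "leftpad", "version": "1.0.0",
         "purl": "pkg:npm/leftpad@1.0.0"},
    ],
})

# Constructed advisory table keyed by versionless PURL. Identifiers are
# placeholders, not real CVEs. Entry: (id, severity, first affected, first fixed).
ADVISORIES = {
    "pkg:maven/org.example/acme-http": [
        ("EXAMPLE-2024-0001", "HIGH", "2.0.0", "2.3.5"),
        ("EXAMPLE-2023-0042", "LOW", "1.0.0", "2.0.0"),
    ],
}

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def parse_version(version):
    """Turn a dotted numeric version into a tuple that compares correctly."""
    return tuple(int(part) for part in version.split("."))


def split_purl(purl):
    """Return (versionless purl, version). Namespaces containing '@' are
    percent-encoded in PURLs, so the first '@' separates the version.
    Qualifiers and subpaths are ignored in this simplified example."""
    base, _, version = purl.partition("@")
    return base, version


def extract_purls(sbom_json):
    """Collect the PURL of every component in a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    return [c["purl"] for c in bom.get("components", []) if "purl" in c]


def match(purls, advisories=ADVISORIES):
    """Return findings as (purl, advisory id, severity) for affected versions,
    i.e. where introduced <= component version < fixed."""
    findings = []
    for purl in purls:
        base, version = split_purl(purl)
        current = parse_version(version)
        for adv_id, severity, introduced, fixed in advisories.get(base, []):
            if parse_version(introduced) <= current < parse_version(fixed):
                findings.append((purl, adv_id, severity))
    return findings


def policy_violations(findings, threshold="HIGH"):
    """Minimal policy rule: flag findings at or above the threshold severity."""
    return [f for f in findings
            if SEVERITY_RANK[f[2]] >= SEVERITY_RANK[threshold]]


if __name__ == "__main__":
    found = match(extract_purls(SBOM_JSON))
    for purl, adv_id, severity in found:
        print(f"{purl}: {adv_id} ({severity})")
    print("policy violations:", policy_violations(found))
```

The version comparison is the weak point of any matcher: a string comparison would put `2.10.0` before `2.9.0`, which is why the example converts to integer tuples before comparing against the affected range.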

Self-Hosting & Configuration

  • Deploy with Docker Compose using the official API server and frontend images
  • Use PostgreSQL for production deployments instead of the default embedded H2 database
  • Configure vulnerability data sources in the admin panel (NVD API key recommended)
  • Integrate with CI/CD by uploading SBOMs via the REST API or dedicated plugins
  • Set up notification rules to alert teams when critical vulnerabilities are discovered
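The CI/CD integration step above, done against the REST API directly. This is an added example rather than one of the project's own plugins: it base64-encodes a CycloneDX SBOM into the JSON body that `PUT /api/v1/bom` accepts, authenticates with the `X-Api-Key` header, and polls `GET /api/v1/bom/token/{token}` until the server reports that processing has finished. The server URL and API key are read from `DT_URL` and `DT_API_KEY`, environment variable names chosen here for the example and not mandated by the project.

```python
"""Upload a CycloneDX SBOM to Dependency-Track and wait for processing.
Added example, not project code. Uses only the standard library so it can
run from any CI job. Assumptions: DT_URL and DT_API_KEY environment
variables (names chosen for this example)."""
import base64
import json
import os
import sys
import time
import urllib.request


def build_bom_payload(sbom_bytes, project_name, project_version, auto_create=True):
    """JSON body for PUT /api/v1/bom: the SBOM travels base64-encoded.
    autoCreate lets the server create the project on first upload, which
    requires the API key's team to hold the project-creation permission."""
    return {
        "projectName": project_name,
        "projectVersion": project_version,
        "autoCreate": auto_create,
        "bom": base64.b64encode(sbom_bytes).decode("ascii"),
    }


def decode_bom_payload(payload):
    """Inverse of build_bom_payload, useful for checking what was sent."""
    return base64.b64decode(payload["bom"])


def _request(base_url, api_key, method, path, body=None):
    """Send one authenticated JSON request and return the decoded response."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method)
    req.add_header("X-Api-Key", api_key)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read() or b"{}")


def upload_bom(base_url, api_key, sbom_path, project_name, project_version):
    """Upload the SBOM file and return the processing token the server issues."""
    with open(sbom_path, "rb") as f:
        payload = build_bom_payload(f.read(), project_name, project_version)
    return _request(base_url, api_key, "PUT", "/api/v1/bom", payload)["token"]


def wait_for_processing(base_url, api_key, token, poll_seconds=2, max_wait=300):
    """Poll the token endpoint; True once 'processing' is false, False on timeout."""
    deadline = time.time() + max_wait
    while time.time() < deadline:
        status = _request(base_url, api_key, "GET", f"/api/v1/bom/token/{token}")
        if not status.get("processing", False):
            return True
        time.sleep(poll_seconds)
    return False


if __name__ == "__main__":
    # Usage: python dt_upload.py <sbom.json> <project name> <project version>
    if len(sys.argv) != 4:
        sys.exit("usage: dt_upload.py SBOM_PATH PROJECT_NAME PROJECT_VERSION")
    url, key = os.environ["DT_URL"], os.environ["DT_API_KEY"]
    tok = upload_bom(url, key, sys.argv[1], sys.argv[2], sys.argv[3])
    print("upload accepted, token:", tok)
    print("processed" if wait_for_processing(url, key, tok) else "timed out waiting")
```

Waiting on the token matters in a pipeline: the upload call returns as soon as the SBOM is queued, so a job that immediately queries findings or policy violations for the project would read the previous upload's state. Keep the API key in the CI system's secret store and scope it to a team that only has the upload permissions it needs.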

Key Features

  • Portfolio-wide vulnerability dashboard with risk scoring and trend analysis
  • Policy engine for automated evaluation of severity thresholds and license restrictions
  • Support for CycloneDX VEX documents for vulnerability exploitability assessment
  • Integration plugins for Jenkins, GitHub Actions, GitLab CI, and other CI systems
  • OIDC/LDAP authentication with team-based access control and API key management

Comparison with Similar Tools

  • Snyk — commercial SCA with broader language support; Dependency-Track is free and SBOM-native
  • Trivy — CLI scanner that generates findings; Dependency-Track is a continuous monitoring platform
  • Grype — single-scan vulnerability scanner; Dependency-Track tracks portfolio risk over time
  • OWASP Dependency-Check — scan-time analysis; Dependency-Track provides ongoing monitoring after the scan
  • Socket — supply chain security SaaS; Dependency-Track is self-hosted with no vendor lock-in

FAQ

Q: What SBOM formats does Dependency-Track support? A: CycloneDX (XML and JSON) is the primary format. SPDX support is available with conversion.

Q: How often are vulnerability databases updated? A: By default, mirrors are refreshed daily. The schedule is configurable in the admin settings.

Q: Can Dependency-Track generate SBOMs? A: No. It consumes SBOMs. Use tools like Syft, cdxgen, or Trivy to generate SBOMs in your build pipeline.

Q: How does Dependency-Track handle false positives? A: Analysts can suppress findings, apply VEX analysis states, or create policies to auto-suppress specific patterns.
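The VEX route from the answer above, as an added example that is not Dependency-Track's own code. It builds a constructed CycloneDX VEX document whose `analysis.state` marks one finding as `not_affected`, then applies it to a constructed list of findings so that only the unaddressed one stays open. The finding identifiers are placeholders; the example also assumes each component's `bom-ref` equals its PURL, which is a common convention but not required by the format.

```python
"""Apply CycloneDX VEX analysis states to SCA findings. Added example, not
project code; findings and the VEX document are constructed sample data."""
import json

# Findings as (component ref, vulnerability id), e.g. from an SCA match.
FINDINGS = [
    ("pkg:maven/org.example/acme-http@2.3.1", "EXAMPLE-2024-0001"),
    ("pkg:npm/leftpad@1.0.0", "EXAMPLE-2022-0007"),
]

# Constructed CycloneDX VEX document. Valid analysis states in the schema:
# exploitable, in_triage, resolved, resolved_with_pedigree, false_positive,
# not_affected. 'affects[].ref' names the component's bom-ref; this example
# assumes the bom-ref is the PURL.
VEX_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "vulnerabilities": [
        {
            "id": "EXAMPLE-2024-0001",
            "affects": [{"ref": "pkg:maven/org.example/acme-http@2.3.1"}],
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "The vulnerable class is never loaded by this service.",
            },
        }
    ],
})

# States under which a finding needs no further action.
SUPPRESSING_STATES = {"not_affected", "false_positive",
                      "resolved", "resolved_with_pedigree"}


def load_vex_states(vex_json):
    """Map (component ref, vulnerability id) -> analysis state."""
    states = {}
    for vuln in json.loads(vex_json).get("vulnerabilities", []):
        state = vuln.get("analysis", {}).get("state")
        for affected in vuln.get("affects", []):
            states[(affected["ref"], vuln["id"])] = state
    return states


def apply_vex(findings, vex_json):
    """Split findings into (still open, suppressed with the state that applied).
    A finding is suppressed only when the VEX entry names both its component
    and its vulnerability id; a state such as in_triage keeps it open."""
    states = load_vex_states(vex_json)
    open_findings, suppressed = [], []
    for ref, vuln_id in findings:
        state = states.get((ref, vuln_id))
        if state in SUPPRESSING_STATES:
            suppressed.append((ref, vuln_id, state))
        else:
            open_findings.append((ref, vuln_id))
    return open_findings, suppressed


if __name__ == "__main__":
    still_open, closed = apply_vex(FINDINGS, VEX_JSON)
    print("open:", still_open)
    print("suppressed:", closed)
```

Because the suppression is keyed on the exact component ref and vulnerability id, a new version of the same library, or a new advisory against it, is not silently covered by an old VEX statement; that is the property an auditor will look for when reviewing how false positives were dismissed.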
