{"id":13510082,"url":"https://github.com/DependencyTrack/dependency-track","last_synced_at":"2025-03-30T15:30:37.879Z","repository":{"id":37397045,"uuid":"11457947","full_name":"DependencyTrack/dependency-track","owner":"DependencyTrack","description":"Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.","archived":false,"fork":false,"pushed_at":"2025-03-27T08:22:30.000Z","size":105407,"stargazers_count":2944,"open_issues_count":843,"forks_count":607,"subscribers_count":72,"default_branch":"master","last_synced_at":"2025-03-27T08:22:34.345Z","etag":null,"topics":["appsec","bill-of-materials","bom","component-analysis","cyclonedx","devsecops","hacktoberfest","nvd","ossindex","owasp","package-url","purl","sbom","sca","security","security-automation","software-composition-analysis","software-security","vulnerabilities","vulnerability-detection"],"latest_commit_sha":null,"homepage":"https://dependencytrack.org/","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DependencyTrack.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.txt","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2013-07-16T19:16:43.000Z","updated_at":"2025-03-26T14:27:56.000Z","dependencies_parsed_at":"2023-02-19T06:31:41.667Z","dependency_job_id":"53b84c20-ba5f-4794-9901-8689ca9063eb","html_url":"https://github.com/DependencyTrack/dependency-track","commit_stats":{"total_commits":4244,"total_committers":160,"mean_commits":26.525,"dds":0.5252120640904807,"last_synced
_commit":"72e582c07a5eb15bb1f5f0da6921ccc85483f3f8"},"previous_names":["stevespringett/dependency-track"],"tags_count":74,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DependencyTrack%2Fdependency-track","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DependencyTrack%2Fdependency-track/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DependencyTrack%2Fdependency-track/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DependencyTrack%2Fdependency-track/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/DependencyTrack","download_url":"https://codeload.github.com/DependencyTrack/dependency-track/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246338643,"owners_count":20761413,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["appsec","bill-of-materials","bom","component-analysis","cyclonedx","devsecops","hacktoberfest","nvd","ossindex","owasp","package-url","purl","sbom","sca","security","security-automation","software-composition-analysis","software-security","vulnerabilities","vulnerability-detection"],"created_at":"2024-08-01T02:01:23.458Z","updated_at":"2025-03-30T15:30:37.872Z","avatar_url":"https://github.com/DependencyTrack.png","language":"Java","readme":"[![Build 
Status](https://github.com/DependencyTrack/dependency-track/actions/workflows/ci-build.yaml/badge.svg)](https://github.com/DependencyTrack/dependency-track/actions?workflow=CI+Build)\n[![Codacy Badge](https://app.codacy.com/project/badge/Grade/b2ecd06dab57438a9a55bc4a71c5a8ce)](https://www.codacy.com/gh/DependencyTrack/dependency-track/dashboard?utm_source=github.com\u0026amp;utm_medium=referral\u0026amp;utm_content=DependencyTrack/dependency-track\u0026amp;utm_campaign=Badge_Grade)\n[![Alpine](https://img.shields.io/badge/built%20on-Alpine-blue.svg)](https://github.com/stevespringett/Alpine)\n[![License][license-image]][Apache License 2.0]\n[![OWASP Flagship](https://img.shields.io/badge/owasp-flagship%20project-orange.svg)](https://www.owasp.org/index.php/OWASP_Dependency_Track_Project)\n[![Website](https://img.shields.io/badge/https://-dependencytrack.org-blue.svg)](https://dependencytrack.org/)\n[![Documentation](https://img.shields.io/badge/read-documentation-blue.svg)](https://docs.dependencytrack.org/)\n[![Slack](https://img.shields.io/badge/chat%20on-slack-46BC99.svg)](https://dependencytrack.org/slack)\n[![Group Discussion](https://img.shields.io/badge/discussion-groups.io-blue.svg)](https://dependencytrack.org/discussion)\n[![YouTube Subscribe](https://img.shields.io/badge/youtube-subscribe-%23c4302b.svg)](https://dependencytrack.org/youtube)\n[![Twitter](https://img.shields.io/twitter/follow/dependencytrack.svg?label=Follow\u0026style=social)](https://twitter.com/dependencytrack)\n[![Downloads](https://img.shields.io/github/downloads/DependencyTrack/dependency-track/total.svg)](https://github.com/DependencyTrack/dependency-track/releases)\n[![Latest](https://img.shields.io/github/release/DependencyTrack/dependency-track.svg)](https://github.com/DependencyTrack/dependency-track/releases)\n[![Pulls - API 
Server](https://img.shields.io/docker/pulls/dependencytrack/apiserver.svg?label=Docker%20Pulls%20%28API%20Server%29)](https://hub.docker.com/r/dependencytrack/apiserver/)\n[![Pulls - Frontend](https://img.shields.io/docker/pulls/dependencytrack/frontend.svg?label=Docker%20Pulls%20%28Frontend%29)](https://hub.docker.com/r/dependencytrack/frontend/)\n[![Pulls - Bundled](https://img.shields.io/docker/pulls/dependencytrack/bundled.svg?label=Docker%20Pulls%20%28Bundled%29)](https://hub.docker.com/r/dependencytrack/bundled/)\n[![Pulls - Legacy](https://img.shields.io/docker/pulls/owasp/dependency-track.svg?label=Docker%20Pulls%20%28OWASP%20Legacy%29)](https://hub.docker.com/r/owasp/dependency-track/)\n\n![logo preview](https://raw.githubusercontent.com/DependencyTrack/branding/master/dt-logo.svg?sanitize=true)\n\n\nDependency-Track is an intelligent [Component Analysis] platform that allows organizations to\nidentify and reduce risk in the software supply chain. Dependency-Track takes a unique\nand highly beneficial approach by leveraging the capabilities of [Software Bill of Materials] (SBOM). This approach\nprovides capabilities that traditional Software Composition Analysis (SCA) solutions cannot achieve.\n\nDependency-Track monitors component usage across all versions of every application in its portfolio in order to\nproactively identify risk across an organization. 
The platform has an API-first design and is ideal for use in\nCI/CD environments.\n\n## Ecosystem Overview\n![alt text](./docs/images/integrations.png)\n\n## Features\n* Consumes and produces [CycloneDX] Software Bill of Materials (SBOM)\n* Consumes and produces [CycloneDX Vulnerability Exploitability Exchange (VEX)](https://cyclonedx.org/capabilities/vex/)\n* Component support for:\n  * Applications\n  * Libraries\n  * Frameworks\n  * Operating systems\n  * Containers\n  * Firmware\n  * Files\n  * Hardware\n  * Services\n* Tracks component usage across every application in an organization's portfolio\n* Quickly identify what is affected, and where\n* Identifies multiple forms of risk including\n  * Components with known vulnerabilities\n  * Out-of-date components\n  * Modified components\n  * License risk\n  * More coming soon...\n* Integrates with multiple sources of vulnerability intelligence including:\n  * [National Vulnerability Database] (NVD)\n  * [GitHub Advisories]\n  * [Sonatype OSS Index]\n  * [Snyk]\n  * [Trivy]\n  * [OSV]\n  * [VulnDB] from [Risk Based Security]\n  * More coming soon.\n* Helps to prioritize mitigation by incorporating support for the [Exploit Prediction Scoring System (EPSS)](https://www.first.org/epss/)\n* Maintain a private vulnerability database of vulnerable components\n* Robust policy engine with support for global and per-project policies\n  * Security risk and compliance\n  * License risk and compliance\n  * Operational risk and compliance\n* Ecosystem agnostic with built-in repository support for:\n  * Cargo (Rust)\n  * Composer (PHP)\n  * Gems (Ruby)\n  * Hex (Erlang/Elixir)\n  * Maven (Java)\n  * NPM (JavaScript)\n  * CPAN (Perl)\n  * NuGet (.NET)\n  * PyPI (Python)\n  * More coming soon.\n* Identifies APIs and external service components including:\n  * Service provider\n  * Endpoint URIs\n  * Data classification\n  * Directional flow of data\n  * Trust boundary traversal\n  * Authentication requirements\n* Includes a 
comprehensive auditing workflow for triaging results\n* Configurable notifications supporting Slack, Microsoft Teams, Mattermost, Webhooks, Webex, Email and Jira\n* Supports standardized SPDX license IDs and tracks license use by component\n* Easy-to-read metrics for components, projects, and portfolio\n* Native support for Kenna Security, Fortify SSC, ThreadFix, and DefectDojo\n* API-first design facilitates easy integration with other systems\n* API documentation available in OpenAPI format\n* OAuth 2.0 + OpenID Connect (OIDC) support for single sign-on (authN/authZ)\n* Supports internally managed users, Active Directory/LDAP, and API Keys\n* Simple to install and configure. Get up and running in just a few minutes\n\n\n\u003chr\u003e\n\n![alt text](./docs/images/screenshots/dashboard.png)\n\n### Quickstart (Docker Compose)\n\n```bash\n# Downloads the latest Docker Compose file\ncurl -LO https://dependencytrack.org/docker-compose.yml\n\n# Starts the stack using Docker Compose\ndocker-compose up -d\n```\n\n### Quickstart (Docker Swarm)\n\n```bash\n# Downloads the latest Docker Compose file\ncurl -LO https://dependencytrack.org/docker-compose.yml\n\n# Initializes Docker Swarm (if not previously initialized)\ndocker swarm init\n\n# Starts the stack using Docker Swarm\ndocker stack deploy -c docker-compose.yml dtrack\n```\n\n### Quickstart (Manual Execution)\n\n```bash\n# Pull the image from the Docker Hub OWASP repo\ndocker pull dependencytrack/bundled\n\n# Creates a dedicated volume where data can be stored outside the container\ndocker volume create --name dependency-track\n\n# Run the bundled container with 8GB RAM on port 8080\ndocker run -d -m 8192m -p 8080:8080 --name dependency-track -v dependency-track:/data dependencytrack/bundled\n```\n\n**NOTICE: Always use official binary releases in production.**\n\n## Distributions\n\nDependency-Track has three distribution variants. 
They are:\n\n| Package    | Package Format          | Recommended | Supported | Docker | Download |\n|:-----------|:------------------------|:-----------:|:---------:|:------:|:--------:|\n| API Server | Executable WAR          |      ✅      |     ✅     |   ✅    |    ✅     |\n| Frontend   | Single Page Application |      ✅      |     ✅     |   ✅    |    ✅     |\n| Bundled    | Executable WAR          |      ❌      |    ☑️     |   ✅    |    ✅     |\n\n#### API Server\n\nThe API Server contains an embedded Jetty server and all server-side functionality, but excludes the frontend user\ninterface. This variant is new as of Dependency-Track v4.0.\n\n#### Frontend\n\nThe [Frontend](https://github.com/DependencyTrack/frontend) is the user interface that is accessible in a web browser. The Frontend is a Single Page Application (SPA)\nthat can be deployed independently of the Dependency-Track API Server. This variant is new as of Dependency-Track v3.8.\n\n#### Bundled\n\nThe Bundled variant combines the API Server and the Frontend user interface. This variant was previously referred to as\nthe executable war and was the preferred distribution from Dependency-Track v3.0 - v3.8. This variant is supported but\ndeprecated and will be discontinued in a future release.\n\n#### Traditional\n\nThe Traditional variant combines the API Server and the Frontend user interface and must be deployed to a Servlet\ncontainer. This variant is not supported, deprecated, and will be discontinued in a future release.\n\n## Deploying on Kubernetes with Helm\n\nRefer to https://github.com/DependencyTrack/helm-charts.\n\n## Contributing\n\nInterested in contributing to Dependency-Track? 
Please check [`CONTRIBUTING.md`](./CONTRIBUTING.md) to see how you can help!\n\n## Resources\n\n* Website: \u003chttps://dependencytrack.org/\u003e\n* Documentation: \u003chttps://docs.dependencytrack.org/\u003e\n* Component Analysis: \u003chttps://owasp.org/www-community/Component_Analysis\u003e\n\n## Community\n\n* Twitter: \u003chttps://dependencytrack.org/twitter\u003e\n* YouTube: \u003chttps://dependencytrack.org/youtube\u003e\n* Slack: \u003chttps://dependencytrack.org/slack\u003e (Invite:  \u003chttps://dependencytrack.org/slack/invite\u003e)\n* Discussion (Groups.io): \u003chttps://dependencytrack.org/discussion\u003e\n\n## Copyright \u0026 License\nDependency-Track is Copyright (c) OWASP Foundation. All Rights Reserved.\n\nPermission to modify and redistribute is granted under the terms of the\n[Apache License 2.0].\n\nDependency-Track makes use of several other open source libraries. Please see\nthe [notices] file for more information.\n\n  [National Vulnerability Database]: https://nvd.nist.gov\n  [GitHub Advisories]: https://www.github.com/advisories\n  [Sonatype OSS Index]: https://ossindex.sonatype.org\n  [Snyk]: https://snyk.io\n  [Trivy]: https://www.aquasec.com/products/trivy/\n  [OSV]: https://osv.dev\n  [VulnDB]: https://vulndb.cyberriskanalytics.com\n  [Risk Based Security]: https://www.riskbasedsecurity.com\n  [Component Analysis]: https://owasp.org/www-community/Component_Analysis\n  [Software Bill of Materials]: https://owasp.org/www-community/Component_Analysis#software-bill-of-materials-sbom\n  [CycloneDX]: https://cyclonedx.org\n  [license-image]: https://img.shields.io/badge/license-apache%20v2-brightgreen.svg\n  [Apache License 2.0]: https://github.com/DependencyTrack/dependency-track/blob/master/LICENSE.txt\n  [notices]: https://github.com/DependencyTrack/dependency-track/blob/master/NOTICES.txt\n  [Alpine]: https://github.com/stevespringett/Alpine\n","funding_links":[],"categories":["Java","OSS and Dependency management","Dependency 
intelligence","Licensing","Java (504)","Software Composition Analysis","Application Security","security","Software Composition Analysis (SCA)"],"sub_categories":["SCA and SBOM","SCA"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FDependencyTrack%2Fdependency-track","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FDependencyTrack%2Fdependency-track","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FDependencyTrack%2Fdependency-track/lists"}