OWASP Dependency-Track

OWASP Dependency-Track is an intelligent Software Composition Analysis (SCA) platform that allows...

OWASP Dependency-Track Reviews and details

Social recommendations and mentions

We have tracked the following product recommendations or mentions on various public social media platforms and blogs. They can help you see what people think about OWASP Dependency-Track and what they use it for.
  • Show HN: Pre-alpha tool for analyzing spdx SBOMs generated by GitHub
    I've become interested in SBOM recently, and found there were great tools like https://dependencytrack.org/ for CycloneDX SBOMs, but all I have is SPDX SBOMs generated by GitHub. I decided to have a go at writing my own dependency track esque tool aiming to integrate with the APIs GitHub provides. It's pretty limited in functionality so far, but can give a high level summary of the types of licenses your... - Source: Hacker News / 5 days ago
  • SQL Injection Isn't Dead Yet
    To detect these types of vulnerabilities, we should first and foremost know our dependencies and versions, and which of them have vulnerabilities. The OWASP Top 10 2021 identifies this need as A06:2021-Vulnerable and Outdated Components. OWASP has several tools for this, including Dependency Check and Dependency Track. These tools will warn about the use of components with vulnerabilities. - Source: dev.to / 15 days ago
  • Krita fund has 0 corporate support
    https://dependencytrack.org/ You just need to use one of the various tools out there to scan. - Source: Hacker News / 7 months ago
  • Friends - needs help choosing solution for SBOM vulnerability
    OWASP Dependency Track - https://dependencytrack.org/. Source: 11 months ago
  • software inventory of my ECS tasks
    I actually want to build the same thing you are after, and I think I’ll go for the setup you describe in idea 2. The tool you can use for this is Trivy (https://trivy.dev), have it generate a SBOM and send it to Dependencytrack (https://dependencytrack.org). Source: over 1 year ago
  • The ultimate guide to Java Security Vulnerabilities (CVE)
    If you like Dependency-Track, consider moving to Dependency-Track ( https://dependencytrack.org ), which makes administration much easier. Source: over 1 year ago
  • The SBOM Frenzy Is Premature
    I don't quite understand the deployment issue. I mean, I understand people might not be tracking what's deployed, but I don't understand what is missing for it to be happening today, other than will. For example: I build some software into a Docker image, version tag it, sign it, and generate an SBOM for it. That image goes into production with signature validation. Even if I've included 100 jar files in there, I... - Source: Hacker News / over 1 year ago
  • CycloneDX SBom (Software Bill of material) Maven Demo
    CycloneDX SBOM file can be used for project vulnerability analysis using the OWASP Dependency Track (https://dependencytrack.org/) application. - Source: dev.to / over 1 year ago
  • 8 top SBOM tools to consider
    It's missing DependencyTrack which has been adopted by OWASP. Source: almost 2 years ago
  • Ask HN: Open-source SBOM generation tools?
    We use this - https://dependencytrack.org/. - Source: Hacker News / almost 2 years ago
  • Microsoft open sources Salus software bill of materials (SBOM) generation tool
    I'm confused. When would I need "https://dependencytrack.org/"? Is it when I've completely lost my marbles and can no longer answer the questions "what does your app run on" and "what are your app's dependencies"? Is the idea that I would then download and install this "dependency tracker", hoping it would give me a list of things I depend on, so that I could inform the end user? What's the use case? - Source: Hacker News / almost 2 years ago
  • Microsoft open sources Salus software bill of materials (SBOM) generation tool
    There is an open source UI for querying based on SBOM called DependencyTrack (https://dependencytrack.org/). Commercial offerings exist from vendors like TideLift (https://tidelift.com/). - Source: Hacker News / almost 2 years ago
  • Security in CICD / DevSecOps
    From OWASP, for that class of tools you could look into DependencyCheck and DependencyTrack. Source: about 2 years ago
  • Hi, Any thumb rules or selection criteria to determine appropriate security tools for the DevSecOps pipeline without getting bogged down with so many tools. Please advice. Thanks.
    Dependency Track (SCA) That is if your VCS doesn't already have something baked in. Source: over 2 years ago
  • OWASP CycloneDX – The Open Source SBOM Format
    Submitting it due to the latest Log4J vuln. It should go hand in hand with OWASP DepTrack (https://dependencytrack.org/); combined, they provide pretty much the best SCA experience there is. OWASP DepTrack has an excellent UI and is enterprise ready with OIDC/SSO support to boot. This is by far the best OWASP project so far, and I dare say the best FOSS security project I've seen, rivaling and beating pretty much every... - Source: Hacker News / over 2 years ago
  • Updating projects
    We do it monthly, and use Dependency Track to not miss out on crucial updates. Source: over 2 years ago
  • Black Duck security pricing
    Dependency Track is a platform that ingests SBOMs (CycloneDX, SPDX formats) and produces component analysis reports for your projects. CycloneDX has support for a wide range of package managers and is able to pull a full list of project dependencies and licenses out of your project. Source: almost 3 years ago
  • CVE Alerting Platform
    There is also https://dependencytrack.org/ which allows you to gather your software dependencies and notifies you when new vulnerabilities are found for them. - Source: Hacker News / about 3 years ago
  • Secure coding for Clojure/Script
    I am particularly interested in scanning vulnerabilities in third party libraries, both in Clojure & ClojureScript — e.g., tools such as the OWASP Dependency Track and Snyk, which have integrations with Maven and NPM. Given the hosted approach of Clojure/Script, I would assume that it is possible to somehow take this route, but before diving too deep into it, I was hoping some of you might share their approach. Source: about 3 years ago

This is an informative page about OWASP Dependency-Track. You can review and discuss the product here. The primary details have not been verified within the last quarter, and they might be outdated. If you think we are missing something, please use the means on this page to comment or suggest changes. All reviews and comments are highly encouraged and appreciated, as they help everyone in the community make an informed choice. Please always be kind and objective when evaluating a product and sharing your opinion.