
Dependency-Track

    Dependency-Track is an open source SBOM management and vulnerability analysis platform maintained by OWASP. It ingests SBOMs (CycloneDX, SPDX), continuously re-evaluates every listed component against vulnerability intelligence as new advisories arrive, and automatically evaluates policy violations (vulnerability severity, license, component rules).

    Features

    • SBOM-based continuous monitoring: Automatically tracks the latest vulnerabilities per component after uploading SBOMs in SPDX or CycloneDX format
    • Multiple vulnerability data sources: NVD, OSV, GitHub Advisories, VulnDB, and more
    • Policy engine: Define rules for license policies, vulnerability severity thresholds, and component allowlists for automatic evaluation
    • REST API: Integrate with CI/CD pipelines to automatically upload SBOMs and receive feedback at build time
    • Web UI dashboard: View per-project risk scores, vulnerability status, and license distribution at a glance
    • Notifications: Send new vulnerability alerts via Slack, email, Webhook, and other channels

    Installation

    Using Docker Compose is the simplest approach:

    # Download official Docker Compose file
    curl -LO https://dependencytrack.org/docker-compose.yml
    
    # Start services
    docker compose up -d
    

    By default the API server listens on port 8081 and the frontend on port 8080. The default credentials are admin / admin; the first login forces a password change. Give the API server enough memory: the official system requirements list 4.5 GB RAM as the minimum, and the initial NVD mirror is noticeably heavier than steady-state operation.

    Administration -> Vulnerability Sources

    Avoid enabling every source on day one. Start with a minimal set to reduce duplicate findings and alert noise.

    Source              Recommended setting           Why
    NVD                 Enabled + API mirroring ON    Primary CVE database with CVSS scoring
    GitHub Advisories   Enabled + PAT configured      Strong package-ecosystem coverage that complements NVD
    Google OSV          Initially disabled            Often overlaps with NVD/GitHub and can increase duplicates
    OSS Index           Initially disabled            Works best with an account (rate limits) and overlaps with NVD
    VulnDB              Disabled                      Commercial datasource

    OSS Index and VulnDB are configured under Administration -> Analyzers rather than under Vulnerability Sources, but the same advice applies: add them later, once the baseline is quiet.

    NVD (required): use API mirroring

    If Enable mirroring via API is OFF, Dependency-Track falls back to the legacy NVD data-feed download instead of the NVD 2.0 REST API. NIST has retired the old 1.1 JSON feeds, so in current environments API mirroring is the reliable setting.

    • Enable NVD mirroring: ON
    • Enable mirroring via API: ON
    • API endpoint: https://services.nvd.nist.gov/rest/json/cves/2.0 (keep default)
    • API key: set your NVD API key. A key is free and raises the NVD rate limit from 5 to 50 requests per 30 seconds; without one the initial mirror takes far longer and is more likely to hit throttling.
    • Additionally download feeds: OFF for normal operation

    If Last Modification is empty right after applying settings, initial synchronization may still be running.

    GitHub Advisories: requires PAT

    GitHub Advisory mirroring uses GitHub's GraphQL API, which only accepts authenticated requests. Without a Personal Access Token (PAT) the mirror task fails, and it will keep failing after every restart until one is configured.

    • Enable GitHub Advisory mirroring: ON
    • Enable vulnerability alias synchronization: ON
    • Personal Access Token: use a classic token (ghp_...)

    Note: a fine-grained PAT (github_pat_...) may fail in some environments, so a classic token is the safer choice for Dependency-Track. The advisory database is public, so the token needs no scopes; create it with none, but still store it as a secret, since it identifies your GitHub account.

    Google OSV: ecosystem selection is mandatory

    OSV mirroring is active only when one or more ecosystems are selected.

    • Select ecosystem to enable Google OSV Advisory mirroring: ON
    • Enable vulnerability alias synchronization: ON
    • OSV Base URL: keep default
    • Example ecosystems: PyPI, npm, Maven, Go, Linux (add NuGet, RubyGems, crates.io only when needed)

    Operational check

    # Follow datasource mirroring progress
    docker compose logs -f dtrack-apiserver | grep -iE "nvd|github|osv|mirror"
    

    If needed, restart once after configuration changes:

    docker compose restart dtrack-apiserver
    

    Basic Usage

    (1) Create a Project and Upload SBOM via Web UI

    1. Navigate to http://localhost:8080
    2. Click Projects → Create Project
    3. Enter project name and version, then save
    4. Open the project → Components tab → Upload BOM
    5. Upload your SBOM file (.cdx.json or .spdx.json)

    After upload, Dependency-Track automatically starts vulnerability analysis.

    (2) Upload SBOM via API (CI/CD Integration)

    # API key: Administration > Access Management > Teams
    # (the team that owns the key needs the BOM_UPLOAD permission)
    API_KEY="your-api-key"
    PROJECT_UUID="your-project-uuid"
    
    # Multipart upload is a POST. Let curl set the multipart Content-Type itself:
    # a hand-written "Content-Type: multipart/form-data" header has no boundary
    # and breaks the request.
    curl -X POST \
      "http://localhost:8081/api/v1/bom" \
      -H "X-Api-Key: ${API_KEY}" \
      -F "project=${PROJECT_UUID}" \
      -F "bom=@sbom.cdx.json"
    
    # The response is {"token": "..."}. Analysis runs asynchronously; poll
    # GET /api/v1/bom/token/<token> until "processing" is false before
    # querying findings.
    
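    The curl call above only uploads. In a pipeline you also want to wait for analysis to finish and then fail the build on findings that nobody has triaged. The script below is an added example written for this page, not code from the Dependency-Track project. It assumes environment variables DT_URL, DT_API_KEY, DT_PROJECT_UUID and DT_FAIL_ON (names chosen here), takes the SBOM path as its first argument, and uses only documented Dependency-Track endpoints: PUT /api/v1/bom (JSON body with a base64-encoded BOM, the alternative to the multipart POST), GET /api/v1/bom/token/{token} and GET /api/v1/finding/project/{uuid}. The sample findings at the bottom are constructed placeholders, not real advisories, so the gate logic can be exercised offline.

```python
"""CI gate for Dependency-Track: upload SBOM, wait for analysis, fail on findings.
Added example for this page; endpoints are Dependency-Track's documented REST API,
environment variable names and thresholds are this script's own assumptions."""
import base64
import json
import os
import sys
import time
import urllib.request

# Dependency-Track severity labels, ranked so a threshold can be compared.
SEVERITY_RANK = {"UNASSIGNED": 0, "INFO": 1, "LOW": 2, "MEDIUM": 3, "HIGH": 4, "CRITICAL": 5}
# Analysis states that mean "reviewed by a human, not a problem here".
TRIAGED_AWAY = {"NOT_AFFECTED", "FALSE_POSITIVE"}


def build_submit_request(project_uuid, bom_bytes):
    """Body for PUT /api/v1/bom: the BOM travels base64-encoded inside JSON."""
    return {"project": project_uuid,
            "bom": base64.b64encode(bom_bytes).decode("ascii")}


def _call(method, url, api_key, body=None):
    req = urllib.request.Request(url, data=body, method=method)
    req.add_header("X-Api-Key", api_key)
    if body is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.loads(resp.read())


def upload_bom(base_url, api_key, project_uuid, bom_bytes):
    """Returns the processing token Dependency-Track hands back for the upload."""
    body = json.dumps(build_submit_request(project_uuid, bom_bytes)).encode()
    return _call("PUT", f"{base_url}/api/v1/bom", api_key, body)["token"]


def wait_for_processing(base_url, api_key, token, timeout_s=300, poll_s=5):
    """Analysis is asynchronous: poll the token until "processing" is false."""
    deadline = time.monotonic() + timeout_s
    while time.monotonic() < deadline:
        status = _call("GET", f"{base_url}/api/v1/bom/token/{token}", api_key)
        if not status.get("processing", False):
            return True
        time.sleep(poll_s)
    return False


def fetch_findings(base_url, api_key, project_uuid):
    return _call("GET", f"{base_url}/api/v1/finding/project/{project_uuid}", api_key)


def violations(findings, min_severity="HIGH"):
    """Findings at or above min_severity that are neither suppressed nor triaged
    away, so decisions recorded in the UI are honoured by the pipeline."""
    threshold = SEVERITY_RANK[min_severity.upper()]
    out = []
    for f in findings:
        analysis = f.get("analysis") or {}
        if analysis.get("isSuppressed") or analysis.get("state") in TRIAGED_AWAY:
            continue
        severity = (f.get("vulnerability") or {}).get("severity", "UNASSIGNED")
        if SEVERITY_RANK.get(severity, 0) >= threshold:
            out.append(f)
    return out


def describe(finding):
    c, v = finding["component"], finding["vulnerability"]
    return f'{v["severity"]:<9} {v["vulnId"]:<24} {c["name"]}@{c.get("version", "?")}'


# Constructed sample findings (placeholder IDs, not real advisories).
SAMPLE_FINDINGS = [
    {"component": {"name": "libexample", "version": "1.0.0"},
     "vulnerability": {"vulnId": "EXAMPLE-0001", "source": "INTERNAL", "severity": "CRITICAL"},
     "analysis": {"isSuppressed": False, "state": "NOT_SET"}},
    {"component": {"name": "libexample", "version": "1.0.0"},
     "vulnerability": {"vulnId": "EXAMPLE-0002", "source": "INTERNAL", "severity": "HIGH"},
     "analysis": {"isSuppressed": True, "state": "NOT_AFFECTED"}},
    {"component": {"name": "othertool", "version": "2.3.1"},
     "vulnerability": {"vulnId": "EXAMPLE-0003", "source": "INTERNAL", "severity": "MEDIUM"},
     "analysis": {"isSuppressed": False, "state": "NOT_SET"}},
]


def main():
    base = os.environ["DT_URL"].rstrip("/")  # e.g. http://localhost:8081 (API server)
    key = os.environ["DT_API_KEY"]
    project = os.environ["DT_PROJECT_UUID"]
    bom_path = sys.argv[1] if len(sys.argv) > 1 else "sbom.cdx.json"
    with open(bom_path, "rb") as fh:
        token = upload_bom(base, key, project, fh.read())
    if not wait_for_processing(base, key, token):
        sys.exit("timed out waiting for Dependency-Track to process the BOM")
    bad = violations(fetch_findings(base, key, project), os.environ.get("DT_FAIL_ON", "HIGH"))
    for f in bad:
        print(describe(f))
    sys.exit(1 if bad else 0)


if __name__ == "__main__":
    main()
```

    Two design points: the gate skips suppressed and NOT_AFFECTED/FALSE_POSITIVE findings so that a triage decision made once in the UI is not re-litigated on every build, and it waits for the processing token rather than querying findings immediately, because findings fetched before analysis completes reflect the previous upload, not this one.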

    (3) GitHub Actions Integration Example

    - name: Upload SBOM to Dependency-Track
      uses: DependencyTrack/gh-upload-sbom@v3
      with:
        serverhostname: dependency-track.example.com   # host only; protocol and port default to https/443
        apikey: ${{ secrets.DT_API_KEY }}              # team API key with the BOM_UPLOAD permission
        project: ${{ secrets.DT_PROJECT_UUID }}        # target project UUID (or use projectname/projectversion with autocreate)
        bomfilename: sbom.cdx.json                     # produced earlier in the job, e.g. by cdxgen or Syft
    

    Using with cdxgen / Syft

    Dependency-Track is most effective when used with SBOM generation tools like cdxgen and Syft:

    cdxgen or Syft  →  Generate SBOM  →  Upload to Dependency-Track  →  Continuous monitoring
    
    • SBOM generation: Use cdxgen or Syft to generate a CycloneDX SBOM at build time, from the same artifact (container image, package, lockfile) that you ship, so the inventory Dependency-Track monitors matches what actually runs
    • Centralized management: Upload every build's SBOM to Dependency-Track so vulnerability status, license distribution, and policy violations are tracked across all projects in one place, and re-evaluated as new advisories arrive without rebuilding
