
OWASP Dependency Tracker

What is OWASP Dependency Track?

Dependency Track is an open-source software composition analysis (SCA) tool maintained as an OWASP project. It examines source code repositories for known-vulnerable third-party libraries and containers.

Dependency Track examines source code through a tool called ORT (https://oss-review-toolkit.org/) to produce an SBOM (https://owasp.org/www-community/Component_Analysis#Software_Bill-of-Materials_.28SBOM.29). This SBOM is then run through an analysis engine that flags any known security vulnerabilities in the identified third-party components.
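As an added illustration of that second step (matching SBOM components against a vulnerability feed), here is a small, self-contained script; it is not Uleska or Dependency Track code, and it uses a constructed CycloneDX-style SBOM and a constructed advisory list in place of real ORT output and the real vulnerability database.

```python
"""Minimal SBOM-to-findings matching, the step Dependency Track performs after ORT
has produced an SBOM. Every package name, version and advisory id below is constructed."""
import json

# Constructed CycloneDX-style SBOM, as ORT might emit for a small project.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"name": "acme-parser", "version": "1.4.2", "purl": "pkg:maven/com.example/acme-parser@1.4.2"},
    {"name": "example-widget", "version": "3.2.0", "purl": "pkg:npm/example-widget@3.2.0"},
    {"name": "example-util", "version": "0.9", "purl": "pkg:pypi/example-util@0.9"}
  ]
}"""

# Constructed advisory feed: package (purl without version) ->
# [(advisory id, first affected version inclusive, fixed version exclusive), ...]
ADVISORIES = {
    "pkg:maven/com.example/acme-parser": [("ADV-EXAMPLE-1", "1.0", "1.5.0")],
    "pkg:npm/example-widget": [("ADV-EXAMPLE-2", "3.0.0", "3.2.0")],  # 3.2.0 is the fix
}

def split_purl(purl):
    """Split 'pkg:type/ns/name@version' into (package key, version)."""
    base, sep, version = purl.rpartition("@")
    return (base, version) if sep else (purl, "")

def version_key(v):
    """Compare dotted numeric versions; non-numeric parts count as 0 (a simplification)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def is_affected(version, lo, hi):
    """Affected when lo <= version < hi, where hi is the version that shipped the fix."""
    return version_key(lo) <= version_key(version) < version_key(hi)

def flag_vulnerable(sbom_json, advisories):
    """Return [(purl, advisory id), ...] for each SBOM component that matches an advisory."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # without a purl the component cannot be matched reliably
        base, version = split_purl(purl)
        for adv_id, lo, hi in advisories.get(base, []):
            if is_affected(version, lo, hi):
                findings.append((purl, adv_id))
    return findings

if __name__ == "__main__":
    for purl, adv in flag_vulnerable(SBOM_JSON, ADVISORIES):
        print(f"{adv}: {purl}")
```

Only acme-parser is flagged: example-widget sits exactly on its fixed version, and example-util has no advisory.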

Security Stage: SCA (Software Composition Analysis)
Type: Open Source
Site: https://dependencytrack.org/

Pre-requisite

  • You'll need the Git URL of the repository to scan.

How do I set it up?

Adding Dependency Track to your set of security tests involves adding this testing tool to a version (security stage) that is set up to run static code analysis tests.

  • Click on the application you wish to add the tool for, and edit the version (stage) configuration.

(screenshot: EditStage-1)

  • Ensure that the version's 'Uri' is set to the Git URL of the repo being tested (either through the Uleska UI, or via the CLI/API). This URL includes the branch and authentication details needed to fetch the repo.

(screenshot: SASTSetup)

  • Go to the 'Test Tools' tab and click 'Add Tool' for the 'OWASP Tracker' tool.

(screenshot: deptrackSetup)

  • Click Save.

Now, any time you click 'Test Now' for that application stage, or request that stage over the Uleska API or CLI, the OWASP Dependency Track tool will be included in the test run and its results added to your vulnerabilities list.

Notes

None