What is OWASP Dependency Track?
Dependency Track is an open-source software composition analysis (SCA) tool and an OWASP project. It examines source code repositories for vulnerable third-party libraries and containers.
Dependency Track analyses source code through a tool called ORT (https://oss-review-toolkit.org/) to produce an SBOM (https://owasp.org/www-community/Component_Analysis#Software_Bill-of-Materials_.28SBOM.29). This SBOM is then run through an analysis engine that flags any known security vulnerabilities in the identified third-party components.
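As an added illustration of the analysis step described above (this is example code written for this page, not Dependency Track's own engine), the snippet below reads a constructed CycloneDX-style SBOM, splits each component's package URL into a base and a version, and reports every component whose version is older than the fix version in a constructed advisory list; the advisory identifiers and package names are placeholders.

```python
# Added illustration of SBOM-driven component analysis: match each
# component's package URL (purl) against a list of advisories.
# The SBOM and advisories below are constructed sample data, not real records.
import json
import re

SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-lib", "version": "1.2.3",
         "purl": "pkg:maven/com.example/example-lib@1.2.3"},
        {"type": "library", "name": "other-lib", "version": "4.0.0",
         "purl": "pkg:npm/other-lib@4.0.0"},
    ],
})

# Constructed advisory list keyed by purl without the version part:
# a component is affected when its version is lower than "fixed_in".
SAMPLE_ADVISORIES = {
    "pkg:maven/com.example/example-lib": {"id": "EXAMPLE-ADV-0001", "fixed_in": "1.3.0"},
    "pkg:npm/other-lib": {"id": "EXAMPLE-ADV-0002", "fixed_in": "3.9.0"},
}

def version_key(version):
    """Turn '1.2.3' into (1, 2, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def split_purl(purl):
    """Split 'pkg:type/namespace/name@version' into (base, version)."""
    base, _, version = purl.partition("@")
    return base, version

def analyse_sbom(sbom_json, advisories):
    """Return [(component purl, advisory id)] for every affected component."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        base, version = split_purl(comp["purl"])
        adv = advisories.get(base)
        if adv and version_key(version) < version_key(adv["fixed_in"]):
            findings.append((comp["purl"], adv["id"]))
    return findings

if __name__ == "__main__":
    for purl, adv_id in analyse_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{purl}: affected by {adv_id}")
```

Only example-lib 1.2.3 is reported, because other-lib 4.0.0 already carries the fix; a string comparison would have mis-ordered versions such as 1.10.0 and 1.9.0, which is why versions are compared as integer tuples.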
| Security Stage | SCA (Software Composition Analysis) |
| 1 | You'll need a Git address to scan |
How do I set it up?
Adding Dependency Track to your set of security tests involves adding this testing tool to a version (security stage) that is set up to run static code analysis tests.
After that, any time you click 'Test Now' for that application stage of testing, or make a request over the Uleska API or CLI for that stage, the OWASP Dependency Track tool will be included in the test run and any results will be added to your vulnerabilities list.