Dependency Track
Definition
Dependency Track is an open-source platform designed to help organizations identify and reduce risk in the software supply chain. It continuously monitors and analyzes software dependencies, providing visibility into vulnerabilities, license compliance, and operational risk. By integrating with various development and CI/CD tools, Dependency Track enables teams to make informed decisions about the components they use in their software projects.
Secure Settings Example
# Dependency Track configuration for secure deployment
api:
  authentication:
    enabled: true
    jwtSecret: "a-very-secure-secret-key" # Placeholder: supply a long random value from a secret store, never a literal checked into config
    expiration: 3600 # Token expiration in seconds
database:
  type: "postgresql"
  url: "jdbc:postgresql://localhost:5432/dependencytrack"
  username: "secure_user"
  password: "secure_password" # Placeholder: inject from a secret store or environment at deploy time
logging:
  level: "INFO"
  file: "/var/log/dependency-track/application.log"
vulnerability:
  source:
    nvd:
      enabled: true
      mirrorUrl: "https://nvd.nist.gov/"
Insecure Settings Example
# Dependency Track configuration with insecure settings
api:
  authentication:
    enabled: false # Disabling authentication exposes the API to unauthorized access
database:
  type: "h2"
  url: "jdbc:h2:mem:dependencytrack" # Using an in-memory database for production
logging:
  level: "DEBUG" # Excessive logging can expose sensitive information
  file: "/tmp/dependency-track.log"
vulnerability:
  source:
    nvd:
      enabled: false # Disabling NVD source limits vulnerability detection
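An added example, not part of this page or of the Dependency-Track project, that parses the simple YAML subset used in the two examples above and reports each insecure setting the second example illustrates. It assumes the page's illustrative key layout (api/database/logging/vulnerability) rather than Dependency-Track's real property names, and it also treats the literal secret and password in the secure example as placeholders that a deployment must replace.

```python
# Audit a Dependency-Track-style config for the insecure settings listed on this
# page. Key names follow the page's illustrative schema (an assumption here).
from typing import Any

def parse_simple_yaml(text: str) -> dict[str, Any]:
    """Parse the indented 'key: value' mapping subset used on this page (no lists)."""
    root: dict[str, Any] = {}
    stack: list[tuple[int, dict[str, Any]]] = [(-1, root)]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments ('#' inside values unsupported)
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip().strip('"')
        while stack[-1][0] >= indent:             # climb back to the enclosing mapping
            stack.pop()
        parent = stack[-1][1]
        if value == "":                           # a nested mapping follows
            parent[key] = child = {}
            stack.append((indent, child))
        else:
            parent[key] = {"true": True, "false": False}.get(value, value)
    return root

def lookup(cfg: dict[str, Any], path: str) -> Any:
    node: Any = cfg                               # follow a dotted path; None if absent
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

PLACEHOLDERS = {"a-very-secure-secret-key", "secure_password", "changeme", "password"}
RULES = [  # (dotted path, predicate on the looked-up value, finding text)
    ("api.authentication.enabled", lambda v: v is not True, "API accepts unauthenticated calls"),
    ("api.authentication.jwtSecret", lambda v: v in PLACEHOLDERS, "placeholder secret, tokens can be forged"),
    ("database.password", lambda v: v in PLACEHOLDERS, "placeholder database password"),
    ("database.type", lambda v: v == "h2", "in-memory H2 database, findings lost on restart"),
    ("logging.level", lambda v: v == "DEBUG", "DEBUG logging may write tokens and credentials to disk"),
    ("vulnerability.source.nvd.enabled", lambda v: v is not True, "NVD feed disabled, CVEs go undetected"),
]

def audit(cfg: dict[str, Any]) -> list[str]:
    """One finding per triggered rule; an empty list means nothing insecure was found."""
    return [f"{path}: {msg}" for path, bad, msg in RULES if bad(lookup(cfg, path))]

# Constructed input: the page's insecure example, in the same key layout.
INSECURE = ("api:\n  authentication:\n    enabled: false\ndatabase:\n  type: \"h2\"\n"
            "logging:\n  level: \"DEBUG\"\nvulnerability:\n  source:\n    nvd:\n      enabled: false\n")
```

Running `audit(parse_simple_yaml(INSECURE))` yields four findings, one per commented line in the insecure example; the secure example yields two, both about its placeholder credentials.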