Identify and reduce risk in your software supply chain with Dependency-Track, an intelligent Component Analysis platform. Integrate with build pipelines and security tools for continuous monitoring.
Dependency-Track is an open-source (OWASP) Component Analysis platform that provides a comprehensive and continuous Software Bill of Materials (SBOM) capability. It consumes component inventories and vulnerability data from multiple sources and correlates them, so that organizations can see which projects use which components and which of those components carry known risk.
Modern applications are built largely from third-party and open-source components, which can introduce security vulnerabilities and licensing compliance issues. Without an inventory of which components each application uses, an organization cannot tell which applications are affected when a new vulnerability is published. Dependency-Track automates identifying, tracking, and reporting on these risks across all projects.
Automatically ingest and analyze Software Bill of Materials (SBOMs). CycloneDX is the native format; current releases consume CycloneDX only, so SPDX documents must be converted before upload.
Correlate components against multiple vulnerability intelligence feeds (NVD, OSV, GitHub Advisories, and others) and present the results in a centralized dashboard.
Define and enforce security, license, and operational policies across projects.
Provide a robust API for integration with CI/CD pipelines, security tools, and other systems.
Dependency-Track is invaluable for organizations focused on application security, open-source governance, and compliance. Key use cases include:
Analyze component risks and policy compliance as part of the continuous integration/continuous delivery pipeline, so a build can be failed before deployment when it introduces a vulnerable component.
Identify and address component vulnerabilities and policy violations early in the development lifecycle, when remediation is cheapest and before the build reaches production.
Aggregate component and vulnerability data across all projects and applications within an organization to gain a high-level overview of software supply chain risk.
Enable security teams and management to understand the overall risk posture, prioritize remediation efforts, and report on compliance.
Track open-source component licenses used in projects and enforce organizational licensing policies.
Ensure legal compliance and avoid potential legal issues related to open-source software usage.
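The REST API integration and the CI/CD gate described above, as an added example (this is not code from the Dependency-Track project): it uploads a CycloneDX SBOM with PUT /api/v1/bom, polls the returned token until analysis finishes, fetches the project's findings, and exits non-zero when any unsuppressed finding is at or above a chosen severity. The environment variable names DT_URL and DT_API_KEY, the project name "example-app", the SBOM content and the finding records are all constructed for this example; the API key's team is assumed to hold the BOM_UPLOAD, PROJECT_CREATION_UPLOAD and VIEW_VULNERABILITY permissions.

```python
"""CI gate against Dependency-Track's REST API, standard library only.

Added example, not Dependency-Track project code. DT_URL / DT_API_KEY are
hypothetical variable names chosen here; without them the gate runs on the
constructed sample findings below so the script works offline.
"""
import base64
import json
import os
import sys
import time
import urllib.parse
import urllib.request

# Dependency-Track severity labels, ranked so a threshold can be compared.
SEVERITY_RANK = {"UNASSIGNED": 0, "INFO": 1, "LOW": 2, "MEDIUM": 3, "HIGH": 4, "CRITICAL": 5}

# Constructed minimal CycloneDX SBOM with one placeholder component.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [{"type": "library", "name": "example-lib", "version": "1.0.0",
                    "purl": "pkg:maven/org.example/example-lib@1.0.0"}],
}

# Constructed findings in the shape of GET /api/v1/finding/project/{uuid};
# the vulnerability IDs are placeholders, not real advisories.
SAMPLE_FINDINGS = [
    {"component": {"purl": "pkg:maven/org.example/example-lib@1.0.0"},
     "vulnerability": {"vulnId": "CVE-0000-0001", "severity": "CRITICAL"},
     "analysis": {"state": "NOT_SET", "isSuppressed": False}},
    {"component": {"purl": "pkg:maven/org.example/example-lib@1.0.0"},
     "vulnerability": {"vulnId": "CVE-0000-0002", "severity": "HIGH"},
     "analysis": {"state": "FALSE_POSITIVE", "isSuppressed": True}},
    {"component": {"purl": "pkg:npm/example-util@2.1.0"},
     "vulnerability": {"vulnId": "CVE-0000-0003", "severity": "MEDIUM"},
     "analysis": {"state": "NOT_SET", "isSuppressed": False}},
]


def _request(base_url, api_key, method, path, body=None):
    """One authenticated JSON request; Dependency-Track authenticates via X-Api-Key."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method)
    req.add_header("X-Api-Key", api_key)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def upload_bom(base_url, api_key, name, version, bom):
    """PUT /api/v1/bom with the SBOM base64-encoded; returns the processing token."""
    payload = {"projectName": name, "projectVersion": version, "autoCreate": True,
               "bom": base64.b64encode(json.dumps(bom).encode()).decode()}
    return _request(base_url, api_key, "PUT", "/api/v1/bom", payload)["token"]


def wait_for_processing(base_url, api_key, token, timeout_s=300):
    """Poll GET /api/v1/bom/token/{token} until analysis is done; False on timeout."""
    deadline = time.monotonic() + timeout_s
    while time.monotonic() < deadline:
        if not _request(base_url, api_key, "GET", f"/api/v1/bom/token/{token}")["processing"]:
            return True
        time.sleep(5)
    return False


def fetch_findings(base_url, api_key, name, version):
    """Resolve the project UUID by name/version, then list its findings."""
    query = urllib.parse.urlencode({"name": name, "version": version})
    project = _request(base_url, api_key, "GET", f"/api/v1/project/lookup?{query}")
    return _request(base_url, api_key, "GET", f"/api/v1/finding/project/{project['uuid']}")


def blocking_findings(findings, min_severity="HIGH"):
    """Pure gate rule: unsuppressed findings at or above min_severity, as sorted tuples."""
    threshold = SEVERITY_RANK[min_severity.upper()]
    blocking = []
    for finding in findings:
        # The endpoint omits suppressed findings by default; the check keeps the rule explicit.
        if finding.get("analysis", {}).get("isSuppressed"):
            continue
        severity = finding["vulnerability"].get("severity", "UNASSIGNED").upper()
        if SEVERITY_RANK.get(severity, 0) >= threshold:
            component = finding["component"].get("purl") or finding["component"].get("name", "?")
            blocking.append((component, finding["vulnerability"]["vulnId"], severity))
    return sorted(blocking)


def main():
    base_url, api_key = os.environ.get("DT_URL"), os.environ.get("DT_API_KEY")
    if base_url and api_key:
        token = upload_bom(base_url, api_key, "example-app", "1.0.0", SAMPLE_BOM)
        if not wait_for_processing(base_url, api_key, token):
            sys.exit("timed out waiting for Dependency-Track to analyze the SBOM")
        findings = fetch_findings(base_url, api_key, "example-app", "1.0.0")
    else:
        findings = SAMPLE_FINDINGS  # offline: gate the constructed data instead
    failures = blocking_findings(findings, "HIGH")
    for component, vuln_id, severity in failures:
        print(f"BLOCK {severity:<8} {vuln_id} in {component}")
    sys.exit(1 if failures else 0)


if __name__ == "__main__":
    main()
```

Run it as a pipeline step after the SBOM is generated; the process exit status is the gate. The severity threshold is deliberately kept in a pure function so the rule can be unit-tested without a server, and suppressions recorded in Dependency-Track (for example a triaged false positive) are honoured rather than re-failing every build.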