TLDR: Dependency Track, an open-source continuous component analysis platform, is a great application to use to manage your open source libraries and their licenses when on a tight budget.
Back when I started my career as a DevSecOps Engineer, literally on my first day in my new position, I walked in to emails from our CTO. Transitioning from being a developer, the highest person in the company I would talk to was my tech lead. But now, I was in direct communication with the CTO. Fast-forwarding, after back-and-forth email chains and in-person meetings, because of an audit we were under, I was tasked with a high-priority item. My main objective was to manually go through a report generated by a contractor we hired and find a solution we could use in the future. Although this task sounds simple, the report I had to manually digest listed NPM and NuGet packages from our source code, which contained over 10 million lines of code across 20+ projects. For each of the packages, I had to remove duplicates, find their vulnerabilities, find out where the package was being used throughout all of the projects, assign a risk level to each package based on its criticality to the company, give a recommendation on addressing the risk (upgrade version, remove package, etc.), and create an executive summary with a remediation plan that handled the most critical items first.
But wait, there’s more: After doing the manual work, my next task was to find a solution that would remove all of that grunt work. During this time, I was given a budget and started looking at the popular solutions out there: Sonatype, WhiteSource, SonarQube, Snyk, and a couple of others. After a couple of weeks, I narrowed my list down to 3 companies and started the next step, a POC (Proof of Concept). After countless meetings, breakfast outings, and other events, I received word from my manager…you guessed it, we no longer had the budget to purchase one of these tools. On top of having our budget stripped, I still had to find a tool to improve our current process.
This is where Dependency Track came into play. Whenever I need recommendations related to application security, I personally turn to OWASP first. Searching through different pages on their site, I came across various tools that were mostly inefficient, outdated, and/or didn’t support the company’s tech stack.
Dependency Track is an open-source continuous component analysis platform used to help organizations identify and reduce risk within the software supply chain. In addition, the software keeps track of the vulnerabilities associated with the libraries in the portfolio along with their versions, so it can check whether a library is outdated, deprecated, or current.
If you dig into the software some more, you will find that you can quickly triage findings and policy violations, capture commentary and analysis decisions in an audit trail, and send notifications to Slack, Microsoft Teams, outbound webhooks, and email.
Within the Audit Vulnerabilities section of the app, you have the ability to suppress findings and follow the audit trail.
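The triage workflow described above (dedupe packages, rank them by their worst vulnerability, honor suppressions made in the audit trail) is exactly the grunt work from the contractor report, and it can be scripted against the findings Dependency Track exposes. The script below is an added example, not code from the original post or from the Dependency Track project. The sample findings are constructed inline in the shape of the `GET /api/v1/finding/project/{uuid}` response (component, vulnerability, analysis objects); the exact field names are an assumption to verify against your server's version, and the vulnerability IDs are placeholders.

```python
import json
from collections import defaultdict

# Constructed sample findings in the shape of Dependency Track's
# GET /api/v1/finding/project/{uuid} response. Field names are assumed;
# vulnerability IDs are placeholders, not real advisories.
SAMPLE_FINDINGS = json.loads("""
[
  {"component": {"name": "lodash", "version": "4.17.15", "purl": "pkg:npm/lodash@4.17.15"},
   "vulnerability": {"vulnId": "EXAMPLE-0001", "source": "EXAMPLE", "severity": "HIGH"},
   "analysis": {"state": "NOT_SET", "isSuppressed": false}},
  {"component": {"name": "lodash", "version": "4.17.15", "purl": "pkg:npm/lodash@4.17.15"},
   "vulnerability": {"vulnId": "EXAMPLE-0002", "source": "EXAMPLE", "severity": "MEDIUM"},
   "analysis": {"state": "FALSE_POSITIVE", "isSuppressed": true}},
  {"component": {"name": "Newtonsoft.Json", "version": "12.0.1", "purl": "pkg:nuget/Newtonsoft.Json@12.0.1"},
   "vulnerability": {"vulnId": "EXAMPLE-0003", "source": "EXAMPLE", "severity": "CRITICAL"},
   "analysis": {"state": "NOT_SET", "isSuppressed": false}},
  {"component": {"name": "minimist", "version": "1.2.0", "purl": "pkg:npm/minimist@1.2.0"},
   "vulnerability": {"vulnId": "EXAMPLE-0004", "source": "EXAMPLE", "severity": "LOW"},
   "analysis": {"state": "NOT_SET", "isSuppressed": false}}
]
""")

# Lower rank = more urgent. Anything unknown sorts last.
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "INFO": 4, "UNASSIGNED": 5}


def open_findings(findings):
    """Drop findings an analyst has suppressed in the audit trail (false positive,
    not affected, etc.) so the summary only reflects still-open risk."""
    return [f for f in findings if not f.get("analysis", {}).get("isSuppressed", False)]


def summarize(findings):
    """Collapse open findings per component (keyed by Package URL, so the same
    package pulled in by several projects is counted once) and order the
    components by the worst severity found, which is the remediation order."""
    by_component = {}
    for f in open_findings(findings):
        comp = f["component"]
        sev = f["vulnerability"]["severity"].upper()
        entry = by_component.setdefault(
            comp["purl"],
            {"name": comp["name"], "version": comp["version"], "worst": "UNASSIGNED", "vulns": []},
        )
        entry["vulns"].append(f["vulnerability"]["vulnId"])
        if SEVERITY_RANK.get(sev, 5) < SEVERITY_RANK[entry["worst"]]:
            entry["worst"] = sev
    return sorted(by_component.values(), key=lambda e: (SEVERITY_RANK[e["worst"]], e["name"]))


def severity_counts(findings):
    """Headline numbers for an executive summary: open findings per severity."""
    counts = defaultdict(int)
    for f in open_findings(findings):
        counts[f["vulnerability"]["severity"].upper()] += 1
    return dict(counts)


if __name__ == "__main__":
    print("Open findings by severity:", severity_counts(SAMPLE_FINDINGS))
    for entry in summarize(SAMPLE_FINDINGS):
        print(f"{entry['worst']:<9} {entry['name']}@{entry['version']}  {', '.join(entry['vulns'])}")
```

Replace `SAMPLE_FINDINGS` with the JSON returned for your project (authenticated with an `X-Api-Key` header) and the output is the prioritized list the report asked for; suppressed items vanish from it because the suppression lives in the audit trail rather than in a spreadsheet.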
Some other notable features:
Time Series Metrics
Bill of Materials (BOM)
API and Integration
The biggest pro with incorporating Dependency Track into your company is that it’s open source, which means it is FREE! Although the software is free, there are still infrastructure costs for hosting the application in a production environment. Another pro: for free software, the application has a very in-depth GUI, giving it the feel of a commercial product. Usually with open source security tools, you’ll find that GUIs don’t exist or they are very rough looking. In addition to those 2 pros, an integration I appreciated is Sonatype’s OSS Index, which is one of the industry’s most trusted open source vulnerability databases.
On the flip side, as should be expected, there are some cons. The 1 feature I personally think could be improved is centered around the license structure. It would be nice if you could set the license restrictions your company has (e.g. GDPL) so that you could receive notifications if a package with a restricted license has been introduced. Another feature I think could be improved is its CI/CD pipeline integration. The first company I worked for was an Azure shop, so we had to manually script out a lot of things to integrate with our build process. To go along with this, I never figured out how to get the application to distinguish between branches. In other words, no matter what branch was being built, Dependency Track would just overwrite the data already in your portfolio. Without this feature, you can’t have a true integration where you are able to compare packages on your master branch versus development branches.
Note: Dependency Track does support integrations with Fortify Software Security Center, Kenna Security, and ThreadFix, which may help with the problem I was having, but the company I worked for didn’t use any of those 3rd-party tools.
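One way to script the pipeline side and keep branches from overwriting each other is to upload each build's CycloneDX BOM through the REST API with the branch name carried in `projectVersion`, so every branch becomes its own project version in the portfolio. The script below is an added example, not code from the original post or from the Dependency Track project. It assumes the `PUT /api/v1/bom` endpoint with a JSON body of `projectName`, `projectVersion`, `autoCreate` and a base64-encoded `bom`, authenticated with an `X-Api-Key` header (the API key needs BOM upload and, for `autoCreate`, project creation permissions); the server URL, key and BOM are constructed placeholders.

```python
import base64
import json
import os
import urllib.request

# Constructed minimal CycloneDX BOM standing in for the one your build
# tool generates (e.g. from package-lock.json or a .csproj).
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.15",
         "purl": "pkg:npm/lodash@4.17.15"}
    ],
})


def branch_to_version(branch: str) -> str:
    """Turn a git ref into a project version label. Slashes are replaced so
    'feature/x' and 'feature-x' do not look like a path in the UI."""
    return branch.strip().replace("refs/heads/", "").replace("/", "-")


def build_bom_payload(bom_json: str, project_name: str, branch: str) -> dict:
    """Body for PUT /api/v1/bom. Keying projectVersion by branch means an upload
    from 'develop' lands in a separate project version from 'master' instead of
    overwriting it, which is what makes branch-to-branch comparison possible."""
    return {
        "projectName": project_name,
        "projectVersion": branch_to_version(branch),
        "autoCreate": True,  # create the project/version on first upload
        "bom": base64.b64encode(bom_json.encode("utf-8")).decode("ascii"),
    }


def build_request(base_url: str, api_key: str, payload: dict) -> urllib.request.Request:
    """Assemble the authenticated PUT without sending it (kept separate so the
    request can be inspected or tested offline)."""
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v1/bom",
        data=json.dumps(payload).encode("utf-8"),
        method="PUT",
        headers={"Content-Type": "application/json", "X-Api-Key": api_key},
    )


def upload_bom(base_url: str, api_key: str, payload: dict) -> str:
    """Send the BOM and return the processing token the server hands back;
    poll GET /api/v1/bom/token/{token} to know when analysis has finished."""
    with urllib.request.urlopen(build_request(base_url, api_key, payload)) as resp:
        return json.loads(resp.read().decode("utf-8"))["token"]


if __name__ == "__main__":
    # Placeholders: point these at your own instance via environment variables.
    base_url = os.environ.get("DTRACK_URL", "https://dtrack.example.invalid")
    api_key = os.environ.get("DTRACK_API_KEY", "REPLACE_ME")
    branch = os.environ.get("BUILD_SOURCEBRANCH", "refs/heads/feature/login-fix")
    payload = build_bom_payload(SAMPLE_BOM, "example-service", branch)
    print("Uploading to project version:", payload["projectVersion"])
    print("Token:", upload_bom(base_url, api_key, payload))
```

In an Azure Pipelines job the branch name is already available as `Build.SourceBranch`, so the same script runs unchanged for every branch; cleaning up stale feature-branch versions is then a separate housekeeping task against the project API.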
Overall, Dependency Track is a great tool for tight-budgeted companies looking to identify and reduce risk in their software supply chain. Although the tool is free, remember you will have slight costs associated with running the infrastructure in a production environment (unless you run everything locally…I hope not).
As always, feel free to leave feedback or comments.