
What is Dependency-Track?

Dependency-Track is a Component Analysis platform that enables organisations to identify and reduce risk in the software supply chain. It provides continuous monitoring of your Software Bill of Materials (SBOM) for vulnerabilities, licence risks, and policy violations.

Why Integrate with SCANOSS?

SCANOSS and Dependency-Track work together to provide a comprehensive software composition analysis workflow:
  • SCANOSS scans your codebase to identify all open-source components and generates a Software Bill of Materials (SBOM)
  • Dependency-Track continuously monitors those components for vulnerabilities, licence risks, and policy violations
When integrated via GitHub Actions, they create an automated security pipeline that:
  • Scans code on every push or pull request
  • Analyses components against vulnerability databases
  • Enforces security policies before merge
  • Tracks vulnerabilities over time
  • Alerts teams to newly disclosed threats

Key Features

Continuous Vulnerability Monitoring

Dependency-Track continuously monitors your dependencies against multiple vulnerability databases:
  • National Vulnerability Database (NVD): Comprehensive CVE database maintained by NIST
  • GitHub Security Advisories: Community-curated vulnerability information
  • OSS Index: Sonatype’s vulnerability database
  • VulnDB: Commercial vulnerability intelligence (requires a VulnDB subscription)
  • Custom Sources: Additional analysers, and vulnerabilities you define yourself as an internal source, are configured in the Dependency-Track administration interface

Component Risk Management

Track and assess risk across your entire software portfolio:
  • Risk Scoring: Automated calculation of an inherited risk score for each component and project, a weighted count of the vulnerabilities affecting it (critical findings weigh more than high, high more than medium, and so on)
  • Component Inventory: Complete visibility into all components across projects
  • Dependency Graphs: Visual representation of direct and transitive dependencies
  • Lifecycle Management: Track component versions and flag components for which a newer version has been published upstream

Policy Enforcement

Define and enforce organisational compliance policies:
  • Licence Policies: Block or warn on specific licences or licence groups
  • Vulnerability Policies: Flag components based on CVE severity or specific CVEs
  • Component Age Policies: Identify outdated components requiring updates
  • Custom Policies: Define complex rules using multiple conditions

Audit and Compliance

Maintain compliance and auditability:
  • Audit Trail: Complete history of all vulnerability assessments and policy decisions
  • Triage: Document why specific vulnerabilities are accepted or suppressed
  • Reporting: Generate compliance reports for stakeholders
  • Attribution: Track component licences and attribution requirements

Architecture Overview

How It Works

The SCANOSS–Dependency-Track integration follows this workflow:
  1. Code Commit: Developer pushes code or creates a pull request
  2. SCANOSS Scan: GitHub Actions triggers a SCANOSS scan
  3. SBOM Generation: SCANOSS generates a CycloneDX or SPDX SBOM
  4. Upload to Dependency-Track: The SBOM is automatically uploaded to Dependency-Track
  5. Vulnerability Analysis: Dependency-Track analyses components against configured vulnerability databases
  6. Policy Evaluation: Defined policies are evaluated against the uploaded SBOM
  7. Feedback: The pipeline reads the analysis and policy results back from Dependency-Track (for example via its REST API) and reports them to the pull request, failing the build where a policy demands it

Dashboard Components

The Dependency-Track dashboard provides several key views:

Components Tab

  • Complete inventory of detected components
  • Licence information for each component
  • Version details and package URLs (PURLs)
  • Inherited risk scores, derived from the severity of the vulnerabilities affecting each component

Dependency Graph

  • Visual representation of component relationships
  • Direct vs transitive dependencies
  • Impact analysis for component upgrades
  • Dependency hierarchy visualisation

Audit Vulnerabilities

  • List of all components with known vulnerabilities
  • Severity ratings (Critical, High, Medium, Low, or Unassigned where the source provides no rating)
  • CVE identifiers and descriptions
  • Vulnerability analysis states
  • Remediation guidance

Policy Violations

  • Active policy violations across the project
  • Violation severity (Info, Warn, Fail)
  • Policy conditions that triggered the violation
  • Triage status and justifications

Use Cases

CI/CD Integration

Integrate compliance checks into your development pipeline:
  • Block builds containing critical vulnerabilities
  • Prevent merges that violate licence policies
  • Generate SBOMs for every release
  • Track dependency changes over time
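The workflow steps above (upload the SBOM, wait for analysis, evaluate policies, report back) and the CI/CD gating bullets in this section describe the same procedure, so here it is as one runnable script. This is an added example, not code from SCANOSS or from the Dependency-Track project. It assumes SCANOSS has already written a CycloneDX SBOM to disk, that the Dependency-Track base URL and API key (see Prerequisites) are provided as the environment variables DT_BASE_URL and DT_API_KEY, and that the severity thresholds are ones you choose; the sample BOM, metrics and violation objects at the top are constructed so the gate logic can be exercised offline.

```python
"""Upload a SCANOSS-generated CycloneDX SBOM to Dependency-Track and gate a CI
job on the result.  Added example; not part of SCANOSS or Dependency-Track.
Assumes env vars DT_BASE_URL and DT_API_KEY and a BOM file path on the command
line; max_critical / max_high are illustrative thresholds."""
import base64
import json
import os
import sys
import time
import urllib.parse
import urllib.request

# Constructed sample data (not real scan output) so the gate logic runs offline.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [{"type": "library", "name": "example-lib",
                    "version": "1.2.3", "purl": "pkg:npm/example-lib@1.2.3"}],
}).encode()
SAMPLE_METRICS = {"critical": 1, "high": 2, "medium": 4, "low": 0, "unassigned": 0}
SAMPLE_VIOLATIONS = [
    {"type": "LICENSE", "component": {"name": "example-lib", "version": "1.2.3"},
     "policyCondition": {"policy": {"name": "No copyleft", "violationState": "FAIL"}}},
    {"type": "OPERATIONAL", "component": {"name": "old-lib", "version": "0.1.0"},
     "policyCondition": {"policy": {"name": "Stale components", "violationState": "WARN"}}},
]


def build_upload_payload(bom: bytes, project_name: str, project_version: str,
                         auto_create: bool = True) -> dict:
    """JSON body for PUT /api/v1/bom; the BOM itself travels base64-encoded.
    autoCreate lets the first upload create the project (needs the
    PROJECT_CREATION_UPLOAD permission in addition to BOM_UPLOAD)."""
    return {"projectName": project_name, "projectVersion": project_version,
            "autoCreate": auto_create, "bom": base64.b64encode(bom).decode("ascii")}


def bom_from_payload(payload: dict) -> dict:
    """Inverse of build_upload_payload, handy for checking what was sent."""
    return json.loads(base64.b64decode(payload["bom"]))


def evaluate_gate(metrics: dict, violations: list, max_critical: int = 0,
                  max_high: int = 0) -> list:
    """Return the reasons the build must fail (empty list means pass).

    `metrics` is the object from GET /api/v1/metrics/project/{uuid}/current,
    `violations` the list from GET /api/v1/violation/project/{uuid}.  Only
    policies whose violationState is FAIL block the build; WARN and INFO
    violations are left for the dashboard."""
    reasons = []
    for sev, limit in (("critical", max_critical), ("high", max_high)):
        count = metrics.get(sev, 0)
        if count > limit:
            reasons.append(f"{count} {sev} vulnerabilities (limit {limit})")
    for v in violations:
        policy = v.get("policyCondition", {}).get("policy", {})
        if policy.get("violationState") == "FAIL":
            comp = v.get("component", {})
            reasons.append(f"policy '{policy.get('name')}' ({v.get('type')}) failed on "
                           f"{comp.get('name')}@{comp.get('version')}")
    return reasons


def _api(base_url: str, api_key: str, method: str, path: str, body=None):
    """Minimal Dependency-Track REST call; every endpoint lives under /api."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method,
                                 headers={"X-Api-Key": api_key, "Accept": "application/json"})
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def upload_and_gate(base_url: str, api_key: str, bom: bytes, name: str, version: str,
                    timeout_s: int = 600) -> list:
    """Full CI flow: upload, poll the processing token, then evaluate the gate."""
    token = _api(base_url, api_key, "PUT", "/api/v1/bom",
                 build_upload_payload(bom, name, version))["token"]
    deadline = time.monotonic() + timeout_s
    # The token reports processing=true until Dependency-Track has ingested the BOM.
    while _api(base_url, api_key, "GET", f"/api/v1/bom/token/{token}")["processing"]:
        if time.monotonic() > deadline:
            return [f"Dependency-Track did not finish processing BOM token {token}"]
        time.sleep(5)
    q = urllib.parse.urlencode({"name": name, "version": version})
    uuid = _api(base_url, api_key, "GET", f"/api/v1/project/lookup?{q}")["uuid"]
    metrics = _api(base_url, api_key, "GET", f"/api/v1/metrics/project/{uuid}/current") or {}
    violations = _api(base_url, api_key, "GET", f"/api/v1/violation/project/{uuid}") or []
    return evaluate_gate(metrics, violations)


if __name__ == "__main__":
    # Usage: python dt_gate.py sbom.cdx.json my-service 1.4.0
    bom_path, project, ver = sys.argv[1:4]
    with open(bom_path, "rb") as fh:
        failures = upload_and_gate(os.environ["DT_BASE_URL"], os.environ["DT_API_KEY"],
                                   fh.read(), project, ver)
    for reason in failures:
        print("FAIL:", reason)
    sys.exit(1 if failures else 0)
```

Two practical points when running this from GitHub Actions: give the API key's team only the permissions the script needs (BOM_UPLOAD, PROJECT_CREATION_UPLOAD if you rely on autoCreate, VIEW_PORTFOLIO for metrics and VIEW_POLICY_VIOLATION for violations) rather than an administrator key, and remember that project metrics are recalculated asynchronously after vulnerability analysis, so if the gate ever reads stale counts immediately after processing completes, re-read the metrics after a short delay before trusting a pass.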

Security Monitoring

Maintain continuous monitoring of your software supply chain:
  • Automated alerts for newly disclosed vulnerabilities affecting monitored components
  • Identification of newly introduced security risks
  • Centralised vulnerability management
  • Security metrics and dashboards

Compliance Management

Maintain regulatory and organisational compliance:
  • Licence compliance verification
  • Policy enforcement automation
  • Audit trail documentation
  • Compliance reporting for stakeholders

Portfolio Management

Manage software composition across your organisation:
  • Multi-project visibility
  • Shared policy definitions
  • Centralised component tracking
  • Organisation-wide risk assessment

Prerequisites

Before integrating Dependency-Track with SCANOSS, you will need:
  • Running Dependency-Track Instance: Self-hosted or cloud-hosted. See the Dependency-Track documentation for setup guidance.
  • Dependency-Track API Key: Obtained via Administration → Access Management → Teams → API Keys. The key inherits the team's permissions, so the team needs BOM_UPLOAD (and PROJECT_CREATION_UPLOAD if uploads are allowed to create projects); avoid using an administrator key in CI.
  • Base URL: The URL at which your Dependency-Track API server is accessible. In deployments where the front end and the API server run separately, this is the API server URL, not the UI address.
  • SCANOSS API Key: Required for scanning your codebase. See the SCANOSS documentation for details on obtaining a key.
  • GitHub Repository: With Actions enabled (required for CI/CD integration)

Next Steps

To get started with Dependency-Track and SCANOSS:
  1. Configuration: Set up your Dependency-Track instance and configure API access
  2. GitHub Integration: Create a workflow to automatically upload SBOMs
  3. Policy Setup: Define organisational policies for licences, vulnerabilities, and components
  4. Usage: Learn how to manage vulnerabilities and triage policy violations
For detailed setup instructions, see the Configuration section.