
Dependency-Track

Dependency-Track is an OWASP project for software composition analysis. It identifies vulnerabilities in third-party components by analyzing Software Bills of Materials (SBOMs). The bundled container includes an embedded H2 database and web UI — single container, no external services required.

Publisher: futurize.rush
Created: 2026-03-31
Tags: Tool, Security

An OWASP project for continuous software composition analysis. Identifies vulnerabilities in third-party and open-source components by analyzing SBOMs (CycloneDX, SPDX). Bundled deployment includes an embedded H2 database — single container, no external dependencies.

What You Can Do After Deployment

  1. Visit your domain — log in with admin / admin (change immediately)
  2. Upload an SBOM — import a CycloneDX or SPDX Bill of Materials
  3. Review vulnerabilities — see identified CVEs across your components
  4. Create projects — organize your applications and track their dependencies
  5. Set policies — define vulnerability policies and get alerts on violations

Key Features

  • SBOM analysis supporting CycloneDX and SPDX formats
  • Vulnerability identification from NVD, GitHub Advisories, OSV, and more
  • Project portfolio management for tracking all applications
  • Policy engine for enforcing component risk thresholds
  • REST API for CI/CD pipeline integration
  • Embedded H2 database in bundled deployment
  • OWASP flagship project with active community

Important Notes

  • This is the bundled deployment with embedded H2 database
  • Recommended minimum 8 GB RAM for the container
  • Default credentials: admin / admin (must change on first login)

License

Apache-2.0 — GitHub | Website