Simple Dependency/SBOM/License/Vulnerability Tracking

I’ve recently been returning to writing some software. I was looking for an automated solution that would let me do the following things:

  • Track Vulnerabilities
  • Track Licenses Used
  • Track Package Versions

I also wanted something that would alert me to new vulnerabilities appearing even when I’ve not performed a build on the project for a while. Ideally, this would be free until I find a revenue stream for the software.

TLDR: Dependency Track does this and more.

Dependency Track takes a generated SBOM (Software Bill Of Materials) and performs a series of checks after upload and then at defined periods afterwards.

It comes with a set of vulnerability scanners and also allows the use of commercial tools like Snyk.

You can create lists of “Blessed licenses” or “Prohibited licenses” for your organisation.

As well as email alerts, it can integrate with issue trackers like Jira to create tickets based on audits.

The workflow is simple: modify your build to create an SBOM. In Maven this is as simple as:

```xml
<build>
  <plugins>
    <plugin>
      <groupId>org.cyclonedx</groupId>
      <artifactId>cyclonedx-maven-plugin</artifactId>
      <executions>
        <execution>
          <phase>package</phase>
          <goals>
            <goal>makeAggregateBom</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
  .....
</build>
```

Then, as part of a CI build, push the SBOM to Dependency Track.
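The CI step above as an added example (my own helper script, not code from this post or from the Dependency-Track project): it pushes the Maven-generated BOM to Dependency-Track's REST API and polls until the upload has been processed, so a failed or stalled upload fails the build instead of silently leaving the project stale. The environment variables DT_URL and DT_API_KEY and the argument order are assumptions of this script.

```shell
#!/bin/sh
# Assumes DT_URL (e.g. https://dtrack.example.internal) and DT_API_KEY
# (a key with BOM_UPLOAD permission) are provided by the CI secret store.
set -eu

# Base64-encode a BOM file onto a single line (works with GNU and BSD base64).
encode_bom() {
  base64 < "$1" | tr -d '\n'
}

# Build the JSON body for PUT /api/v1/bom. autoCreate lets the first upload
# create the project, so a new CI job needs no manual setup in the UI.
# Project names and versions must not contain double quotes.
build_payload() {
  printf '{"projectName":"%s","projectVersion":"%s","autoCreate":true,"bom":"%s"}' \
    "$1" "$2" "$(encode_bom "$3")"
}

# Upload the BOM and print the processing token from the {"token":"..."} reply.
upload_bom() {
  build_payload "$1" "$2" "$3" \
    | curl -sS --fail -X PUT "$DT_URL/api/v1/bom" \
        -H "X-Api-Key: $DT_API_KEY" -H 'Content-Type: application/json' \
        --data-binary @- \
    | sed -n 's/.*"token":"\([^"]*\)".*/\1/p'
}

# Poll GET /api/v1/bom/token/{uuid} until "processing" is false (up to 5 min).
wait_for_processing() {
  i=0
  while [ "$i" -lt 60 ]; do
    if curl -sS --fail "$DT_URL/api/v1/bom/token/$1" -H "X-Api-Key: $DT_API_KEY" \
         | grep -q '"processing":false'; then
      return 0
    fi
    i=$((i + 1)); sleep 5
  done
  echo "BOM $1 still processing after timeout" >&2
  return 1
}

main() {
  token="$(upload_bom "$1" "$2" "$3")"
  [ -n "$token" ] || { echo "upload failed: no token in response" >&2; exit 1; }
  wait_for_processing "$token"
  echo "SBOM for $1 $2 processed (token $token)"
}

# Only run when invoked as: script.sh <project-name> <project-version> <bom-file>
if [ "$#" -eq 3 ]; then main "$@"; fi
```

In a Maven build the BOM file is target/bom.xml (or target/bom.json), so the CI step is a single call of this script after `mvn package`.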

I’m using a small percentage of the available tooling, but include a few screenshots of it applied to the current [Jenkins](https://www.jenkins.io/) source as of 2024-07-18.

Portfolio Overview

Overview of the portfolio of projects with trends for issues.

Jenkins Package Versioning/License/Risk

Shows outdated versions of packages (alongside the latest available version numbers), licenses used and risk scores.

Jenkins Vulnerabilities

Shows identified vulnerabilities, with links to the CVE and to the scanner or vulnerability index that found them.