Author : Sandeep Bajpai, Senior Architect

“Wondering why we are here again to discuss SBOM?”
So far we have covered half of the journey towards implementing SBOM in our environment. In case you missed my previous blog, please refer to “SBOM — A Way to increase Security, Transparency & Visibility into Software Supply chain”.
Your SBOM is ready — what's next? Let's inject it into a “Continuous SBOM Analysis Platform”. One of them is Dependency-Track.
“Why Continuous Analysis of SBOM?”
Continuous Analysis refers to the practice of continuously monitoring, analyzing, and improving software code to ensure its quality, security, and reliability. This involves using a combination of automated tools and manual reviews to identify issues, vulnerabilities, and bugs in the code, and then taking corrective action to fix them.
By combining Continuous Analysis with SBOM, organizations can improve their software security posture and reduce the risk of cyber attacks. Continuous Analysis can help identify vulnerabilities in software components, while SBOM provides a comprehensive inventory of all software components, making it easier to track and manage them.
“What is Dependency-Track?”
Dependency-Track is an open-source software composition analysis (SCA) tool that helps organizations identify and manage third-party software components and dependencies.
Dependency-Track uses a combination of automated analysis, vulnerability intelligence, and real-time monitoring to provide comprehensive visibility into the software supply chain.
Dependency-Track integrates with popular software development and DevOps tools, such as Jira, GitLab, Jenkins, and SonarQube, allowing organizations to incorporate SCA into their existing software development workflows.
“Let's set up the Dependency-Track environment”
Installation is easy and simple: just download the Docker Compose file and run the Docker Compose command.
curl -LO https://dependencytrack.org/docker-compose.yml
docker-compose up -d
Log in to http://abc.company.com:8080/dashboard using username “admin” and password “admin”, reset the admin user password, and you are all set to start the SBOM analysis.

Configure your Dependency-Track environment based on your needs. By default the Internal Analyzer, the National Vulnerability Database (NVD) vulnerability source and the package repositories (Python, NuGet, CPAN, etc.) are enabled to perform the scan and analysis.
“Let's inject our first SBOM into the Dependency-Track environment”
In our previous blog we generated the SBOM XML file in CycloneDX format. We will inject the same file into our Dependency-Track environment. Follow the steps below:
Log in to “http://abc.company.com:8080/projects” and click on “Create Project”.
Project Name -> “My-First-Project”
Version -> “1.0”
Classifier -> “Operating System”
Description -> “As you wish”
Click Create and the “My-First-Project” project is created. Now we will upload the SBOM file under this project for analysis.

Click on “My-First-Project”.

Click on the “Components” tab and choose “Upload BOM”.

You have done a lot, let Dependency-Track do some work. Take a tea break and come back in 5 minutes 😉
Go back to your project dashboard page, click on “My-First-Project” and you can see the updated project information. In our case it is indicating some High and Medium vulnerabilities.

Now you can further navigate to the “Audit Vulnerability” tab and collect the detailed analysis around each reported vulnerability: risk, severity and the possible fix as well.
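The same create-project, upload-BOM and read-the-results steps can be driven from a pipeline instead of the browser. The script below is an added example written for this post; it is not code from the original article or from the Dependency-Track project. It assumes a Dependency-Track v4 API server reachable at DT_BASE_URL (the default docker-compose file publishes the API server on port 8081, separate from the 8080 frontend used above), an API key in DT_API_KEY whose team holds the BOM_UPLOAD, PROJECT_CREATION_UPLOAD and VIEW_PORTFOLIO permissions, and a constructed one-component CycloneDX BOM as sample input. The release gate thresholds (fail on any Critical or High, report Medium and Low) are the example's own policy choice, mirroring the High and Medium findings the post describes.

```python
"""Push a CycloneDX BOM to Dependency-Track over its REST API and gate on project metrics.

Added example for this post, not code from the original article or the Dependency-Track
project. Assumes a Dependency-Track v4 API server at DT_BASE_URL and an API key in
DT_API_KEY with BOM_UPLOAD, PROJECT_CREATION_UPLOAD and VIEW_PORTFOLIO permissions.
"""
import base64
import json
import os
import sys
import time
import urllib.parse
import urllib.request

# Constructed minimal CycloneDX 1.4 XML BOM used as sample input (not the BOM from the series).
SAMPLE_BOM_XML = """<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <components>
    <component type="library">
      <name>example-lib</name>
      <version>1.2.3</version>
      <purl>pkg:pypi/example-lib@1.2.3</purl>
    </component>
  </components>
</bom>
"""


def build_upload_payload(bom_xml, project_name, project_version, auto_create=True):
    """Body for PUT /api/v1/bom: the BOM travels base64-encoded inside a JSON document.
    autoCreate=True lets the server create the project, replacing the manual 'Create Project' click."""
    return {
        "projectName": project_name,
        "projectVersion": project_version,
        "autoCreate": auto_create,
        "bom": base64.b64encode(bom_xml.encode("utf-8")).decode("ascii"),
    }


def evaluate_metrics(metrics, max_critical=0, max_high=0):
    """Release gate over a project's current metrics: returns (passed, reason).
    Critical/High above the limits fail the gate; Medium/Low are only reported."""
    violations = []
    for severity, limit in (("critical", max_critical), ("high", max_high)):
        count = metrics.get(severity, 0)
        if count > limit:
            violations.append(f"{severity}={count} exceeds limit {limit}")
    if violations:
        return False, "; ".join(violations)
    return True, f"ok (medium={metrics.get('medium', 0)}, low={metrics.get('low', 0)})"


class DependencyTrackClient:
    """Thin wrapper around the few endpoints this workflow needs."""

    def __init__(self, base_url, api_key):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key

    def _call(self, method, path, body=None):
        data = json.dumps(body).encode("utf-8") if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data, method=method)
        req.add_header("X-Api-Key", self.api_key)  # Dependency-Track's API key header
        if data is not None:
            req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read() or b"null")

    def upload_bom(self, payload):
        # The server queues the BOM and returns a token to poll for completion.
        return self._call("PUT", "/api/v1/bom", payload)["token"]

    def wait_until_processed(self, token, timeout_s=300, poll_s=5):
        deadline = time.monotonic() + timeout_s
        while time.monotonic() < deadline:
            if not self._call("GET", f"/api/v1/bom/token/{token}")["processing"]:
                return True
            time.sleep(poll_s)
        return False

    def current_metrics(self, project_name, project_version):
        query = urllib.parse.urlencode({"name": project_name, "version": project_version})
        project = self._call("GET", f"/api/v1/project/lookup?{query}")
        return self._call("GET", f"/api/v1/metrics/project/{project['uuid']}/current")


if __name__ == "__main__":
    # Assumed API server address: port 8081 is the API server in the default compose file.
    client = DependencyTrackClient(
        os.environ.get("DT_BASE_URL", "http://abc.company.com:8081"), os.environ["DT_API_KEY"]
    )
    bom_xml = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_BOM_XML
    token = client.upload_bom(build_upload_payload(bom_xml, "My-First-Project", "1.0"))
    if not client.wait_until_processed(token):
        sys.exit("BOM processing did not finish in time")
    time.sleep(10)  # metrics are recalculated asynchronously after processing
    passed, reason = evaluate_metrics(client.current_metrics("My-First-Project", "1.0"))
    print(("PASS: " if passed else "FAIL: ") + reason)
    sys.exit(0 if passed else 1)
```

Run it as `DT_API_KEY=... python upload_bom.py bom.xml`; with no file argument it uploads the constructed sample BOM. The exit code makes the gate usable as a CI step, and the polling on the upload token is what turns the post's “take a tea break” wait into something a pipeline can do deterministically.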

Conclusion — Overall, Dependency-Track is a powerful SCA tool that can help organisations improve their software security posture and mitigate risks associated with third-party software components and dependencies.
Dependency-Track provides easy and effective API support — in the next blog of this series we will set up an automated SBOM generation, injection and notification framework.
Till then Bye…… !