OWASP Dependency-Track offers a robust notification framework that alerts users to new vulnerabilities, system events, and changes affecting the components they use. This capability keeps teams informed about critical issues, so they can respond promptly to new risks as they surface after each vulnerability database update.

Notification Scopes and Levels

Notifications are categorized into two primary scopes:

1. SYSTEM: Pertains to system-level informational and error conditions.

2. PORTFOLIO: Relates to objects within the portfolio, such as vulnerabilities, audit decisions, policy violations, etc.

Each notification is assigned a level—INFORMATIONAL, WARNING, or ERROR—which determines its severity and the appropriate response.

Configuring Notification Rules

Administrators can configure notification rules to specify which events trigger alerts and how these alerts are delivered. This customization ensures that notifications align with organizational priorities and workflows.

Notification Publishers

Dependency-Track supports various notification publishers, allowing alerts to be delivered through multiple channels, including:

Email: Sends notifications directly to specified email addresses.

Slack: Integrates with Slack channels for real-time team communication.

Microsoft Teams: Delivers alerts to Microsoft Teams channels.

Outbound Webhook: Sends HTTP POST requests to specified endpoints, facilitating integration with other systems.

Cisco Webex: Publishes notifications to a Cisco Webex Teams channel.

Console: Displays notifications on the system console.

Jira: Creates a Jira issue in a configurable Jira instance and queue.

Mattermost: Publishes notifications to a Mattermost channel.
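The Outbound Webhook publisher above simply POSTs a JSON document to the endpoint you configure, so the receiving side has to validate and route it. The following receiver-side logic is an added example, not code from the Dependency-Track project: it parses a constructed payload shaped like the documented webhook body (a top-level "notification" object carrying scope, level, group, title, content and a group-specific subject), rejects anything with a scope or level outside the values the framework defines, and decides whether the alert should page someone, be logged, or be ignored. The subject field names for NEW_VULNERABILITY (component name, vulnId, severity) and the group names in the routing table are assumptions drawn from the documented payload shape; adjust them to what your instance actually sends.

```python
import json
from dataclasses import dataclass, field

# Scopes and levels as defined by Dependency-Track's notification framework.
VALID_SCOPES = {"SYSTEM", "PORTFOLIO"}
LEVEL_RANK = {"INFORMATIONAL": 0, "WARNING": 1, "ERROR": 2}

# Constructed sample of an Outbound Webhook POST body (not captured from a
# real instance). Field names follow the documented payload shape.
SAMPLE_WEBHOOK_BODY = json.dumps({
    "notification": {
        "level": "INFORMATIONAL",
        "scope": "PORTFOLIO",
        "group": "NEW_VULNERABILITY",
        "timestamp": "2024-01-01T10:00:00.000",
        "title": "New Vulnerability Identified",
        "content": "A new vulnerability was found in a component in use.",
        "subject": {
            "component": {"name": "example-lib", "version": "1.2.3"},
            "vulnerability": {"vulnId": "EXAMPLE-0001", "source": "INTERNAL",
                              "severity": "HIGH"},
        },
    }
})


@dataclass
class Alert:
    scope: str
    level: str
    group: str
    title: str
    content: str
    subject: dict = field(default_factory=dict)


def parse_notification(body: str) -> Alert:
    """Parse a webhook POST body into an Alert.

    Raises ValueError for a missing "notification" object or a scope/level
    outside the framework's defined values, so malformed or spoofed requests
    never reach the routing logic.
    """
    data = json.loads(body)
    n = data.get("notification")
    if not isinstance(n, dict):
        raise ValueError("missing 'notification' object")
    scope, level = n.get("scope"), n.get("level")
    if scope not in VALID_SCOPES:
        raise ValueError(f"unknown scope: {scope!r}")
    if level not in LEVEL_RANK:
        raise ValueError(f"unknown level: {level!r}")
    return Alert(scope=scope, level=level, group=str(n.get("group", "")),
                 title=str(n.get("title", "")), content=str(n.get("content", "")),
                 subject=n.get("subject") or {})


# Portfolio groups that should wake someone up regardless of level (assumed names).
PAGE_GROUPS = frozenset({"NEW_VULNERABILITY", "POLICY_VIOLATION"})


def route(alert: Alert, min_level: str = "WARNING") -> str:
    """Return "page", "log" or "ignore" for an alert.

    SYSTEM-scope ERRORs always page: a failed database sync means new
    vulnerabilities are being missed silently. PORTFOLIO alerts page when the
    group is in PAGE_GROUPS or the level is ERROR; otherwise they are logged
    if at or above min_level and ignored below it.
    """
    if alert.scope == "SYSTEM":
        return "page" if alert.level == "ERROR" else "log"
    if alert.group in PAGE_GROUPS or alert.level == "ERROR":
        return "page"
    return "log" if LEVEL_RANK[alert.level] >= LEVEL_RANK[min_level] else "ignore"


def summarize(alert: Alert) -> str:
    """One-line summary suitable for a chat message or ticket title."""
    comp = alert.subject.get("component", {})
    vuln = alert.subject.get("vulnerability", {})
    if alert.group == "NEW_VULNERABILITY" and comp and vuln:
        return (f"[{alert.level}] {vuln.get('severity', '?')} {vuln.get('vulnId', '?')} "
                f"in {comp.get('name', '?')} {comp.get('version', '')}".rstrip())
    return f"[{alert.level}] {alert.title}"


if __name__ == "__main__":
    a = parse_notification(SAMPLE_WEBHOOK_BODY)
    print(route(a), "-", summarize(a))
```

Keeping validation separate from routing means the same receiver can front several publishers' worth of alerts (for example, page via a chat integration for NEW_VULNERABILITY while only logging BOM processing events), and the unknown-scope check gives you a cheap detection signal for requests that did not come from your Dependency-Track instance.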

Setting Up Notifications

To set up notifications:

1. Navigate to the Administration section in Dependency-Track.

2. Click Notifications -> Alerts.

3. Create a new alert by clicking the Create Alerts button.

4. Enter the name of the alert, then choose a Scope, Notification Level and Publisher.

5. Click the Create button to activate and save the alert.

By leveraging Dependency-Track’s notification framework, organizations can maintain real-time awareness of their software assets, promptly address vulnerabilities, and ensure system integrity.

Dependency-Track also lets you create your own notification templates, written for the Pebble Java templating engine, under the Templates settings.

For more information, see the Notifications page of the Dependency-Track documentation (Notifications | Dependency-Track).

In summary, proactive vulnerability notification is a cornerstone of effective risk management. Through OWASP Dependency-Track’s powerful notification framework organizations can stay informed and responsive, addressing security issues before they escalate. By leveraging its customizable alerts and diverse notification channels, teams can ensure they remain ahead of potential threats, safeguarding their software assets and maintaining system integrity.