OWASP Dependency-Track is a powerful tool for managing Software Bills of Materials (SBOMs) and proactively identifying vulnerabilities in your software supply chain. Once your SBOM is uploaded, Dependency-Track can continuously monitor it, at a time interval defined by you, against various vulnerability databases to detect new threats as they are discovered. This guide walks you through enabling and configuring vulnerability data sources, followed by an overview of the panels that help you monitor vulnerabilities in real time.
Configuring Vulnerability Data Sources
Dependency-Track supports multiple free and commercial vulnerability data sources. Here’s how you can enable and configure them to keep your vulnerability analysis up to date.
Free Data Sources
1. National Vulnerability Database (NVD):
A U.S. government repository of standardized vulnerability information, including CVE records and enriched metadata.
How to configure:
- Navigate to Administration → Vulnerability Sources → National Vulnerability Database.
- Enable the "Enable National Vulnerability Database mirroring" and "Enable mirroring via API" options. For the API key, request one from NVD via the link below.
NVD – API Key Request
- Ensure the Dependency-Track server has internet access so it can sync the vulnerability feeds.
2. GitHub Advisories:
This is a database of security advisories for open-source projects hosted on GitHub, helping developers stay informed about vulnerabilities.
Configuration:
- Navigate to Administration → Vulnerability Sources → GitHub Advisories.
- Generate a GitHub Personal Access Token; the link below explains how to create one.
Managing your personal access tokens – GitHub Docs
- Once the token is generated, paste it into the "Personal Access Token" field and then enable "Enable GitHub Advisory mirroring".
3. OSV (Open-Source Vulnerabilities):
A vulnerability database designed for open-source libraries, focusing on automation and developer-friendly interfaces.
Configuration:
- Navigate to Administration → Vulnerability Sources → Google OSV Advisories (Beta).
- Choose the ecosystems you need from the list of supported ecosystems and then click Select.
- Activate "Enable vulnerability alias synchronization", select an ecosystem to enable the "Google OSV Advisory mirroring" option, and then click Update.
4. OSS Index (Sonatype):
A free vulnerability database for open-source components, offering detailed insights into risks and remediation steps.
Configuration:
- Sign up on Sonatype OSS Index via the link below to get an API key.
Register an Account – Sonatype OSS Index
- Copy the API key and paste it under Administration → Analyzers → Sonatype OSS Index → API Key.
- Enter the email address registered with Sonatype OSS Index in the "Registered email address" field and then click Update.
5. Trivy:
An open-source vulnerability scanner for containers, file systems, and SBOMs, widely used for DevSecOps integration.
Configuration:
- Set up a Trivy server with the following command. The value passed to --token is the shared secret that clients must present, which Dependency-Track calls the API Token:
trivy server --listen <IP>:<PORT> --token <API_Token>
- Navigate to Administration → Analyzers → Trivy.
- Enter the Base URL and API Token, and then click Update.
- Ensure Trivy is installed locally or is otherwise reachable from your Dependency-Track server.
Commercial Data Sources
1. Snyk:
A commercial vulnerability management platform providing real-time insights and fixes for open-source and proprietary software.
Configuration:
- Sign up for a Snyk account and obtain an API token and your Organization ID.
- Add the API token and Organization ID in the Administration → Analyzers → Snyk section.
- Enable the "Enable Snyk analyzer" and "Enable vulnerability alias synchronization" options.
2. VulnDB:
A premium vulnerability database with extensive coverage and detailed insights into both known and emerging security issues.
Configuration:
- Obtain credentials (Consumer key and Consumer secret) from Risk Based Security.
- Configure the Consumer key and Consumer secret in the Administration → Analyzers → VulnDB section.
- Enable the "Enable VulnDB analyzer" option.
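After working through the panels above it is easy to end up with a source that is switched on but missing the key, token or URL it needs, which silently leaves part of your SBOM unanalysed. The script below is an added example (not part of this guide or of the Dependency-Track project) that audits the settings the server exposes through its REST endpoint GET /api/v1/configProperty (authenticated with the X-Api-Key header) and reports each source as enabled, disabled, enabled-but-missing-credentials, or unknown. The groupName/propertyName pairs in SOURCES are assumptions modelled on the Administration panels; check them against your own instance's /api/v1/configProperty response. The sample response is constructed for the offline run; encrypted values come back masked by the server, so any non-empty value is treated as "set".

```python
"""Audit Dependency-Track vulnerability-source configuration (added example).

Not the project's own code. Property names in SOURCES are assumptions; verify
them against GET /api/v1/configProperty on your instance.
"""
import json
import os
import urllib.request

# Assumed (groupName, propertyName) pairs per source: the property that turns the
# source on, plus the properties it cannot work without.
SOURCES = {
    "NVD": {"enabled": ("vuln-source", "nvd.enabled"),
            "required": [("vuln-source", "nvd.api.enabled"), ("vuln-source", "nvd.api.key")]},
    "GitHub Advisories": {"enabled": ("vuln-source", "github.advisories.enabled"),
                          "required": [("vuln-source", "github.advisories.access.token")]},
    # OSV's "enabled" property holds the selected ecosystems, so any non-empty value counts.
    "Google OSV": {"enabled": ("vuln-source", "google.osv.enabled"), "required": []},
    "OSS Index": {"enabled": ("scanner", "ossindex.enabled"),
                  "required": [("scanner", "ossindex.api.username"), ("scanner", "ossindex.api.token")]},
    "Trivy": {"enabled": ("scanner", "trivy.enabled"),
              "required": [("scanner", "trivy.base.url"), ("scanner", "trivy.api.token")]},
    "Snyk": {"enabled": ("scanner", "snyk.enabled"),
             "required": [("scanner", "snyk.api.token"), ("scanner", "snyk.org.id")]},
    "VulnDB": {"enabled": ("scanner", "vulndb.enabled"),
               "required": [("scanner", "vulndb.api.oauth1.consumer.key"),
                            ("scanner", "vulndb.api.oauth1.consumer.secret")]},
}


def is_set(value):
    """True for a meaningful value: 'true', an ecosystem list, a URL, or the
    masked placeholder the server returns for encrypted secrets."""
    if value is None:
        return False
    v = value.strip()
    return v != "" and v.lower() != "false"


def audit_sources(config_properties, sources=SOURCES):
    """Map each source name to 'enabled', 'disabled', 'unknown' (its enable
    property is absent) or 'enabled-missing:<comma-separated property names>'."""
    lookup = {(p.get("groupName"), p.get("propertyName")): p.get("propertyValue")
              for p in config_properties}
    report = {}
    for name, spec in sources.items():
        if spec["enabled"] not in lookup:
            report[name] = "unknown"
            continue
        if not is_set(lookup[spec["enabled"]]):
            report[name] = "disabled"
            continue
        missing = [pn for (g, pn) in spec["required"] if not is_set(lookup.get((g, pn)))]
        report[name] = "enabled" if not missing else "enabled-missing:" + ",".join(missing)
    return report


def fetch_config_properties(base_url, api_key):
    """Pull the live configuration; the API key needs the system-configuration permission."""
    req = urllib.request.Request(base_url.rstrip("/") + "/api/v1/configProperty",
                                 headers={"X-Api-Key": api_key, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample of what the endpoint returns, with deliberate gaps.
SAMPLE_CONFIG = [
    {"groupName": "vuln-source", "propertyName": "nvd.enabled", "propertyValue": "true"},
    {"groupName": "vuln-source", "propertyName": "nvd.api.enabled", "propertyValue": "true"},
    {"groupName": "vuln-source", "propertyName": "nvd.api.key",
     "propertyValue": "HiddenDecryptedPropertyPlaceholder"},
    {"groupName": "vuln-source", "propertyName": "github.advisories.enabled", "propertyValue": "true"},
    {"groupName": "vuln-source", "propertyName": "github.advisories.access.token", "propertyValue": ""},
    {"groupName": "vuln-source", "propertyName": "google.osv.enabled", "propertyValue": "Maven;npm"},
    {"groupName": "scanner", "propertyName": "ossindex.enabled", "propertyValue": "false"},
    {"groupName": "scanner", "propertyName": "trivy.enabled", "propertyValue": "true"},
    {"groupName": "scanner", "propertyName": "trivy.base.url", "propertyValue": "http://trivy.internal:8080"},
    {"groupName": "scanner", "propertyName": "trivy.api.token",
     "propertyValue": "HiddenDecryptedPropertyPlaceholder"},
    {"groupName": "scanner", "propertyName": "snyk.enabled", "propertyValue": "true"},
    {"groupName": "scanner", "propertyName": "snyk.api.token",
     "propertyValue": "HiddenDecryptedPropertyPlaceholder"},
    # snyk.org.id and every vulndb.* property are intentionally absent.
]

if __name__ == "__main__":
    base_url, api_key = os.environ.get("DT_BASE_URL"), os.environ.get("DT_API_KEY")
    props = fetch_config_properties(base_url, api_key) if base_url and api_key else SAMPLE_CONFIG
    for source, status in audit_sources(props).items():
        print(f"{source:18s} {status}")
```

Run it with DT_BASE_URL and DT_API_KEY set to audit a live instance; without them it evaluates the constructed sample, where GitHub Advisories and Snyk show up as enabled but incomplete, OSS Index as disabled, and VulnDB as unknown because none of its properties are present.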
Summary
Dependency-Track simplifies vulnerability identification and management by continuously monitoring your SBOMs against trusted vulnerability data sources. Whether you rely on free databases like NVD, GitHub Advisories, and OSV, or on commercial tools like Snyk and VulnDB, Dependency-Track helps keep your software supply chain resilient. By following this guide to configure vulnerability data sources, you can strengthen your security posture and proactively address emerging threats. Start monitoring your SBOMs today for better risk management.