[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-10901":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":9,"totalLinesOfCode":9,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":9,"subscribersCount":16,"size":16,"stars1d":17,"stars7d":18,"stars30d":19,"stars90d":16,"forks30d":16,"starsTrendScore":20,"compositeScore":21,"rankGlobal":9,"rankLanguage":9,"license":9,"archived":22,"fork":22,"defaultBranch":23,"hasWiki":22,"hasPages":22,"topics":24,"createdAt":9,"pushedAt":9,"updatedAt":45,"readmeContent":46,"aiSummary":47,"trendingCount":16,"starSnapshotCount":16,"syncStatus":48,"lastSyncTime":49,"discoverSource":50},10901,"dependency-track","DependencyTrack\u002Fdependency-track","DependencyTrack","Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.",null,"https:\u002F\u002Fgithub.com\u002FDependencyTrack\u002Fdependency-track","Java",3895,748,76,954,0,18,31,93,54,102.42,false,"main",[25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44],"owasp","appsec","security","bom","vulnerabilities","component-analysis","nvd","software-security","software-composition-analysis","sca","bill-of-materials","package-url","purl","vulnerability-detection","ossindex","sbom","devsecops","security-automation","cyclonedx","hacktoberfest","2026-06-12 04:00:52","[![Build Status](https:\u002F\u002Fgithub.com\u002FDependencyTrack\u002Fdependency-track\u002Factions\u002Fworkflows\u002Fci-build.yaml\u002Fbadge.svg)](https:\u002F\u002Fgithub.com\u002FDependencyTrack\u002Fdependency-track\u002Factions?workflow=CI+Build)\n[![Codacy 
Badge](https:\u002F\u002Fapp.codacy.com\u002Fproject\u002Fbadge\u002FGrade\u002Fb2ecd06dab57438a9a55bc4a71c5a8ce)](https:\u002F\u002Fwww.codacy.com\u002Fgh\u002FDependencyTrack\u002Fdependency-track\u002Fdashboard?utm_source=github.com&amp;utm_medium=referral&amp;utm_content=DependencyTrack\u002Fdependency-track&amp;utm_campaign=Badge_Grade)\n[![Alpine](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Fbuilt%20on-Alpine-blue.svg)](https:\u002F\u002Fgithub.com\u002Fstevespringett\u002FAlpine)\n[![License][license-image]][Apache License 2.0]\n[![OWASP Flagship](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Fowasp-flagship%20project-orange.svg)](https:\u002F\u002Fwww.owasp.org\u002Findex.php\u002FOWASP_Dependency_Track_Project)\n[![Website](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Fhttps:\u002F\u002F-dependencytrack.org-blue.svg)](https:\u002F\u002Fdependencytrack.org\u002F)\n[![Documentation](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Fread-documentation-blue.svg)](https:\u002F\u002Fdocs.dependencytrack.org\u002F)\n[![Slack](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Fchat%20on-slack-46BC99.svg)](https:\u002F\u002Fdependencytrack.org\u002Fslack)\n[![Group Discussion](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Fdiscussion-groups.io-blue.svg)](https:\u002F\u002Fdependencytrack.org\u002Fdiscussion)\n[![YouTube 
Subscribe](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Fyoutube-subscribe-%23c4302b.svg)](https:\u002F\u002Fdependencytrack.org\u002Fyoutube)\n[![Twitter](https:\u002F\u002Fimg.shields.io\u002Ftwitter\u002Ffollow\u002Fdependencytrack.svg?label=Follow&style=social)](https:\u002F\u002Ftwitter.com\u002Fdependencytrack)\n[![Downloads](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fdownloads\u002FDependencyTrack\u002Fdependency-track\u002Ftotal.svg)](https:\u002F\u002Fgithub.com\u002FDependencyTrack\u002Fdependency-track\u002Freleases)\n[![Latest](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Frelease\u002FDependencyTrack\u002Fdependency-track.svg)](https:\u002F\u002Fgithub.com\u002FDependencyTrack\u002Fdependency-track\u002Freleases)\n[![Pulls - API Server](https:\u002F\u002Fimg.shields.io\u002Fdocker\u002Fpulls\u002Fdependencytrack\u002Fapiserver.svg?label=Docker%20Pulls%20%28API%20Server%29)](https:\u002F\u002Fhub.docker.com\u002Fr\u002Fdependencytrack\u002Fapiserver\u002F)\n[![Pulls - Frontend](https:\u002F\u002Fimg.shields.io\u002Fdocker\u002Fpulls\u002Fdependencytrack\u002Ffrontend.svg?label=Docker%20Pulls%20%28Frontend%29)](https:\u002F\u002Fhub.docker.com\u002Fr\u002Fdependencytrack\u002Ffrontend\u002F)\n[![Pulls - Bundled](https:\u002F\u002Fimg.shields.io\u002Fdocker\u002Fpulls\u002Fdependencytrack\u002Fbundled.svg?label=Docker%20Pulls%20%28Bundled%29)](https:\u002F\u002Fhub.docker.com\u002Fr\u002Fdependencytrack\u002Fbundled\u002F)\n[![Pulls - Legacy](https:\u002F\u002Fimg.shields.io\u002Fdocker\u002Fpulls\u002Fowasp\u002Fdependency-track.svg?label=Docker%20Pulls%20%28OWASP%20Legacy%29)](https:\u002F\u002Fhub.docker.com\u002Fr\u002Fowasp\u002Fdependency-track\u002F)\n\n![logo preview](https:\u002F\u002Fraw.githubusercontent.com\u002FDependencyTrack\u002Fbranding\u002Fmaster\u002Fdt-logo.svg?sanitize=true)\n\n\nDependency-Track is an intelligent [Component Analysis] platform that allows organizations to\nidentify and reduce risk in the software supply 
chain. Dependency-Track takes a unique\nand highly beneficial approach by leveraging the capabilities of [Software Bill of Materials] (SBOM). This approach\nprovides capabilities that traditional Software Composition Analysis (SCA) solutions cannot achieve.\n\nDependency-Track monitors component usage across all versions of every application in its portfolio in order to\nproactively identify risk across an organization. The platform has an API-first design and is ideal for use in\nCI\u002FCD environments.\n\n## Ecosystem Overview\n![alt text](.\u002Fdocs\u002Fimages\u002Fintegrations.png)\n\n## Features\n* Consumes and produces [CycloneDX] Software Bill of Materials (SBOM)\n* Consumes and produces [CycloneDX Vulnerability Exploitability Exchange (VEX)](https:\u002F\u002Fcyclonedx.org\u002Fcapabilities\u002Fvex\u002F)\n* Component support for:\n  * Applications\n  * Libraries\n  * Frameworks\n  * Operating systems\n  * Containers\n  * Firmware\n  * Files\n  * Hardware\n  * Services\n* Tracks component usage across every application in an organization's portfolio\n* Quickly identify what is affected, and where\n* Identifies multiple forms of risk including\n  * Components with known vulnerabilities\n  * Out-of-date components\n  * Modified components\n  * License risk\n  * More coming soon...\n* Integrates with multiple sources of vulnerability intelligence including:\n  * [National Vulnerability Database] (NVD)\n  * [GitHub Advisories]\n  * [Sonatype OSS Index]\n  * [Snyk]\n  * [Trivy]\n  * [OSV]\n  * [VulnDB] from [Risk Based Security]\n  * More coming soon.\n* Helps to prioritize mitigation by incorporating support for the [Exploit Prediction Scoring System (EPSS)](https:\u002F\u002Fwww.first.org\u002Fepss\u002F)\n* Maintain a private vulnerability database of vulnerable components\n* Robust policy engine with support for global and per-project policies\n  * Security risk and compliance\n  * License risk and compliance\n  * Operational risk and compliance\n* 
Ecosystem agnostic with built-in repository support for:\n  * Cargo (Rust)\n  * Composer (PHP)\n  * Gems (Ruby)\n  * Hex (Erlang\u002FElixir)\n  * Maven (Java)\n  * NPM (JavaScript)\n  * CPAN (Perl)\n  * NuGet (.NET)\n  * PyPI (Python)\n  * More coming soon.\n* Identifies APIs and external service components including:\n  * Service provider\n  * Endpoint URIs\n  * Data classification\n  * Directional flow of data\n  * Trust boundary traversal\n  * Authentication requirements\n* Includes a comprehensive auditing workflow for triaging results\n* Configurable notifications supporting Slack, Microsoft Teams, Mattermost, Webhooks, Webex, Email and Jira\n* Supports standardized SPDX license IDs and tracks license use by component\n* Easy to read metrics for components, projects, and portfolio\n* Native support for Kenna Security, Fortify SSC, ThreadFix, and DefectDojo\n* API-first design facilitates easy integration with other systems\n* API documentation available in OpenAPI format\n* OAuth 2.0 + OpenID Connect (OIDC) support for single sign-on (authN\u002FauthZ)\n* Supports internally managed users, Active Directory\u002FLDAP, and API Keys\n* Simple to install and configure. 
Get up and running in just a few minutes\n\n\n\u003Chr>\n\n![alt text](.\u002Fdocs\u002Fimages\u002Fscreenshots\u002Fdashboard.png)\n\n### Quickstart (Docker Compose)\n\n```bash\n# Downloads the latest Docker Compose file\ncurl -LO https:\u002F\u002Fdependencytrack.org\u002Fdocker-compose.yml\n\n# Starts the stack using Docker Compose\ndocker compose up -d\n```\n\n### Quickstart (Docker Swarm)\n\n```bash\n# Downloads the latest Docker Compose file\ncurl -LO https:\u002F\u002Fdependencytrack.org\u002Fdocker-compose.yml\n\n# Initializes Docker Swarm (if not previously initialized)\ndocker swarm init\n\n# Starts the stack using Docker Swarm\ndocker stack deploy -c docker-compose.yml dtrack\n```\n\n### Quickstart (Manual Execution)\n\n```bash\n# Pull the image from the Docker Hub OWASP repo\ndocker pull dependencytrack\u002Fbundled\n\n# Creates a dedicated volume where data can be stored outside the container\ndocker volume create --name dependency-track\n\n# Run the bundled container with 8GB RAM on port 8080\ndocker run -d -m 8192m -p 8080:8080 --name dependency-track -v dependency-track:\u002Fdata dependencytrack\u002Fbundled\n```\n\n**NOTICE: Always use official binary releases in production.**\n\n## Distributions\n\nDependency-Track has three distribution variants. They are:\n\n| Package    | Package Format          | Recommended | Supported | Docker | Download |\n|:-----------|:------------------------|:-----------:|:---------:|:------:|:--------:|\n| API Server | Executable WAR          |      ✅      |     ✅     |   ✅    |    ✅     |\n| Frontend   | Single Page Application |      ✅      |     ✅     |   ✅    |    ✅     |\n| Bundled    | Executable WAR          |      ❌      |    ☑️     |   ✅    |    ✅     |\n\n#### API Server\n\nThe API Server contains an embedded Jetty server and all server-side functionality, but excludes the frontend user\ninterface. 
This variant is new as of Dependency-Track v4.0.\n\n#### Frontend\n\nThe [Frontend](https:\u002F\u002Fgithub.com\u002FDependencyTrack\u002Ffrontend) is the user interface that is accessible in a web browser. The Frontend is a Single Page Application (SPA)\nthat can be deployed independently of the Dependency-Track API Server. This variant is new as of Dependency-Track v3.8.\n\n#### Bundled\n\nThe Bundled variant combines the API Server and the Frontend user interface. This variant was previously referred to as\nthe executable war and was the preferred distribution from Dependency-Track v3.0 - v3.8. This variant is supported but\ndeprecated and will be discontinued in a future release.\n\n#### Traditional\n\nThe Traditional variant combines the API Server and the Frontend user interface and must be deployed to a Servlet\ncontainer. This variant is not supported, deprecated, and will be discontinued in a future release.\n\n## Deploying on Kubernetes with Helm\n\nRefer to https:\u002F\u002Fgithub.com\u002FDependencyTrack\u002Fhelm-charts.\n\n## Contributing\n\nInterested in contributing to Dependency-Track? Please check [`CONTRIBUTING.md`](.\u002FCONTRIBUTING.md) to see how you can help!\n\n## Resources\n\n* Website: \u003Chttps:\u002F\u002Fdependencytrack.org\u002F>\n* Documentation: \u003Chttps:\u002F\u002Fdocs.dependencytrack.org\u002F>\n* Component Analysis: \u003Chttps:\u002F\u002Fowasp.org\u002Fwww-community\u002FComponent_Analysis>\n\n## Community\n\n* Twitter: \u003Chttps:\u002F\u002Fdependencytrack.org\u002Ftwitter>\n* YouTube: \u003Chttps:\u002F\u002Fdependencytrack.org\u002Fyoutube>\n* Slack: \u003Chttps:\u002F\u002Fdependencytrack.org\u002Fslack> (Invite:  \u003Chttps:\u002F\u002Fdependencytrack.org\u002Fslack\u002Finvite>)\n* Discussion (Groups.io): \u003Chttps:\u002F\u002Fdependencytrack.org\u002Fdiscussion>\n\n## Copyright & License\nDependency-Track is Copyright (c) OWASP Foundation. 
All Rights Reserved.\n\nPermission to modify and redistribute is granted under the terms of the\n[Apache License 2.0].\n\nDependency-Track makes use of several other open source libraries. Please see\nthe [notices] file for more information.\n\n  [National Vulnerability Database]: https:\u002F\u002Fnvd.nist.gov\n  [GitHub Advisories]: https:\u002F\u002Fwww.github.com\u002Fadvisories\n  [Sonatype OSS Index]: https:\u002F\u002Fossindex.sonatype.org\n  [Snyk]: https:\u002F\u002Fsnyk.io\n  [Trivy]: https:\u002F\u002Fwww.aquasec.com\u002Fproducts\u002Ftrivy\u002F\n  [OSV]: https:\u002F\u002Fosv.dev\n  [VulnDB]: https:\u002F\u002Fvulndb.flashpoint.io\n  [Risk Based Security]: https:\u002F\u002Fwww.riskbasedsecurity.com\n  [Component Analysis]: https:\u002F\u002Fowasp.org\u002Fwww-community\u002FComponent_Analysis\n  [Software Bill of Materials]: https:\u002F\u002Fowasp.org\u002Fwww-community\u002FComponent_Analysis#software-bill-of-materials-sbom\n  [CycloneDX]: https:\u002F\u002Fcyclonedx.org\n  [license-image]: https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Flicense-apache%20v2-brightgreen.svg\n  [Apache License 2.0]: https:\u002F\u002Fgithub.com\u002FDependencyTrack\u002Fdependency-track\u002Fblob\u002Fmaster\u002FLICENSE.txt\n  [notices]: https:\u002F\u002Fgithub.com\u002FDependencyTrack\u002Fdependency-track\u002Fblob\u002Fmaster\u002FNOTICES.txt\n  [Alpine]: https:\u002F\u002Fgithub.com\u002Fstevespringett\u002FAlpine\n","Dependency-Track is an intelligent component analysis platform designed to help organizations identify and reduce risk in the software supply chain. The project leverages the capabilities of the Software Bill of Materials (SBOM) to provide stronger capabilities than traditional software composition analysis: it automatically detects and manages vulnerabilities in open source components and supports multiple formats such as CycloneDX and SPDX. Its core functions include dependency tracking, vulnerability scanning and assessment, and policy violation detection. The tool is suited to enterprise development teams that need to strengthen software security and compliance, and plays an important role in DevSecOps workflows.",2,"2026-06-11 03:30:44","trending"]