Software Supply Chain

Dependency-Track

Dependency-Track is an open-source Software Composition Analysis (SCA) platform maintained by OWASP that continuously monitors SBOM component inventories for known vulnerabilities. It is widely used by CRA manufacturers to operationalise their SBOM-driven vulnerability management obligations.

What Is Dependency-Track?

Dependency-Track is an open-source platform developed and maintained by OWASP that provides continuous software composition analysis (SCA) and vulnerability management. It ingests CycloneDX SBOMs (it is a CycloneDX-native tool; SPDX documents have to be converted before upload), maintains an inventory of every component across the manufacturer's product portfolio, and continuously correlates that inventory against vulnerability sources (NVD, OSV, GitHub Advisories, Sonatype OSS Index and, optionally, commercial feeds such as Snyk or VulnDB) to identify components with known vulnerabilities. When a CVE affecting a component present in any project's SBOM is published after the build, Dependency-Track raises a finding, can send a notification through its configurable publishers (webhook, e-mail, chat, Jira), and tracks the finding's analysis state through its lifecycle. The portfolio dashboard shows the manufacturer's overall vulnerability exposure across all products, which is the foundation of a scalable CRA-compliant vulnerability management operation.

CRA reference: Annex I, Annex VII

Dependency-Track for CRA Compliance

Dependency-Track directly supports multiple CRA compliance activities:

  • SBOM repository: Stores the current SBOM for every product version and can export it again on demand. This supports the Annex VII technical documentation requirement (the SBOM is part of the technical file) but does not satisfy it alone: the exported SBOM still has to be placed in, and retained with, the technical file for the product's documentation retention period.
  • Continuous vulnerability monitoring: The vulnerability database is refreshed on a schedule and every component is re-evaluated against it, so a CVE published after the release is detected without anyone manually reading vulnerability feeds.
  • PSIRT triage feed: Each finding carries the vulnerability ID and source, CVSS and EPSS scores, the affected component (name, version, package URL) and the projects it appears in, which is the information a PSIRT triage ticket needs.
  • VEX integration: Dependency-Track imports CycloneDX VEX documents and applies each vulnerability's analysis (state, justification, response, details) to the matching finding. A not_affected verdict suppresses the finding, so dashboards show the assessed posture rather than raw matches, while the finding and its rationale stay in the analysis history.
  • Policy engine: Policies with conditions on severity, CVSS or EPSS score, vulnerability ID, component age, licence and similar attributes raise violations at Info, Warn or Fail level. Combined with notifications or a build-time API check, violations are what turn a triage SLA into an enforced control; Dependency-Track does not track deadlines by itself.
CRA reference: Annex I, Annex VII
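The VEX document the integration bullet describes, as an added example (not code from the Dependency-Track project or from this page): it builds a CycloneDX 1.5 VEX from PSIRT decisions and packages it for PUT /api/v1/vex, which Dependency-Track 4.x accepts with the document base64-encoded and bound to a project UUID. The analysis enumerations are the CycloneDX schema values; the decisions, vulnerability IDs (INTERNAL source) and package URLs are constructed for the example.

```python
"""Author a CycloneDX VEX document for Dependency-Track from PSIRT decisions.

Added example, not Dependency-Track project code. Dependency-Track matches each
entry by vulnerability id + source and by the component purl in affects[].ref,
then copies the analysis (state, justification, response, detail) onto the
finding. Decisions, IDs and purls below are constructed.
"""
import base64
import json

# Enumerations from the CycloneDX 1.5 schema (vulnerability.analysis.*)
STATES = {"resolved", "resolved_with_pedigree", "exploitable", "in_triage",
          "false_positive", "not_affected"}
JUSTIFICATIONS = {"code_not_present", "code_not_reachable", "requires_configuration",
                  "requires_dependency", "requires_environment", "protected_by_compiler",
                  "protected_at_runtime", "protected_at_perimeter",
                  "protected_by_mitigating_control"}
RESPONSES = {"can_not_fix", "will_not_fix", "update", "rollback", "workaround_available"}


def validate_decision(d):
    """Return a list of problems with one decision; an empty list means it is usable.

    The rule a reviewer wants enforced: a not_affected verdict must carry a
    machine-readable justification, or the suppression is unexplained.
    """
    problems = []
    if d.get("state") not in STATES:
        problems.append(f"unknown analysis state {d.get('state')!r}")
    if d.get("state") == "not_affected" and d.get("justification") not in JUSTIFICATIONS:
        problems.append("not_affected requires a CycloneDX justification")
    unknown = set(d.get("response", [])) - RESPONSES
    if unknown:
        problems.append(f"unknown response(s) {sorted(unknown)}")
    if not d.get("detail"):
        problems.append("detail (written rationale) is required")
    return problems


def build_vex(decisions):
    """Build a CycloneDX 1.5 VEX document; raises ValueError on an invalid decision."""
    vulns = []
    for d in decisions:
        problems = validate_decision(d)
        if problems:
            raise ValueError(f"{d.get('id')}: " + "; ".join(problems))
        analysis = {"state": d["state"], "detail": d["detail"]}
        if d["state"] == "not_affected":
            analysis["justification"] = d["justification"]
        if d.get("response"):
            analysis["response"] = list(d["response"])
        vulns.append({"id": d["id"], "source": {"name": d["source"]},
                      "analysis": analysis, "affects": [{"ref": d["purl"]}]})
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "vulnerabilities": vulns}


def vex_upload_body(vex, project_uuid):
    """Request body for PUT /api/v1/vex: base64-encoded document bound to a project."""
    return {"project": project_uuid,
            "vex": base64.b64encode(json.dumps(vex).encode()).decode()}


def decode_vex_body(body):
    """Inverse of vex_upload_body, useful for checking what was actually sent."""
    return json.loads(base64.b64decode(body["vex"]))


# Constructed PSIRT decisions: IDs (INTERNAL source), purls and rationale are examples.
DECISIONS = [
    {"id": "INT-0001", "source": "INTERNAL", "purl": "pkg:npm/example-parser@1.4.0",
     "state": "not_affected", "justification": "code_not_reachable",
     "response": ["will_not_fix"],
     "detail": "Vulnerable function is never called; confirmed by call-graph review."},
    {"id": "INT-0002", "source": "INTERNAL", "purl": "pkg:maven/org.example/netlib@3.2.1",
     "state": "exploitable", "response": ["update"],
     "detail": "Reachable over the management interface; fixed in netlib 3.2.2."},
]

if __name__ == "__main__":
    doc = build_vex(DECISIONS)
    print(json.dumps(doc, indent=2))
    print(json.dumps(vex_upload_body(doc, "<project-uuid>")))
```

The validation step is the point: a VEX that suppresses findings without a justification and a written rationale is exactly the kind of undocumented decision a market surveillance authority would question, so reject it before it reaches Dependency-Track.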

Integrating Dependency-Track into the PSIRT Workflow

For maximum CRA compliance value, Dependency-Track should be integrated into the manufacturer's PSIRT workflow:

  1. CI/CD integration: Have the release pipeline upload the freshly generated CycloneDX SBOM on every release build, using a project-scoped API key with the BOM_UPLOAD permission (plus PROJECT_CREATION_UPLOAD if projects are created automatically). Treat the API key as a pipeline secret and scope it per team or product.
  2. Finding notifications: Configure a NEW_VULNERABILITY notification rule, limited to the severities the PSIRT wants paged on (typically Critical and High), with a webhook, Jira or e-mail publisher pointing at the PSIRT ticketing system, so that each new finding opens a triage ticket.
  3. Policy-based escalation: Use a policy with an EPSS condition to flag findings with a high exploitation probability and route them to a fast-track queue. Dependency-Track has no built-in CISA KEV feed, so KEV matching is done outside the tool, for example in the ticketing integration, against the finding's vulnerability ID.
  4. VEX workflow: Record the verdict on each finding in Dependency-Track (state, justification, response and a written rationale), export the project's VEX in CycloneDX format, and convert it for publication. CSAF is a different format, so the CycloneDX VEX is an input to advisory generation, not the advisory itself.
  5. Audit logging: Dependency-Track keeps the analysis history of every finding (state changes, analyst comments and who made them). That history is the documentary evidence of vulnerability handling that market surveillance authorities (MSAs) may request, so include the database in backups and retention planning.
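A minimal release-gate script covering steps 1 to 3, added here as an example (it is not code from the Dependency-Track project or from this page). It uses the v4.x REST endpoints as documented (PUT /api/v1/bom, GET /api/v1/bom/token/{token}, GET /api/v1/project/lookup and GET /api/v1/finding/project/{uuid}, authenticated with the X-Api-Key header); the queue names, the EPSS threshold and the sample findings are constructed assumptions, and the response field names should be checked against the API documentation of the version you deploy.

```python
"""CI release gate for Dependency-Track: upload the build's CycloneDX SBOM,
wait for analysis, pull the findings and route them to PSIRT queues.

Added example, not Dependency-Track project code. Endpoints are the v4.x REST
API as documented; field names should be verified against the deployed
version. Queue names, the EPSS threshold and SAMPLE_FINDINGS are constructed.
"""
import base64
import json
import sys
import time
import urllib.parse
import urllib.request

EPSS_FAST_TRACK = 0.10  # assumed cut-off: >= 10 % 30-day exploitation probability


def _api(base_url, api_key, method, path, body=None):
    """One authenticated JSON call; the key needs BOM_UPLOAD and VIEW_VULNERABILITY."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        base_url.rstrip("/") + path, data=data, method=method,
        headers={"X-Api-Key": api_key, "Accept": "application/json",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def upload_bom(base_url, api_key, project, version, bom_path):
    """PUT the SBOM base64-encoded; autoCreate makes the project/version if missing."""
    with open(bom_path, "rb") as fh:
        bom = base64.b64encode(fh.read()).decode()
    body = {"projectName": project, "projectVersion": version,
            "autoCreate": True, "bom": bom}
    return _api(base_url, api_key, "PUT", "/api/v1/bom", body)["token"]


def wait_for_analysis(base_url, api_key, token, timeout_s=600):
    """Poll the processing token; findings are only complete once it clears."""
    deadline = time.monotonic() + timeout_s
    while time.monotonic() < deadline:
        if not _api(base_url, api_key, "GET", f"/api/v1/bom/token/{token}")["processing"]:
            return True
        time.sleep(5)
    return False


def fetch_findings(base_url, api_key, project, version):
    """Resolve the project UUID by name/version, then list its findings."""
    q = urllib.parse.urlencode({"name": project, "version": version})
    uuid = _api(base_url, api_key, "GET", f"/api/v1/project/lookup?{q}")["uuid"]
    return _api(base_url, api_key, "GET", f"/api/v1/finding/project/{uuid}")


def triage(findings, epss_fast_track=EPSS_FAST_TRACK):
    """Map findings onto PSIRT queues: fast_track (Critical, or EPSS at/above the
    threshold), standard (High), backlog (the rest). Findings suppressed in
    Dependency-Track, e.g. by an imported VEX not_affected analysis, are skipped
    so the gate reflects the assessed posture rather than raw matches."""
    queues = {"fast_track": [], "standard": [], "backlog": []}
    for f in findings:
        if (f.get("analysis") or {}).get("isSuppressed"):
            continue
        vuln, comp = f["vulnerability"], f["component"]
        label = f"{vuln['vulnId']} -> {comp.get('purl') or comp['name']}"
        severity = (vuln.get("severity") or "UNASSIGNED").upper()
        epss = float(vuln.get("epssScore") or 0.0)
        if severity == "CRITICAL" or epss >= epss_fast_track:
            queues["fast_track"].append(label)
        elif severity == "HIGH":
            queues["standard"].append(label)
        else:
            queues["backlog"].append(label)
    return queues


def _finding(purl, vuln_id, severity, epss, suppressed=False):
    """Build one record in the shape of GET /api/v1/finding/project/{uuid} (sample data)."""
    return {"component": {"name": purl.split("/")[-1].split("@")[0], "purl": purl},
            "vulnerability": {"vulnId": vuln_id, "source": "INTERNAL",
                              "severity": severity, "epssScore": epss},
            "analysis": {"isSuppressed": suppressed}}


SAMPLE_FINDINGS = [  # constructed: IDs, purls and scores are made up for the example
    _finding("pkg:npm/example-parser@1.4.0", "INT-0001", "CRITICAL", 0.02),
    _finding("pkg:maven/org.example/netlib@3.2.1", "INT-0002", "HIGH", 0.45),
    _finding("pkg:pypi/imgcodec@0.9.0", "INT-0003", "HIGH", 0.01),
    _finding("pkg:golang/example.com/tlsutil@0.3.0", "INT-0004", "MEDIUM", None),
    _finding("pkg:npm/legacy-ui@2.0.0", "INT-0005", "CRITICAL", 0.90, suppressed=True),
]

if __name__ == "__main__":
    if len(sys.argv) != 6:
        sys.exit("usage: dt_gate.py BASE_URL API_KEY PROJECT VERSION sbom.cdx.json")
    base_url, key, project, version, bom_path = sys.argv[1:]
    token = upload_bom(base_url, key, project, version, bom_path)
    if not wait_for_analysis(base_url, key, token):
        sys.exit("Dependency-Track did not finish processing the SBOM in time")
    queues = triage(fetch_findings(base_url, key, project, version))
    print(json.dumps(queues, indent=2))
    sys.exit(1 if queues["fast_track"] else 0)  # block release while fast-track is non-empty
```

The gate exits non-zero while the fast-track queue is non-empty, which is the policy decision the pipeline enforces; `triage` is a pure function, so the same routing can be run over a findings export during an audit. Note that the suppressed INT-0005 finding is skipped even though it is Critical: that is what a VEX-driven posture looks like, and why the VEX itself needs a justification and reviewer.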

Dependency-Track vs Commercial SCA Alternatives

Dependency-Track is the leading open-source option in its category. Commercial alternatives include Snyk, FOSSA, Mend (WhiteSource), and Black Duck (Synopsys). Key considerations for CRA manufacturers:

  • Cost: Dependency-Track is free and open-source; commercial tools have licensing costs that scale with portfolio size.
  • Data freshness: Commercial tools typically have faster vulnerability database updates and proprietary intelligence feeds beyond NVD/OSV.
  • Integration depth: Commercial tools often have deeper IDE, ticketing system, and CI/CD integrations out of the box.
  • Support: Open-source means community support; commercial tools provide vendor SLAs.

For smaller manufacturers with limited budgets, Dependency-Track with commercial threat intelligence feed integration is a cost-effective path to CRA-compliant SCA. Larger manufacturers with complex portfolios often use commercial tools for their support and integration capabilities.


Frequently asked

Is Dependency-Track sufficient for CRA compliance by itself?

Dependency-Track handles the SBOM-based continuous vulnerability monitoring component of CRA compliance excellently. However, it does not cover all CRA obligations: it does not generate CSAF advisories, manage CVD policy publication, handle researcher report intake, or produce declarations of conformity. It is one component of a broader CRA compliance toolchain. CVD Portal handles the CVD process and advisory generation; Dependency-Track handles the SBOM inventory and vulnerability correlation. Used together, they cover the major operational compliance requirements.

How many products can Dependency-Track manage?

Dependency-Track scales well for large portfolios — it handles thousands of projects and hundreds of thousands of components in production deployments. Each 'project' in Dependency-Track corresponds to a product version with its SBOM. For a manufacturer with many product variants and firmware versions, structuring the Dependency-Track project hierarchy to reflect the product portfolio (by product family, version, and variant) makes the vulnerability dashboard most useful.

Does Dependency-Track support SPDX in addition to CycloneDX?

Not in version 4.x. Dependency-Track is a CycloneDX-native tool: the 3.x releases accepted SPDX 2.x documents, but SPDX import was removed in 4.0 and has not been reinstated. Manufacturers whose primary SBOM format is SPDX convert to CycloneDX before upload (for example with the CycloneDX CLI's convert command) and should check that the conversion preserves package URLs, because Dependency-Track's vulnerability matching depends on them. SPDX licence identifiers are used in Dependency-Track's licence data regardless of the SBOM format.
