[![Build Status](https://github.com/DependencyTrack/dependency-track/actions/workflows/ci-build.yaml/badge.svg)](https://github.com/DependencyTrack/dependency-track/actions?workflow=CI+Build)
[![Codacy Badge](https://app.codacy.com/project/badge/Grade/b2ecd06dab57438a9a55bc4a71c5a8ce)](https://www.codacy.com/gh/DependencyTrack/dependency-track/dashboard?utm_source=github.com&utm_medium=referral&utm_content=DependencyTrack/dependency-track&utm_campaign=Badge_Grade)
[![Alpine](https://img.shields.io/badge/built%20on-Alpine-blue.svg)](https://github.com/stevespringett/Alpine)
[![License][license-image]][Apache License 2.0]
[![OWASP Flagship](https://img.shields.io/badge/owasp-flagship%20project-orange.svg)](https://www.owasp.org/index.php/OWASP_Dependency_Track_Project)
[![Website](https://img.shields.io/badge/https://-dependencytrack.org-blue.svg)](https://dependencytrack.org/)
[![Documentation](https://img.shields.io/badge/read-documentation-blue.svg)](https://docs.dependencytrack.org/)
[![Slack](https://img.shields.io/badge/chat%20on-slack-46BC99.svg)](https://dependencytrack.org/slack)
[![Group Discussion](https://img.shields.io/badge/discussion-groups.io-blue.svg)](https://dependencytrack.org/discussion)
[![YouTube Subscribe](https://img.shields.io/badge/youtube-subscribe-%23c4302b.svg)](https://dependencytrack.org/youtube)
[![Twitter](https://img.shields.io/twitter/follow/dependencytrack.svg?label=Follow&style=social)](https://twitter.com/dependencytrack)
[![Downloads](https://img.shields.io/github/downloads/DependencyTrack/dependency-track/total.svg)](https://github.com/DependencyTrack/dependency-track/releases)
[![Latest](https://img.shields.io/github/release/DependencyTrack/dependency-track.svg)](https://github.com/DependencyTrack/dependency-track/releases)
[![Pulls - API Server](https://img.shields.io/docker/pulls/dependencytrack/apiserver.svg?label=Docker%20Pulls%20%28API%20Server%29)](https://hub.docker.com/r/dependencytrack/apiserver/)
[![Pulls - Frontend](https://img.shields.io/docker/pulls/dependencytrack/frontend.svg?label=Docker%20Pulls%20%28Frontend%29)](https://hub.docker.com/r/dependencytrack/frontend/)
[![Pulls - Bundled](https://img.shields.io/docker/pulls/dependencytrack/bundled.svg?label=Docker%20Pulls%20%28Bundled%29)](https://hub.docker.com/r/dependencytrack/bundled/)
[![Pulls - Legacy](https://img.shields.io/docker/pulls/owasp/dependency-track.svg?label=Docker%20Pulls%20%28OWASP%20Legacy%29)](https://hub.docker.com/r/owasp/dependency-track/)
![logo preview](https://raw.githubusercontent.com/DependencyTrack/branding/master/dt-logo.svg?sanitize=true)
Dependency-Track is an intelligent [Component Analysis] platform that allows organizations to
identify and reduce risk in the software supply chain. Dependency-Track takes a unique
and highly beneficial approach by leveraging the capabilities of [Software Bill of Materials] (SBOM). This approach
provides capabilities that traditional Software Composition Analysis (SCA) solutions cannot achieve.
Dependency-Track monitors component usage across all versions of every application in its portfolio in order to
proactively identify risk across an organization. The platform has an API-first design and is ideal for use in
CI/CD environments.
## Ecosystem Overview
![alt text](./docs/images/integrations.png)
## Features
* Consumes and produces [CycloneDX] Software Bill of Materials (SBOM)
* Consumes and produces [CycloneDX Vulnerability Exploitability Exchange (VEX)](https://cyclonedx.org/capabilities/vex/)
* Component support for:
  * Applications
  * Libraries
  * Frameworks
  * Operating systems
  * Containers
  * Firmware
  * Files
  * Hardware
  * Services
* Tracks component usage across every application in an organization's portfolio
* Quickly identify what is affected, and where
* Identifies multiple forms of risk including:
  * Components with known vulnerabilities
  * Out-of-date components
  * Modified components
  * License risk
  * More coming soon...
* Integrates with multiple sources of vulnerability intelligence including:
  * [National Vulnerability Database] (NVD)
  * [GitHub Advisories]
  * [Sonatype OSS Index]
  * [Snyk]
  * [Trivy]
  * [OSV]
  * [VulnDB] from [Risk Based Security]
  * More coming soon.
* Helps to prioritize mitigation by incorporating support for the [Exploit Prediction Scoring System (EPSS)](https://www.first.org/epss/)
* Maintain a private vulnerability database of vulnerable components
* Robust policy engine with support for global and per-project policies
  * Security risk and compliance
  * License risk and compliance
  * Operational risk and compliance
* Ecosystem agnostic with built-in repository support for:
  * Cargo (Rust)
  * Composer (PHP)
  * Gems (Ruby)
  * Hex (Erlang/Elixir)
  * Maven (Java)
  * NPM (JavaScript)
  * CPAN (Perl)
  * NuGet (.NET)
  * PyPI (Python)
  * More coming soon.
* Identifies APIs and external service components including:
  * Service provider
  * Endpoint URIs
  * Data classification
  * Directional flow of data
  * Trust boundary traversal
  * Authentication requirements
* Includes a comprehensive auditing workflow for triaging results
* Configurable notifications supporting Slack, Microsoft Teams, Mattermost, Webhooks, Webex, Email and Jira
* Supports standardized SPDX license IDs and tracks license use by component
* Easy to read metrics for components, projects, and portfolio
* Native support for Kenna Security, Fortify SSC, ThreadFix, and DefectDojo
* API-first design facilitates easy integration with other systems
* API documentation available in OpenAPI format
* OAuth 2.0 + OpenID Connect (OIDC) support for single sign-on (authN/authZ)
* Supports internally managed users, Active Directory/LDAP, and API Keys
* Simple to install and configure. Get up and running in just a few minutes
<hr>
![alt text](./docs/images/screenshots/dashboard.png)
### Quickstart (Docker Compose)
```bash
# Downloads the latest Docker Compose file
curl -LO https://dependencytrack.org/docker-compose.yml
# Starts the stack using Docker Compose
docker-compose up -d
```
### Quickstart (Docker Swarm)
```bash
# Downloads the latest Docker Compose file
curl -LO https://dependencytrack.org/docker-compose.yml
# Initializes Docker Swarm (if not previously initialized)
docker swarm init
# Starts the stack using Docker Swarm
docker stack deploy -c docker-compose.yml dtrack
```
### Quickstart (Manual Execution)
```bash
# Pull the bundled image from Docker Hub
docker pull dependencytrack/bundled
# Creates a dedicated volume where data can be stored outside the container
docker volume create --name dependency-track
# Run the bundled container with 8GB RAM on port 8080
docker run -d -m 8192m -p 8080:8080 --name dependency-track -v dependency-track:/data dependencytrack/bundled
```
**NOTICE: Always use official binary releases in production.**
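With a stack from one of the quickstarts running, the API-first design lets a CI job push a CycloneDX SBOM straight to the API Server. The following is an added example, not code from the Dependency-Track project; it assumes the server is reachable at `DT_URL` (defaulting to the bundled quickstart on port 8080), an API key with the `BOM_UPLOAD` permission (plus `PROJECT_CREATION_UPLOAD` for `autoCreate`) in `DT_API_KEY`, and uses a constructed placeholder SBOM as input.

```python
# Added example (not Dependency-Track's own code): push a CycloneDX SBOM to the
# API Server with PUT /api/v1/bom and poll GET /api/v1/bom/token/{token} until
# processing ends. Assumes DT_URL (default: the bundled quickstart on :8080) and
# an API key with BOM_UPLOAD / PROJECT_CREATION_UPLOAD permissions in DT_API_KEY.
import base64
import json
import os
import time
import urllib.request

# Constructed sample SBOM with a placeholder component (not a real project).
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "components": [{"type": "library", "name": "example-lib", "version": "1.0.0",
                    "purl": "pkg:maven/org.example/example-lib@1.0.0"}],
}

def build_upload_payload(sbom, project_name, project_version):
    """JSON body for PUT /api/v1/bom: the SBOM is sent base64-encoded and
    autoCreate lets the server create the project on first upload."""
    encoded = base64.b64encode(json.dumps(sbom).encode()).decode()
    return {"projectName": project_name, "projectVersion": project_version,
            "autoCreate": True, "bom": encoded}

def decode_payload_bom(payload):
    """Inverse of build_upload_payload, useful to verify what will be sent."""
    return json.loads(base64.b64decode(payload["bom"]))

def _request(method, url, api_key, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("X-Api-Key", api_key)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def upload_and_wait(base_url, api_key, payload, poll_seconds=2, max_polls=60):
    """Upload the SBOM, then poll the returned token until the server reports
    processing is finished; returns the token. Raises TimeoutError otherwise."""
    token = _request("PUT", f"{base_url}/api/v1/bom", api_key, payload)["token"]
    for _ in range(max_polls):
        status = _request("GET", f"{base_url}/api/v1/bom/token/{token}", api_key)
        if not status["processing"]:
            return token
        time.sleep(poll_seconds)
    raise TimeoutError("SBOM processing did not finish in time")

if __name__ == "__main__":
    base = os.environ.get("DT_URL", "http://localhost:8080")
    payload = build_upload_payload(SAMPLE_SBOM, "example-app", "1.0.0")
    print("processed, token:", upload_and_wait(base, os.environ["DT_API_KEY"], payload))
```

Once processing has finished, the project's findings are available through the same API and in the Frontend, so the job can fail the build on policy violations.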
## Distributions
Dependency-Track has three distribution variants. They are:
| Package | Package Format | Recommended | Supported | Docker | Download |
|:-----------|:------------------------|:-----------:|:---------:|:------:|:--------:|
| API Server | Executable WAR | ✅ | ✅ | ✅ | ✅ |
| Frontend | Single Page Application | ✅ | ✅ | ✅ | ✅ |
| Bundled | Executable WAR | ❌ | ☑️ | ✅ | ✅ |
#### API Server
The API Server contains an embedded Jetty server and all server-side functionality, but excludes the frontend user
interface. This variant is new as of Dependency-Track v4.0.
#### Frontend
The [Frontend](https://github.com/DependencyTrack/frontend) is the user interface that is accessible in a web browser. The Frontend is a Single Page Application (SPA)
that can be deployed independently of the Dependency-Track API Server. This variant is new as of Dependency-Track v3.8.
#### Bundled
The Bundled variant combines the API Server and the Frontend user interface. This variant was previously referred to as
the executable war and was the preferred distribution from Dependency-Track v3.0 - v3.8. This variant is supported but
deprecated and will be discontinued in a future release.
#### Traditional
The Traditional variant combines the API Server and the Frontend user interface and must be deployed to a Servlet
container. This variant is not supported, deprecated, and will be discontinued in a future release.
## Deploying on Kubernetes with Helm
Refer to https://github.com/DependencyTrack/helm-charts.
## Contributing
Interested in contributing to Dependency-Track? Please check [`CONTRIBUTING.md`](./CONTRIBUTING.md) to see how you can help!
## Resources
* Website: <https://dependencytrack.org/>
* Documentation: <https://docs.dependencytrack.org/>
* Component Analysis: <https://owasp.org/www-community/Component_Analysis>
## Community
* Twitter: <https://dependencytrack.org/twitter>
* YouTube: <https://dependencytrack.org/youtube>
* Slack: <https://dependencytrack.org/slack> (Invite: <https://dependencytrack.org/slack/invite>)
* Discussion (Groups.io): <https://dependencytrack.org/discussion>
## Copyright & License
Dependency-Track is Copyright (c) OWASP Foundation. All Rights Reserved.
Permission to modify and redistribute is granted under the terms of the
[Apache License 2.0].
Dependency-Track makes use of several other open source libraries. Please see
the [notices] file for more information.
[National Vulnerability Database]: https://nvd.nist.gov
[GitHub Advisories]: https://www.github.com/advisories
[Sonatype OSS Index]: https://ossindex.sonatype.org
[Snyk]: https://snyk.io
[Trivy]: https://www.aquasec.com/products/trivy/
[OSV]: https://osv.dev
[VulnDB]: https://vulndb.cyberriskanalytics.com
[Risk Based Security]: https://www.riskbasedsecurity.com
[Component Analysis]: https://owasp.org/www-community/Component_Analysis
[Software Bill of Materials]: https://owasp.org/www-community/Component_Analysis#software-bill-of-materials-sbom
[CycloneDX]: https://cyclonedx.org
[license-image]: https://img.shields.io/badge/license-apache%20v2-brightgreen.svg
[Apache License 2.0]: https://github.com/DependencyTrack/dependency-track/blob/master/LICENSE.txt
[notices]: https://github.com/DependencyTrack/dependency-track/blob/master/NOTICES.txt
[Alpine]: https://github.com/stevespringett/Alpine