DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Document Outbound External Connections #4228

Open leec94 opened 2 weeks ago

leec94 commented 2 weeks ago

Current Behavior

Dependency Track currently reaches out to various APIs to gather vulnerability data and to package managers for detailed component information. For certain deployments, it would be helpful to have a list of the outbound connections so access can be properly restricted.

Currently Dependency Track reaches out to the following:

Integrates with multiple sources of vulnerability intelligence including:

Ecosystem agnostic with built-in repository support for:

  • Cargo (Rust)
  • Composer (PHP)
  • Gems (Ruby)
  • Hex (Erlang/Elixir)
  • Maven (Java)
  • NPM (Javascript)
  • CPAN (Perl)
  • NuGet (.NET)
  • PyPI (Python)

From README: https://github.com/DependencyTrack/dependency-track?tab=readme-ov-file#features

Proposed Behavior

Documentation provides a list of outbound connections from Dependency Track so access can be properly restricted.

This issue would help provision Dependency Track in private network environments where network policy needs to be updated to allow for outbound connections.

nscuro commented 1 week ago

This is already documented in services.bom.json, which gets merged with DT's SBOM during release, so it's also included here: https://github.com/DependencyTrack/dependency-track/releases/download/4.12.0/bom.json

leec94 commented 1 week ago

That's great! Maybe this could be added as an FAQ item, then pointed to the services.bom.json file? It didn't seem clear that this information was available when searching for it.
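To turn the `services` section nscuro points to into the egress allowlist leec94 is asking for, here is an added example (not code from the thread or from the Dependency-Track project) that reads a CycloneDX bom.json and lists host and port for each service endpoint. The field names `services`, `endpoints` and `x-trust-boundary` follow the CycloneDX service schema; the BOM fragment itself is constructed for illustration and is not the real release SBOM.

```python
import json
from urllib.parse import urlsplit

# Constructed CycloneDX fragment shaped like the "services" section of a
# bom.json. Service names and URLs are illustrative placeholders, not the
# entries of the real Dependency-Track release SBOM.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "services": [
        {"name": "Example Vulnerability Feed", "x-trust-boundary": True,
         "endpoints": ["https://feed.example.org/api/v2/", "https://feed.example.org/feed.json"]},
        {"name": "Example Package Index", "x-trust-boundary": True,
         "endpoints": ["https://index.example.net:8443/pypi/"]},
        {"name": "Internal-only service", "x-trust-boundary": False,
         "endpoints": ["http://localhost:9090/"]},
        {"name": "Service without endpoints", "x-trust-boundary": True},
    ],
})

def egress_rules(bom_text, include_internal=False):
    """Sorted (service, scheme, host, port) tuples, one per distinct endpoint.

    Services with "x-trust-boundary": false are skipped unless include_internal
    is set; a service without "endpoints" yields nothing. Ports default per
    scheme so each tuple maps directly onto a firewall or egress policy entry.
    """
    bom = json.loads(bom_text)
    default_ports = {"https": 443, "http": 80}
    rules = set()
    for svc in bom.get("services", []):
        if not include_internal and not svc.get("x-trust-boundary", True):
            continue
        for url in svc.get("endpoints", []):
            parts = urlsplit(url)
            port = parts.port or default_ports.get(parts.scheme)
            if not parts.hostname or port is None:
                continue  # endpoint gives no usable host/port; nothing to allow
            rules.add((svc["name"], parts.scheme, parts.hostname, port))
    return sorted(rules)

def allowlist_hosts(bom_text):
    """Deduplicated host:port pairs, the minimal allowlist for egress policy."""
    return sorted({f"{h}:{p}" for _, _, h, p in egress_rules(bom_text)})

if __name__ == "__main__":
    for name, scheme, host, port in egress_rules(SAMPLE_BOM):
        print(f"{name:30} {scheme}://{host}:{port}")
    print("allowlist:", ", ".join(allowlist_hosts(SAMPLE_BOM)))
```

Run it against the real bom.json by replacing `SAMPLE_BOM` with the file contents; the `x-trust-boundary` filter keeps services that never leave the deployment out of the list.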