Stowage/dependency-track
2
0
Fork 0
mirror of https://github.com/DependencyTrack/dependency-track.git synced 2025-11-03 15:10:57 +00:00
Code Issues Projects Releases Packages Wiki Activity
dependency-track/docs/_docs/FAQ.md

53 lines
2.8 KiB
Markdown
Raw Normal View History

feat: add FAQ file
2020-03-11 12:03:39 +02:00
---
title: Frequently Asked Questions
category: FAQ
re-order chapter numbers
2020-03-11 12:12:31 +01:00
chapter: 10
feat: add FAQ file
2020-03-11 12:03:39 +02:00
order:
---
Frequently asked questions about Dependency Track functionality that may not be covered by the documentation. If you don't find an answer here, try reaching out to the Slack channel related to dependency track.
<!--A link will be added later when we're done to directly take the reader to the slack channel-->
#### Dependency Check and Dependency Track Comparison
add FAQ related to OSS Index and Analyzers
2020-03-11 15:15:48 +01:00
This topic is heavily explained in the [Dependency Check Comparison](./../odt-odc-comparison/) to Dependency Track.
#### I expect to see vulnerable components but I don't
Most common reason: You have to enabled the [Sonatype OSS Index Analyzer](./../datasources/ossindex/). It is not
enabled by default but is necessary to scan dependencies represented by
[Package URLs](./../terminology/#package-url-purl).
#### Why is Sonatype OSS Index Analyzer disabled by default?
Sonatype OSS Index Analyzer is disabled because you need an account and need to configure it first. See
[Sonatype OSS Index Analyzer](./../datasources/ossindex/).
add FAQ: wait for analyzers to be run
2020-03-17 13:12:08 +01:00
#### I have just enabled OSS Index Analyzer but still don't see results
The analyzers run asynchronously. After you enable an analyzer it is not immediately run.
You have to wait some time until the analyzers are scheduled, currently 6 hours.
Restarting Dependency Track will not run the analyzers either, it will just reset the clock.
add FAQ related to OSS Index and Analyzers
2020-03-11 15:15:48 +01:00
#### Why is the local NVD mirror not used?
The local NVD mirror is used for dependencies that are identified by a [CPE](./../terminology/#cpe). These are mostly
components like operating systems, applications, and hardware. That's what CPE was designed to represent.
[Package URLs](./../terminology/#package-url-purl) (PURL) on the other hand are designed to represent all kinds of software
dependencies like packages, libraries, and frameworks. In the local mirror there is no mapping from the PURL to CPE/CVE.
So the local mirror is used, but not for dependencies represented by PURL. Dependency Track will use the Analyzer best
suited to analyze a given dependency.
add FAQ regarding depdendency check support
2020-03-11 15:25:38 +01:00
#### I updated Dependency Track and now I can not upload Dependency-Check reports
Starting with Dependency Track v3.6.0 support for Dependency-Check XML reports was disabled by default. It was finally
removed with v3.7.0. The fundamental concepts of Dependency-Check and Dependency Track are different, so the support
was dropped. A comparison can be found in the [Dependency Check Comparison](./../odt-odc-comparison/).
add FAQ: container crashes
2020-03-17 13:31:21 +01:00
#### Dependency Track crashes when run as a container
Make sure the container is allowed to allocate enough RAM. For memory requirements see
[Deploying Docker Container](./../getting-started/deploy-docker/). A common source for limited memory is Docker for
Windows's default memory limit of 2GB which is too less. You can change this in docker's settings.
Reference in a new issue Copy permalink