---
title: Dependency-Check Comparison
sitemap: true
---
<p>
  Identifying risk in supply chains containing third-party and open source components involves identifying known
  vulnerabilities, component age and "freshness", license terms, project health, chain of custody, and a host of
  other factors. Component analysis applies to software being developed, software being purchased, and software
  embedded in a device (or the device itself). If a vulnerability is possible for a given component (software or
  hardware) it can and should be analyzed.
</p>
<p>
  One of the most common questions from people familiar with either Dependency-Check or Dependency-Track is what
  the distinction between the two is: what is the relationship between them, and how do they differ?
</p>
<table>
  <thead>
    <tr>
      <th width="20%"></th>
      <th width="40%">Dependency-Track</th>
      <th width="40%">Dependency-Check</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td><strong>Software type</strong></td>
      <td>Platform</td>
      <td>
        Library with multiple implementations:
        <ul>
          <li>Command line interface</li>
          <li>Build plugins (Maven, Ant, etc)</li>
          <li>Jenkins plugin</li>
        </ul>
      </td>
    </tr>
    <tr>
      <td><strong>Approach</strong></td>
      <td>Software Bill-of-Materials (SBOM) which can be automatically generated at build-time or obtained from vendors</td>
      <td>Scans files on filesystem and extracts evidence with varying degrees of confidence</td>
    </tr>
    <tr>
      <td><strong>Vulnerability intelligence</strong></td>
      <td>
        <ul>
          <li>Precise matching via NVD</li>
          <li>Sonatype OSS Index</li>
          <li>GitHub Advisories</li>
          <li>VulnDB</li>
        </ul>
      </td>
      <td>
        <ul>
          <li>Fuzzy matching via NVD</li>
          <li>Sonatype OSS Index</li>
          <li>NPM Audit API</li>
          <li>Retire.js</li>
        </ul>
      </td>
    </tr>
    <tr>
      <td><strong>Outdated version identification</strong></td>
      <td>
        <ul>
          <li>Cargo (Rust)</li>
          <li>Composer (PHP)</li>
          <li>Hex (Erlang/Elixir)</li>
          <li>RubyGems (Ruby)</li>
          <li>Maven (Java)</li>
          <li>NPM (JavaScript)</li>
          <li>NuGet (.NET)</li>
          <li>PyPI (Python)</li>
        </ul>
      </td>
      <td>None</td>
    </tr>
    <tr>
      <td><strong>Ecosystems supported</strong></td>
      <td>Ecosystem agnostic (all ecosystems supported)</td>
      <td>10+ with varying degrees of maturity</td>
    </tr>
    <tr>
      <td><strong>Reporting</strong></td>
      <td>Dynamic intelligence and metrics delivered via REST API or web interface</td>
      <td>Per-project statically generated HTML, XML, JSON, and CSV reports</td>
    </tr>
    <tr>
      <td><strong>License support</strong></td>
      <td>Resolves over 500 SPDX license IDs as well as supporting unresolved license names</td>
      <td>Unresolved license names as evidence</td>
    </tr>
    <tr>
      <td><strong>Jenkins plugin</strong></td>
      <td>Yes (bidirectional)</td>
      <td>Yes (unidirectional)</td>
    </tr>
    <tr>
      <td><strong>SonarQube plugin</strong></td>
      <td>No</td>
      <td>Yes</td>
    </tr>
    <tr>
      <td><strong>Vulnerability aggregation</strong></td>
      <td>
        <ul>
          <li>CodeDx (vendor supported)</li>
          <li>Defect Dojo (vendor supported)</li>
          <li>Kenna Security (natively supported)</li>
          <li>Fortify SSC (natively supported)</li>
          <li>Security Compass (vendor supported)</li>
          <li>ThreadFix (vendor supported)</li>
        </ul>
      </td>
      <td>
        <ul>
          <li>CodeDx (vendor supported)</li>
          <li>Defect Dojo (vendor supported)</li>
          <li>Nucleus Security (vendor supported)</li>
          <li>Orchestron (vendor supported)</li>
          <li>Security Compass (vendor supported)</li>
          <li>ThreadFix (vendor supported)</li>
          <li>ZeroNorth (vendor supported)</li>
        </ul>
      </td>
    </tr>
    <tr>
      <td><strong>Notification support</strong></td>
      <td>
        <ul>
          <li>Slack</li>
          <li>Microsoft Teams</li>
          <li>Mattermost</li>
          <li>Cisco WebEx</li>
          <li>Webhooks</li>
          <li>Email</li>
          <li>Jira</li>
        </ul>
      </td>
      <td>None</td>
    </tr>
    <tr>
      <td><strong>Auditing</strong></td>
      <td>Per-project and global auditing workflow supporting analysis decisions, comments, and suppressions that are captured and tracked in a per-finding audit log</td>
      <td>Suppression file with support for CPE, filename, and regex pattern matching</td>
    </tr>
    <tr>
      <td><strong>Private vulnerability repository</strong></td>
      <td>Yes</td>
      <td>No</td>
    </tr>
    <tr>
      <td><strong>Perspectives</strong></td>
      <td>
        <ul>
          <li>Portfolio of projects (applications, services, devices, etc)</li>
          <li>Project</li>
          <li>Dependency</li>
          <li>Component</li>
          <li>Vulnerability</li>
          <li>License</li>
        </ul>
      </td>
      <td>
        <ul>
          <li>Project</li>
          <li>Dependency</li>
          <li>Vulnerability</li>
        </ul>
      </td>
    </tr>
  </tbody>
</table>
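<p>
  As an added illustration of the "Approach" and "Vulnerability intelligence" rows above (not code from either project): a simplified model in which an SBOM-declared component is looked up by exact vendor, product and version, while evidence pulled from a file (names and versions from the file name and manifest, each carrying a confidence level, as a filesystem scanner collects it) is matched loosely. The vulnerability records, the jar and its evidence are all constructed.
</p>

```python
"""Added illustration, not Dependency-Check or Dependency-Track code: exact lookup of an
SBOM-declared component versus loose matching of evidence extracted from files.
All vulnerability records and evidence below are constructed."""
from collections import namedtuple

# Constructed NVD-like index keyed by CPE-style (vendor, product, version).
VULN_INDEX = {
    ("apache", "commons_text", "1.9"): {"CVE-EXAMPLE-0001"},
    ("apache", "commons_collections", "3.2.1"): {"CVE-EXAMPLE-0002"},
    ("apache", "commons_text", "1.10.0"): set(),
}

# kind is "vendor", "product" or "version"; confidence is how far the extractor trusts it.
Evidence = namedtuple("Evidence", "kind value confidence")


def precise_lookup(vendor, product, version):
    """SBOM path: the build tool states the exact component, so this is a key lookup."""
    return set(VULN_INDEX.get((vendor, product, version), set()))


def fuzzy_lookup(evidence, min_confidence):
    """Scan path: every name or version string pulled from a file is a candidate; a record
    matching any product token and any version string is reported. A low threshold can
    over-report, a high one can miss components that left only weak evidence."""
    kept = [e for e in evidence if e.confidence >= min_confidence]
    products = {e.value for e in kept if e.kind == "product"}
    versions = {e.value for e in kept if e.kind == "version"}
    hits = set()
    for (_vendor, product, version), cves in VULN_INDEX.items():
        if version in versions and any(tok in product for tok in products):
            hits |= cves
    return hits


def demo():
    # Constructed evidence for a repackaged jar named "utils-3.2.1.jar" whose manifest
    # reads "Apache Commons Text 1.9": the file name and the manifest disagree.
    evidence = [
        Evidence("product", "utils", 2),     # from the file name
        Evidence("version", "3.2.1", 2),     # from the file name
        Evidence("product", "commons", 3),   # from the manifest title
        Evidence("product", "text", 3),      # from the manifest title
        Evidence("version", "1.9", 3),       # from the manifest version
    ]
    return {
        "sbom": precise_lookup("apache", "commons_text", "1.9"),
        "scan_loose": fuzzy_lookup(evidence, min_confidence=2),   # includes a false positive
        "scan_strict": fuzzy_lookup(evidence, min_confidence=3),
    }
```

<p>
  With the loose threshold the commons_collections record is reported because the file name's version and the manifest's product token each match half of a different record; the SBOM lookup has no such ambiguity.
</p>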