dependency-track/docs/_docs/usage/supply-chain-component-analysis.md
2019-09-28 22:59:32 -05:00

---
title: Supply Chain Component Analysis
category: Usage
chapter: 2
order: 3
redirect_from:
  - /usage/scrm/
---

Component Analysis, as defined by OWASP, is the process of identifying potential areas of risk from the use of third-party and open-source software and hardware components. Component Analysis is a function within an overall Cyber Supply Chain Risk Management (C-SCRM) framework.

[Screenshot: components]

Dependency-Track fulfills much of the guidance laid out by OWASP and SAFECode.

  • Tracks application, library, framework, operating system, and hardware components
  • Tracks component usage among all projects in the enterprise
  • Adapts to changes in component dependencies used among the various projects
  • Tracks various metadata for each component including:
    • Group / Vendor
    • Component Name
    • Component Version
    • Description
    • Copyright
    • License
    • File Hashes
    • Ecosystem
    • more...
  • Continuously analyzes components for known, publicly disclosed vulnerabilities
  • Reports component vulnerability metrics to higher-level projects that have dependencies on them
  • Reports vulnerability metrics for all projects in an organization's portfolio
  • Provides vulnerability metrics over a customizable period of time for individual components, projects, or an organization's entire portfolio
  • Identifies out-of-date components where the version used is not the latest available
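As an added illustration (not code from the Dependency-Track project), the following Python sketch shows how the metadata fields listed above map onto components in a CycloneDX BOM, and how per-component findings roll up into project-level vulnerability counts and out-of-date flags. The BOM, the findings and the "latest version" table are all constructed here; in the real system they come from uploaded BOMs, vulnerability databases and package repositories.

```python
import json
from collections import Counter

# Constructed CycloneDX-style BOM for a hypothetical project (not a real inventory).
BOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.2",
 "metadata": {"component": {"name": "example-app", "version": "1.0.0"}},
 "components": [
  {"type": "library", "group": "org.example", "name": "libfoo", "version": "1.2.3",
   "purl": "pkg:maven/org.example/libfoo@1.2.3", "description": "example library",
   "licenses": [{"license": {"id": "Apache-2.0"}}],
   "hashes": [{"alg": "SHA-256", "content": "00ff"}]},
  {"type": "library", "name": "barjs", "version": "4.0.1",
   "purl": "pkg:npm/barjs@4.0.1", "licenses": [{"license": {"id": "MIT"}}]}]}"""

# Constructed findings and latest-version data, standing in for a vulnerability
# database and a package repository lookup.
FINDINGS = [{"purl": "pkg:maven/org.example/libfoo@1.2.3", "severity": "HIGH"},
            {"purl": "pkg:maven/org.example/libfoo@1.2.3", "severity": "MEDIUM"},
            {"purl": "pkg:npm/barjs@4.0.1", "severity": "CRITICAL"}]
LATEST = {"pkg:maven/org.example/libfoo": "1.4.0", "pkg:npm/barjs": "4.0.1"}

def parse_components(bom_json):
    """Pull the per-component metadata fields out of a CycloneDX BOM."""
    out = []
    for c in json.loads(bom_json).get("components", []):
        purl = c.get("purl", "")
        out.append({
            "group": c.get("group"), "name": c["name"], "version": c.get("version"),
            "purl": purl,
            # Ecosystem is the purl type: "maven" in pkg:maven/org.example/libfoo@1.2.3
            "ecosystem": purl[4:].split("/", 1)[0] if purl.startswith("pkg:") else None,
            "licenses": [lic["license"]["id"] for lic in c.get("licenses", [])],
            "hashes": {h["alg"]: h["content"] for h in c.get("hashes", [])},
        })
    return out

def _vtuple(v):
    """Dotted version string to a comparable tuple; non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def project_metrics(components, findings, latest):
    """Roll component findings up to the project and flag out-of-date versions."""
    per_component = Counter(f["purl"] for f in findings)
    severities = Counter(f["severity"] for f in findings)
    outdated = []
    for c in components:
        base = c["purl"].rsplit("@", 1)[0]  # purl without the version part
        if base in latest and _vtuple(c["version"]) < _vtuple(latest[base]):
            outdated.append((c["name"], c["version"], latest[base]))
    return {"components": len(components), "severities": dict(severities),
            "vulnerable_components": sum(1 for c in components if per_component[c["purl"]]),
            "outdated": outdated}
```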