forked from DependencyTrack/dependency-track
-
Notifications
You must be signed in to change notification settings - Fork 0
/
odt-odc-comparison.html
175 lines (173 loc) · 6.39 KB
/
odt-odc-comparison.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
---
title: Dependency-Check Comparison
sitemap: true
---
<p>
Identifying risk in supply chains containing third-party and open source components involves identifying known
vulnerabilities, component age and "freshness", license terms, project health, chain of custody, and a host of
other factors. Component analysis is applicable to software being developed, purchased, or as a result of being
embedded in a device (or the device itself). If a vulnerability is possible for a given component (software or
hardware) it can and should be analyzed.
</p>
<p>
One of the most common questions that arise from people familiar with either Dependency-Check or
Dependency-Track is the distinction between the two.
What's the relationship between them and how they are different?
</p>
<table>
<thead>
<tr>
<th width="20%"></th>
<th width="40%">Dependency-Track</th>
<th width="40%">Dependency-Check</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>Software type</strong></td>
<td>Platform</td>
<td>
Library with multiple implementations:
<ul>
<li>Command line interface</li>
<li>Build plugins (Maven, Ant, etc)</li>
<li>Jenkins plugin</li>
</ul>
</td>
</tr>
<tr>
<td><strong>Approach</strong></td>
<td>Software Bill-of-Materials (SBOM) which can be automatically generated at build-time or obtained from vendors</td>
<td>Scans files on filesystem and extracts evidence with varying degrees of confidence</td>
</tr>
<tr>
<td><strong>Vulnerability intelligence</strong></td>
<td>
<ul>
<li>Precise matching via NVD</li>
<li>Sonatype OSS Index</li>
<li>GitHub Advisories</li>
<li>VulnDB</li>
</ul>
</td>
<td>
<ul>
<li>Fuzzy matching via NVD</li>
<li>Sonatype OSS Index</li>
<li>NPM Audit API</li>
<li>Retire.js</li>
</ul>
</td>
</tr>
<tr>
<td><strong>Outdated version identification</strong></td>
<td>
<ul>
<li>Cargo (Rust)</li>
<li>Composer (PHP)</li>
<li>Hex (Erlang/Elixir)</li>
<li>RubyGems (Ruby)</li>
<li>Maven (Java)</li>
<li>NPM (JavaScript)</li>
<li>NuGet (.NET)</li>
<li>PyPI (Python)</li>
</ul>
</td>
<td>None</td>
</tr>
<tr>
<td><strong>Ecosystems supported</strong></td>
<td>Ecosystem agnostic (all ecosystems supported)</td>
<td>10+ with varying degrees of maturity</td>
</tr>
<tr>
<td><strong>Reporting</strong></td>
<td>Dynamic intelligence and metrics delivered via REST API or web interface</td>
<td>Per-project statically generated HTML, XML, JSON, and CSV reports</td>
</tr>
<tr>
<td><strong>License support</strong></td>
<td>Resolves over 500 SPDX license IDs as well as supporting unresolved license names</td>
<td>Unresolved license names as evidence</td>
</tr>
<tr>
<td><strong>Jenkins plugin</strong></td>
<td>Yes (bidirectional)</td>
<td>Yes (unidirectional)</td>
</tr>
<tr>
<td><strong>Sonarqube plugin</strong></td>
<td>No</td>
<td>Yes</td>
</tr>
<tr>
<td><strong>Vulnerability aggregation</strong></td>
<td>
<ul>
<li>CodeDx (vendor supported)</li>
<li>Defect Dojo (vendor supported)</li>
<li>Kenna Security (natively supported)</li>
<li>Fortify SSC (natively supported)</li>
<li>Security Compass (vendor supported)</li>
<li>ThreadFix (vendor supported)</li>
</ul>
</td>
<td>
<ul>
<li>CodeDx (vendor supported)</li>
<li>Defect Dojo (vendor supported)</li>
<li>Nucleus Security (vendor supported)</li>
<li>Orchestron (vendor supported)</li>
<li>Security Compass (vendor supported)</li>
<li>ThreadFix (vendor supported)</li>
<li>ZeroNorth (vendor supported)</li>
</ul>
</td>
</tr>
<tr>
<td><strong>Notification support</strong></td>
<td>
<ul>
<li>Slack</li>
<li>Microsoft Teams</li>
<li>Mattermost</li>
<li>Cisco WebEx</li>
<li>Webhooks</li>
<li>Email</li>
<li>Jira</li>
</ul>
</td>
<td>None</td>
</tr>
<tr>
<td><strong>Auditing</strong></td>
<td>Per-project and global auditing workflow supporting analysis decisions, comments, and suppressions that are captured and tracked in a per-finding audit log</td>
<td>Suppression file with support for CPE, filename, and regex pattern matching</td>
</tr>
<tr>
<td><strong>Private vulnerability repository</strong></td>
<td>Yes</td>
<td>No</td>
</tr>
<tr>
<td><strong>Perspectives</strong></td>
<td>
<ul>
<li>Portfolio of projects (applications, services, devices, etc)</li>
<li>Project</li>
<li>Dependency</li>
<li>Component</li>
<li>Vulnerability</li>
<li>License</li>
</ul>
</td>
<td>
<ul>
<li>Project</li>
<li>Dependency</li>
<li>Vulnerability</li>
</ul>
</td>
</tr>
</tbody>
</table>