
Document Outbound External Connections

Open leec94 opened this issue 1 year ago • 2 comments

Current Behavior

Dependency Track currently reaches out to various APIs to gather vulnerability data and to package managers for detailed component information. For certain deployments, it would be helpful to have a list of the outbound connections so access can be properly restricted.

Currently Dependency Track reaches out to the following:

Integrates with multiple sources of vulnerability intelligence including:

Ecosystem agnostic with built-in repository support for:

  • Cargo (Rust)
  • Composer (PHP)
  • Gems (Ruby)
  • Hex (Erlang/Elixir)
  • Maven (Java)
  • NPM (Javascript)
  • CPAN (Perl)
  • NuGet (.NET)
  • PyPI (Python)

From README: https://github.com/DependencyTrack/dependency-track?tab=readme-ov-file#features

Proposed Behavior

Documentation provides a list of outbound connections from Dependency Track so access can be properly restricted.

This issue would help provision Dependency Track in private network environments where network policy needs to be updated to allow for outbound connections.


leec94 avatar Oct 08 '24 15:10 leec94

This is already documented in services.bom.json, which gets merged with DT's SBOM during release, so it's also included here: https://github.com/DependencyTrack/dependency-track/releases/download/4.12.0/bom.json

nscuro avatar Oct 09 '24 13:10 nscuro
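For anyone who wants to turn that file into an actual egress rule set rather than read it by hand: the merged release SBOM is CycloneDX JSON, so the destinations can be pulled out of its `services[].endpoints` entries and reduced to host:port pairs. The script below is an added example, not Dependency-Track's own code. It assumes the `services.bom.json` content ends up in the top-level `services` array of the release `bom.json`; the embedded BOM is a constructed sample with hypothetical hostnames, not the project's real endpoint list.

```python
"""Derive an egress allowlist from the `services` section of a CycloneDX SBOM.

Added example, not Dependency-Track's own code. Feed it the bom.json attached
to a release (assumed to carry services.bom.json in its `services` array);
the SAMPLE_BOM below is a constructed stand-in with hypothetical hosts.
"""
import json
import sys
from urllib.parse import urlsplit

# Only http(s) endpoints are turned into rules; anything else is skipped, not guessed.
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample BOM: hostnames are hypothetical, not Dependency-Track's.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "services": [
        {
            "bom-ref": "vuln-feed",
            "name": "Example vulnerability feed",
            "endpoints": [
                "https://vuln-feed.example.net/api/v1/cves",
                "https://vuln-feed.example.net/api/v1/cpes",
            ],
        },
        {
            "bom-ref": "pkg-registry",
            "name": "Example package registry on a non-default port",
            "endpoints": ["https://registry.example.org:8443/-/v1/search"],
        },
        {
            "bom-ref": "telemetry",
            "name": "Example plain-HTTP service plus a malformed entry",
            "endpoints": ["http://telemetry.example.com/ingest", "not a url"],
        },
    ],
}


def egress_targets(bom: dict) -> dict[str, set[int]]:
    """Map each destination host to the set of TCP ports its endpoints use.

    Only `services[].endpoints` are consulted: those describe what the running
    application connects to. Component `externalReferences` (project websites,
    VCS links) are metadata about dependencies, not runtime destinations.
    """
    targets: dict[str, set[int]] = {}
    for service in bom.get("services", []):
        for endpoint in service.get("endpoints", []):
            parts = urlsplit(endpoint)
            if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
                continue  # non-http(s) or unparseable: leave it out rather than invent a rule
            port = parts.port or DEFAULT_PORTS[parts.scheme]
            targets.setdefault(parts.hostname, set()).add(port)
    return targets


def allowlist_lines(targets: dict[str, set[int]]) -> list[str]:
    """Render sorted host:port pairs, ready for a proxy or firewall allowlist."""
    return [f"{host}:{port}" for host in sorted(targets) for port in sorted(targets[host])]


def main(argv: list[str]) -> None:
    # Usage: python egress_from_bom.py bom.json   (falls back to the constructed sample)
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            bom = json.load(fh)
    else:
        bom = SAMPLE_BOM
    print("\n".join(allowlist_lines(egress_targets(bom))))


if __name__ == "__main__":
    main(sys.argv)
```

Two caveats when using the output as a hardening baseline: the shipped SBOM can only describe destinations the release itself knows about, so anything you configure per deployment (additional repositories, your own integrations) has to be added to the allowlist separately, and the script deliberately drops entries it cannot parse as http(s) URLs instead of inventing a rule for them, so check the input file for such lines by hand.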

That's great! Maybe this could be added as an FAQ item, then pointed to the services.bom.json file? It didn't seem clear that this information was available when searching for it.

leec94 avatar Oct 09 '24 14:10 leec94

> This is already documented in services.bom.json, which gets merged with DT's SBOM during release, so it's also included here: https://github.com/DependencyTrack/dependency-track/releases/download/4.12.0/bom.json

Would you be open to a small FAQ entry on the docs site that points admins to

  • services.bom.json (source of truth) and
  • the merged SBOM attached to each release

so they can quickly locate the list when hardening outbound traffic?
Happy to submit a PR if that’s helpful.

dmtkfs avatar May 16 '25 13:05 dmtkfs

@dmtkfs Yeah that would be great!

nscuro avatar May 19 '25 11:05 nscuro

@nscuro Hello, all docs changes done; Codacy and test checks haven’t run because this comes from a fork. Let me know if there’s anything else you need from me. Thanks!

dmtkfs avatar May 20 '25 20:05 dmtkfs

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

github-actions[bot] avatar Jun 22 '25 10:06 github-actions[bot]