Install and set up vulnerability analysis tool
This article describes two tools used for vulnerability analysis, Dependency Track and the OSV API, and covers installation, execution and troubleshooting.
Recommended order: do a quick lookup with the OSV API first, then set up continuous monitoring with Dependency Track.
Install and run Dependency Track
Dependency Track is an open source tool that automatically scans for vulnerabilities and displays them on a dashboard when you upload an SBOM. The initial NVD data synchronization takes 10 to 30 minutes, so when working through this as self-study, start it in advance.
Docker Compose file (docker-compose.yml):
```yaml
version: '3'
services:
  dtrack-apiserver:
    image: dependencytrack/apiserver:latest
    ports:
      - '8080:8080'
    volumes:
      - dtrack-data:/data
    environment:
      - ALPINE_DATABASE_MODE=internal
  dtrack-frontend:
    image: dependencytrack/frontend:latest
    ports:
      - '8081:8080'
    environment:
      - API_BASE_URL=http://localhost:8080
volumes:
  dtrack-data:
```
Execution:
```sh
# after saving docker-compose.yml
docker compose up -d
# wait for initialization (3-5 min)
# access: http://localhost:8081
# initial account: admin / admin (must be changed)
```
SBOM upload and vulnerability scan steps:
- Projects menu → Create Project (enter a name and version)
- Click the created project → Components tab
- Click the Upload BOM button
- Select output/sbom/sbom.cdx.json and upload
- Check the results in the Vulnerabilities tab (analysis takes 1-2 minutes)
Fast lookup with the OSV API (without Dependency Track)
OSV is an open source vulnerability database operated by Google. You can look up vulnerabilities in a specific package with a single curl command, without Docker.
Check a specific package for vulnerabilities:
```sh
# query vulnerabilities for log4j-core 2.14.1
curl -X POST https://api.osv.dev/v1/query \
  -H "Content-Type: application/json" \
  -d '{
    "package": {
      "name": "log4j-core",
      "ecosystem": "Maven"
    },
    "version": "2.14.1"
  }'
```
Batch query (multiple packages at once):
```sh
curl -X POST https://api.osv.dev/v1/querybatch \
  -H "Content-Type: application/json" \
  -d '{
    "queries": [
      {"package": {"name": "log4j-core", "ecosystem": "Maven"}, "version": "2.14.1"},
      {"package": {"name": "requests", "ecosystem": "PyPI"}, "version": "2.25.0"}
    ]
  }'
```
The vulnerability-analyst agent automatically reads the CycloneDX SBOM files in output/sbom/, queries the OSV API for each component and organizes the results into a report, so there is no need to run the curl commands by hand.
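The SBOM-to-OSV flow the agent performs, written out as an added example (this is not the agent's own code or the OSV project's). It reads a CycloneDX document, checks the bomFormat field the troubleshooting table refers to, builds one querybatch payload from the component purls and turns the response into a per-component report; the SBOM fragment and the response are constructed here so it runs offline, and the vulnerability ids in the constructed response are placeholders.

```python
import json
import urllib.request

OSV_BATCH_URL = "https://api.osv.dev/v1/querybatch"

# Constructed CycloneDX fragment standing in for output/sbom/sbom.cdx.json.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"name": "requests", "version": "2.25.0",
         "purl": "pkg:pypi/requests@2.25.0"},
        {"name": "internal-lib", "version": "1.0"},  # no purl: cannot be queried
    ],
}

# Constructed querybatch-shaped response; ids are placeholders, not real OSV ids.
SAMPLE_RESPONSE = {"results": [
    {"vulns": [{"id": "EXAMPLE-0002"}, {"id": "EXAMPLE-0001"}]},
    {"vulns": []},
]}

def load_components(sbom):
    """Reject non-CycloneDX input (missing bomFormat is the upload-error cause in the table)."""
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM: bomFormat field missing or wrong")
    return [c for c in sbom.get("components", []) if c.get("purl")]

def build_batch_query(components):
    """OSV querybatch accepts a purl per query; the version is carried inside the purl."""
    return {"queries": [{"package": {"purl": c["purl"]}} for c in components]}

def summarize(components, response):
    """Results come back in query order, so pair them positionally with the components."""
    report = []
    for comp, result in zip(components, response.get("results", [])):
        ids = sorted(v["id"] for v in result.get("vulns", []))
        report.append({"purl": comp["purl"], "count": len(ids), "ids": ids})
    return report

def query_osv(payload, url=OSV_BATCH_URL):
    """Live lookup against the endpoint used by the curl examples above."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

if __name__ == "__main__":
    comps = load_components(SAMPLE_SBOM)
    print(json.dumps(summarize(comps, query_osv(build_batch_query(comps))), indent=2))
```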
Troubleshooting
| Symptoms | Cause | Solution |
|---|---|---|
| Dependency Track not reachable | Still initializing | Wait 3-5 minutes and retry |
| 0 vulnerabilities | NVD data still loading | Wait 10-30 minutes (first run only) |
| OSV API unresponsive | Network problem | Check connectivity with `curl -I https://api.osv.dev` |
| SBOM upload error | File format issue | Check that the file is CycloneDX JSON and that the bomFormat field exists |
| Agent execution error | SBOM file not found | Check that a .cdx.json file exists in output/sbom/ |