惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

The Register - Security
The Register - Security
云风的 BLOG
云风的 BLOG
U
Unit 42
F
Fortinet All Blogs
The GitHub Blog
The GitHub Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
D
Docker
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
S
Secure Thoughts
Hacker News: Ask HN
Hacker News: Ask HN
Vercel News
Vercel News
S
Security @ Cisco Blogs
GbyAI
GbyAI
Stack Overflow Blog
Stack Overflow Blog
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
I
Intezer
MongoDB | Blog
MongoDB | Blog
AI
AI
MyScale Blog
MyScale Blog
Engineering at Meta
Engineering at Meta
Y
Y Combinator Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
P
Proofpoint News Feed
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
W
WeLiveSecurity
博客园 - 叶小钗
S
SegmentFault 最新的问题
N
News | PayPal Newsroom
WordPress大学
WordPress大学
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
D
DataBreaches.Net
小众软件
小众软件
Microsoft Azure Blog
Microsoft Azure Blog
Spread Privacy
Spread Privacy
H
Help Net Security
美团技术团队
博客园 - 司徒正美
T
Threat Research - Cisco Blogs
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
K
Kaspersky official blog
Application and Cybersecurity Blog
Application and Cybersecurity Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
V
Vulnerabilities – Threatpost
TaoSecurity Blog
TaoSecurity Blog
N
Netflix TechBlog - Medium
L
Lohrmann on Cybersecurity
J
Java Code Geeks
量子位
Martin Fowler
Martin Fowler
博客园_首页

OWASP

Aikido and OWASP bring agentic Code Audit to the global AppSec community | OWASP Foundation Community update regarding Richard Greenberg | OWASP Foundation Juice Shop v20.0.0 — a fresh squeeze of features, now with AI | OWASP Foundation Welcome to the Google Summer of Code 2026! | OWASP Foundation OWASP Foundation Unveils Its Strategic Plan for a World Without Insecure Software | OWASP Foundation The OWASP Foundation appoints Missie Lindsey as Director of Corporate Relations | OWASP Foundation Bridging the Gap in Product Lifecycle Management: How OpenEoX and CLE Work Together | OWASP Foundation Announcing the Retirement of OWASP Meetup Platform | OWASP Foundation The OWASP Foundation appoints Stacey Ebbs as Communications & Marketing Manager | OWASP Foundation OWASP Certified Secure Software Developer | OWASP Foundation GSoC 2025 Recap | OWASP Foundation OWASP Top 10 Community Survey | OWASP Foundation OWASP Elections 2025 - Become a member today! | OWASP Foundation Help Support Sherif Mansour by donating blood today! | OWASP Foundation cdxgen and CycloneDX .NET Join GitHub Secure Open Source Fund | OWASP Foundation InfoSecMap x OWASP Collaboration | OWASP Foundation OWASP x Google Summer of Code 2025 - Enabling 15 opportunities for impact | OWASP Foundation OWASP Enables AI Regulation That Works with OWASP AI Exchange | OWASP Foundation OWASP Calls to Build a Unified Framework for Global Vulnerability Intelligence | OWASP Foundation ASVS 5.0 RC1 is ready for your review! | OWASP Foundation OWASP Education and Training Committee update | OWASP Foundation Committees Advisory on Software Bill of Materials and Real-time Vulnerability Monitoring for Open-Source Software and Third-Party Dependencies | OWASP Foundation OWASP Juice Shop leadership changes & contributor recognition | OWASP Foundation Lifecycle events are part of the secure supply chain | OWASP Foundation More than a Password Day 2024 | OWASP Foundation A workaround for OWASP Foundation emails being blocked by Microsoft Office 365 | OWASP Foundation Securing React Native Mobile Apps with OWASP MAS | OWASP Foundation
OWASP Dependency-Track 5.0 Is Now Generally Available | OWASP Foundation
2026-06-09 · via OWASP
image

Tuesday, June 9, 2026

The largest redesign in the project’s history brings horizontal scaling, fault tolerance, and software supply chain integrity verification to the widely used open source platform.


[Wilmington, DE], June 3, 2026. OWASP Dependency-Track, the open source platform that organizations use to identify and reduce risk in the software supply chain, today announced the general availability of version 5.0. Developed under the codename Hyades, v5 is the most extensive redesign since the platform’s inception. It rebuilds how Dependency-Track scales, survives failure, and reasons about risk, while keeping the workflows teams already rely on.

Version 4 ran as a single API server that held its work queue in memory and its search index on local disk. That shape served smaller deployments well, but it limited any team that needed high availability, predictable resource usage, or clean recovery after a crash. Version 5 targets those limits directly. The platform now scales out, keeps working when individual instances fail, and standardizes on a single mature database engine. Smaller deployments gain the same guarantees with no added complexity.

Those guarantees already hold up in the field. Early adopters running the v5 alphas have ingested upwards of 20,000 SBOMs per hour, and some organizations now operate single v5 instances holding more than 250,000 SBOMs representing tens of millions of software components. Throughput and portfolio sizes at that level put Dependency-Track firmly in enterprise territory.


🛍️ Highlights of Dependency-Track 5.0

  • Horizontal scaling and active/active high availability. Stateless API server instances coordinate through PostgreSQL alone, with no message broker and no peer to peer networking, so a cluster can span availability zones and scale up or down without reconfiguration.

  • Processing that survives crashes. An embedded durable execution engine resumes bill of materials processing, vulnerability analysis, and notification delivery from the exact step they reached, and retries failed steps automatically with backoff instead of waiting for someone to trigger them again.

  • Software supply chain integrity verification. Dependency-Track now flags components whose published hashes do not match what the upstream package registry served, catching typosquatting and registry side tampering, a class of attack that v4 left to tools further down the pipeline.

  • Smarter, expression based policies. A new policy engine built on Common Expression Language (CEL) powers component policies, vulnerability policies that can automatically audit or suppress findings before they reach analysts, and notification filters that can match on any field of an event, such as firing only at or above a chosen severity.

  • One database, fewer failure modes. v5 standardizes on PostgreSQL and moves search, caching, and metrics into the database. The local search index disappears, along with the index corruption and disk space failures that came with it, and metrics become a proper time series with bounded retention.

  • Built for operations. A dedicated management endpoint exposes Prometheus metrics and Kubernetes style liveness and readiness probes on their own port, integration secrets are centralized behind a pluggable provider for easier rotation and audit, and pluggable file storage supports shared volumes or S3 compatible object storage.

  • Governance and data lifecycle. Portfolio access control graduates out of beta with bounded overhead at scale, and configurable retention keeps inactive project versions and time series metrics from growing without bound.


What it means for security leaders

For security leaders, v5 turns Dependency-Track into infrastructure they can depend on at enterprise scale. The strategic value is less about any single feature than about what a platform at this scale makes possible.

Regulation is turning software inventory from good practice into legal obligation. Under the EU Cyber Resilience Act, manufacturers of products with digital elements must produce and maintain a machine readable SBOM, with core obligations phasing in through December 2027 and vulnerability reporting duties arriving sooner. Satisfying that across a real product portfolio means keeping a complete and continuously updated inventory, not a periodic sample. v5 is built to hold exactly that, at the scale where compliance has to operate.

The same foundation reaches well beyond software. A platform that already tracks millions of components is the natural place to inventory everything else an organization ships and runs, including hardware, AI and machine learning models, and the cryptography embedded across its products.

“Dependency-Track has always been about making software bill of materials analysis practical for everyone, and v5 is about making it dependable at any scale, from a single team to enterprise portfolios of hundreds of thousands of projects,” said Steve Springett, founder and project co-lead of OWASP Dependency-Track. “We rebuilt the engine so the platform stays up, never silently loses work, and gives teams stronger guarantees about the integrity of what they ship, without losing the openness that made the project what it is.”

The strategic premise underneath all of it is simple: an organization cannot assess, prioritize, or reduce risk in what it has not inventoried. By making a complete and current component inventory feasible at enterprise scale, v5 gives security and risk teams the foundation that every downstream assessment depends on, whether regulatory, vulnerability, license, cryptographic, or supply chain.


What it means for existing v4 users

Existing Dependency-Track 4.x deployments continue to receive security and high severity fixes on the 4.14.x line for at least roughly six months after this release. v5 does not upgrade in place: it runs on its own PostgreSQL cluster and ingests v4 data through an offline, one time migrator, so teams should plan a maintenance window.

Operators should note the headline breaking changes. PostgreSQL is now the only supported database, replacing H2, MySQL, and Microsoft SQL Server. Notification payloads move to Protobuf, so existing templates need updating. The REST API enforces pagination by default and changes some response schemas. The bundled container image and the executable WAR are discontinued in favor of separate API server and frontend container images. Lucene based fuzzy vulnerability matching is removed. Full upgrade and migration guides, including a rehearsal procedure and a parallel run option, are available in the documentation.

“This release was two years in the making, and not a line of it happened in isolation,” said Niklas Düster, co-leader of OWASP Dependency-Track and lead architect of v5. “Countless individuals and organizations contributed code, infrastructure, funding, and feedback, and many ran the early builds in production so we could scale v5 against real workloads. We are deeply grateful to every one of them. Dependency-Track v5 is a community effort, and it shows.” —

Availability

Dependency-Track 5.0 is available now as container images from Docker Hub and the GitHub Container Registry. Documentation, upgrade guides, and the v4 to v5 migration procedure are published at the project documentation site. Dependency-Track is free and open source under the OWASP Foundation. —

About OWASP Dependency-Track

OWASP Dependency-Track is an OWASP flagship project and an intelligent component analysis platform that helps organizations identify and reduce risk in the software supply chain. It consumes software bill of materials (SBOM) data, including the CycloneDX standard, continuously monitors components for newly disclosed vulnerabilities and policy violations, and integrates with the tools that security and development teams already use. Learn more at dependencytrack.org.

About OWASP

The OWASP Foundation is a nonprofit organization that works to improve the security of software. Through community-led open source software projects, over 260 local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web. For nearly two decades, corporations, foundations, developers, and volunteers have supported the OWASP Foundation and its work. To learn more or to become a member, visit owasp.org.