
Dependency Track
Application Security- Overview
- Setup
- Data & mappings
- Operations & API
- Changelog
The Dependency Track Connector integrates with OWASP Dependency-Track, an open-source software composition analysis (SCA) platform. It connects to a Dependency-Track instance over its REST API to synchronize projects, their software components (the SBOM), the installed-package relationships between components and projects, and the vulnerabilities affecting those components. The data is mapped into the Brinqa Unified Data Model (UDM) so that code projects, packages, open-source findings, and finding definitions can be analyzed alongside the rest of your security data.
Data retrieved from Dependency Track
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Project | Yes | CODE_PROJECT |
| Installed Package | Yes | INSTALLED_PACKAGE |
| Component | Yes | PACKAGE |
| Vulnerability | Yes | OPEN_SOURCE_FINDING |
| Vulnerability Definition | Yes | OPEN_SOURCE_FINDING_DEFINITION |
Model relationships
For detailed steps on how to view the data retrieved from Dependency Track in the Brinqa Platform, see How to view your data.
Connection settings
When setting up a data integration, select Dependency Track from the Connector dropdown and provide the following:
| Setting | Required | Default | Description |
|---|---|---|---|
| API URL | Yes | http://localhost:8080 | Dependency Track API URL |
| API key | Yes | — | Dependency Track API key |
| Page size | No | 100 | Maximum number of records to get per API request |
| Maximum retries | No | 5 | The maximum number of retry attempts before giving up a request |
| Parallel requests | No | min(4, available CPU cores) | Maximum number of parallel API requests |
| SSL / TLS | No | false | Skip certificate verification |
Authentication
Dependency-Track uses API Key authentication. An API key is generated in Dependency-Track for a team and supplied to the connector through the confidential apiKey configuration property. The connector sends the key on every request in the X-Api-Key header; there is no token-exchange or login step.
Connectivity Test / Validation Endpoint
On configuration test the connector issues a single small paged request to verify the URL and key:
| Method | URL |
|---|---|
GET | {url}/api/v1/project?pageNumber=1&pageSize=1 |
Request Headers
| Header | Value |
|---|---|
X-Api-Key | The configured Dependency-Track API key |
Content-Type | application/json |
User-Agent | BrinqaDependencyConnector/{version} |
Sample Response
A successful test returns HTTP 200 with a JSON array of project records, for example:
[
{
"uuid": "b1d2e3f4-5678-90ab-cdef-1234567890ab",
"name": "example-service",
"version": "1.4.0",
"classifier": "APPLICATION",
"active": true,
"lastBomImport": 1717977600000
}
]
Credential Usage in Subsequent Requests
The same X-Api-Key header is attached to every subsequent data-sync request (projects, components, and vulnerabilities). The key is stored as a confidential, guarded value and is never written to logs or to this document.
How to obtain Dependency Track credentials
Obtain the required credentials (url, apiKey) from your Dependency Track administrator or the Dependency Track admin console, then enter them in the connection settings above.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes:
Project
| Source Field Name | SDM Attribute |
|---|---|
Constant code-repository plus Project.classifier | CATEGORIES |
Project.active | STATUS |
Project.description | DESCRIPTION |
Project.externalReferences[].url | REFERENCES |
Project.isLatest | IS_LATEST |
Project.lastBomImport | LAST_BOM_IMPORT |
Project.lastBomImportFormat | LAST_BOM_FORMAT |
Project.lastInheritedRiskScore | LAST_INHERITED_RISK_SCORE |
Project.lastVulnerabilityAnalysis | LAST_VULNERABILITY_ANALYSIS |
Project.name (falls back to UUID) | NAME |
Project.purl | PURL |
Project.tags[].name | TAGS |
Project.uuid | UID |
Project.version | VERSION |
Installed Package
| Source Field Name | SDM Attribute |
|---|---|
Component.uuid | TYPE |
Generated (MD5 of project UUID + component UUID) | UID |
| Project UUID | PROJECTS |
Component
| Source Field Name | SDM Attribute |
|---|---|
(schema attribute) | PROJECTS |
Component.externalReferences[].url | REFERENCES |
Component.licenseExpression | LICENSES |
Component.name (falls back to UUID) | NAME |
Component.purl | PURL |
Component.repositoryMeta.lastCheck | REPOSITORY_LAST_CHECK_DATE |
Component.repositoryMeta.latestVersion | REPOSITORY_LATEST_VERSION |
Component.repositoryMeta.name | REPOSITORY_NAME |
Component.repositoryMeta.namespace | REPOSITORY_NAMESPACE |
Component.repositoryMeta.published | REPOSITORY_PUBLISHED_DATE |
Component.repositoryMeta.repositoryType | REPOSITORY_TYPE |
Component.sha1 | SHA1 |
Component.uuid | UID |
Component.version | VERSION |
Constant package plus Component.classifier | CATEGORIES |
Vulnerability
| Source Field Name | SDM Attribute |
|---|---|
| Constant ACTIVE | PROVIDER_STATUS |
Generated (MD5 of project UUID + component UUID + vulnerability UUID) | UID |
| Normalized from ACTIVE | SOURCE_STATUS |
| Project UUID and component UUID | TARGETS |
Vulnerability.vulnId | TYPE |
Vulnerability Definition
| Source Field Name | SDM Attribute |
|---|---|
| Computed from normalized severity | SEVERITY_SCORE |
| Decomposed from the CVSS v2 / v3 vector strings | CVSS metric attributes |
Normalized from Vulnerability.severity | SEVERITY |
Vulnerability.cvssV2BaseScore | CVSS_V2_BASE_SCORE |
Vulnerability.cvssV2Vector | CVSS_V2_VECTOR |
Vulnerability.cvssV3BaseScore | CVSS_V3_BASE_SCORE |
Vulnerability.cvssV3Vector | CVSS_V3_VECTOR |
Vulnerability.cwes (prefixed CWE-) | CWE_IDS |
Vulnerability.cwes (prefixed CWE-) | WEAKNESSES |
Vulnerability.description | DESCRIPTION |
Vulnerability.epssPercentile | EPSS_PERCENTILE |
Vulnerability.epssScore | EPSS_SCORE |
Vulnerability.published | PUBLISHED_DATE |
Vulnerability.references | REFERENCES |
Vulnerability.severity | SOURCE_SEVERITY |
Vulnerability.updated | SOURCE_LAST_MODIFIED |
Vulnerability.vulnId | UID |
Vulnerability.vulnId | NAME |
Vulnerability.vulnId | CVE_IDS |
Vulnerability.vulnId | CVE_RECORDS |
Operations & API
Expand each connector object to see its operation options, delta-sync behavior, and the API it uses. See connector operation options for how to apply operation options (keys and values are case-sensitive).
Project
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint · Endpoint:
GET /api/v1/project
Installed Package
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint · Endpoint:
GET /api/v1/component/project/{projectUuid}
Component
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint · Endpoint:
GET /api/v1/component/project/{projectUuid}
Vulnerability
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint · Endpoint:
GET /api/v1/vulnerability/component/{componentUuid}
Vulnerability Definition
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint · Endpoint:
GET /api/v1/vulnerability/component/{componentUuid}
Changelog
The Dependency Track connector has undergone the following changes:
| Version | Description | Migration Steps |
|---|---|---|
| 3.0.0 | Overview The Dependency Track connector integrates with OWASP Dependency-Track to synchronize software composition analysis (SCA) data, including projects, installed packages, components, and their associated vulnerabilities. It maps this data into the Brinqa Unified Data Model so teams can track open-source risk across their applications. Category: Application Security Models | N/A |