Bjarne Rentz

Configure DependencyTrack with Terraform

Dependency management and Software Bills of Materials (SBOMs) are more important than ever. With the upcoming EU Cyber Resilience Act, they are becoming a legal mandate for many organizations. Even beyond compliance, using SBOMs in combination with reproducible builds as your "source of truth" for dependencies is a good security practice.

DependencyTrack is a great tool from OWASP for managing SBOMs and auditing the vulnerabilities of the dependencies you use. DependencyTrack is built around projects. While a project type (e.g., Application, Container Image) is technically just a label, how you structure your projects matters.

I recommend creating a standalone project for each component of your application (e.g., separate projects for your frontend and backend). This separation provides:

  • Contextual Auditing: Vulnerabilities are easier to triage when you know exactly which layer they affect.
  • Statistical Transparency: Clearer metrics on component counts per service.
  • Hierarchical Organization: Better integration with Collection Projects.

Collection Projects allow you to organize projects in a tree-based structure. As an example, for an app My Calendar you can create a parent collection project that aggregates data from its child projects (Frontend and Backend). A collection project cannot contain components of its own; it aggregates them from its child projects according to its configuration.

As you probably already guessed, they are great for structuring multiple apps, each containing multiple components deployed across environments such as dev and prod:

```
- My-Shop
  - Basket Service
    - Basket Service (Dev)
      - Basket Service Frontend (Dev)
      - Basket Service Backend (Dev)
    - Basket Service (Prod)
      - Basket Service Frontend (Prod)
      - Basket Service Backend (Prod)
  - Payment Service
    ...
```

The main hurdle to this granular approach is the manual effort required to set up dozens of nested projects. This is where the DependencyTrack Terraform Provider becomes essential.

The provider automates the creation of nested structures, teams, permissions, and LDAP mappings. If you want to dive straight into a "Product Group" approach (grouping services such as Payment, Basket, and Inventory into a single functional unit), I've developed a Terraform Module to handle the heavy lifting for you.

Even if you don't use my module, you should treat your DependencyTrack configuration as code. Moving away from manual clicks ensures:

  1. Auditability: Every change is tracked in version control.
  2. Disaster Recovery: Easily restore your entire project structure if a database is lost.
  3. Living Documentation: Your HCL files explain the setup better than a "lost" colleague ever could.
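To make the nested structure above and the "configuration as code" idea concrete, here is an added example (my own code, not the post's module or the Terraform provider) that encodes the My-Shop / Basket Service tree as data, validates it, and flattens it into an ordered plan of project-creation payloads with parents strictly before children, which is the same ordering problem a Terraform provider solves with resource references. The tree is constructed for this example; the payload field names (`name`, `version`, `classifier`, `collectionLogic`, `parent.uuid`) follow the DependencyTrack REST API for `PUT /api/v1/project` as I know it, so check them against the OpenAPI spec of your server version; the `create` callable is a stand-in for the HTTP call and is assumed to return the new project's UUID.

```python
"""
Flatten a nested DependencyTrack project tree into an ordered creation plan
(parents before children) and apply it through a pluggable `create` call.
The sample tree mirrors the My-Shop / Basket Service layout from the post
and is constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Payload field names follow the DependencyTrack REST API (PUT /api/v1/project)
# as I know it: name, version, classifier, collectionLogic, parent.uuid.
# Verify them against your server version's OpenAPI specification.


@dataclass
class Project:
    name: str
    version: str = ""
    classifier: str = "APPLICATION"
    # "NONE" = a leaf project that receives SBOM uploads directly;
    # "AGGREGATE_DIRECT_CHILDREN" = a collection project with no own components.
    collection_logic: str = "NONE"
    children: list = field(default_factory=list)


def validate(node: Project, seen: Optional[set] = None) -> list:
    """Return a list of structural problems; an empty list means the tree is sane."""
    problems = []
    seen = set() if seen is None else seen
    key = (node.name, node.version)
    if key in seen:  # DependencyTrack requires name + version to be unique
        problems.append(f"duplicate project {node.name!r} version {node.version!r}")
    seen.add(key)
    if node.collection_logic != "NONE" and not node.children:
        problems.append(f"collection project {node.name!r} has no children to aggregate")
    for child in node.children:
        problems.extend(validate(child, seen))
    return problems


def plan(node: Project, parent_path: Optional[str] = None) -> list:
    """Pre-order flatten: each entry records the path of the parent it depends on."""
    path = node.name if parent_path is None else f"{parent_path}/{node.name}"
    entries = [{
        "path": path,
        "parent_path": parent_path,
        "payload": {
            "name": node.name,
            "version": node.version,
            "classifier": node.classifier,
            "collectionLogic": node.collection_logic,
        },
    }]
    for child in node.children:
        entries.extend(plan(child, path))
    return entries


def apply(root: Project, create: Callable[[dict], str]) -> dict:
    """Create projects in dependency order. `create` stands in for the API call
    and must return the new project's UUID. Returns a path -> uuid mapping."""
    problems = validate(root)
    if problems:
        raise ValueError("; ".join(problems))
    uuids = {}
    for entry in plan(root):
        payload = dict(entry["payload"])
        if entry["parent_path"] is not None:
            # The parent's UUID only exists once the parent has been created,
            # which is why the plan must be applied in pre-order.
            payload["parent"] = {"uuid": uuids[entry["parent_path"]]}
        uuids[entry["path"]] = create(payload)
    return uuids


def example_tree() -> Project:
    """Constructed sample: the My-Shop / Basket Service layout from the post."""
    def env(service: str, env_name: str) -> Project:
        return Project(f"{service} ({env_name})",
                       collection_logic="AGGREGATE_DIRECT_CHILDREN",
                       children=[Project(f"{service} Frontend ({env_name})", version="1.0.0"),
                                 Project(f"{service} Backend ({env_name})", version="1.0.0")])

    basket = Project("Basket Service", collection_logic="AGGREGATE_DIRECT_CHILDREN",
                     children=[env("Basket Service", "Dev"), env("Basket Service", "Prod")])
    return Project("My-Shop", collection_logic="AGGREGATE_DIRECT_CHILDREN", children=[basket])


if __name__ == "__main__":
    # Dry run with a fake `create` that hands out sequential ids instead of calling the API.
    counter = iter(range(1, 1000))
    created = apply(example_tree(), lambda payload: f"uuid-{next(counter)}")
    for path, uuid in created.items():
        print(uuid, path)
```

Running the script performs a dry run and prints one line per project in creation order; swapping the lambda for a real client that sends the payload with your `X-Api-Key` header turns the plan into actual projects. The `validate` step is the part worth keeping even if you use Terraform: a collection project with no children, or a duplicated name/version pair, is exactly the kind of mistake that is cheap to catch in review and tedious to untangle in the UI afterwards.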
