We use CMake which is supported by Dependency Check. What am I misunderstanding?
The misreading I'm referring to is your statement "Dependency Track only seems to pick up dependencies from builds which isn't going to work for us", as picking up dependencies from builds is precisely NOT what DependencyTrack is all about and *mostly* what DependencyCheck is all about.
For your stated use-case: "Is there a way of manually setting up a list of dependencies?" DependencyTrack is the perfect fit. When you code the 'manually setting up a list of dependencies' in the format of a CycloneDX bill-of-materials file you can feed that into DependencyTrack and it will allow you to both list and monitor over time the vulnerabilities in those dependencies.
For DependencyTrack there are various tools that can create the CycloneDX bill-of-materials for you as part of your build, but the core functionality of DependencyTrack is to consume a bill-of-materials from any source and then evaluate the composite for presence of vulnerable components.
The unfortunate part is that (according to Google's results for me) there doesn't appear to be a tool to create CycloneDX or SPDX bill-of-materials from CMake (or Yocto), but a 'created by hand' list of dependencies in the CycloneDX or SPDX format will allow you to import it into DependencyTrack for evaluation and monitoring of vulnerable dependencies.
For integration into the build, DependencyCheck is a great tool, assuming that there is support with a reasonable false-positive as well as false-negative rate in DependencyCheck for all the tools you use.
regards,
Hans
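
A hand-maintained dependency list written out as a CycloneDX JSON bill-of-materials, as an added example that is not part of the original message. The dependency names, versions, CPE strings and the `bom.json` output name are constructed for illustration; components carrying neither a `cpe` nor a `purl` are reported, on the assumption that a matcher has little to go on without one.

```python
import json
import uuid

# Constructed sample input: a manually maintained dependency list for a
# CMake-built project. Entries are illustrative, not taken from the thread.
MANUAL_DEPS = [
    {"name": "zlib", "version": "1.2.11",
     "cpe": "cpe:2.3:a:zlib:zlib:1.2.11:*:*:*:*:*:*:*"},
    {"name": "openssl", "version": "1.1.1k",
     "cpe": "cpe:2.3:a:openssl:openssl:1.1.1k:*:*:*:*:*:*:*"},
    {"name": "internal-utils", "version": "0.3.0"},  # no public identifier
]


def build_bom(deps, spec_version="1.4"):
    """Return (CycloneDX BOM dict, names of components lacking cpe/purl)."""
    components, unidentified, seen = [], [], set()
    for dep in deps:
        name, version = dep.get("name"), dep.get("version")
        if not name or not version:
            raise ValueError(f"dependency needs name and version: {dep!r}")
        if (name, version) in seen:  # drop exact duplicates from the list
            continue
        seen.add((name, version))
        comp = {"type": "library", "name": name, "version": version}
        for ident in ("cpe", "purl"):  # optional identifiers used for matching
            if dep.get(ident):
                comp[ident] = dep[ident]
        if "cpe" not in comp and "purl" not in comp:
            unidentified.append(name)
        components.append(comp)
    bom = {
        "bomFormat": "CycloneDX",
        "specVersion": spec_version,
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "components": components,
    }
    return bom, unidentified


if __name__ == "__main__":
    bom, unidentified = build_bom(MANUAL_DEPS)
    with open("bom.json", "w") as fh:
        json.dump(bom, fh, indent=2)
    print("components without cpe/purl:", unidentified)
```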