
different enhancements possible

Open redaabdellah21 opened this issue 2 years ago • 3 comments

The enhancement may already be reported! Please search for the enhancement before creating one.

Current Behavior:

1- Components page is empty until you search.
2- Vulnerabilities order in the vulnerabilities page.
3- Alert mail lists have to be written by hand.
4- Uploading a BOM deletes every component that already exists.
5- The "show inactive projects" button has to be activated each time you come back to the projects page.

Proposed Behavior:

1- Show all components and filter by search, like the projects page.
2- Order vulnerabilities by severity or the number of affected projects in the vulnerabilities page.
3- Get the mails from the users mapped to the project associated with the alert.
4- Auto merge the existing components with the new BOM.
5- Once the button is activated it should stay like that until deactivated.

What would be an amazing update is to propose CPEs, SWIDs, PURLs when trying to add a component, so the user can type in the input and it will give suggestions. I know that it would need more database tables, storage and getting all CPEs that exist, but sometimes it is hard for normal users to find the right CPE of a component.

redaabdellah21 avatar May 10 '22 09:05 redaabdellah21

> show all components and filter by search, like the projects page.

Not possible. We removed the global object model in DT 4.0 and as a result you would end up with multiple components with the same identity in the list.

> auto merge the existing components with the new BOM.

I think this violates the basic use case which is that SBOM is an assertion of fact. If we append and never drop components off, the inventory will get out of sync with reality. There's a ticket open for DT to support merging multiple BOMs on upload. Search for that ticket if you're interested.

> order vulnerabilities by severity or the number of affected projects in the vulnerabilities page.

I think there's already a ticket open for this.

> get the mails from the users mapped to the project associated with the alert.

What does this mean? Can you clarify?

> once the button activated it should stay like that until deactivated.

Can you clarify? What button and what context?

> sometimes it is hard for normal users to find the right CPE of a component.

Agreed. It's hard even when you have the data as the CPE dictionary is an utter mess.

stevespringett avatar May 10 '22 16:05 stevespringett
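To make the "SBOM is an assertion of fact" point concrete, here is an added Python example (not Dependency-Track's own code) that reconciles a constructed CycloneDX-style BOM against an existing inventory under both semantics: replace (the uploaded BOM is the inventory) versus append-and-never-drop. The identity rule (PURL when present, otherwise name@version) and the sample components are assumptions made for this example.

```python
import json
from typing import Dict, List, Set

# Constructed sample inventory: what the project currently holds in the tracker.
EXISTING_INVENTORY: List[dict] = [
    {"name": "jackson-databind", "version": "2.9.8",
     "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8"},
    {"name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
]

# Constructed sample upload: a minimal CycloneDX-style BOM (only identity fields kept).
# The build upgraded jackson-databind and dropped log4j-core entirely.
NEW_BOM_JSON: str = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "jackson-databind", "version": "2.13.3",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.3"},
        {"type": "library", "name": "spring-core", "version": "5.3.20",
         "purl": "pkg:maven/org.springframework/spring-core@5.3.20"},
    ],
})


def identity(component: dict) -> str:
    """Identity key: PURL if present, else name@version (assumption for this example)."""
    return component.get("purl") or f"{component['name']}@{component.get('version', '')}"


def load_components(bom_json: str) -> List[dict]:
    """Pull the component list out of a CycloneDX JSON document."""
    return json.loads(bom_json).get("components", [])


def replace_inventory(bom_components: List[dict]) -> Dict[str, dict]:
    """Replace semantics: the uploaded BOM *is* the inventory; stale entries vanish."""
    return {identity(c): c for c in bom_components}


def append_inventory(existing: List[dict], bom_components: List[dict]) -> Dict[str, dict]:
    """Append semantics (the proposed 'auto merge'): nothing is ever dropped,
    so components no longer in the build keep producing findings."""
    merged = {identity(c): c for c in existing}
    merged.update({identity(c): c for c in bom_components})
    return merged


def reconcile_report(existing: List[dict], bom_components: List[dict]) -> Dict[str, Set[str]]:
    """What an upload would add, drop and keep; useful to review before accepting it."""
    old = {identity(c) for c in existing}
    new = {identity(c) for c in bom_components}
    return {"added": new - old, "dropped": old - new, "unchanged": old & new}
```

Running `reconcile_report` before an upload shows exactly which components replace semantics will drop, which is the review step a team would want instead of silently merging.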

Thank you for your response, and sorry for getting back to you late.

  • To order vulnerabilities by severity and project number should be easy, you only need to make "sortable" true (works for the severity but not the project number, can't understand why).

  • For the mailing problem, what I mean is that when you create an alert and assign it to a project, you have to add the mailing list manually. A good thing to do is to go see the users working on the project, get their mails, and add them to the mailing list automatically. This way, if we have many users, we would not have to enter their mails one by one, and if we take a user off a project, we might forget to take his mail off the alert. Another (and for me more optimal) solution can be: add an alert option in the project details; when you activate it you will only have to choose the alerts you want to send about this particular project, and it will get the users working on it and send alerts to their mails.

  • I am talking about the toggle button: if you turn it on (show inactive projects), every time you refresh the page it will turn off.

  • I am working on a project where we need to show only the vulnerabilities and components that concern our projects, then show the projects affected.

  • We also want to add a button to upload the tables in a CSV file. We will be glad to contribute if these changes go well with the direction of DT.

redaabdellah21 avatar May 12 '22 08:05 redaabdellah21

  • The mail proposal could be tackled by my proposal here; it might need an option to inform the complete team, which in my opinion is rarely a good idea, but at least a project responsible or something would be good: https://github.com/DependencyTrack/dependency-track/issues/1608
  • The toggle button is actually only one example. I would prefer a general feature that user settings are stored somewhere (either DB or maybe at least in browser). Including: Toggle button for inactive projects, Shown projects per page, table column visibility settings etc.

rkg-mm avatar Jun 10 '22 11:06 rkg-mm