Display NVD API Attribution Notice
Current Behavior
Since Dependency-Track uses the NVD REST API (with the API key provided by the deployer), the product Dependency-Track should respect the Terms of Use of the NVD API and display the required notice somewhere:
> This product uses the NVD API but is not endorsed or certified by the NVD.
OWASP Dependency-Check had the same issue: https://github.com/jeremylong/DependencyCheck/issues/6105
Steps to Reproduce
Browse the available documentation on the website: no notice.
Google search prompt: `site:https://docs.dependencytrack.org/ "This product uses the NVD API but is not"`
No notice on the About dialog in v4.10.0: the NVD appears in the DATASOURCE PROVIDERS but without the notice.
Expected Behavior
The NVD terms of use should be respected.
Dependency-Track Version
4.7.x
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
15
Browser
Google Chrome
Checklist
- [X] I have read and understand the contributing guidelines
- [X] I have checked the existing issues for whether this defect was already reported
Oops... my bad. It is displayed exactly as required in the NVD configuration page `admin/vulnerabilitySources/nvd`. Sorry!
I did check this repo for the line... but it is defined in another repo, the frontend one: https://github.com/DependencyTrack/frontend/blob/cf09e79bd76dea39526b550a9f86ab6089947482/src/i18n/locales/en.json#L639
@jgraglia, I am re-opening this issue as we do need to do a better job here. The Terms of Use specify that the notice must be displayed prominently... and showing it on a configuration page that can only be seen by administrators is not what anyone would think of as being "prominent".
Within the application, the "About" dialog is probably the best place to display the notice. If need be, perhaps the dialog could be tabbed so that screen real estate is not a problem.
The Documentation website should also be updated.
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.