dependency-track
Tracking Timestamps for Components and Dependencies
Issue Type:
- [ ] defect report
- [X] enhancement request
Current Behavior:
I believe that it would be useful to track timestamps for "first seen" info for both components and dependencies. The timestamps should be displayed in the UI in sortable columns (and perhaps not displayed by default).
Examples: For dependencies, (Project tab -> Dependencies), seeing which dependencies are new would let one quickly see that there are (or are not) associated vulnerabilities. Or help one identify which components are the likely cause of an increase in "Total components"
For components, it would be useful to know when each unique component was first uploaded to Dependency-Track:
- Component tab: eg, filter by (say) "jackson-databind" and see just one instance with vulnerabilities that is brand new, emphasising the need for closer inspection
- Project Tab -> Dependencies. Use in conjunction with the dependency timestamp to see that (say) a threat relates to a component that is brand new to both DT itself and to the project. Or that the vulnerable component is brand new to the project as a dependency but has been known to DT "for ages" (something that would make me question why a vulnerability is being introduced that we already know about from other projects).
Environment:
- Dependency-Track Version: 3.4.0
An 'added on' and 'added by' field already exists for Dependency. These fields do not exist on Component but could easily be added.
Ah ha! Using my trusty Swagger browser extension I see the addedOn in the v3.4.0 dependency REST API. Although I cannot see addedBy.
My hope is that addedOn can be displayed in the UI.
Although this enhancement was logged for Dependency-Track v3.4.0 and the data model was changed in v4.0.0 such that the references to "dependencies" are no longer valid, I do believe that the addedOn timestamp would still be very useful for components.
There are many use cases.
- See that version 2 of a component was added to some projects on a date BEFORE version 1 of the same component was added to other projects. Are the "version 1 project" devs not paying attention?
- See whether any component with vulnerability X was added to any projects AFTER a date that one knows was the date when some other projects were already addressing X. (Although this one is sort of a restatement of use case 2 in the original description from 2019.)
- Check to see whether components known to be EOL were added to any projects after the EOL date. Perhaps there is a need for the "DT cat-herder" to think about adding a policy to cover this?
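The three use cases above, as an added worked example that is not part of this thread and not Dependency-Track code: it runs each check over a constructed in-memory table of (project, component, version, added-on date) records. The field names, the vulnerability id `VULN-A`, the component names and the EOL dates are all invented for illustration and assume nothing about the shape of the Dependency-Track REST API; only the `added_on` idea comes from the discussion.

```python
"""Worked 'added on' checks for the use cases discussed in the thread.

Added example, not Dependency-Track code. Record layout, component names,
vulnerability ids and EOL dates below are constructed for illustration.
"""
from datetime import date

# Constructed sample: one record per (project, component, version) with the
# date that version was added to that project. "vulns" holds placeholder
# vulnerability ids, not real advisories.
RECORDS = [
    {"project": "billing", "name": "jackson-databind", "version": "2.9.8",
     "added_on": date(2019, 3, 1), "vulns": {"VULN-A"}},
    {"project": "billing", "name": "jackson-databind", "version": "2.9.10",
     "added_on": date(2019, 10, 5), "vulns": set()},
    {"project": "reports", "name": "jackson-databind", "version": "2.9.8",
     "added_on": date(2020, 1, 15), "vulns": {"VULN-A"}},
    {"project": "gateway", "name": "log-lib", "version": "1.2",
     "added_on": date(2020, 6, 1), "vulns": set()},
]

# Constructed: the date by which some projects were already addressing VULN-A.
CUTOFF = date(2019, 6, 1)

# Constructed EOL table keyed by (component name, version).
EOL_DATES = {("log-lib", "1.2"): date(2020, 1, 1)}


def version_key(version):
    """Order versions by numeric dot-separated segments, so '2.9.10' > '2.9.8'.
    Non-numeric segments sort as 0 (an assumption; enough for the sample)."""
    return tuple(int(seg) if seg.isdigit() else 0 for seg in version.split("."))


def late_adopters(records):
    """Use case 1: a project added an OLDER version of a component after some
    OTHER project had already added a NEWER version of it."""
    hits = set()
    for old in records:
        for new in records:
            if old["name"] != new["name"] or old["project"] == new["project"]:
                continue
            if (version_key(old["version"]) < version_key(new["version"])
                    and old["added_on"] > new["added_on"]):
                hits.add((old["project"], old["name"], old["version"],
                          new["project"], new["version"]))
    return sorted(hits)


def added_with_vuln_after(records, vuln_id, cutoff):
    """Use case 2: components carrying vuln_id that were added to a project
    after `cutoff`, i.e. after the organisation already knew about it."""
    return sorted(
        (r["project"], r["name"], r["version"], r["added_on"].isoformat())
        for r in records
        if vuln_id in r["vulns"] and r["added_on"] > cutoff
    )


def added_after_eol(records, eol_dates):
    """Use case 3: a component version added to a project after its EOL date,
    a candidate for a policy rather than a one-off finding."""
    out = []
    for r in records:
        eol = eol_dates.get((r["name"], r["version"]))
        if eol is not None and r["added_on"] > eol:
            out.append((r["project"], r["name"], r["version"],
                        eol.isoformat(), r["added_on"].isoformat()))
    return sorted(out)


if __name__ == "__main__":
    print("late adopters:", late_adopters(RECORDS))
    print("VULN-A added after cutoff:",
          added_with_vuln_after(RECORDS, "VULN-A", CUTOFF))
    print("added after EOL:", added_after_eol(RECORDS, EOL_DATES))
```

On the sample, the "reports" project picks up jackson-databind 2.9.8 months after "billing" had already moved to 2.9.10 (use case 1), that same addition carries VULN-A after the cutoff (use case 2), and log-lib 1.2 lands in "gateway" after its EOL date (use case 3). Each check is a pure function of the records, so the same logic can be pointed at whatever export of the real addedOn data is available.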