OSS Index: Allow exclusion of components to scan #303
Comments
The same exclusions should likely apply to outdated component analysis.
Good point. Yes, they should.
This idea of implementing the idea of "teaching" Dependency-Track about internal components is pretty much the same enhancement that I had been thinking for a while "I really need to log this", although @nscuro identified a use case (preventing exposure of internal information) that I had not considered. Nice one!
…is vulnerable to:
Another justification for exclusion of components from scanning that may be applicable to VulnDB... MONEY! In #443, Steve wrote that "....as the (VulnDB) service may be licensed on the number of requests per month."
…ted via BOM upload. Added capability of analyzing only a small list of components or the entire portfolio
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
Issue Type:
Current Behavior:
When using the OSS Index scanner, Dependency-Track will send the packageURLs of all components to OSS Index. This of course includes those of internal components. The namespace of a packageURL may contain the company's name, making it fairly easy to find out who's making the requests and what their application landscape may look like.
Someone with access to OSS Index's request logs may be able to find out how often a given project is built, how many vulnerable components it has and how quickly vulnerable components get patched. The main issue here is that we simply cannot know what Sonatype does with the data being sent to it.
Although I'm explicitly mentioning Sonatype's OSS Index here, I'm sure this also affects other scanners that work similarly.
Expected Behavior:
It should be possible to exclude information about specific components from being sent to external services like OSS Index.
It should be considered that new projects (so potentially new namespaces) will be added dynamically (e.g. through the Jenkins plugin), which is why I'm certain that a Regex or "namespace contains" type of exclusion list would be optimal. E.g.:
Exclude namespaces:
^com\.acme.*
.*mycompanyname.*
Environment:
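The filtering step the issue asks for, as an added illustration rather than code from the Dependency-Track project (which is written in Java): each component's package URL is parsed, its namespace is tested against the proposed exclusion regexes, and only the non-matching purls are handed to the external scanner. The purl list, the regex list, and all function names here are constructed for the example. It also shows the gap a namespace-only rule leaves: ecosystems without a namespace (pypi, cargo, generic) never match, so an internal `pkg:pypi/mycompanyname-tools` would still be sent unless a name-based rule is added.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import unquote


@dataclass(frozen=True)
class Purl:
    """The parts of a package URL that matter for an exclusion decision."""
    ptype: str
    namespace: Optional[str]
    name: str
    version: Optional[str]
    raw: str


def parse_purl(purl: str) -> Purl:
    """Minimal package-url parser: pkg:type/namespace/name@version.

    Qualifiers (?k=v) and subpaths (#...) are dropped because they play no
    role in exclusion; namespace and name are percent-decoded per the spec
    (an npm scope arrives as %40scope and decodes to @scope).
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl!r}")
    body = purl[len("pkg:"):].lstrip("/")
    body = body.split("?", 1)[0].split("#", 1)[0]
    ptype, _, rest = body.partition("/")
    if not ptype or not rest:
        raise ValueError(f"package URL lacks type or name: {purl!r}")
    coords, _, version = rest.partition("@")
    parts = coords.split("/")
    name = unquote(parts[-1])
    namespace = unquote("/".join(parts[:-1])) if len(parts) > 1 else None
    return Purl(ptype.lower(), namespace, name, version or None, purl)


def is_excluded(purl: Purl, exclusions: List["re.Pattern[str]"]) -> bool:
    """True when any exclusion regex matches the decoded namespace.

    re.search is used so that a "namespace contains" rule can be written
    without .* wrappers; anchored rules such as ^com\\.acme still behave
    as anchored. A component with no namespace has nothing to match.
    """
    namespace = purl.namespace or ""
    return any(rx.search(namespace) for rx in exclusions)


def partition_for_upload(purls: List[str], patterns: List[str]) -> Tuple[List[str], List[str]]:
    """Split purls into (to_send, withheld) before contacting an external service."""
    exclusions = [re.compile(p) for p in patterns]
    to_send: List[str] = []
    withheld: List[str] = []
    for raw in purls:
        parsed = parse_purl(raw)
        (withheld if is_excluded(parsed, exclusions) else to_send).append(raw)
    return to_send, withheld


# Constructed sample inventory mixing public and internal components.
SAMPLE_PURLS = [
    "pkg:maven/com.acme.billing/ledger-core@2.3.1",
    "pkg:npm/%40mycompanyname/ui-kit@4.0.0",
    "pkg:maven/org.apache.commons/commons-lang3@3.12.0",
    "pkg:npm/lodash@4.17.21",
    "pkg:pypi/mycompanyname-tools@1.0.0",
    "pkg:maven/com.acme/platform-sdk@1.0.0?type=jar",
]

# The two rules proposed in the issue text.
EXCLUDE_NAMESPACES = [r"^com\.acme.*", r".*mycompanyname.*"]


if __name__ == "__main__":
    send, held = partition_for_upload(SAMPLE_PURLS, EXCLUDE_NAMESPACES)
    print("would send to OSS Index:")
    for p in send:
        print("  ", p)
    print("withheld (internal namespace):")
    for p in held:
        print("  ", p)
```

Note that `pkg:pypi/mycompanyname-tools@1.0.0` lands in the "send" list even though its name contains the company token: pypi purls carry no namespace, so a namespace rule cannot see it. Whatever exclusion mechanism is implemented should be applied at one choke point shared by every outbound analyzer, including the outdated-component check mentioned in the comments, rather than inside the OSS Index client alone.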