VIEW_PORTFOLIO: Display Vulnerabilities Listing for Project

[msymons]

Current Behavior:

In DT v3.4.1, a user who has only VIEW_PORTFOLIO Permission can navigate to:

• Dashboard: displays vulnerability graphs and metrics
• Projects: displays vulnerabilities column with correct counts
• Project -> Dependency Tab: vulnerabilities column with correct counts
• Component: Lists vulnerabilities, and the links to each vulnerability all work.

However, the Project screens do not have a tab that lists all vulnerabilities. Not unless the permission VULNERABILITY_ANALYSIS is granted... and this is not desired (grants too much).

The lack of this tab means that it can be really difficult to see the big picture in a project that has many vulnerable components (i have seen a project with 121 vulnerabilities covering 27 components)

Proposed Behavior:

• Rename project Audit tab to "Vulnerabilities". It should be obvious that clicking on this tab will access auditing for those who have permission to audit.
• Display this tab for both VIEW_PORTFOLIO and VULNERABILITY_ANALYSIS permissions.
• When user has VULNERABILITY_ANALYSIS Permission, perhaps display hint that audit is performed by clicking on a component.
• Do not open auditing if user with VIEW_PORTFOLIO only should click on a component.

[stevespringett]

VIEW_PORTFOLIO is intended for personas that only need component inventory and license information, so non-security users.

I think I prefer having a new permission that grants only VIEW_VULNERABILITY. Used in combination with VIEW_PORTFOLIO, I think it would achieve the results you're looking for.

[msymons]

A new VIEW_VULNERABILITY permission sounds like a good way solve the problem.

VIEW_PORTFOLIO is intended for personas that only need component inventory and license information, so non-security users.

So does that mean that the security information that is currently displayed to users with this permission (eg Projects: displays vulnerabilities column) is not desired behaviour and that implementation of VIEW_VULNERABILITY should be implemented alongside changes to VIEW_PORTFOLIO that removes the vulnerability column from projects page, etc?

[chris-sansone-angi]

+1 for this

I agree that it would be very nice to see a VIEW_VULNERABILITY permission that while on a project specific page (https://<domain>/project/?uuid=<uuid>) would allow users to click a tab that lists all of the vulnerabilities affecting a specific project.

It would also be nice for users with this permission to see/view all of the same details that are currently on the Audit tab but WITHOUT the ability to add comments, change the analysis, or flip the suppression flag.

For example a person with the VULNERABILITY_ANALYSIS permission would see something like this:

whereas a person with the VIEW_VULNERABILITY permission would see something like this:

[msymons]

With Dependency-Track 4.3.6, a VIEW_VULNERABILITY permission would still be as useful as it ever was.

I believe that it is not acceptable to let developers have access to making audit decisions (ie, grant them VULNERABILITY_ANALYSIS permission) but there is very much a justification for allowing them to view the decisions that have been made.

Just one example: when one still has a Java 7 project (yes, there are still some aroun) it might not be possible to fix a vulnerability via a simple dependecy upgrade unless also upgrading the project to support Java 8 (or higher). A developer needs to be able to see the audit comment that states this so that they know the reason why they should not just update the dependency without also updating the whole project.

[nscuro]

After checking back with @msymons, this issue has been sufficiently addressed in #1373 (which was released with v4.4.0). Closing.

[github-actions]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.