VIEW_PORTFOLIO: Display Vulnerabilities Listing for Project #338
VIEW_PORTFOLIO is intended for personas that only need component inventory and license information, so non-security users. I think I prefer having a new permission that grants only VIEW_VULNERABILITY. Used in combination with VIEW_PORTFOLIO, I think it would achieve the results you're looking for.
A new VIEW_VULNERABILITY permission sounds like a good way to solve the problem.
So does that mean that the security information that is currently displayed to users with this permission (e.g. Projects: displays vulnerabilities column) is not desired behaviour, and that VIEW_VULNERABILITY should be implemented alongside changes to VIEW_PORTFOLIO that remove the vulnerability column from the projects page, etc.?
With Dependency-Track 4.3.6, a VIEW_VULNERABILITY permission would still be as useful as it ever was. I believe that it is not acceptable to let developers have access to making audit decisions (i.e., grant them VULNERABILITY_ANALYSIS permission), but there is very much a justification for allowing them to view the decisions that have been made. Just one example: when one still has a Java 7 project (yes, there are still some around) it might not be possible to fix a vulnerability via a simple dependency upgrade unless also upgrading the project to support Java 8 (or higher). A developer needs to be able to see the audit comment that states this so that they know the reason why they should not just update the dependency without also updating the whole project.
Current Behavior:
In DT v3.4.1, a user who has only VIEW_PORTFOLIO Permission can navigate to:
However, the Project screens do not have a tab that lists all vulnerabilities. Not unless the permission VULNERABILITY_ANALYSIS is granted... and this is not desired (grants too much).
The lack of this tab means that it can be really difficult to see the big picture in a project that has many vulnerable components (I have seen a project with 121 vulnerabilities covering 27 components).
Proposed Behavior: