Tag Management

[msymons]

Current Behavior:

Dependency-Track v3.7.1 allows tags to be added to (or removed from) projects by users who have PORTFOLIO_MANAGEMENT permission. This permission includes the ability to create new tags.

• There is no mechanism to limit this ability by project (ie, allow users to change tags on projects 1-10 but not on projects 11-20)
• The only tag-related REST API functionality is the ability to return a list of all projects by tag. There is no ability to query the list of available tags, etc.
• There is no functionality to delete a tag from the system, or to edit existing tags.

Proposed Behavior:

Some items (such as tag deletion and enforcing lower-case) are discussed in #238).

• Add functionality that would allow listing all tags
• Add functionality to allow editing tags. This would be useful when teams change their names or a customer changes their name, etc.
• Allow for tags to be deleted (cleaned up).
• Only allow lower-case tags (this helps avoid duplication)
• Split the permission to create/edit/delete tags from the permission to add/remove tags from a project. I want to restrict the former more than I want to restrict the latter.
• Extending on this, it should be possible to link these permissions to projects, ie, teams A and B and C can change tags on projects 1-20 but team A can only modify tags on 1-10 and team B can only modify tags on 11-20, and team C can modify tags on any project. See restrict access to projects #140, currently in milestone 3.9.
• Enhance UI so that users can pick tags from a list when adding tags to a project.
• Extend functionality to REST so that (say) automated BOM upload from dependency-trak plugin could be enhanced to include tag specification.

[msymons]

Logged JENKINS-61741 to request tag support in Dependency-Track Jenkins plugin.

[sephiroth-j]

It would be great if tags can be created during upload of the bom.

[clemlesne]

This feature would be much appreciated.

[fbuchmeier-abi]

Hi folks,

due to a "misconfiguration" we have around 500k tags in our database. This slows down dependency track considerably. We would like to get rid of all the tags that we do not actually need but cannot seem to find an API endpoint to delete tags.

• Is there any progress on this issue in regards to the deletion of tags?
• Would it be OK to clean up the TAG table in the database manually?

Thanks and best regards,
Florian.

[nscuro]

@fbuchmeier-abi There is currently no one actively working on it AFAIK. As always, contributions would help getting it delivered sooner. :)

Would it be OK to clean up the TAG table in the database manually?

Yes. Just keep in mind that the PROJECTS_TAGS table has a foreign key relationship with the TAG table. As a first step you could try deleting tags whose IDs are not present in the PROJECTS_TAGS table. After that, you likely want to re-wire the remaining relationships, so all projects only have tags that you want to keep.

[rkg-mm]

Looking into this I wonder why
endpoint /v1/tag/{policyUuid} is related to policies. The description "Returns a list of all tags" is misleading as well, as it only returns a list of tags associated with a policy.

In my opinion this should be URL /v1/policy/{policyUuid}/tags instead, so /v1/tag/{name} or /v1/tag/{tagId} can be used to manage tags. However, this would be a breaking change in the API to clean this up. :(

Luckily policies are UUIDs and tags use LONG as id and string as name, so we can identify the difference and offer both. But this should probably be a deprecated legacy support then as it makes the API dirty