frontend's People

Contributors

2000rosser avatar abdelhajou avatar alitheg avatar aravindparappil46 avatar bahrb avatar dependabot[bot] avatar dependencytrack-bot avatar github-actions[bot] avatar heubeck avatar k3rnelpan1c-dev avatar lavibex avatar lukas-braune avatar mge-mm avatar molusk avatar mykter avatar nscuro avatar pinqvin avatar rbt-mm avatar rkg-mm avatar robertlagrant avatar sahibamittal avatar sekwah41 avatar sephiroth-j avatar setchy avatar squixx avatar stevespringett avatar syalioune avatar tmehnert avatar valentijnscholten avatar validide avatar

frontend's Issues

Stop using sessionStorage (security/usability issue)

The defect may already be reported! Please search for the defect before creating one.

Current Behavior:

UI uses window.sessionStorage for auth token

Expected Behavior:

It should be stored in an HttpOnly cookie (better with the Secure flag).

Why?

  • Session Storage / Local storage isn't considered to be a secure storage for auth tokens: https://auth0.com/blog/secure-browser-storage-the-facts/
  • Now you can't effectively work with Dependency-Track using several tabs, as each tab has its own Session Storage. Many users think that it's a bug, as the absolute majority of websites share the auth session between tabs.

Guidance for installing on Kubernetes

There are some mentions that Dependency-Track can be installed on Kubernetes, however there are no guides for this in the documentation. Any suggestions for someone new to Kubernetes?

Dependency Graph does not follow transitive dependencies

Current Behavior:

UI does not go through each transitive dependency in the dependency data to build out a complete dependency graph, resulting in a limited depth of dependencies shown in the UI.

Proposed Behavior:

UI should follow each transitive dependency in the data, check if it has further dependencies, and render a complete dependency graph in the UI.

Showing 1 to null of null rows

Current Behavior:

When I update DT and the frontend to 4.3.2 and 4.3.0, all paging queries in the frontend fail.

Environment:

  • Dependency-Track Version: 4.3.2
  • Client Browser: chrome,firefox
  • Client O/S: docker

Check token validity at application init

Currently the JWT token is stored in session storage, but token validity or login status is never checked on application initialization and authorization status defaults to false. This leads to the user having to login at every page refresh.

App init should check for a saved JWT token and verify its validity by querying the API (for example the /v1/user/self route or something else that every user can call). If the token exists and is valid, we should go to the requested route; otherwise we clear session storage and reroute to login.
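As an added illustration of that start-up check (this is not the frontend's code): decode the stored JWT to discard tokens that are obviously expired, then confirm the rest with the API before trusting them, and keep the originally requested route so a forced login can return the user there. `storage` is anything with the web Storage API (sessionStorage, localStorage or the stub below), and `getSelf` is an assumed function that calls the API with the token (for example GET /api/v1/user/self) and resolves to the user object, or to null when the API rejects the token.

```javascript
// Added illustration, not the frontend's code: app-init auth check.

// Decode the JWT payload without checking the signature. The browser has no
// key to verify with, so this is only a cheap pre-filter; the API round trip
// in initAuth is the real check.
function decodeJwtPayload(token) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    // In a browser use atob() with the base64url -> base64 fixups instead of Buffer.
    const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
    return payload && typeof payload === 'object' ? payload : null;
  } catch {
    return null;
  }
}

// True if the token parses and does not expire within `skewSeconds`; tokens
// about to expire are treated as gone so the first real request does not 401.
function tokenLooksUsable(token, nowMs = Date.now(), skewSeconds = 30) {
  const payload = decodeJwtPayload(token);
  if (!payload || typeof payload.exp !== 'number') return false;
  return payload.exp - skewSeconds > nowMs / 1000;
}

// Decide where the app goes on start-up. `getSelf` (assumed) resolves to the
// user for an accepted token and to null (or rejects) otherwise.
async function initAuth({ storage, getSelf, requestedRoute = '/', nowMs = Date.now() }) {
  const token = storage.getItem('token');
  const denied = () => {
    storage.removeItem('token');   // never keep a token the API will not accept
    return { authenticated: false, route: '/login', redirectTo: requestedRoute };
  };
  if (!tokenLooksUsable(token, nowMs)) return denied();
  let user = null;
  try {
    user = await getSelf(token);
  } catch {
    user = null;                   // 401 or network failure: treat as not logged in
  }
  if (!user) return denied();
  return { authenticated: true, route: requestedRoute, user };
}

// Minimal stand-in for window.sessionStorage so this runs outside a browser.
function memoryStorage(initial = {}) {
  const map = new Map(Object.entries(initial));
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
  };
}
```

The route guard would call `initAuth` once before the first navigation and, on `authenticated: false`, push `/login` with `redirectTo` as a query parameter; the login page then navigates to that route instead of the dashboard.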

Add link to vuln page on NVD for CVEs vulnerabilities

Current Behavior:

When discovering a vuln from NVD in the Dtrack interface (e.g. https://dtrack/vulnerabilities/NVD/CVE-2020-11844) there is no direct link to the NVD page (https://nvd.nist.gov/vuln/detail/CVE-2020-11844). You can only read the saved details for this vuln. So you need to search for the CVE on the web or on the NVD site.

Proposed Behavior:

Let's add such link into Dtrack interface vuln page? Same could be for NPM and others.

UI Date Display Consistency

Issue Type:

  • defect report
  • enhancement request

Current Behavior:

Dependency-Track displays dates in a couple of different formats:

  • Last BOM Import: 6 Feb 2019 at 10:44:22
  • Last Measurement: 27 Feb 2019 at 12:34:21
  • Dashboard Graph: Feb 01
  • Project Overview Graph: Feb 01

Expected Behavior:

Basically, consistency, e.g. resolve:

  • Feb 01 vs 1 Feb (where one has a leading zero and one does not)
  • Feb 26 vs 26 Feb (Localization issue)

I log this as an enhancement... perhaps date display preference could be specified via a property? This would allow European and US users to each display dates in their preferred formats.

Environment:

  • Dependency-Track Version: 3.4.0
  • Browser: Firefox v65.0.1

Frontend Nginx: Provide SSL Option

The enhancement may already be reported! Please search for the enhancement before creating one.

Current Behavior:

The frontend exposes port 8080 via HTTP.

Proposed Behavior:

Provide a user option to configure port 8443 via HTTPS, with a preloaded server key/crt.

OIDC configuration option for label of "OpenID" button

Steps to reproduce:

  1. Enable OIDC
  2. Navigate to DependencyTrack login page

Current Behavior:

See additional button with icon and label "OpenID"

Proposed Behavior:

It is a typical case to use OIDC as an SSO solution, and it will be clearer to the end user to see custom text on this button, e.g. "Log in as Company employee". So it would be good to make this text configurable via the OIDC frontend config (https://docs.dependencytrack.org/getting-started/openidconnect-configuration/).

improve entrypoint

Current Behavior:

https://github.com/DependencyTrack/frontend/blob/master/docker/docker-entrypoint.sh#L6
checks for a mount; this does work well with configmaps in Kubernetes. Configmaps are seen as a good practice.

Proposed Behavior:

Could it instead simply check that the file exists and, if it does, ignore it? Also note that in the case of configmaps it is not an ordinary file, but rather a symlink:

/app/static # ls -l conf*
lrwxrwxrwx    1 root     root            18 Mar  2 19:56 config.json -> ..data/config.json
/app/static # ls -l /app/static/config.json 
lrwxrwxrwx    1 root     root            18 Mar  2 19:56 /app/static/config.json -> ..data/config.json
/app/static # ls -l /app/static/..data
lrwxrwxrwx    1 root     root            31 Mar  2 19:56 /app/static/..data -> ..2021_03_02_19_56_07.520397086
/app/static # 

Policy Violations Breakdown Missing Security Policies

Current Behavior:

DT v4.1 introduced support for vulnerabilities in policy violations. In DT 4.3.1, the "Overview" tab for individual projects does not include Security Risk in the Policy Violations Breakdown chart.

This screenshot was taken from a project with 0 licence violations and 0 operational violations (i.e. the stats are correct) but which does have 2 security policy violations.

Steps to Reproduce:

  • Create a security policy such as subject == SEVERITY && value IS MEDIUM (or whatever can guarantee at least one violation)
  • For purpose of demonstration there is no need to restrict the policy to a particular project... although this can be done in order to reduce "noise".
  • Navigate to a project that will be in violation of this policy
  • The Policy Violations tab on the project page will list violations of type "security". Count them.
  • The Overview tab on the project page displays a Policy Violations chart, broken down by Classification. Observe that there is no info on security violations.

Expected Behavior:

The Policy Violations by Classification Chart should include "security risk" and the number should match what you counted on the Policy Violations tab.

Environment:

  • Dependency-Track Version: 4.3.1
  • Client Browser: Firefox 90.0
  • Client O/S: Windows 10.

Additional Details:

I am guessing that the problem relates to the code in ChartPolicyViolationBreakdown.vue that is commented out and marked TODO.

Link to project page by name and version

Project pages should also be reachable by providing the name and version.

Current Behavior:

The project page has a URL of type /projects/{uuid}. SVG badges can be used with name and version using the URL pattern /api/v1/badge/vulns/project/{name}/{version}. In this case, it is not possible to provide a link to the project page because this would require knowledge of the uuid. If the uuid were known, the SVG badge would have been used with the uuid.

Proposed Behavior:

It should also be possible to reach a project page using a URL of type /projects/{name}/{version}.

How to setup the context?

I've just launched the API server jar at localhost:8080/dtrack, and I would like to deploy the frontend in a context different from root.
When I use Apache with the frontend files in the root context and API_SERVER_URL=http://localhost:8080/dtrack, everything works nicely.

But when I move the frontend files to another context it doesn't work. The frontend seems to expect files in the root context.
Is there any variable I could change to point to the new context?

Image runs as root

Current Behavior:

The currently used base image runs as root:

FROM nginx:stable-alpine

Steps to Reproduce:

Check the Dockerfile reference above.

Expected Behavior:

Use the official docker-nginx-unprivileged as base image.

Environment:

  • Dependency-Track Version: 1.1.0
  • Client Browser: N/A
  • Client O/S: N/A

Additional Details:

N/A

Portfolio Access Control : Cannot add multiple projects to a specific team

Current Behavior:

In Portfolio Access Control, when you want to add multiple projects to a specific team, you can't.

Steps to Reproduce:

(screenshot: bug_add_group)

Expected Behavior:

I should be able to select projects on page 1, and to select projects on page 2, and ..., and then confirm my selection to add multiple projects

Environment:

  • Dependency-Track Version: 4.3.6
  • Distribution: [ Docker ]
  • BOM Format & Version: X
  • Database Server: [MSSQL ]
  • Browser: Chrome

Additional Details:

Audit Trail not updating in UI when adding multiple comments

Current Behavior:

When adding several comments to an Audit Trail, only the first comment appears in the UI.

Steps to Reproduce:

  1. In DT, open a project and then the Audit Vulnerabilities tab.
  2. Expand a vulnerability (click on >) to reveal the vuln details.
  3. Enter "a comment" into the Comment box and click Add Comment. The comment appears in the Audit Trail box above.
  4. Enter "another comment" into the Comment box and click Add Comment.

Expected Behavior:

"another comment" appears in the Audit Trail box but it does not. Refreshing the webpage reveals that the second comment was added to the Audit Trail but was just not displayed when added.

I would also have expected a comment in the Comment box to be cleared when it is added to the Audit Trail.

Environment:

  • Dependency-Track Version: 4.1.0
  • Distribution: Docker
  • BOM Format & Version:
  • Database Server: H2
  • Browser: Chrome Version 88.0.4324.182 (Official Build) (64-bit)

Additional Details:

None

REST API: analysis trail vulnerability UUID

Current Behavior:

When using the REST API to retrieve an analysis trail using GET:

/v1/analysis

...there are 3 UUID parameters, the last two of which are required:

  • project
  • component
  • vulnerability

There seem to be two problems with using vulnerability UUID.

  • What is the vulnerability UUID? The UI displays vulnerabilities with a URL (example):

/vulnerability/?source=NVD&vulnId=CVE-2018-8088

...but using this vulnId as the vulnerability UUID results in an HTTP 400 response with body:

[
  {
    "input": "CVE-2018-8088",
    "message": "Vulnerability is not a valid UUID"
  }
]

The second problem (more of a quibble) is that the Swagger browser extension reports that the 400 response is undocumented.

Steps to Reproduce:

Use DT UI to choose a valid component UUID XXX that does have an audit trail for vulnerability CVE-YYYY. Use with curl, where ZZZ is a valid authentication token.

curl -X GET "https://dependency-track.card.co.uk/api/v1/analysis?component=XXX&vulnerability=CVE-YYYY" -H "accept: application/json" -H "X-Api-Key: ZZZ"

Expected Behavior:

The expected behaviour depends on what the correct vulnerability UUID should be. If "CVE-2018-8088" is the correct format then this is a defect, as it does not work. If it is NOT the correct format then the expectation would just be to have some documentation.

Also, expect code 400 response to be documented in swagger.

Environment:

  • Dependency-Track Version: 3.5.0
  • Distribution: [Executable WAR]
  • BOM Format & Version: CycloneDX 1.0
  • Database Server: [PostgreSQL]
  • Browser: Firefox 67.0.2 with swagger extension.

Add Policy Violations Column to Projects Page

Current Behavior:

The Projects page offers the following columns:

  • Project Name
  • Version
  • Last BOM Import
  • BOM Format
  • Risk Score
  • Active
  • Vulnerabilities

ie, no display of policy violations

Proposed Behavior:

Add a sortable "Policy Violations" column to the page. This will make it easy to perform tasks such as:

  • Sort by risk and check for a low policy violation count... which may be an indication that policies are incorrectly configured.
  • Sort by policy violation count to see the worst offending projects. When policies are "mature" then these projects should perhaps be focused on first.

Note that a simple count of total violations would include License and Operability Risk... so maybe a bit more nuance might be needed.

Unable to see vulnerability status in Components view

It would be very useful to see the vulnerability status for each listed component in the Components view. Individual vulnerability status for each component provides useful insight to help remediation.
Such status was provided in an earlier version of DepTrack.

Allow Admin to change password for managed user

Current Behavior:

In DT 3.7.1, creation of a new "Managed User" has password and confirm password as mandatory fields.

After a "Managed User" is created, administrators can perform the following password-related configuration for the user:

  • User must change password at next login
  • Password never expires

There is no option for the administrator to actually change the password. This causes a problem when the user forgets their password.

Proposed Behavior:

Allow administrator to change the password of a managed user. If checked, the functionality "User must change password at next login" will ensure that the user then changes the new password to something of their own choosing (and something that the administrator does not know).

Front End Displays Blank Screen After Few Days

Current Behavior:

Front End works fine for a few days until suddenly it does not... displaying a blank white screen in Firefox. On digging a bit, the response seems to be HTTP 403 with no content (explaining the white screen).

Trying to access the login URL directly gives an HTTP 404.

The last time this problem occurred I checked that the last successful login was recorded 8 days prior to the "white screen" being noticed (logout is not logged) and that the last successful login was some 8 days after the server had started. As this is on a test server and I had not been playing much whilst awaiting 4.0.0 Beta 2, I wonder if the problem could possibly be related to lack of user activity.

Steps to Reproduce:

With Dependency-Track running normally, just leave it alone for a few days. Sooner or later, the Front End will fail.

Expected Behavior:

Front End is more stable after running for a few days.

Environment:

  • Dependency-Track Version: 3.8.0 or 4.0.0 Beta 1 using embedded WAR
  • Client Browser: Any
  • Client O/S:

Additional Details:

  • Database is H2 (as this is a test server)
  • No errors in any log. The logs indicate that the back-end seems to still be running normally
  • Access control is via Microsoft Active Directory.

Notifications Alert Can't see more than 100 items

Hello,

I would like to share with you a problem I am having on version v3.7.1.
Indeed, we have a lot of projects created, and to monitor them we use the alerts via Mattermost.

Unfortunately, today I wanted to create a 101st alert and it does not appear in the list on the page: Notification> Alert.

After a few checks, when creating the alert, the browser does receive a code 201 indicating the successful creation of the resource. In the database, the new alert is indeed created but does not appear in the list in the GUI.

Finally, it is a pagination problem which limits the number of items to 100.

Current Behavior:

Can't see more than 100 items in Notifications > Alert.

Steps to Reproduce:

Create 100 items + 1. You won't see the 101st item.

Expected Behavior:

See more than 100 items.

Environment:

  • Dependency-Track Version: v3.7.1
  • Distribution: Traditional WAR
  • BOM Format & Version: /
  • Database Server: PostgreSQL
  • Browser: Firefox / Chrome / Brave

Thank you in advance,
Technoo'

Deactivate Upload Button Until File Chosen

Current Behavior:

Dependency-Track provides the ability to "Upload BOM" via a Projects's "Components" tab.

If one clicks the "Upload" button on the dialog without first selecting a file then DT displays a "BOM Uploaded" message and closes the dialog... even though nothing was actually uploaded (tested using v4.2.2).

The api-server log reports:

WARN [BomUploadProcessingTask] The BOM uploaded is not in a supported format.
 Supported formats include CycloneDX XML and JSON

Proposed Behavior:

The "Upload" button on the dialog should be inactive until a file is selected.

Dependency Graph Filtering

Current Behavior:

The Dependency Graph implementation currently displays all dependencies (excepting #85) but lacks functionality that would aid using it as a tool.

Proposed Behavior:

Add filtering so that one can cut through the noise of a 300 component maven project (or 1000 component npm project!).

  • Filter by vulnerabilities. Thus, if (X depends on Y and Y depends on Z) and Z has a vulnerability, then seeing that on the graph might point one in the direction of first checking if an update is available for X.
  • Filter by license policy violation... I want to know how a problem license is getting into the project
  • Indicate when dependencies have scope "optional". A problem dependency that is optional can be excluded!
  • Indicate on the tree when dependencies have updates available. In the XYZ example above, this might point one to updating Y if there is no update available for X, or Z itself (the vulnerable component) if no updates exist for X or Y.

Cannot display Tooltip info for latest point on graphs

Current Behavior:

When hovering the mouse pointer over any graph in Dependency-Track (the main dashboard has the most graphs) then one can point at "now" (the point on the far right of any graph) and yet the tooltip data only shows info from a few days ago.

Steps to Reproduce:

Wave your mouse pointer over any DT graph. When pointing at the right-most point on any graph, the displayed tooltip data is not current; it represents a point on the graph to the left of where your mouse is pointing.

Using Zoom (in or out) does not help.

Expected Behavior:

Mouse-over should support displaying data relevant to whatever point on the graph the mouse is hovering over.

Environment:

  • Dependency-Track Version: 3.8.0, 4.3.3
  • Client Browser: Firefox, Chrome, Microsoft Edge
  • Client O/S: Windows 10, Mac.

Login does nothing

Current Behavior:

After spinning up the latest official docker-compose example, it starts normally without errors, but the login does nothing (returns 405) when I try to login using either admin:admin or LDAP creds. I tried to spin up the compose on 2 different machines; the same happens. I've read other articles mentioning API_BASE_URL=http://localhost:8081; I tested it using various URLs and ports, including the external one, or 127.0.0.1 instead of localhost, etc. So no luck with that as well. Any suggestions?

Steps to Reproduce:

On any machine running docker, use the official example of compose: https://github.com/DependencyTrack/dependency-track/blob/master/src/main/docker/docker-compose.yml with or without modifications.

On any machine running docker, use my custom compose :

version: '3.9'
networks:
  dependency_track_network: 

services:
  mysql-db:
    image: mysql:5.7.29
    environment:
      MYSQL_ROOT_PASSWORD: password
      MYSQL_DATABASE: dtdb
      MYSQL_ROOT_HOST: '%'
    ports: 
      - "3306:3306"
    command: ['mysqld', '--sql_mode=ANSI_QUOTES,STRICT_TRANS_TABLES,ONLY_FULL_GROUP_BY,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION']
    volumes:
      - mysql-data-2:/var/lib/mysql   
    restart: unless-stopped
    networks:
      - dependency_track_network
      
  dtrack-apiserver:
    image: dependencytrack/apiserver
    environment:
      - ALPINE_DATABASE_MODE=external
      - ALPINE_DATABASE_URL=jdbc:mysql://mysql-db:3306/dtdb?allowPublicKeyRetrieval=true&autoReconnect=true&useSSL=false
      - ALPINE_DATABASE_DRIVER=com.mysql.cj.jdbc.Driver
      - ALPINE_DATABASE_DRIVER_PATH=/extlib/mysql-connector-java-8.0.22.jar
      - ALPINE_DATABASE_USERNAME=root
      - ALPINE_DATABASE_PASSWORD=password
      - ALPINE_DATABASE_POOL_ENABLED=true
      - ALPINE_DATABASE_POOL_MAX_SIZE=10
      - ALPINE_DATABASE_POOL_IDLE_TIMEOUT=600000
      - ALPINE_DATABASE_POOL_MAX_LIFETIME=600000
      - ALPINE_LDAP_ENABLED=true
      - ALPINE_LDAP_SERVER_URL=ldap://zmail.company.com:389
      - ALPINE_LDAP_BASEDN=ou=people,dc=company,dc=com
      - ALPINE_LDAP_SECURITY_AUTH=simple
      - ALPINE_LDAP_AUTH_USERNAME_FORMAT=%s
      - ALPINE_LDAP_ATTRIBUTE_NAME=uid
      - ALPINE_LDAP_ATTRIBUTE_MAIL=mail
      - ALPINE_LDAP_USERS_SEARCH_FILTER=(&(objectClass=zimbraAccount)(uid={login}))
      - ALPINE_LDAP_USER_PROVISIONING=true
      - ALPINE_LDAP_TEAM_SYNCHRONIZATION=true   
    ports:
      - '8081:8080'
    volumes:
      - dt-data-2:/data
    restart: unless-stopped
    deploy:
      resources:
        limits:
          memory: 12288m
        reservations:
          memory: 8192m
    networks:
      - dependency_track_network
    depends_on:
      - mysql-db

  dtrack-frontend:
    image: dependencytrack/frontend
    depends_on:
      - dtrack-apiserver
    environment:
      # The base URL of the API server.
      # NOTE:
      #   * This URL must be reachable by the browsers of your users.
      #   * The frontend container itself does NOT communicate with the API server directly, it just serves static files.
      #   * When deploying to dedicated servers, please use the external IP or domain of the API server.
      - API_BASE_URL=http://vm_name.domain.com:8081
      # - "OIDC_ISSUER="
      # - "OIDC_CLIENT_ID="
      # - "OIDC_SCOPE="
      # - "OIDC_FLOW="
      # - "OIDC_LOGIN_BUTTON_TEXT="
      # volumes:
      # - "/host/path/to/config.json:/app/static/config.json"
    ports:
      - "8080:8080"
    restart: unless-stopped    

volumes:
  dt-data-2:
    driver: local
    driver_opts:
      type: none
      device: /data/dt-data-2
      o: bind
  mysql-data-2:
    driver: local
    driver_opts:
      type: none
      device: /data/mysql-data-2
      o: bind

Expected Behavior:

Login normally

Environment:

  • Dependency-Track Version: Latest (Both UI/API)
  • Client Browser: Chrome, Mozilla, Edge
  • Client O/S: CentOS 7

Login redirect doesn't work

Current Behavior:

When deep linking into a page in deptrack, you first get redirected to the login page (despite being logged in already), and then you get deposited into the overview page, rather than the deep link you were following.

Steps to Reproduce:

  • Log in to deptrack.
  • Copy a deep link to some project.
  • Paste link into a new browser tab

Expected Behavior:

Go directly to the project page.

Environment:

  • Dependency-Track Version: v3.8.0
  • Distribution: Docker
  • BOM Format & Version: SBOM?
  • Database Server: PostgreSQL
  • Browser: Chrome

Additional Details:

Login is configured to use LDAP

Pages should have a meaningful title

Current Behavior:

Each page has "Dependency-Track" as its title. Navigating through the browsing history when every page has the same title is terrible.

Proposed Behavior:

Unique pages should have their own page title.

Login Not Working

After installing through docker-compose, the login page does not give any response with admin:admin.

Environment:

  • Dependency-Track Version:
  • Client Browser: firefox
  • Client O/S: redhat 6

Change file ownership and user in the Docker image

Current Behavior:

The files in the frontend Docker image are owned by root and the container itself runs as root. Best practice would be to change the ownership of all the files in use by the application to a non-root user, as well as let the container run with a non-root user. In the older bundled release (https://github.com/DependencyTrack/dependency-track/blob/master/src/main/docker/Dockerfile), this was achieved by chowning the files to UID/GID 1000 and running as that user.

I'm in progress of reworking the Helm Charts for DT in order to support the new architecture, but the way it is right now with root ownership of the files, I'm consistently getting permission denied as the entrypoint script wants to move config.json from /tmp/ to the app directory.

Proposed Behavior:

Change ownership of files and runuser in the Docker image to a non-root UID/GID for enhanced security and for compatibility with Kubernetes/OpenShift Security Context.

I'll create a PR with the proposed changes for review soon.

Navigating back to the previous page does not remember UI state.

Current Behavior:

When navigating back from a UI page to a previous page the UI state is not remembered. Hence, where there are several tabs to be selected it does not remember the previous selection and always loads the page at the first tab, any opened audit descriptions are closed, any edits are lost and any scrolled lists are set to be at the top again.

This behaviour impacts usability of the UI when navigating to and from child views as it may also cause analysis comments that are being written to be lost when accessing the vulnerability/component detailed view to get more information if the user does not ctrl+click the link.

Steps to Reproduce:

  • Navigate to Projects>[Project]
  • Select the Audit Tab and scroll down + open several vulnerability analysis + write some analysis without committing.
  • Click the link for any vulnerability
  • Navigate back to the previous page.

Expected Behavior:

When performing the above mentioned steps any UI interactions made that changed the UI state are lost and the UI is set to its default state as if it had been loaded as the first time ( it probably is ).

Environment:

  • Dependency-Track Version: 3.8
  • Distribution: Docker
  • BOM Format & Version: Does not Apply
  • Database Server: Mysql
  • Browser: Chrome v83

Dynamic API Base Url

Current Behavior:

Currently the frontend container requires an API_BASE_URL environment variable to populate the static/config.json, which hard couples the frontend to a domain URL.

Proposed Behavior:

Since the frontend and apiserver can be deployed on the same domain, it would be nice if the frontend could dynamically just make a request to the domain it's hosted from. This alleviates potential CORS issues when hosted on the same domain, as browsers will default deny all other domains making requests to it.

A pattern for this I've used before is: if a base URL isn't configured, fall back to using document.location to build the base URL.
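As an added illustration of that fallback (this is not the frontend's code), and of the context-path case raised in "How to setup the context?" above: an empty API_BASE_URL resolves to the page's own origin, a path-only value such as "/dtrack" resolves to the same origin with that context, and an absolute value is used as given but must be http(s). `location` is window.location or any stub with an `origin`; `defaultPath` is an assumed optional setting.

```javascript
// Added illustration, not the frontend's code: resolve the API base URL from
// config.json when set, otherwise from the page's own location.
function resolveApiBaseUrl(configured, location, defaultPath = '') {
  const value = typeof configured === 'string' ? configured.trim() : '';
  let url;
  if (value === '') {
    url = new URL(defaultPath || '/', location.origin);   // same origin as the UI
  } else if (value.startsWith('/')) {
    url = new URL(value, location.origin);                // path only: same origin, custom context
  } else {
    url = new URL(value);                                  // absolute URL from config
    if (url.protocol !== 'http:' && url.protocol !== 'https:') {
      throw new Error(`API base URL must be http(s), got ${url.protocol}`);
    }
  }
  url.search = '';                                         // config values should not carry query/hash
  url.hash = '';
  return url.href.replace(/\/+$/, '');                     // no trailing slash; callers append "/api/v1/..."
}

// Same origin: the browser enforces no CORS on API calls. Cross origin: the
// API server must answer with Access-Control-Allow-Origin for the UI's origin,
// or every request fails before it reaches the API.
function isSameOrigin(apiBaseUrl, location) {
  return new URL(apiBaseUrl).origin === location.origin;
}
```

Rejecting non-http(s) schemes matters because config.json is loaded at runtime: a value like "javascript:..." must never end up as the prefix of a URL the app navigates to or fetches.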

Configurable Optional Banner

Current Behavior:

In a corporate environment that has deployed multiple dependency-track servers, it can sometimes be difficult to recognise that one is looking at the wrong server. Especially when the servers have been given confusingly similar FQDNs. Example:

  • Connecting to test server instead of the production server
  • Connecting to an old server instead of a new server. In my environment, DT 4.3.1 was deployed as a complete fresh install but the old 3.8.0 server is still in place until I have migrated all the tags, etc. But people have bookmarks and keep trying to look at the old server!

Proposed Behavior:

Implement an optional banner text that can be displayed at the top of the screen in a similar way to a banner in (say) JIRA.

The banner can then be configured to read (say):

  • Test server: data & configuration may change. Speak to Fred if needing to run long-running tests.
  • Old server: update your bookmarks to https://foo.bar.com
  • Link to documentation: xxxx
  • Scheduled downtime on Thursday 30th at 08:00 for 1 hour

Note: this enhancement might be considered alongside #93 but serves a different purpose. Favicons are useful for the power user who is deliberately using two DTs at the same time. This enhancement is aimed at holding the hand of the normal user.

Include suppression status on vulnerability "affected project" tab

Current Behavior:

Individual vulnerabilities are listed with an "Overview" tab and an "Affected Projects" tab. The latter has two columns... name and version. ie, name of project and version of project. When a vulnerability is suppressed then it is removed from this listing.

Thus, for a vulnerability that is suppressed in 60 projects we see:

Empty!

This makes it harder to "audit the auditing".

Proposed Behavior:

Add a column to show when an occurrence of the vulnerability has been suppressed. For consistency, this might be accompanied by the same "Show suppressed findings" checkbox as used on the project screen.

It might also be desirable to link the display of the column (and the checkbox) to the permission VULNERABILITY_ANALYSIS. This could be extended later to include VIEW_VULNERABILITY (if such is created via dependency-track/338)

Client side form validation

Should we do more validation in the client side? Currently, there aren't that many forms in the application, but they depend on server errors for validating the input. We could do more robust validation in eg. the password force reset flow (basic checking of fields having values, but also covering password re-use, password matching etc.) before even contacting the server.

The server seems to be somewhat inconsistent on how it treats errors. For example, the /v1/user/forceChangePassword route sometimes returns error code strings, but can also return plain error messages. Doing validation based on the plain error messages can be a bit tricky / brittle.

I just wanted to file an issue about this to discuss if doing more robust client side validation is something we would like to do in this project and if it's okay to add eg. form validation dependencies to achieve that.
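As an added illustration of what such client-side validation could look like (this is not the frontend's code, and needs no form-validation dependency): the force-change-password form is checked locally and the result is a list of stable error codes the UI maps to messages, with server responses normalised onto the same code set. The minimum length and the code names are assumptions, not Dependency-Track policy.

```javascript
// Added illustration, not the frontend's code: local validation for the
// force-change-password form, returning error codes rather than messages.
const MIN_LENGTH = 12;                                  // assumed policy

function validatePasswordChange({ username, currentPassword, newPassword, confirmPassword } = {}) {
  const user = String(username || '').trim();
  const current = String(currentPassword || '');       // passwords are not trimmed: spaces are valid
  const next = String(newPassword || '');
  const confirm = String(confirmPassword || '');
  const errors = [];
  if (!user) errors.push('USERNAME_REQUIRED');
  if (!current) errors.push('CURRENT_PASSWORD_REQUIRED');
  if (!next) errors.push('NEW_PASSWORD_REQUIRED');
  if (!confirm) errors.push('CONFIRM_PASSWORD_REQUIRED');
  // Cross-field checks only once both fields are filled, so the user is not
  // told "does not match" while still typing.
  if (next && confirm && next !== confirm) errors.push('PASSWORDS_DO_NOT_MATCH');
  if (next && current && next === current) errors.push('PASSWORD_REUSED');
  if (next && next.length < MIN_LENGTH) errors.push('PASSWORD_TOO_SHORT');
  if (next && user && next.toLowerCase().includes(user.toLowerCase())) errors.push('PASSWORD_CONTAINS_USERNAME');
  return errors;
}

// The server sometimes returns a code string and sometimes free text. Map known
// codes straight through and turn everything else into one generic code, keeping
// the raw text for display only; never branch on the text itself.
const KNOWN_SERVER_CODES = new Set(['PASSWORDS_DO_NOT_MATCH', 'PASSWORD_REUSED', 'INVALID_CREDENTIALS']); // assumed
function normalizeServerError(body) {
  const text = String(body == null ? '' : body).trim();
  if (KNOWN_SERVER_CODES.has(text)) return { code: text, detail: null };
  return { code: 'SERVER_ERROR', detail: text || null };
}
```

Client-side checks only improve the experience; the server must still enforce every rule, since the API is callable without the UI.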

Vulnerabilities: Filter out where "Projects = 0"

Current Behavior:

With a totally fresh install of Dependency-Track 4.2.2, the Vulnerability page very quickly "fleshes out" to display more than 125k rows. This provides a usability issue with getting an overall view of "what is affecting me".

Proposed Behavior:

Provide a checkbox similar to the "Show inactive projects" displayed on the Projects screen. The checkbox would act to include/exclude all vulnerabilities that have 0 affected projects, with the suggested default being to exclude. This would reduce the displayed listing from 125k to (hopefully) a nice low number. Even if there were 1000 vulnerabilities it would still only take 10 clicks to navigate from beginning to end with display set to 100 per page.

One use case for this suggested functionality is that it would make it possible to sort vulnerabilities by "Published" and then simply scroll down to see the most recent vulnerabilities to appear in the portfolio. Useful should notifications be unconfigured (or directed to the wrong people, etc).

Opening an application link asks the user to log in again

The defect may already be reported! Please search for the defect before creating one.

Current Behavior:

Either accessing a link to dependency-track (usually links to vulnerability pages) or ctrl+clicking a link to open it in a new tab asks you to log in again instead of loading the requested page (even when you have just logged in before). Also, when you log in again you are not redirected to the previously requested page but to the home page instead.

This issue impacts usability of the platform as it makes it difficult to navigate to child views or access a specific page from a link provided by an alert or any other source where that link might have been copy-pasted or sent to/from.

Steps to Reproduce:

ctrl+click a vulnerability link or open a previously generated link to a vulnerability description.

Expected Behavior:

Page is loaded without needing to re-authenticate.
In case the token is really expired it should re-direct to the previously requested page instead of the homepage.

Environment:

  • Dependency-Track Version: 3.8
  • Distribution: Docker
  • BOM Format & Version: Does not Apply
  • Database Server: Mysql
  • Browser: Chrome v83

Vulnerability filter does not work

Current Behavior:

The filter in the project dependencies tab does not work.
After trying to filter by Vulnerabilities, I got an empty table.

Steps to Reproduce:

  1. Go into any of your projects in Dependency Track like: https://dependencytrack/projects/<project_uid>
  2. Click on the Dependencies tab
  3. Click on the filter Vulnerabilities in the right column table

Expected Behavior:

Get filtered list of Dependencies by vulnerabilities count.

Environment:

  • Dependency-Track Version: 3.8.0

Additional info:

P.S. Maybe this issue is for the backend part of Dependency Track

Request URL: https://dependencytrack/api/v1/dependency/projects/<project_uid>?searchText=&sortName=metrics&sortOrder=desc&pageSize=10&pageNumber=1
Request Method: GET
Status Code: 500 Server Error

Make redirect functionality with OIDC flow configurable

The enhancement may already be reported! Please search for the enhancement before creating one.

Current Behavior:

The PR #47 introduced a functionality to redirect the browser to a protected URL. In the documentation it is stated that a wildcard needs to be used in the callback to allow multiple targets, as in:
https://dependencytrack.dev.ibmega.net/static/oidc-callback.html*

Unfortunately, we are using the Dex (https://github.com/dexidp/dex) as a provider for single sign on with our GitHub Enterprise, which does not support having wildcards in their redirectURIs configuration.

I tried to register at least the entrypoint as https://dependencytrack.dev.ibmega.net/static/oidc-callback.html?redirect=/dashboard, but that leads to a white browser page (oidc-callback.html) with a JavaScript error on the console. It would not have been practical anyway to add the whole bunch of potential redirect callbacks.

I had to roll back to frontend v1.2.0

Proposed Behavior:

Make the redirection option configurable for the frontend. When turned off, the OIDC flow should just work as in version 1.2.0 with a simple static https://dependencytrack.dev.ibmega.net/static/oidc-callback.html
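As an added example (not the frontend's own code) of how a callback page can keep a single static registered URL while still honouring an in-app redirect, the function below reads the target from the callback's query string and accepts only same-origin application paths, falling back to a fixed page otherwise. The `redirectEnabled` flag models the configuration switch proposed above; the default target and the parameter handling are assumptions.

```javascript
// Added example, not DependencyTrack code. Resolves where the OIDC callback
// page should navigate after a successful login. DEFAULT_TARGET and the
// redirectEnabled setting are assumed, not taken from the project.

const DEFAULT_TARGET = '/dashboard';            // assumed default landing page
const CALLBACK_PATH = '/static/oidc-callback.html';

// Accepts only absolute paths inside the application:
//  - a single leading "/" ("//host" is a protocol-relative external URL)
//  - no backslashes or control characters (browsers normalise "\" to "/")
//  - not the callback page itself, which would loop
//  - after URL parsing against a fixed origin, the origin must be unchanged
function isSafeAppPath(target) {
  if (typeof target !== 'string' || !target.startsWith('/')) return false;
  if (target.startsWith('//')) return false;
  if (/[\\\u0000-\u001f]/.test(target)) return false;
  if (target.startsWith(CALLBACK_PATH)) return false;
  const parsed = new URL(target, 'https://app.invalid');
  return parsed.origin === 'https://app.invalid';
}

// `search` is the callback page's query string (e.g. window.location.search).
// When the redirect feature is disabled, behave like frontend v1.2.0 and
// always go to the default page, so a plain static callback URL suffices.
function resolvePostLoginTarget(search, redirectEnabled = true) {
  if (!redirectEnabled) return DEFAULT_TARGET;
  const target = new URLSearchParams(search).get('redirect');
  if (target === null || !isSafeAppPath(target)) return DEFAULT_TARGET;
  return target;
}
```

With this approach the provider only ever needs `.../static/oidc-callback.html` registered; the in-app destination travels in the query string and is validated before use.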

Project Overview: Incorrect slope on graph

Issue Type:

  • defect report
  • enhancement request

Current Behavior:

The Project "overview" displays graphs of:

  • Project Vulnerabilities
  • Auditing Progress
  • Components

The slope of the graph for "Project Vulnerabilities" is incorrect, displaying a slope instead of step-changes. By contrast, the main DT dashboard seems to display step changes just fine.

The "Overview graph" behaviour can be seen in this screenshot, where a project had a total of some 50 vulnerabilities from 1st February (the time of project creation) to today (at least one automated BOM upload every day), and then all vulnerabilities were addressed in a single go.

The screenshot shows before and after for the merge that committed all the component updates.

project-overview

Steps to Reproduce (if defect):

  • Create a project and upload a BOM that will result in several vulnerabilities.
  • Upload a new BOM every day for a few days so that the graph consists of several horizontal trend lines (i.e., nothing fixed and nothing introduced, all other things being equal).
  • Now upload a BOM that fixes one or more vulnerabilities

Expected Behavior:

When vulnerabilities are fixed the graph should step down, not slope down.
When vulnerabilities appear (e.g. new CVE for existing component) the graph should step up, not slope up.

Environment:

  • Dependency-Track Version: 3.4.0
  • Distribution: [Executable WAR]
  • BOM Format & Version: cyclonedx-maven-plugin-1.3.1
  • Database Server: [PostgreSQL]
  • Browser: Firefox v65.0.1

Alerts: Focus Lost when Editing Field

Issue Type:

  • defect report
  • enhancement request

Current Behavior:

  • Within DT v3.4.0 UI, navigate Administration -> Alerts -> Create Alert
  • Create an alert with publisher "Email"
  • Now open up your new alert and try to edit Destination.
  • When you click in the "Destination" field, the border colour changes from yellow to blue, indicating that this field has focus. This colour change is correct.
  • If you start typing immediately and continuously, then there are no problems... you can enter the destination.
  • The defect occurs should you stop typing (ie, looking away to double-check that what is being entered is correct): after about 1 second, focus is lost and the field border changes back to yellow.

Steps to Reproduce (if defect):

See above

Expected Behavior:

Focus should not change automatically. The user should be allowed to enter their data into the field.
Perhaps this control can be provided by adding a "submit" button to the screen? This would allow the user to double-check everything that they have changed before committing anything.

Environment:

  • Dependency-Track Version: 3.4.0
  • Distribution: [Executable WAR]
  • Database Server: [PostgreSQL]
  • Browser: Firefox 66.0.2

Minor: Configurable Favicon

Current Behavior:

Dependency-Track Frontend uses the standard Dependency-Track Project logo as its favicon. This works great... except when one deploys two or more separate DT servers; then things can get a bit confusing in the browser.

One tab is for my production DT and the other is my test DT. It's not possible to tell which is which without clicking on them.

image

Proposed Behavior:

Allow a way for the favicon image to be configured. Perhaps via settings? Configuration via UI would be overkill.

First login and initial startup

Add support for changing the initial admin password on first login. See the solution in existing UI: https://github.com/DependencyTrack/dependency-track/blob/c4f469bf735731a02e57e549fa9dda89abfd8977/src/main/webapp/assets/common.js#L175-L223.

An administrative account is created on initial startup with the following credentials:

username: admin
password: admin
Upon first login, the admin user is required to change the password.

https://docs.dependencytrack.org/getting-started/initial-startup/
