Current Behavior
As of Dependency-Track v4.10.1, Badges can only be activated globally for all projects and versions and the GETs do not require authorization.
Proposed Behavior
I'm proposing basically what @stevespringett suggested here as a future enhancement of the current badges implementation: #252 (comment):
implement a new permission to control access to the badge API. Together with Portfolio Access Control, this would allow for a convenient way to control access on a project basis.
While convenient as a feature, and allowing any downstream stakeholder to display the state of vulnerabilities and violations about a tracked project, activating badges in the current implementation opens up a hole in the security for any attacker to use with knowledge of project names or versions. That way they can fetch quite a lot of data about a project from that API that would otherwise require authorization.
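To make the proposal concrete, here is an added Python model (not code from the Dependency-Track project or from this issue) of the two authorization decisions side by side: the current global toggle, under which any caller who knows a project name and version gets the badge, and the proposed check, which requires an authenticated principal holding a dedicated badge permission and then honours Portfolio Access Control on a per-project basis. The permission name VIEW_BADGES, the Principal/Project/BadgeAuthorizer types and the sample portfolio are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical name for the proposed badge permission (assumption, not from the issue).
VIEW_BADGES = "VIEW_BADGES"


@dataclass(frozen=True)
class Project:
    name: str
    version: str
    acl_teams: frozenset          # teams granted access under Portfolio Access Control
    vulns: int                    # constructed sample count shown on the badge


@dataclass(frozen=True)
class Principal:
    name: str
    permissions: frozenset
    teams: frozenset


@dataclass
class BadgeAuthorizer:
    badges_enabled: bool          # the existing global "enable badges" toggle
    portfolio_acl_enabled: bool   # whether Portfolio Access Control is switched on
    projects: dict = field(default_factory=dict)

    def current_badge(self, principal: Optional[Principal], name: str, version: str):
        """Current behaviour: once badges are enabled globally, any caller, even an
        anonymous one, who knows a project name/version receives the badge data."""
        if not self.badges_enabled:
            return None
        project = self.projects.get((name, version))
        return None if project is None else {"vulns": project.vulns}

    def proposed_badge(self, principal: Optional[Principal], name: str, version: str):
        """Proposed behaviour: require an authenticated principal holding the badge
        permission, then apply Portfolio ACL so access is decided per project."""
        if not self.badges_enabled or principal is None:
            return None
        if VIEW_BADGES not in principal.permissions:
            return None
        project = self.projects.get((name, version))
        # An unknown project and a forbidden project get the same answer, so the
        # endpoint does not confirm which project names/versions exist.
        if project is None:
            return None
        if self.portfolio_acl_enabled and not (project.acl_teams & principal.teams):
            return None
        return {"vulns": project.vulns}


def build_sample() -> BadgeAuthorizer:
    """Constructed sample portfolio: two projects owned by different teams."""
    auth = BadgeAuthorizer(badges_enabled=True, portfolio_acl_enabled=True)
    auth.projects[("acme-app", "1.0.0")] = Project(
        "acme-app", "1.0.0", frozenset({"team-a"}), vulns=7)
    auth.projects[("internal-lib", "2.3.1")] = Project(
        "internal-lib", "2.3.1", frozenset({"team-b"}), vulns=2)
    return auth


# Constructed principals: an unauthenticated caller, a team-a member with the
# badge permission, and a team-a member without it.
ANONYMOUS = None
TEAM_A_USER = Principal("alice", frozenset({VIEW_BADGES}), frozenset({"team-a"}))
NO_PERM_USER = Principal("bob", frozenset(), frozenset({"team-a"}))

if __name__ == "__main__":
    auth = build_sample()
    print("current, anonymous:        ", auth.current_badge(ANONYMOUS, "acme-app", "1.0.0"))
    print("proposed, anonymous:       ", auth.proposed_badge(ANONYMOUS, "acme-app", "1.0.0"))
    print("proposed, alice/acme-app:  ", auth.proposed_badge(TEAM_A_USER, "acme-app", "1.0.0"))
    print("proposed, alice/internal:  ", auth.proposed_badge(TEAM_A_USER, "internal-lib", "2.3.1"))
```

The model deliberately returns the same result for a project the caller may not see and for a project that does not exist; with a per-project permission in place, that keeps the badge endpoint from doubling as a project-enumeration oracle. Switching portfolio_acl_enabled off collapses the proposed check to the permission alone, which is the portfolio-wide behaviour an administrator would get without Portfolio Access Control.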