dependencytrack / frontend
Frontend UI for Dependency-Track
Home Page: https://dependencytrack.org/
License: Apache License 2.0
Project pages should also be reachable by providing the name and version.
The project page has a URL of type /projects/{uuid}. SVG badges can be used with name and version using the URL pattern /api/v1/badge/vulns/project/{name}/{version}. In this case, it is not possible to provide a link to the project page because this would require knowledge of the uuid. If the uuid were known, the SVG badge would have been used with the uuid.
It should also be possible to reach a project page using a URL of type /projects/{name}/{version}.
The defect may already be reported! Please search for the defect before creating one.
When either accessing a link to Dependency-Track (usually links to vulnerability pages) or ctrl+clicking a link to open it in a new tab, you are asked to log in again instead of being shown the requested page (even when you have just logged in). Also, when you log in again you are not redirected to the previously requested page but to the home page instead.
This issue impacts usability of the platform, as it makes it difficult to navigate to child views or to access a specific page from a link provided by an alert or any other source where that link might have been copy-pasted or sent.
ctrl+click a vulnerability link, or open a previously generated link to a vulnerability description.
The page is loaded without needing to re-authenticate.
In case the token really is expired, it should redirect to the previously requested page instead of the home page.
Dependency-Track displays dates in a couple of different formats:
Basically, consistency; e.g., resolve:
I log this as an enhancement... perhaps the date display preference could be specified via a property? This would allow European and US users to each display dates in their preferred format.
When you discover some vuln from NVD in the DTrack interface (e.g. https://dtrack/vulnerabilities/NVD/CVE-2020-11844) there is no direct link to the NVD page (https://nvd.nist.gov/vuln/detail/CVE-2020-11844). You can only read the saved details for this vuln, so you need to search for the CVE on the web or on the NVD site.
Let's add such a link to the vuln page in the DTrack interface? The same could be done for NPM and others.
In Portfolio Access Control, when you want to add multiple projects to a specific team, you can't.
I should be able to select projects on page 1, select projects on page 2, and so on, and then confirm my selection to add multiple projects.
In a corporate environment that has deployed multiple dependency-track servers, it can sometimes be difficult to recognise that one is looking at the wrong server. Especially when the servers have been given confusingly similar FQDNs. Example:
Implement an optional banner text that can be displayed at the top of the screen in a similar way to a banner in (say) JIRA.
The banner can then be configured to read (say):
https://foo.bar.com
Note: this enhancement might be considered alongside #93 but serves a different purpose. Favicons are useful for the power user who is deliberately using two DTs at the same time. This enhancement is aimed at holding the hand of the normal user.
The files in the frontend Docker image are owned by root and the container itself runs as root. Best practice would be to change the ownership of all the files in use by the application to a non-root user, as well as let the container run as a non-root user. In the older bundled release (https://github.com/DependencyTrack/dependency-track/blob/master/src/main/docker/Dockerfile), this was achieved by chowning the files to UID/GID 1000 and running as that user.
I'm in the process of reworking the Helm charts for DT in order to support the new architecture, but the way it is right now, with root ownership of the files, I'm consistently getting permission denied as the entrypoint script wants to move config.json from /tmp/ to the app directory.
Change ownership of files and the run user in the Docker image to a non-root UID/GID for enhanced security and for compatibility with Kubernetes/OpenShift Security Contexts.
I'll create a PR with the proposed changes for review soon.
After spinning up the latest official docker-compose example, it starts normally without errors, but the login does nothing (returns 405) when I try to log in using either admin:admin or LDAP creds. I tried to spin up the compose on 2 different machines; the same happens. I've read other articles mentioning API_BASE_URL=http://localhost:8081; I tested it using various URLs and ports, including the external one, or 127.0.0.1 instead of localhost, etc. So no luck with that as well. Any suggestions?
On any machine running docker, use the official example of compose: https://github.com/DependencyTrack/dependency-track/blob/master/src/main/docker/docker-compose.yml with or without modifications.
On any machine running docker, use my custom compose :
```yaml
version: '3.9'

networks:
  dependency_track_network:

services:
  mysql-db:
    image: mysql:5.7.29
    environment:
      MYSQL_ROOT_PASSWORD: password
      MYSQL_DATABASE: dtdb
      MYSQL_ROOT_HOST: '%'
    ports:
      # Publishes MySQL on the host. The API server reaches it over the compose
      # network, so this mapping is only needed for external access.
      - "3306:3306"
    command: ['mysqld', '--sql_mode=ANSI_QUOTES,STRICT_TRANS_TABLES,ONLY_FULL_GROUP_BY,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION']
    volumes:
      - mysql-data-2:/var/lib/mysql
    restart: unless-stopped
    networks:
      - dependency_track_network

  dtrack-apiserver:
    image: dependencytrack/apiserver
    environment:
      - ALPINE_DATABASE_MODE=external
      - ALPINE_DATABASE_URL=jdbc:mysql://mysql-db:3306/dtdb?allowPublicKeyRetrieval=true&autoReconnect=true&useSSL=false
      - ALPINE_DATABASE_DRIVER=com.mysql.cj.jdbc.Driver
      - ALPINE_DATABASE_DRIVER_PATH=/extlib/mysql-connector-java-8.0.22.jar
      - ALPINE_DATABASE_USERNAME=root
      - ALPINE_DATABASE_PASSWORD=password
      - ALPINE_DATABASE_POOL_ENABLED=true
      - ALPINE_DATABASE_POOL_MAX_SIZE=10
      - ALPINE_DATABASE_POOL_IDLE_TIMEOUT=600000
      - ALPINE_DATABASE_POOL_MAX_LIFETIME=600000
      - ALPINE_LDAP_ENABLED=true
      - ALPINE_LDAP_SERVER_URL=ldap://zmail.company.com:389
      - ALPINE_LDAP_BASEDN=ou=people,dc=company,dc=com
      - ALPINE_LDAP_SECURITY_AUTH=simple
      - ALPINE_LDAP_AUTH_USERNAME_FORMAT=%s
      - ALPINE_LDAP_ATTRIBUTE_NAME=uid
      - ALPINE_LDAP_ATTRIBUTE_MAIL=mail
      - ALPINE_LDAP_USERS_SEARCH_FILTER=(&(objectClass=zimbraAccount)(uid={login}))
      - ALPINE_LDAP_USER_PROVISIONING=true
      - ALPINE_LDAP_TEAM_SYNCHRONIZATION=true
    ports:
      - '8081:8080'
    volumes:
      - dt-data-2:/data
    deploy:
      resources:
        limits:
          memory: 12288m
        reservations:
          memory: 8192m
    networks:
      - dependency_track_network
    depends_on:
      - mysql-db
    # 'restart' was listed twice for this service in the original; keys in a
    # YAML mapping must be unique, so only one copy is kept.
    restart: unless-stopped

  dtrack-frontend:
    image: dependencytrack/frontend
    depends_on:
      - dtrack-apiserver
    environment:
      # The base URL of the API server.
      # NOTE:
      # * This URL must be reachable by the browsers of your users.
      # * The frontend container itself does NOT communicate with the API server directly, it just serves static files.
      # * When deploying to dedicated servers, please use the external IP or domain of the API server.
      - API_BASE_URL=http://vm_name.domain.com:8081
      # - "OIDC_ISSUER="
      # - "OIDC_CLIENT_ID="
      # - "OIDC_SCOPE="
      # - "OIDC_FLOW="
      # - "OIDC_LOGIN_BUTTON_TEXT="
    # volumes:
    #   - "/host/path/to/config.json:/app/static/config.json"
    ports:
      - "8080:8080"
    restart: unless-stopped

volumes:
  dt-data-2:
    driver: local
    driver_opts:
      type: none
      device: /data/dt-data-2
      o: bind
  mysql-data-2:
    driver: local
    driver_opts:
      type: none
      device: /data/mysql-data-2
      o: bind
```
Login normally
After installing through docker-compose, the login page does not give any response with admin:admin.
UI does not go through each transitive dependency in the dependency data to build out a complete dependency graph, resulting in a limited depth of dependencies shown in the UI.
UI should follow each transitive dependency in the data, check if it has further dependencies, and render a complete dependency graph in the UI.
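The traversal the report asks for, as an added example that is not the frontend's own code: each component's direct dependencies are followed recursively until no further dependencies exist, with cycle detection and a depth bound so a large npm-style graph cannot recurse forever. The data shape is an assumption modelled on Dependency-Track's `directDependencies` field (a JSON string of `{"uuid": ...}` references); the component map below is constructed sample data.

```javascript
// Added example (not Dependency-Track frontend code): expand a dependency
// graph transitively instead of stopping at the first level.
//
// Assumed data shape (modelled on DT's `directDependencies`, a JSON string of
// [{"uuid": ...}] refs): a lookup from component UUID to component object.
// Constructed sample: A -> B, A -> C, B -> D, C -> D, D -> B (a cycle).
const components = {
  A: { uuid: 'A', name: 'app-lib',     directDependencies: '[{"uuid":"B"},{"uuid":"C"}]' },
  B: { uuid: 'B', name: 'http-client', directDependencies: '[{"uuid":"D"}]' },
  C: { uuid: 'C', name: 'json',        directDependencies: '[{"uuid":"D"}]' },
  D: { uuid: 'D', name: 'logging',     directDependencies: '[{"uuid":"B"}]' },
};

// Parse a directDependencies string. null, empty and malformed values are all
// treated as "no dependencies" rather than breaking the whole graph view.
function parseDirectDependencies(raw) {
  if (!raw) return [];
  try {
    const refs = JSON.parse(raw);
    return Array.isArray(refs) ? refs.map(r => r && r.uuid).filter(Boolean) : [];
  } catch (e) {
    return [];
  }
}

// Depth-first expansion. `path` holds the UUIDs on the current branch, so a
// back-edge (D -> B while B is still being expanded) becomes a `cycle: true`
// leaf instead of infinite recursion. `maxDepth` bounds the rendered tree.
function buildDependencyTree(rootUuids, lookup, maxDepth = 50) {
  function expand(uuid, path, depth) {
    const component = lookup[uuid];
    if (!component) return { uuid, missing: true, children: [] };
    if (path.has(uuid)) return { uuid, name: component.name, cycle: true, children: [] };
    if (depth >= maxDepth) return { uuid, name: component.name, truncated: true, children: [] };
    const nextPath = new Set(path).add(uuid);
    const children = parseDirectDependencies(component.directDependencies)
      .map(child => expand(child, nextPath, depth + 1));
    return { uuid, name: component.name, children };
  }
  return rootUuids.map(uuid => expand(uuid, new Set(), 0));
}

// Flatten the tree to the sorted set of every component reached transitively,
// which is the number the "complete graph" view should report.
function collectTransitive(tree) {
  const seen = new Set();
  const walk = node => {
    if (!node.missing) seen.add(node.uuid);
    node.children.forEach(walk);
  };
  tree.forEach(walk);
  return [...seen].sort();
}

// Usage: the project's own direct dependencies are the roots.
const tree = buildDependencyTree(parseDirectDependencies('[{"uuid":"A"}]'), components);
const allDependencies = collectTransitive(tree);
```

The tree keeps `cycle`, `missing` and `truncated` markers on leaf nodes so the UI can render why a branch stops rather than silently dropping it.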
Dependency-Track provides the ability to "Upload BOM" via a Project's "Components" tab.
If one clicks the "Upload" button on the dialog without first selecting a file, then DT displays a "BOM Uploaded" message and closes the dialog... even though nothing was actually uploaded (tested using v4.2.2).
The api-server log reports:
WARN [BomUploadProcessingTask] The BOM uploaded is not in a supported format.
Supported formats include CycloneDX XML and JSON
The "Upload" button on the dialog should be inactive until a file is selected.
The WAR should include the front-end code.
When adding several comments to an Audit Trail, only the first comment appears in the UI.
Expected "another comment" to appear in the Audit Trail box, but it does not. Refreshing the web page reveals that the second comment was added to the Audit Trail but was just not displayed when added.
I would also have expected the comment in the Comment box to be cleared when it is added to the Audit Trail.
The currently used base image runs as root (see line 22 of the Dockerfile at commit 53a1734, referenced above).
Use the official docker-nginx-unprivileged as base image.
1.1.0
Focus should not change automatically. The user should be allowed to enter their data into the field.
Perhaps this control can be provided by adding a "submit" button to the screen? This would allow the user to double-check everything that they have changed before committing anything.
The Dependency Graph implementation currently displays all dependencies (excepting #85) but lacks functionality that would aid using it as a tool.
Add filtering so that one can cut through the noise of a 300-component Maven project (or a 1000-component npm project!).
DT v4.1 introduced support for vulnerabilities in policy violations. In DT 4.3.1, the "Overview" tab for individual projects does not include Security Risk in the Policy Violations Breakdown chart:
This screenshot was taken from a project with 0 licence violations and 0 operational violations (i.e., those stats are correct) but which does have 2 security policy violations.
subject == SEVERITY && value IS MEDIUM
(or whatever can guarantee at least one violation)
The Policy Violations by Classification chart should include "security risk" and the number should match what you counted on the Policy Violations tab.
I am guessing that the problem relates to the code in ChartPolicyViolationBreakdown.vue that is commented out and marked TODO.
Replace static data on projects page with data fetched from API.
Each page has "Dependency-Track" as its title. Navigating through the browsing history when every page has the same title is terrible.
Unique pages should have their own page title.
Dependency-Track Frontend uses the standard Dependency-Track project logo as its favicon. This works great... except when one deploys two or more separate DT servers; then things can get a bit confusing in the browser.
One tab is for my production DT and the other is my test DT. It's not possible to tell which is which without clicking on them.
Allow a way for the favicon image to be configured. Perhaps via settings? Configuration via the UI would be overkill.
The Projects page offers the following columns:
ie, no display of policy violations
Add a sortable "Policy Violations" column to the page. This will make it easy to perform tasks such as:
Note that a simple count of total violations would include License and Operability Risk... so maybe a bit more nuance might be needed.
Should we do more validation in the client side? Currently, there aren't that many forms in the application, but they depend on server errors for validating the input. We could do more robust validation in eg. the password force reset flow (basic checking of fields having values, but also covering password re-use, password matching etc.) before even contacting the server.
The server seems to be somewhat inconsistent in how it treats errors. For example, the /v1/user/forceChangePassword route sometimes returns error code strings, but can also return plain error messages. Doing validation based on the plain error messages can be a bit tricky / brittle.
I just wanted to file an issue about this to discuss if doing more robust client side validation is something we would like to do in this project and if it's okay to add eg. form validation dependencies to achieve that.
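An added example (not project code) of what the client-side checks for the forced password-change flow could look like: the validator collects every problem at once and returns error codes rather than messages, so the UI maps codes to text and never has to string-match the server's plain-language errors. A small normalizer shows one way to treat the inconsistent server responses mentioned above. The minimum length and the username check are assumptions for illustration, not Dependency-Track's policy.

```javascript
// Added example (not Dependency-Track frontend code): client-side validation
// for the forced password change form, returning stable error codes.
const MIN_LENGTH = 12; // assumption for illustration; mirror the server policy

function validatePasswordChange({ username, currentPassword, newPassword, confirmPassword } = {}) {
  const errors = [];
  if (!username) errors.push('USERNAME_REQUIRED');
  if (!currentPassword) errors.push('CURRENT_PASSWORD_REQUIRED');
  if (!newPassword) errors.push('NEW_PASSWORD_REQUIRED');
  if (!confirmPassword) errors.push('CONFIRM_PASSWORD_REQUIRED');
  // Only compare when both values are present so a single empty field does
  // not also produce a misleading "does not match".
  if (newPassword && confirmPassword && newPassword !== confirmPassword) {
    errors.push('PASSWORDS_DO_NOT_MATCH');
  }
  if (newPassword && currentPassword && newPassword === currentPassword) {
    errors.push('PASSWORD_REUSED');
  }
  if (newPassword && newPassword.length < MIN_LENGTH) errors.push('PASSWORD_TOO_SHORT');
  if (newPassword && username && newPassword.toLowerCase().includes(username.toLowerCase())) {
    errors.push('PASSWORD_CONTAINS_USERNAME');
  }
  return errors;
}

// The server may answer with an error code string (e.g. SCREAMING_SNAKE_CASE)
// or with a plain sentence. Map both to one shape so the UI never branches on
// free text: a code is passed through, anything else becomes SERVER_MESSAGE.
function normalizeServerError(body) {
  const text = typeof body === 'string' ? body.trim() : '';
  if (/^[A-Z][A-Z0-9_]*$/.test(text)) return { code: text, message: null };
  return { code: 'SERVER_MESSAGE', message: text || 'Unknown error' };
}
```

These checks improve the form's feedback; they do not replace the server's own enforcement, which must still run on every request because the client can always be bypassed.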
https://github.com/DependencyTrack/frontend/blob/master/docker/docker-entrypoint.sh#L6 checks for a mount; this does work well with configmaps in Kubernetes. Configmaps are seen as good practice.
Could it instead simply check that the file exists, and if it does, ignore it? Also note that in the case of configmaps it is not an ordinary file, but rather a symlink:
/app/static # ls -l conf*
lrwxrwxrwx 1 root root 18 Mar 2 19:56 config.json -> ..data/config.json
/app/static # ls -l /app/static/config.json
lrwxrwxrwx 1 root root 18 Mar 2 19:56 /app/static/config.json -> ..data/config.json
/app/static # ls -l /app/static/..data
lrwxrwxrwx 1 root root 31 Mar 2 19:56 /app/static/..data -> ..2021_03_02_19_56_07.520397086
/app/static #
Steps to reproduce:
See additional button with icon and label "OpenID"
It is a typical case to use OIDC as an SSO solution, and it will be clearer to the end user to see custom text on this button, e.g. "Log in as Company employee". So it would be good to make this text configurable via the OIDC frontend config (https://docs.dependencytrack.org/getting-started/openidconnect-configuration/).
The enhancement may already be reported! Please search for the enhancement before creating one.
Currently the frontend container requires an API_BASE_URL environment variable to populate the static/config.json, which hard couples the frontend to a domain URL.
Since the frontend and apiserver can be deployed on the same domain, it would be nice if the frontend could dynamically just make a request to the domain it's hosted from. This alleviates potential CORS issues when hosted on the same domain, as browsers will default deny all other domains making requests to it.
A pattern for this I've used before is, if a base URL isn't configured, to fall back to using document.location to build the base URL.
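The fallback described above, as an added example rather than the project's own code: when `API_BASE_URL` in config.json is empty the page's own origin is used, a relative value such as `/api` is resolved against the page, and the result reports whether it is cross-origin (the case where the API server's CORS configuration matters). The `location` argument stands in for `document.location` so the function can run outside a browser; the config shape `{ API_BASE_URL }` mirrors static/config.json.

```javascript
// Added example (not Dependency-Track frontend code): resolve the API base
// URL with a same-origin fallback when config.json leaves it unset.
function resolveApiBaseUrl(config, location) {
  // `location` is document.location in the browser (assumed fields: protocol, host).
  const origin = `${location.protocol}//${location.host}`;
  const configured = ((config && config.API_BASE_URL) || '').trim();

  // Unset -> the page's own origin. Relative ("/api") -> resolved against the
  // page. Absolute -> used as given. URL() does the parsing in all three cases.
  const url = new URL(configured || '/', origin);

  // config.json is served by the frontend itself, but a non-web scheme here
  // would still be a misconfiguration worth failing loudly on.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new Error(`unsupported API_BASE_URL scheme: ${url.protocol}`);
  }

  // Strip trailing slashes so "/api/v1/..." can be appended uniformly.
  const baseUrl = url.href.replace(/\/+$/, '');
  return { baseUrl, crossOrigin: url.origin !== origin };
}
```

When `crossOrigin` is true the browser will enforce CORS on every API call, which is exactly the situation the same-origin fallback avoids.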
The frontend exposes port 8080 via HTTP.
Provide a user option to configure port 8443 via HTTPS, with a preloaded server key/cert.
When hovering the mouse pointer over any graph in Dependency-Track (the main dashboard has the most graphs), one can point at "now" (the point on the far right of any graph) and yet the tooltip data only shows info from a few days ago.
Wave your mouse pointer over any DT graph. When pointing at the right-most point on any graph, the displayed tooltip data is not current; it represents a point on the graph to the left of where your mouse is pointing.
Using Zoom (in or out) does not help.
Mouse-over should display data relevant to whatever point on the graph the mouse is hovering over.
In DT 3.7.1, creation of a new "Managed User" has password and confirm password as mandatory fields.
After a "Managed User" is created, administrators can perform the following password-related configuration for the user:
There is no option for the administrator to actually change the password. This causes a problem when the user forgets their password.
Allow administrator to change the password of a managed user. If checked, the functionality "User must change password at next login" will ensure that the user then changes the new password to something of their own choosing (and something that the administrator does not know).
The UI uses window.sessionStorage for the auth token.
It should be stored in an HTTP-only cookie (better with the Secure flag).
The Project "overview" displays graphs of:
The "Overview graph" behaviour can be seen in this screenshot, where a project had a total of some 50 vulnerabilities from 1st February (the time of project creation) to today (at least one automated BOM upload every day), and then all vulnerabilities were addressed in a single go.
The screenshot shows before and after for the merge that committed all the component updates.
When vulnerabilities are fixed, the graph should step down, not slope down.
When vulnerabilities appear (e.g. a new CVE for an existing component), the graph should step up, not slope up.
I've just launched the API server jar at localhost:8080/dtrack, and I would like to deploy the frontend in a context other than root.
When I use Apache with the frontend files in the root context and API_SERVER_URL=http://localhost:8080/dtrack, all works nicely.
But when I move the frontend files to another context it doesn't work. The frontend seems to expect files in the root context.
Is there any variable I could change to point to the new context?
There are some mentions about the place that we can install dependency track on Kubernetes, however there are no guides for this in the documentation. Any suggestions for someone new to kubernetes?
The new frontend in the latest version of dependency track is only working on Google Chrome.
When using the REST API to retrieve an analysis trail using GET /v1/analysis, there are 3 UUID parameters, the last two of which are required:
There seem to be two problems with using the vulnerability UUID.
/vulnerability/?source=NVD&vulnId=CVE-2018-8088
...but using this vulnId as the vulnerability UUID results in an HTTP 400 response with body:
[
{
"input": "CVE-2018-8088",
"message": "Vulnerability is not a valid UUID"
}
]
The second problem (more of a quibble) is that the Swagger browser extension reports that the 400 response is undocumented.
Use DT UI to choose a valid component UUID XXX that does have an audit trail for vulnerability CVE-YYYY. Use with curl, where ZZZ is a valid authentication token.
curl -X GET "https://dependency-track.card.co.uk/api/v1/analysis?component=XXX&vulnerability=CVE-YYYY" -H "accept: application/json" -H "X-Api-Key: ZZZ"
The expected behaviour depends on what the correct vulnerability UUID should be. If "CVE-2018-8088" is the correct format then this is a defect, as it does not work. If it is NOT the correct format then the expectation would just be to have some documentation.
Also, expect code 400 response to be documented in swagger.
PR #47 introduced functionality to redirect the browser to a protected URL. In the documentation it is stated that a wildcard needs to be used in the callback to allow multiple targets, as in:
https://dependencytrack.dev.ibmega.net/static/oidc-callback.html*
Unfortunately, we are using Dex (https://github.com/dexidp/dex) as the provider for single sign-on with our GitHub Enterprise, which does not support wildcards in its redirectURIs configuration.
I tried to register at least the entry point as https://dependencytrack.dev.ibmega.net/static/oidc-callback.html?redirect=/dashboard, but that leads to a white browser page (oidc-callback.html) with a JavaScript error on the console. It would not have been practical anyway to add the whole bunch of potential redirect callbacks.
I had to roll back to frontend v1.2.0.
Make the redirection option configurable for the frontend. When turned off, the OIDC flow should just work as in version 1.2.0 with a simple static https://dependencytrack.dev.ibmega.net/static/oidc-callback.html
It would be very useful to see the vulnerability status for each listed component in the Components view. Individual vulnerability status for each component provides useful insight to help remediation.
Such status was provided in an earlier version of DepTrack.
Front End works fine for a few days until suddenly it does not... displaying a blank white screen in Firefox. On digging a bit, the response seems to be HTTP 403 with no content (explaining the white screen).
Trying to access the login URL directly gives an HTTP 404.
The last time this problem occurred I checked that the last successful login was recorded 8 days prior to the "white screen" being noticed (logout is not logged) and that the last successful login was some 8 days after the server had started. As this is on a test server and I had not been playing much whilst awaiting 4.0.0 Beta 2, I wonder if the problem could possibly be related to lack of user activity.
With Dependency-Track running normally, just leave it alone for a few days. Sooner or later, the Front End will fail.
Front End is more stable after running for a few days.
Add support for changing the initial admin password on first login. See the solution in existing UI: https://github.com/DependencyTrack/dependency-track/blob/c4f469bf735731a02e57e549fa9dda89abfd8977/src/main/webapp/assets/common.js#L175-L223.
An administrative account is created on initial startup with the following credentials:
username: admin
password: admin
Upon first login, the admin user is required to change the password. https://docs.dependencytrack.org/getting-started/initial-startup/
Hello,
I would like to share with you a problem I am having on version v3.7.1.
Indeed, we have a lot of projects created and to monitor them we use the alerts by mattermost.
Unfortunately, today I wanted to create a 101st alert and it does not appear in the list on the page Notifications > Alert.
After a few checks, when creating the alert, the browser does receive a code 201 indicating the successful creation of the resource. In the database, the new alert is indeed created but does not appear in the list in the GUI.
Finally, it is a pagination problem which limits the number of items to 100.
Can't see more than 100 items in Notifications > Alert.
Create 100 items + 1. You won't see the 101st item.
See more than 100 items.
Thank you in advance,
Technoo'
The filter in the project dependencies tab does not work.
After trying to filter by Vulnerabilities, I got an empty table.
Get a filtered list of dependencies by vulnerability count.
P.S. Maybe this issue is for the backend part of Dependency-Track.
Request URL: https://dependencytrack/api/v1/dependency/projects/<project_uid>?searchText=&sortName=metrics&sortOrder=desc&pageSize=10&pageNumber=1
Request Method: GET
Status Code: 500 Server Error
Alpine images can cause some incompatibility issues due to their use of musl instead of glibc.
This ticket is to track the migration of the Dockerfile from using an Alpine base image to one based on Debian slim.
Related to DependencyTrack/dependency-track#1054
API Server: DependencyTrack/dependency-track#1090
When deep linking into a page in deptrack, you first get redirected to the login page (despite being logged in already), and then you get deposited into the overview page, rather than the deep link you were following.
Go directly to the project page.
Login is configured to use LDAP
With a totally fresh install of Dependency-Track 4.2.2, the Vulnerability page very quickly "fleshes out" to display more than 125k rows. This creates a usability issue with getting an overall view of "what is affecting me".
Provide a checkbox similar to the "Show inactive projects" checkbox displayed on the Projects screen. The checkbox would act to include/exclude all vulnerabilities that have 0 affected projects, with the suggested default being to exclude. This would reduce the displayed listing from 125k to (hopefully) a nice low number. Even if there were 1000 vulnerabilities it would still only take 10 clicks to navigate from beginning to end with the display set to 100 per page.
One use case for this suggested functionality is that it would make it possible to sort vulnerabilities by "Published" and then simply scroll down to see the most recent vulnerabilities to appear in the portfolio. Useful should notifications be unconfigured (or directed to the wrong people, etc.).
Currently the JWT token is stored in session storage, but token validity or login status is never checked on application initialization, and the authorization status defaults to false. This leads to the user having to log in at every page refresh.
App init should check for a saved JWT token and verify its validity by querying the API (for example the /v1/user/self route, or something else that every user can call). If the token exists and is valid, we should go to the requested route; otherwise we clear session storage and reroute to login.
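The init logic proposed above, as an added example that is not the frontend's own code; it also covers the two deep-link reports earlier on this page (being sent to the login page despite a valid session, and landing on the home page instead of the requested one). A saved token is rejected locally once its JWT `exp` has passed, otherwise it is confirmed through an injected `verifyWithApi` function that stands in for a request such as GET /api/v1/user/self (returning true on success). Any unauthenticated load goes to the login route with the requested path preserved, and only same-origin paths are ever used as redirect targets. The `token` storage key, the `/login` and `/dashboard` routes, and the synchronous verifier are assumptions for illustration (the real API call would be asynchronous).

```javascript
// Added example (not Dependency-Track frontend code): decide where a page load
// lands based on the saved token, preserving the requested deep link.

// Cheap local pre-check: a token whose `exp` claim has passed is dropped
// without a round trip. Buffer is used here for Node; a browser would use atob.
function jwtExpired(token, nowSeconds) {
  const parts = token.split('.');
  if (parts.length !== 3) return true;
  try {
    const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
    const payload = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
    return typeof payload.exp !== 'number' || payload.exp <= nowSeconds;
  } catch (e) {
    return true; // an unparsable token is treated as expired
  }
}

// Only same-origin absolute paths may be redirect targets; "//evil.example"
// or "https://..." would make the login page an open redirect.
function safeRedirect(path) {
  return typeof path === 'string' && /^\/(?!\/)/.test(path) ? path : '/dashboard';
}

// Run once at app init. `storage` is window.sessionStorage in the browser.
// `verifyWithApi(token)` returns true if the API accepts the token.
function resolveInitialRoute({ storage, requestedPath, verifyWithApi, now = Date.now() / 1000 }) {
  const token = storage.getItem('token');
  const valid = !!token && !jwtExpired(token, now) && verifyWithApi(token) === true;
  if (valid) return { path: safeRedirect(requestedPath) };
  storage.removeItem('token'); // never keep a token the API rejected
  return { path: '/login', query: { redirect: safeRedirect(requestedPath) } };
}

// After a successful login, return to the originally requested page.
function afterLogin(storage, token, query) {
  storage.setItem('token', token);
  return { path: safeRedirect(query && query.redirect) };
}
```

Checking `exp` locally is only an optimisation; the API call is what actually establishes that the token is still accepted (it may have been revoked or the signing key rotated), so the API result wins whenever the two disagree.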
When navigating back from a UI page to a previous page, the UI state is not remembered. Hence, where there are several tabs to be selected it does not remember the previous selection and always loads the page at the first tab; any opened audit descriptions are closed, any edits are lost and any scrolled lists are set to the top again.
This behaviour impacts usability of the UI when navigating to and from child views, as it may also cause analysis comments that are being written to be lost when accessing the vulnerability/component detailed view to get more information, if the user does not ctrl+click the link.
When performing the above mentioned steps, any UI interactions that changed the UI state are lost and the UI is set to its default state as if it had been loaded for the first time (it probably is).
Individual vulnerabilities are listed with an "Overview" tab and an "Affected Projects" tab. The latter has two columns... name and version. ie, name of project and version of project. When a vulnerability is suppressed then it is removed from this listing.
Thus, for a vulnerability that is suppressed in 60 projects we see:
Empty!
This makes it harder to "audit the auditing".
Add a column to show when an occurrence of the vulnerability has been suppressed. For consistency, this might be accompanied by the same "Show suppressed findings" checkbox as used on the project screen.
It might also be desirable to link the display of the column (and the checkbox) to the permission VULNERABILITY_ANALYSIS. This could be extended later to include VIEW_VULNERABILITY (if such is created via dependency-track/338)
When you want to add a project to a team, the list contains all projects that exist.
I don't see any point in displaying projects that are already present in the team.
I think that they should not be listed, OR the checkbox should be checked to show the user that this project was already included.