DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0
2.68k stars 577 forks

Add support for ad-hoc vulnerability scanning of BOMs #1125

Open nscuro opened 3 years ago

nscuro commented 3 years ago

Current Behavior:

In order to scan components for vulnerabilities, users have to create a project first. Projects are great for continuously scanning components, but they're too heavyweight for use cases where only a single scan is desired.

Proposed Behavior:

Dependency-Track should support ad-hoc vulnerability scanning of components in a given uploaded BOM, without creating a project for it.

This is related to #374. But instead of having to check each component individually, uploading a BOM should suffice.

msymons commented 2 years ago

This functionality would be very useful for developers that are working on feature branches, who might need a confirmation that all is looking OK before they create a PR.

I would expect that it would be possible for (say) Jenkins DT plugin to display a report in Jenkins (albeit without a link to the project in DT because the project/version would not exist).

mmishil commented 2 years ago

Today we struggle to manage scanning of multiple branches with Dependency Track, and we are obliged to suggest that teams manage several DT projects for the same repository: create at least 1 project for the production-ready branch to keep the tracked metrics stable and another one for development branches. Having multiple-branch management in a single DT project would be a valuable feature for a lot of teams :)

Delwaulle commented 1 year ago

Hi, any news on this high value-added feature? Because we're thinking more and more about building our own scripts for branch management, but it would be a shame to throw it all away if this feature is delivered soon :) Thank you!
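The ad-hoc scan requested in this issue can be approximated on today's project-centric API with a throwaway project: upload the BOM, wait for analysis, collect the findings, then delete the project. This is an added example, not code from the Dependency-Track project or from any commenter; it assumes the 4.x REST endpoints named in the comments (`/api/v1/bom`, `/api/v1/bom/token/{token}`, `/api/v1/project/lookup`, `/api/v1/finding/project/{uuid}`, `/api/v1/project/{uuid}`) and an API key allowed to upload BOMs, create and delete projects and view findings; the transport is injectable so the flow can be exercised without a server.

```python
import base64
import json
import sys
import time
import urllib.parse
import urllib.request

# Assumption: Dependency-Track 4.x REST endpoints as used below; confirm against
# your instance's /api/swagger.json before relying on them.


def http_json(base_url, api_key, method, path, body=None):
    """Minimal JSON transport over urllib; returns the parsed response body, or None if empty."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url + path, data=data, method=method,
                                 headers={"X-Api-Key": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def adhoc_scan(bom_bytes, base_url, api_key, transport=http_json,
               poll_seconds=2.0, timeout_seconds=300):
    """Scan a BOM without keeping a project: upload it to a throwaway project, wait for
    analysis, collect the findings, then delete the project (also on error).
    Returns sorted (component purl or name, vulnId, severity) triples."""
    def call(method, path, body=None):
        return transport(base_url, api_key, method, path, body)

    name, version = "adhoc-scan", f"tmp-{time.time_ns()}"  # unique throwaway project
    token = call("PUT", "/api/v1/bom", {
        "projectName": name, "projectVersion": version, "autoCreate": True,
        "bom": base64.b64encode(bom_bytes).decode()})["token"]
    query = urllib.parse.urlencode({"name": name, "version": version})
    project = call("GET", f"/api/v1/project/lookup?{query}")
    try:
        deadline = time.monotonic() + timeout_seconds
        while call("GET", f"/api/v1/bom/token/{token}")["processing"]:
            if time.monotonic() > deadline:
                raise TimeoutError("BOM analysis did not finish in time")
            time.sleep(poll_seconds)
        findings = call("GET", f"/api/v1/finding/project/{project['uuid']}")
        return sorted({(f["component"].get("purl") or f["component"]["name"],
                        f["vulnerability"]["vulnId"],
                        f["vulnerability"]["severity"]) for f in findings})
    finally:
        call("DELETE", f"/api/v1/project/{project['uuid']}")  # cleanup: nothing stays tracked


if __name__ == "__main__":  # usage: adhoc_scan.py bom.json https://dt.example.org <api-key>
    with open(sys.argv[1], "rb") as fh:
        for purl, vuln, severity in adhoc_scan(fh.read(), sys.argv[2], sys.argv[3]):
            print(f"{severity:9} {vuln:18} {purl}")
```

Findings are only as good as the analysis that has completed when polling stops, so keep the timeout generous on large BOMs rather than treating an empty result as a clean scan.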

nscuro commented 1 year ago

No definitive progress here. But we appreciate there's great interest in it, and in fact we eagerly want it too!

We have some related efforts ongoing that will lay the groundwork to enable this feature though, stay tuned 🚧

khaledgithubwl commented 1 year ago

Hello @nscuro, do you have any news regarding the branch management feature? Is it something you are planning on implementing soon? If yes, can you tell us if it will be based on the Hierarchical Project Relationship feature?

Best Regards,

calderonth commented 1 year ago

Also keen to have this feature implemented.

jeremytbrun commented 11 months ago

Would be great to see this feature!