DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

VIEW_PORTFOLIO permissions ability to download the SBOM #2295

Open webmutation opened 1 year ago

webmutation commented 1 year ago

Current Behavior

Hello. Currently, to enable users to download the SBOM, we have to grant them the PORTFOLIO_MANAGEMENT permission. This has a lot of privileges, namely the ability to delete a project, etc., that we do not want to grant to read-only viewers. They may need to download the SBOM for report purposes, but that is the only operation they require.

Proposed Behavior

Allow VIEW_PORTFOLIO to download the SBOM (enable the SBOM button to be visible).

This will allow us to enforce least privilege access principle.

msymons commented 1 year ago

VIEW_PORTFOLIO should grant permission to download the "Inventory" BOM.

VIEW_VULNERABILITY should additionally grant permission to download the "Inventory with Vulnerabilities" and "VDR" variants.