DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

BOM_UPLOAD permission does not grant users the download BOM option #3223

Open visagansanthanam-unisys opened 10 months ago

visagansanthanam-unisys commented 10 months ago

Current Behavior

Granting a user the BOM_UPLOAD permission currently does not give them the ability to download the SBOM. Currently only the PROJECT_CREATION_UPLOAD permission grants access to download the SBOM.

Steps to Reproduce

  1. Add a user
  2. Assign the BOM_UPLOAD permission
  3. Open the project and go to the Components tab
  4. Check for the buttons 'Upload BOM' and 'Download BOM'

Expected Behavior

Both the Upload BOM and Download BOM options should be enabled.

Dependency-Track Version

4.9.1

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

Checklist

chamacs commented 7 months ago

I would like to propose that a separate "Download BOM" permission be introduced instead. Uploaded BOMs do not typically have vulnerability information, but the download BOM options allow for vuln data to come with it. We'd like to better control who has access to the more sensitive downloaded BOM files, independently from the upload BOM permission.
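The reproduction steps above exercise the UI buttons; the same upload/download asymmetry can be checked against the REST API, which is also where the "download carries vulnerability data" concern in the comment above becomes concrete. The probe below is an added example and is not Dependency-Track's own code or test suite. It assumes the documented endpoints `PUT /api/v1/bom` (upload) and `GET /api/v1/bom/cyclonedx/project/{uuid}` (download, with the `variant=withVulnerabilities` query parameter selecting the BOM that includes findings), the `X-Api-Key` header, and that an API key carrying only BOM_UPLOAD behaves like the user in the issue. The HTTP call is injectable, so the decision logic can be exercised without a running server; `http_send`, `probe_bom_access` and `classify` are names chosen here, not project APIs.

```python
"""Probe which BOM endpoints an API key can reach, to confirm the permission
behaviour described in this issue. Added example, not Dependency-Track code."""
import base64
import json
import urllib.error
import urllib.request

# Endpoint paths as documented in the Dependency-Track REST API
# (assumption: unchanged in the 4.9.x line the issue was filed against).
UPLOAD_PATH = "/api/v1/bom"
DOWNLOAD_PATH = "/api/v1/bom/cyclonedx/project/{uuid}"
# The variant that embeds vulnerability findings, i.e. the sensitive one.
DOWNLOAD_QUERY = "?format=json&variant=withVulnerabilities"

# Constructed minimal CycloneDX document used purely as an upload payload.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [],
})


def http_send(base_url, api_key, method, path, body=None):
    """Issue one request and return its HTTP status code.

    All network I/O lives here so the rest of the probe is testable offline.
    """
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url + path, data=data, method=method)
    req.add_header("X-Api-Key", api_key)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        # 401/403 are the interesting outcomes here, so report them as data.
        return err.code


def probe_bom_access(api_key, project_uuid, send=http_send,
                     base_url="http://localhost:8080"):
    """Return {'upload': status, 'download': status} for one API key.

    `send` has the signature of http_send and is injectable for testing.
    """
    upload_body = {
        "project": project_uuid,
        "bom": base64.b64encode(SAMPLE_BOM.encode()).decode(),
    }
    upload = send(base_url, api_key, "PUT", UPLOAD_PATH, upload_body)
    download = send(base_url, api_key, "GET",
                    DOWNLOAD_PATH.format(uuid=project_uuid) + DOWNLOAD_QUERY)
    return {"upload": upload, "download": download}


def _ok(status):
    return 200 <= status < 300


def classify(result):
    """Summarise a probe result as one of four access patterns.

    'upload-only' is the behaviour reported in this issue for BOM_UPLOAD;
    'both' is what the issue expects, and what the follow-up comment argues
    should instead require a separate download permission.
    """
    up, down = _ok(result["upload"]), _ok(result["download"])
    if up and down:
        return "both"
    if up:
        return "upload-only"
    if down:
        return "download-only"
    return "neither"


if __name__ == "__main__":
    import os
    import sys
    # Placeholder values: set DT_API_KEY / DT_PROJECT_UUID for a real run.
    key = os.environ.get("DT_API_KEY", "<api-key-with-BOM_UPLOAD-only>")
    project = os.environ.get("DT_PROJECT_UUID", "<project-uuid>")
    outcome = probe_bom_access(key, project)
    print(outcome, "->", classify(outcome))
    # Non-zero exit makes this usable as a regression check in CI.
    sys.exit(0 if classify(outcome) == "both" else 1)
```

Run it with an API key that carries only BOM_UPLOAD (plus whatever view permission the project itself needs) and a project UUID; an `upload-only` result reproduces the issue at the API layer, while the exit code lets the same script act as a regression check once the permission model is changed either way.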