DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Add ability to get listing of vulnerable components and the projects they are used by #415

Open chris-sansone-angi opened 4 years ago

chris-sansone-angi commented 4 years ago

Current Behavior:

Right now there is no easy way to get a listing of vulnerable components and the projects they are used by. It would likely involve lots of queries made to the /project, /finding, /dependency, /component, and /vulnerability APIs.

This is a typical use case where a new vulnerability is announced on a component/library and an organization wants to quickly analyze which projects (that use the component) need to be remediated.

Proposed Behavior:

Add a new endpoint (or modify an existing endpoint) so that the relevant data can be retrieved.

stevespringett commented 4 years ago

This seems to be the inverse of the findings API https://docs.dependencytrack.org/integrations/file-formats/

Instead of taking a project centric approach and listing out all the finding data (component, vulns, analysis), this enhancement may take the same data from the findings API and take a component centric approach.
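The component-centric inversion described above, as an added Python example that is not part of Dependency-Track or this thread: it takes per-project findings in the shape of the findings API (component / vulnerability / analysis blocks; the field names and the sample data below are assumptions) and builds an index from component to vulnerability to affected projects, dropping findings that are suppressed or analysed as not affected.

```python
# Constructed sample in the shape of Dependency-Track's per-project findings
# (component / vulnerability / analysis blocks). Field names are assumed from
# the findings API format; component names and vuln IDs are placeholders.
SAMPLE_FINDINGS = {
    "billing-api": [
        {"component": {"name": "example-lib", "version": "1.2.3", "purl": "pkg:maven/org.example/example-lib@1.2.3"},
         "vulnerability": {"vulnId": "VULN-0001", "source": "INTERNAL", "severity": "CRITICAL"},
         "analysis": {"state": "NOT_SET", "isSuppressed": False}},
    ],
    "web-frontend": [
        {"component": {"name": "example-lib", "version": "1.2.3", "purl": "pkg:maven/org.example/example-lib@1.2.3"},
         "vulnerability": {"vulnId": "VULN-0001", "source": "INTERNAL", "severity": "CRITICAL"},
         "analysis": {"state": "NOT_AFFECTED", "isSuppressed": True}},
        {"component": {"name": "other-lib", "version": "4.0.0", "purl": "pkg:npm/other-lib@4.0.0"},
         "vulnerability": {"vulnId": "VULN-0002", "source": "INTERNAL", "severity": "HIGH"},
         "analysis": {"state": "NOT_SET", "isSuppressed": False}},
    ],
    "batch-worker": [
        {"component": {"name": "example-lib", "version": "1.2.3", "purl": "pkg:maven/org.example/example-lib@1.2.3"},
         "vulnerability": {"vulnId": "VULN-0001", "source": "INTERNAL", "severity": "CRITICAL"},
         "analysis": {"state": "EXPLOITABLE", "isSuppressed": False}},
    ],
}

# Analysis states that mean "no remediation needed in this project".
RESOLVED_STATES = {"NOT_AFFECTED", "FALSE_POSITIVE"}


def invert_findings(findings_by_project, include_suppressed=False):
    """Turn project-centric findings into a component-centric index:
    {purl: {"name", "version", "vulns": {vulnId: {"severity", "projects": set}}}}.
    Suppressed findings and those analysed as NOT_AFFECTED / FALSE_POSITIVE
    are dropped unless include_suppressed is set."""
    index = {}
    for project, findings in findings_by_project.items():
        for f in findings:
            analysis = f.get("analysis") or {}
            if not include_suppressed and (analysis.get("isSuppressed")
                                           or analysis.get("state") in RESOLVED_STATES):
                continue
            comp, vuln = f["component"], f["vulnerability"]
            # Prefer the purl as key; fall back to name@version when absent.
            key = comp.get("purl") or f"{comp['name']}@{comp['version']}"
            entry = index.setdefault(key, {"name": comp["name"], "version": comp["version"], "vulns": {}})
            v = entry["vulns"].setdefault(vuln["vulnId"], {"severity": vuln.get("severity"), "projects": set()})
            v["projects"].add(project)
    return index


def projects_to_remediate(index, vuln_id):
    """Answer the triage question: which projects still need remediation for vuln_id?"""
    return sorted({p for entry in index.values()
                   for vid, v in entry["vulns"].items() if vid == vuln_id
                   for p in v["projects"]})
```

In practice the input dict would be filled by calling the findings endpoint once per project, so the whole inversion costs one request per project rather than a fan-out across the five APIs listed in the issue.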

stevespringett commented 4 years ago

Slack conversation: https://owasp.slack.com/archives/C6R3R32H4/p1565357983074900