msymons opened this issue 4 years ago (status: Open)
Testing using v4.0.0 Beta 2, I see that we have display of both "Analyzer" and "Attributed on" in the "Audit Vulnerabilities" tab for each project.
...and that the Analyzer link opens in a new browser tab (nice!)
However, this same info is not displayed on:

- /vulnerabilities
- /vulnerabilities/NVD/CVE-2020-27216 (in this example)

This is not just important for ease of navigation... not everyone has access to the "Audit Vulnerabilities" tab.
Retesting with 4.3.1 and thinking about things a bit more...
Bullets 1 (main vulnerability screen) and 2 (screen for vulnerability itself) are actually not applicable. That is because Attribution Date is the date that a vulnerability is attributed to a component. Thus, it is a property of the component and not the vulnerability. It might be useful to record a timestamp for vulnerabilities... I would like to know when they first impacted the portfolio. I have logged #1137 for this.
However, I think that Attribution Date should be displayed on a component's "Vulnerabilities" tab.
Current Behavior:
Dependency-Track does not provide information on the source of the data for a threat. Neither does it provide timestamps so that one can see when a threat was first identified or when it was introduced into a project.
Proposed Behavior:
1) Provide attribution information for threats, i.e., OSS Index, NPM, Internal, VulnDB, etc.
Attribution information would be useful when tracking down the source of false positives or negatives.
2) Provide timestamp information for threat identification and introduction. These timestamps are already provided in alerts... but not recorded.
Time-stamping would complement attribution info, but also help a lot with general triaging/management.