DependencyTrack / frontend

Frontend UI for Dependency-Track
https://dependencytrack.org/
Apache License 2.0

Global Auditing Views #349

Open rkg-mm opened 1 year ago

rkg-mm commented 1 year ago

Current Behavior

Dependency-Track is very project oriented today, which makes sense so far for use by each project team. But it lacks features for a global Security Team, which is responsible for having an overview of all projects.

There is a "vulnerabilities" view, but as of today it lists 23.609 vulnerabilities in my case, which are ALL vulnerabilities from all imported sources, not only the ones which are found in a project. This makes sense for a specific use case: managing one's own, manually added vulnerabilities. Apart from that, it doesn't seem to be very helpful.

Proposed Behavior

A new entry should be in the main menu, which leads to a set of views relevant to a global security team (or auditing team, if you want to include responsibles for license or other policy issues as well). Name to be found, but something like "Global Auditing" would describe it well probably.

This view should host different sub-views. Some examples I came up with or saw in other requests so far:

  1. Flat list of Vulnerabilities (see https://github.com/DependencyTrack/dependency-track/issues/1770), which can help to e.g. sort by "newest" occurrence date, to go through stuff added in the last days to a project
  2. Flat list of Policy violations (also part of https://github.com/DependencyTrack/dependency-track/issues/1770), same as above, but I would separate them due to different fields and possible permissions
    • Including filters to filter for specific policies
  3. Vulnerability summary: A list of vulnerabilities currently found in all projects, grouped by vulnerability alias. Showing some vulnerability details (criticality, name, etc.) plus a count, to how many projects it applies. Clicking the entry will show a list of affected projects linking to them.
  4. A list of suppressed findings, see https://github.com/DependencyTrack/dependency-track/issues/1495
  5. More ideas or known tickets that could be included? -> Put in comments and I'll add them

Each view should have a specific permission required to see it. E.g. somebody responsible for policy violations could only be responsible for licensing issues, while not handling vulnerabilities.

Questions to solve:

  1. Will this show all projects' information (requiring a permission to see every project independent of ACL) or only projects I have access to (following ACL permissions)? Not sure how much impact the ACL checks would have on the performance here.
  2. Good name for it?

rkg-mm commented 1 year ago

Addition: Some filtering options, like filtering for projects with specific tags, or filtering for a specific project and its children, could possibly be useful too, especially if someone is using top level projects to group by department or similar

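The "Vulnerability summary" sub-view proposed above (findings across all projects grouped by vulnerability alias with an affected-project count), together with the ACL question and the tag-filter addition, boils down to one aggregation. The following is an added illustration of that aggregation over an in-memory model; it is not Dependency-Track's own code or API. The Project/Finding classes, the sample projects, the EXAMPLE-VULN-* aliases and the severity ranking are constructed placeholders. The `allowed` parameter stands in for the set of projects the caller may see under ACL (None meaning "see everything", i.e. the global-permission variant from question 1), and `tags` applies the tag filter from the follow-up comment.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed ordering; Dependency-Track's real severity scale is not modelled here.
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


@dataclass(frozen=True)
class Project:
    name: str
    tags: frozenset = frozenset()


@dataclass(frozen=True)
class Finding:
    alias: str        # vulnerability alias the finding is grouped under
    severity: str
    project: str      # name of the project the finding belongs to
    suppressed: bool = False


# Constructed sample data (placeholder names, not real vulnerabilities).
PROJECTS = {
    "billing": Project("billing", frozenset({"payments"})),
    "web": Project("web", frozenset({"frontend"})),
    "intranet": Project("intranet", frozenset({"internal"})),
}
FINDINGS = [
    Finding("EXAMPLE-VULN-1", "CRITICAL", "billing"),
    Finding("EXAMPLE-VULN-1", "CRITICAL", "web"),
    Finding("EXAMPLE-VULN-2", "HIGH", "web"),
    Finding("EXAMPLE-VULN-2", "HIGH", "intranet", suppressed=True),
    Finding("EXAMPLE-VULN-3", "MEDIUM", "intranet"),
]


def visible_projects(projects, allowed=None, tags=None):
    """Project names in scope for this caller.

    allowed: set of project names the caller may see under ACL; None means
             the caller holds a global permission and sees every project.
    tags:    optional set of tags; a project must carry at least one of them.
    """
    names = set()
    for p in projects.values():
        if allowed is not None and p.name not in allowed:
            continue
        if tags and not (p.tags & set(tags)):
            continue
        names.add(p.name)
    return names


def vuln_summary(findings, projects, allowed=None, tags=None, include_suppressed=False):
    """Group findings by alias, counting distinct affected projects in scope.

    Returns rows sorted by severity, then by affected-project count (desc),
    then alias. Suppressed findings are left out unless include_suppressed is
    set, matching the separate "suppressed findings" view idea.
    """
    scope = visible_projects(projects, allowed, tags)
    groups = defaultdict(lambda: {"severity": None, "projects": set()})
    for f in findings:
        if f.project not in scope:
            continue
        if f.suppressed and not include_suppressed:
            continue
        g = groups[f.alias]
        # Keep the most severe rating seen for the alias.
        if g["severity"] is None or SEVERITY_RANK.get(f.severity, 99) < SEVERITY_RANK.get(g["severity"], 99):
            g["severity"] = f.severity
        g["projects"].add(f.project)
    rows = [
        {"alias": alias, "severity": g["severity"],
         "count": len(g["projects"]), "projects": sorted(g["projects"])}
        for alias, g in groups.items()
    ]
    rows.sort(key=lambda r: (SEVERITY_RANK.get(r["severity"], 99), -r["count"], r["alias"]))
    return rows


if __name__ == "__main__":
    for row in vuln_summary(FINDINGS, PROJECTS):
        print(f'{row["severity"]:<9} {row["alias"]:<16} {row["count"]} project(s): {", ".join(row["projects"])}')
    print("ACL-scoped to web/intranet:",
          [(r["alias"], r["count"]) for r in vuln_summary(FINDINGS, PROJECTS, allowed={"web", "intranet"})])
    print("Tag 'internal' only:",
          [(r["alias"], r["count"]) for r in vuln_summary(FINDINGS, PROJECTS, tags={"internal"})])
```

The scoping happens once, before grouping, so the per-finding loop only does a set lookup; that is the cheap way to answer the ACL question when the caller is not global, since the expensive part (resolving which projects a user may see) is done once per request rather than once per finding.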
stgarf-sx commented 1 year ago

Very excited to see some of the work in this come to fruition @rkg-mm.

strowi commented 1 year ago

Looking forward to this! Without a global overview for policy-violations (and filter) etc. we'll have to go into each project and check, which is more than annoying.

rkg-mm commented 1 year ago

@strowi we have a basically working solution for both the vuln and audit views, we just need to find some time to fix some performance issues for big setups. I hope we can get it done soon and have it in the next version.

strowi commented 1 year ago

@rkg-mm thank you for the fast answer and the status update! Wasn't sure if the target was short or long-term. Looking forward to it. 😊