msymons
commented
3 months ago The publish date should be displayed as a sortable (and optional) column on the project component tab. In a project with hundreds of components, the date would be really hard to work with if the column were not sortable.
Use cases
- I already have a policy that checks for age of (say) 3 years. But how much older than 3 years are my "failing" components?
- With my existing age policy of 3 years I might have no components that breach policy. But how many are getting close?
- I know that I have a component that is 5 years old and which should be in breach of my 3 year age policy... but it is not. I need to see the publish date "known to DT" so that I have the basis for investigating.
If publish date is also available on the /components screen then another use would be:
- Component X in Project Y is in breach of age policy. Search portfolio for other occurrences of the component... are there other projects that are successfully using newer versions of the component that are not in breach of policy?
Current Behavior
Dependency-Track can retrieve the publish date for components by looking them up in external package repositories like Maven Central.
Currently, the UI only displays a small indicator if a component is not the newest available version. The UI does not currently show the components actual age.
With #398, it will be possible to define policies for component age. This will cause policy violations to be generated whenever a component exceeds a certain age, but users will not be able to see how old the respective components actually are.
Proposed Behavior
We should display the component age in the UI, given we have this information.
There should probably be a disclaimer that this date reflects when the component was last published or modified, and not necessarily when it was released. If organizations upload legacy libraries to their internal repository, the publish date we get will be misleading.
Checklist