DependencyTrack / frontend

Frontend UI for Dependency-Track
https://dependencytrack.org/
Apache License 2.0

Report Generation #401

Open twright-0x1 opened 1 year ago

twright-0x1 commented 1 year ago

Current Behavior

At the moment, it doesn't appear that the Dependency-Track UI offers users the ability to generate reports.

Proposed Behavior

It would be very useful if one could generate and export a CSV report. It would also be useful, though not necessarily a requirement, if a PDF could be exported.

Reporting at the levels of a specific project and the portfolio of all projects would be desired. The contents of the various dashboards are great, so they would presumably form the options for report metrics.

Checklist

nscuro commented 1 year ago

To be completely transparent, it is unlikely that DT will support report exports, unless someone contributes this functionality. And even then, it may be too big of a feature to maintain, considering all the different requirements users may have for reports.

Generally, all the information exposed in the UI is available via REST API. Users can pick and choose the data they need, and assemble reports in the form and design they prefer. I have also heard good things about Apache Superset, which you could hook directly into the database. I believe it supports exports, too.

rkg-mm commented 1 year ago

@nscuro How about a very basic email reporting, based on today's email templates? This could solve many people's needs with not much effort:

  1. Create a new alert publisher "Periodical email report"
  2. Create a new template for the report, some very basic example to start with (e.g. a possibility to list one project's vulnerabilities in a table in the mail, and a summary on top)
  3. Add some config option in the publisher options to define the reporting times, e.g. for monthly reports. Can use a Java scheduler syntax directly
  4. Run a scheduler for this report type, look up the projects specified in the alert (or all if none specified) and trigger an alert for each, passing a data model of all vulnerabilities and maybe also policy violations in case someone wants that, and some summary counts

That should be simple enough, doesn't need a report engine other than the already present templates, which can be adapted by users to their needs.

Possible extensions could be:

mieliespoor commented 1 year ago

Before formal reports are being provided/supported here, would it not be of more value to provide a dependency-track datasource for something like Grafana? Doing that will allow me to build my own reports in a tool like Grafana.

nscuro commented 1 year ago

@mieliespoor You may want to give https://github.com/jetstack/dependency-track-exporter a try then 😁

valentijnscholten commented 1 year ago

What I have seen from other tools is that it's very hard to provide reporting functionality that works for everyone. It might be useful to provide some instructions or examples on how people could get some reporting done "easily" using PowerBI or whatever tool.

I do still think that some basic CSV export would be useful and not too hard to maintain. Sometimes people just need to quickly send an export of all vulnerabilities in a project to a product owner or somebody who doesn't have access to DT.
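Added example (not code from this thread or from the Dependency-Track project) that joins nscuro's point that everything in the UI is reachable via the REST API with valentijnscholten's basic per-project CSV export: it pulls a project's findings from DT's `/api/v1/finding/project/{uuid}` endpoint using the `X-Api-Key` header and writes a CSV that is safe to hand to someone who will open it in a spreadsheet. Field names follow the finding objects DT returns; base URL, API key and project UUID are caller-supplied.

```python
import csv, io, json, sys, urllib.request

COLUMNS = ["component", "version", "purl", "vuln_id", "source",
           "severity", "cvss_v3", "analysis_state"]
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "INFO": 4}

def fetch_findings(base_url, api_key, project_uuid):
    """GET /api/v1/finding/project/{uuid}, authenticated via X-Api-Key."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v1/finding/project/{project_uuid}",
        headers={"X-Api-Key": api_key, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def safe_cell(value):
    """Component names originate in SBOMs, so neutralise spreadsheet
    formula prefixes before the file is opened in Excel or LibreOffice."""
    text = str(value)
    return "'" + text if text[:1] in ("=", "+", "-", "@", "\t", "\r") else text

def findings_to_rows(findings):
    """Flatten DT finding objects, drop suppressed ones, worst severity first."""
    rows = []
    for f in findings:
        comp, vuln = f.get("component", {}), f.get("vulnerability", {})
        analysis = f.get("analysis") or {}
        if analysis.get("isSuppressed"):
            continue  # triaged away in DT; keep out of the external report
        rows.append({
            "component": safe_cell(comp.get("name", "")),
            "version": safe_cell(comp.get("version", "")),
            "purl": safe_cell(comp.get("purl", "")),
            "vuln_id": safe_cell(vuln.get("vulnId", "")),
            "source": vuln.get("source", ""),
            "severity": vuln.get("severity", "UNASSIGNED"),
            "cvss_v3": vuln.get("cvssV3BaseScore", ""),
            "analysis_state": analysis.get("state", "NOT_SET")})
    return sorted(rows, key=lambda r: SEVERITY_RANK.get(r["severity"], 9))

def findings_to_csv(findings):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(findings_to_rows(findings))
    return buf.getvalue()

if __name__ == "__main__":  # usage: script.py <base_url> <api_key> <project_uuid>
    sys.stdout.write(findings_to_csv(fetch_findings(*sys.argv[1:4])))
```

The API key only needs the VIEW_PORTFOLIO and VIEW_VULNERABILITY permissions for this read-only pull, so a dedicated reporting key can be kept narrowly scoped.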