Permissions for "Download BOM" #2053

Closed
msymons opened this issue Mar 2, 2022 · 2 comments · Fixed by DependencyTrack/frontend#812
Labels
defect Something isn't working
Comments


msymons commented Mar 2, 2022

Current Behavior:

Functionality for downloading a BOM via the Front-End was introduced in v4.4.0. Even though it is query-only in its nature, it is controlled by the permission PORTFOLIO_MANAGEMENT. This is inappropriate because this permission is for "the creation, modification, and deletion of data in the portfolio".

Steps to Reproduce:

Using a Managed User, it can be confirmed by adding/removing permissions that "Download BOM" (displayed as a button on the Components tab of a project page) is enabled via PORTFOLIO_MANAGEMENT.

Expected Behavior:

The "Download BOM" button provides 3 options:

  • Inventory: should be usable via VIEW_PORTFOLIO permission
  • Inventory with Vulnerabilities: should be usable via VIEW_PORTFOLIO permission
  • Vulnerability Exploitability Exchange (VEX): should be usable via VIEW_VULNERABILITY permission

Environment:

  • Dependency-Track Version: 4.4.1
  • Client Browser: Firefox
  • Client O/S: Windows 10.

Additional Details:

I presume that a future version of DT will expand the download choices with a fourth option to download CycloneDX 1.4 "Inventory with VEX". If so, I would expect that to be covered by VIEW_VULNERABILITY.
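As an added illustration (not Dependency-Track code), the following models the gate the report describes against the one it requests, so the effect of the mismatch on a read-only user is visible. The option identifiers, the gating tables and the hypothetical fourth option are assumptions taken from the text above; the only authoritative check remains the API server's own permission test.

```javascript
// Added example, not Dependency-Track code. Permission names come from the
// issue; option identifiers and the gating tables are assumptions.

// The three options the button offers, plus the hypothetical fourth one.
const DOWNLOAD_OPTIONS = [
  "INVENTORY",
  "INVENTORY_WITH_VULNERABILITIES",
  "VEX",
  "INVENTORY_WITH_VEX",
];

// Reported behaviour: every option is gated by the write-oriented permission.
const CURRENT_GATE = Object.fromEntries(
  DOWNLOAD_OPTIONS.map((option) => [option, ["PORTFOLIO_MANAGEMENT"]])
);

// Requested behaviour: read-only downloads gated by read-only permissions.
const REQUESTED_GATE = {
  INVENTORY: ["VIEW_PORTFOLIO"],
  INVENTORY_WITH_VULNERABILITIES: ["VIEW_PORTFOLIO"],
  VEX: ["VIEW_VULNERABILITY"],
  INVENTORY_WITH_VEX: ["VIEW_VULNERABILITY"],
};

// Options a user may download under a given gate: every required
// permission of the option must be present in the user's set.
function enabledOptions(gate, userPermissions) {
  const perms = new Set(userPermissions);
  return Object.keys(gate).filter((option) =>
    gate[option].every((p) => perms.has(p))
  );
}

// For one user, which options the current gate wrongly hides (read-only
// user blocked) and which it wrongly exposes (write permission unlocking
// vulnerability data without VIEW_VULNERABILITY).
function gateDiff(userPermissions) {
  const current = new Set(enabledOptions(CURRENT_GATE, userPermissions));
  const requested = new Set(enabledOptions(REQUESTED_GATE, userPermissions));
  return {
    wronglyHidden: [...requested].filter((o) => !current.has(o)),
    wronglyExposed: [...current].filter((o) => !requested.has(o)),
  };
}

// A viewer-only user: blocked from both inventory downloads today.
console.log(gateDiff(["VIEW_PORTFOLIO"]));
```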

@nscuro nscuro transferred this issue from DependencyTrack/frontend Oct 16, 2022
@Robbilie

The API server seems to already require the VIEW_PORTFOLIO permission, just the frontend then?

https://github.com/DependencyTrack/dependency-track/blob/4.7.1/src/main/java/org/dependencytrack/resources/v1/BomResource.java#L95

I'll create a PR for that…


This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 15, 2024