Current Behavior
Currently, Dependency-Track's badge API functionality can be enabled or disabled with the checkbox Enable SVG Badge support (unauthenticated) under Administration > Configuration > General. By default it is disabled.
Proposed Behavior
In the current implementation, enabling badge support exposes badges to anyone with network access to the Dependency-Track API server who knows a project name and project version, without any need for authentication. Anyone can then read the vulnerability and policy summary metrics. This was implemented before ACLs existed in Dependency-Track.
DependencyTrack/dependency-track#4059 aims to put badges behind an API permission, so that access to badges can be controlled more granularly through ACLs and a dedicated permission instead of the checkbox.
If the maintainers find it acceptable to remove unauthenticated access to badges without a grace period, i.e. do not mind this being a breaking change, this enhancement aims to remove the checkbox entirely.
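As an added example (not part of the issue or of Dependency-Track's own code), the following script lets an administrator verify what the checkbox above actually exposes: it requests a project's badge endpoints without any API key and reports whether the vulnerability and policy metrics are readable anonymously. The badge URL paths are assumed from Dependency-Track's REST API and should be confirmed against the version in use; the base URL, project name and version are placeholders, and the `fetch` parameter exists so the classification logic can be exercised offline.

```python
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict

# Badge endpoint paths as assumed from Dependency-Track's REST API
# (confirm against the API documentation of the version you run).
BADGE_PATHS = (
    "/api/v1/badge/vulns/project/{name}/{version}",
    "/api/v1/badge/policy/violations/project/{name}/{version}",
)


def http_status(url: str, timeout: float = 5.0) -> int:
    """Issue an anonymous GET (deliberately no X-Api-Key header) and return the status code."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        # 401/403/404 etc. arrive as exceptions; the code is what we want.
        return exc.code


def classify(status: int) -> str:
    """Map a status code to an exposure verdict.

    200 means the badge (and thus the summary metrics) is served anonymously;
    401/403 means the server demanded credentials; anything else means the
    badge was not served (feature disabled, unknown project, or an error).
    """
    if status == 200:
        return "exposed"
    if status in (401, 403):
        return "protected"
    return f"not_served:{status}"


def audit_badge_exposure(
    base_url: str,
    name: str,
    version: str,
    fetch: Callable[[str], int] = http_status,
) -> Dict[str, str]:
    """Probe every badge endpoint for one project without credentials.

    Returns a mapping of URL path -> verdict from classify().
    """
    results: Dict[str, str] = {}
    for template in BADGE_PATHS:
        path = template.format(
            name=urllib.parse.quote(name, safe=""),
            version=urllib.parse.quote(version, safe=""),
        )
        results[path] = classify(fetch(base_url.rstrip("/") + path))
    return results


def unauthenticated_exposure(results: Dict[str, str]) -> bool:
    """True if any badge endpoint handed out metrics without authentication."""
    return any(verdict == "exposed" for verdict in results.values())


if __name__ == "__main__":
    # Placeholder arguments: python badge_audit.py https://dtrack.example.invalid my-app 1.0.0
    if len(sys.argv) != 4:
        sys.exit("usage: badge_audit.py <base_url> <project_name> <project_version>")
    findings = audit_badge_exposure(sys.argv[1], sys.argv[2], sys.argv[3])
    for path, verdict in findings.items():
        print(f"{verdict:>18}  {path}")
    if unauthenticated_exposure(findings):
        print("WARNING: badge metrics are readable without authentication")
```

A non-200 answer does not by itself say whether badge support is off or the project simply does not exist, which is why the verdict only distinguishes "served anonymously" from "credentials demanded" from "not served".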