
Improved Usage of Outdated Dependency Version Identification #257

Open
msymons opened this issue Dec 14, 2018 · 2 comments
Labels
enhancement New feature or request p2 Non-critical bugs, and features that help organizations to identify and reduce risk

Comments

@msymons
Member

msymons commented Dec 14, 2018

Dependency Track has provided support for "Outdated Dependency Version Identification" since v3.1 (see #126), displaying "risk" icons in Project -> Dependencies

  • yellow warning triangle: outdated component, mouse-over text provides latest version number.
  • green warning triangle: component is up to date.

There are a couple of accessibility problems with this...

  • use of colour alone to differentiate icons can cause issues for those who are colour blind.
  • information (latest version) is hard to access without a lot of mouse-work. This impacts all users... consider a project with a couple of hundred dependencies where 100 are out of date. Also, (but I have not tested) I wonder whether usability on tablets/mobiles might be problematic.

I suggest:

  • Display latest version in a separate column.
  • Indicate when a later version addresses a threat. i.e., if one sees 2 components with threats and only 1 has a fix, then it's clear which is immediately (or easily) actionable.
  • Display this column (and fix availability) on the audit screen.
  • Display also on components screen. It's here that one can get a nice global picture and then zoom in (click on component and then on projects).

@stevespringett
Member

There already is a column for this in the dependencies table I believe. It's optional and unchecked by default.

Dependency-Track will likely never be able to identify if a specific version fixes a vulnerability. Currently NPM provides this in an unstructured way and Sonatype OSS Index doesn't yet provide this data in their feed. I've recommended to Sonatype that they add this data - they already have the inverse of this (all affected versions). The data in the NVD is just too unreliable for this to be useful. This is one area where commercial sources of vuln intel are useful.

The other UI aspects are certainly doable. This is related to #208 and #83. The feature has always been planned, just haven't gotten around to it yet.

@stevespringett stevespringett added enhancement New feature or request p2 Non-critical bugs, and features that help organizations to identify and reduce risk labels Dec 14, 2018
@pachulo

pachulo commented Jul 29, 2019

There already is a column for this in the dependencies table I believe. It's optional and unchecked by default.

I confirm that's the case; it would be great if the application remembered if it was selected so you don't have to do it every time.

I would also add to the list by @msymons this:

  • Display a column with the date of release of the dependency.

That would also give useful information IMHO.
