Get the release date of components #494

Open
pachulo opened this issue Oct 31, 2019 · 4 comments
Labels: enhancement (New feature or request), in triage, p2 (Non-critical bugs, and features that help organizations to identify and reduce risk)

Comments

@pachulo

pachulo commented Oct 31, 2019

Current Behavior:

Dependency-track does not show the release date for dependencies.

Proposed Behavior:

It would be great to have a column with the release date for every component.
With this information in place, being able to also set a threshold to warn when dependencies older than X are used would also help us a lot.

I know that the information is available for packages on maven.org, in the “Updated” column. For example: https://search.maven.org/search?q=g:com.squareup.retrofit2%20AND%20a:adapter-rxjava&core=gav

And also on npmjs.org, as “Published date”. For example: https://www.npmjs.com/package/lodash

This is somehow related to #257 (comment), but I thought that it would get more visibility as a separate issue.

@pachulo pachulo added the enhancement New feature or request label Oct 31, 2019
@stevespringett
Member

This information is already being tracked for some ecosystems. Not all repos include a published date.

https://github.com/DependencyTrack/dependency-track/blob/master/src/main/java/org/dependencytrack/tasks/repositories/RepositoryMetaAnalyzerTask.java#L94

So, it would be a matter of exposing this data for the ecosystems that support it and possibly integrate this with future policy work as well.

@stevespringett stevespringett added the p2 Non-critical bugs, and features that help organizations to identify and reduce risk label Oct 31, 2019
@msymons
Member

msymons commented Oct 31, 2019

The addition of this enhancement really would open up scope for future policy work.

For instance, a component might already be running the latest version... but a policy could alert that this latest version is actually 8 years old.
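The two checks discussed in this thread (warn when the version in use is older than a threshold, and warn when even the newest published version is that old) can be prototyped against the registry metadata pachulo's post points at. The following is an added example written for this page; it is not Dependency-Track code and not the script linked later in the thread. Every payload in it is a constructed sample trimmed to the fields that matter, shaped like the Maven Central search API (`core=gav`, `timestamp` in epoch milliseconds), the npm registry (`time` map, `dist-tags.latest`) and the PyPI JSON API (`releases`, `info.version`). The rule names, the `evaluate` policy and the `NOW` date are assumptions made for illustration.

```python
"""Release dates from registry metadata, plus a dependency-age policy.

Added example for this issue thread, not Dependency-Track's own code. Payloads
are constructed samples shaped like the public registry APIs; the policy rules
('stale-version', 'stale-latest', 'unknown-release-date') are hypothetical.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# --- constructed samples (field shapes follow the real APIs, values are made up)
NPM_LODASH = json.loads("""{
  "name": "lodash", "dist-tags": {"latest": "4.17.15"},
  "time": {"created": "2012-04-23T16:37:11.912Z",
           "4.17.11": "2018-09-12T17:00:30.119Z",
           "4.17.15": "2019-07-19T02:28:46.584Z"}}""")
NPM_ABANDONED = json.loads("""{
  "name": "example-abandoned", "dist-tags": {"latest": "1.0.0"},
  "time": {"1.0.0": "2012-01-01T00:00:00.000Z"}}""")
MAVEN_RETROFIT_ADAPTER = json.loads("""{
  "response": {"numFound": 2, "docs": [
    {"g": "com.squareup.retrofit2", "a": "adapter-rxjava", "v": "2.6.2", "timestamp": 1568937600000},
    {"g": "com.squareup.retrofit2", "a": "adapter-rxjava", "v": "2.0.0", "timestamp": 1457913600000}]}}""")
PYPI_REQUESTS = json.loads("""{
  "info": {"name": "requests", "version": "2.22.0"},
  "releases": {"2.22.0": [{"upload_time_iso_8601": "2019-05-16T07:35:42.155143Z"}],
               "2.0.0":  [{"upload_time_iso_8601": "2013-09-24T18:11:06.000000Z"}]}}""")
NOW = datetime(2019, 10, 31, tzinfo=timezone.utc)  # assumed "today": the date of this issue


def _iso(ts: str) -> datetime:
    # Registries emit a trailing 'Z'; fromisoformat() needs '+00:00' before Python 3.11.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def npm_release_date(payload: dict, version: str) -> Optional[datetime]:
    """npm: the 'time' map holds one ISO 8601 publish time per published version."""
    ts = payload.get("time", {}).get(version)
    return _iso(ts) if ts else None


def maven_release_date(payload: dict, version: str) -> Optional[datetime]:
    """Maven Central search (core=gav): one doc per version, 'timestamp' in epoch ms."""
    for doc in payload.get("response", {}).get("docs", []):
        if doc.get("v") == version and "timestamp" in doc:
            return datetime.fromtimestamp(doc["timestamp"] / 1000, tz=timezone.utc)
    return None


def maven_latest_version(payload: dict) -> Optional[str]:
    docs = [d for d in payload.get("response", {}).get("docs", []) if "timestamp" in d]
    return max(docs, key=lambda d: d["timestamp"])["v"] if docs else None


def pypi_release_date(payload: dict, version: str) -> Optional[datetime]:
    """PyPI JSON API: 'releases' maps version -> uploaded files; use the earliest upload."""
    files = payload.get("releases", {}).get(version) or []
    times = [_iso(f["upload_time_iso_8601"]) for f in files if "upload_time_iso_8601" in f]
    return min(times) if times else None


# ecosystem -> (release date of a given version, name of the newest published version)
ADAPTERS = {
    "npm": (npm_release_date, lambda p: p.get("dist-tags", {}).get("latest")),
    "maven": (maven_release_date, maven_latest_version),
    "pypi": (pypi_release_date, lambda p: p.get("info", {}).get("version")),
}


@dataclass
class Component:
    name: str
    version: str
    ecosystem: str  # "npm" | "maven" | "pypi"


@dataclass
class Finding:
    component: str
    rule: str
    detail: str


def age_days(released: datetime, now: datetime = NOW) -> int:
    return (now - released).days


def evaluate(component: Component, payload: dict, max_age_days: int, now: datetime = NOW) -> list[Finding]:
    """Hypothetical age policy. A missing date is reported rather than silently passed,
    because not every repository publishes one."""
    release_of, latest_of = ADAPTERS[component.ecosystem]
    released = release_of(payload, component.version)
    if released is None:
        return [Finding(component.name, "unknown-release-date", f"no publish date for {component.version}")]
    findings: list[Finding] = []
    if age_days(released, now) > max_age_days:
        findings.append(Finding(component.name, "stale-version",
                                f"{component.version} is {age_days(released, now)} days old"))
    latest = latest_of(payload)
    latest_released = release_of(payload, latest) if latest else None
    if latest_released is not None and age_days(latest_released, now) > max_age_days:
        findings.append(Finding(component.name, "stale-latest",  # up to date, but the project looks dead
                                f"newest version {latest} is {age_days(latest_released, now)} days old"))
    return findings


if __name__ == "__main__":
    for comp, payload in [(Component("lodash", "4.17.11", "npm"), NPM_LODASH),
                          (Component("example-abandoned", "1.0.0", "npm"), NPM_ABANDONED)]:
        for f in evaluate(comp, payload, max_age_days=365):
            print(f.component, f.rule, f.detail)
```

The "stale-latest" rule is the case msymons describes: the component is on the newest release, so an "outdated version" check stays quiet, yet the newest release itself is years old. Treating that as a separate finding keeps it distinguishable from a merely lagging upgrade, and reporting "unknown-release-date" explicitly avoids the gap stevespringett notes, where an ecosystem without a published date would otherwise look compliant.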

@melba-lopez
Contributor

@msymons is this still a P2? I for one would like this feature, but too much information can overwhelm a user. So if there was a policy dashboard that could enable this view, that could help.

@an0nymisss

Hi all, I have created a Python script that addresses this issue and fetches release dates for NPM, Maven, and PyPI.
I'm currently working on adding more integrations supported by DependencyTrack.
You can check out my script here: https://github.com/an0nymisss/SBOM-Analysis-DependencyTrack
