dependencytrack / dependency-track Goto Github PK

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.

Home Page: https://dependencytrack.org/

License: Apache License 2.0

Java 99.75% Shell 0.08% Dockerfile 0.09% HTML 0.01% Python 0.07%

owasp appsec security bom vulnerabilities component-analysis nvd software-security software-composition-analysis sca

dependency-track's Introduction

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Dependency-Track takes a unique and highly beneficial approach by leveraging the capabilities of Software Bill of Materials (SBOM). This approach provides capabilities that traditional Software Composition Analysis (SCA) solutions cannot achieve.

Dependency-Track monitors component usage across all versions of every application in its portfolio in order to proactively identify risk across an organization. The platform has an API-first design and is ideal for use in CI/CD environments.

Ecosystem Overview

Features

Consumes and produces CycloneDX Software Bill of Materials (SBOM)
Consumes and produces CycloneDX Vulnerability Exploitability Exchange (VEX)
Component support for:
- Applications
- Libraries
- Frameworks
- Operating systems
- Containers
- Firmware
- Files
- Hardware
- Services
Tracks component usage across every application in an organizations portfolio
Quickly identify what is affected, and where
Identifies multiple forms of risk including
- Components with known vulnerabilities
- Out-of-date components
- Modified components
- License risk
- More coming soon...
Integrates with multiple sources of vulnerability intelligence including:
- National Vulnerability Database (NVD)
- GitHub Advisories
- Sonatype OSS Index
- Snyk
- Trivy
- OSV
- VulnDB from Risk Based Security
- More coming soon.
Helps to prioritize mitigation by incorporating support for the Exploit Prediction Scoring System (EPSS)
Maintain a private vulnerability database of vulnerability components
Robust policy engine with support for global and per-project policies
- Security risk and compliance
- License risk and compliance
- Operational risk and compliance
Ecosystem agnostic with built-in repository support for:
- Cargo (Rust)
- Composer (PHP)
- Gems (Ruby)
- Hex (Erlang/Elixir)
- Maven (Java)
- NPM (Javascript)
- CPAN (Perl)
- NuGet (.NET)
- PyPI (Python)
- More coming soon.
Identifies APIs and external service components including:
- Service provider
- Endpoint URIs
- Data classification
- Directional flow of data
- Trust boundary traversal
- Authentication requirements
Includes a comprehensive auditing workflow for triaging results
Configurable notifications supporting Slack, Microsoft Teams, Mattermost, Webhooks, Webex, Email and Jira
Supports standardized SPDX license ID’s and tracks license use by component
Easy to read metrics for components, projects, and portfolio
Native support for Kenna Security, Fortify SSC, ThreadFix, and DefectDojo
API-first design facilitates easy integration with other systems
API documentation available in OpenAPI format
OAuth 2.0 + OpenID Connect (OIDC) support for single sign-on (authN/authZ)
Supports internally managed users, Active Directory/LDAP, and API Keys
Simple to install and configure. Get up and running in just a few minutes

Quickstart (Docker Compose)

# Downloads the latest Docker Compose file
curl -LO https://dependencytrack.org/docker-compose.yml

# Starts the stack using Docker Compose
docker-compose up -d

Quickstart (Docker Swarm)

# Downloads the latest Docker Compose file
curl -LO https://dependencytrack.org/docker-compose.yml

# Initializes Docker Swarm (if not previously initialized)
docker swarm init

# Starts the stack using Docker Swarm
docker stack deploy -c docker-compose.yml dtrack

Quickstart (Manual Execution)

# Pull the image from the Docker Hub OWASP repo
docker pull dependencytrack/bundled

# Creates a dedicated volume where data can be stored outside the container
docker volume create --name dependency-track

# Run the bundled container with 8GB RAM on port 8080
docker run -d -m 8192m -p 8080:8080 --name dependency-track -v dependency-track:/data dependencytrack/bundled

NOTICE: Always use official binary releases in production.

Distributions

Dependency-Track has three distribution variants. They are:

Package	Package Format	Recommended	Supported	Docker	Download
API Server	Executable WAR	✅	✅	✅	✅
Frontend	Single Page Application	✅	✅	✅	✅
Bundled	Executable WAR	❌	☑️	✅	✅

API Server

The API Server contains an embedded Jetty server and all server-side functionality, but excludes the frontend user interface. This variant is new as of Dependency-Track v4.0.

Frontend

The Frontend is the user interface that is accessible in a web browser. The Frontend is a Single Page Application (SPA) that can be deployed independently of the Dependency-Track API Server. This variant is new as of Dependency-Track v3.8.

Bundled

The Bundled variant combines the API Server and the Frontend user interface. This variant was previously referred to as the executable war and was the preferred distribution from Dependency-Track v3.0 - v3.8. This variant is supported but deprecated and will be discontinued in a future release.

Traditional

The Traditional variant combines the API Server and the Frontend user interface and must be deployed to a Servlet container. This variant is not supported, deprecated, and will be discontinued in a future release.

Deploying on Kubernetes with Helm

Refer to https://github.com/DependencyTrack/helm-charts.

Contributing

Interested in contributing to Dependency-Track? Please check CONTRIBUTING.md to see how you can help!

Resources

Website: https://dependencytrack.org/
Documentation: https://docs.dependencytrack.org/
Component Analysis: https://owasp.org/www-community/Component_Analysis

Community

Twitter: https://dependencytrack.org/twitter
YouTube: https://dependencytrack.org/youtube
Slack: https://dependencytrack.org/slack (Invite: https://dependencytrack.org/slack/invite)
Discussion (Groups.io): https://dependencytrack.org/discussion

Copyright & License

Permission to modify and redistribute is granted under the terms of the Apache License 2.0.

Dependency-Track makes use of several other open source libraries. Please see the notices file for more information.

dependency-track's People

Contributors

Stargazers

Watchers

Forkers

srimanthbk janaroj bezda rjdkolb pombredanne jhulick wjase bramp ch4cal1 nerdlife-zz gumtreeuk cptplastic konstantinshemyak schup securestep9 dchisarick pamir michaelgissingnc gitter-badger eastmadc kaato137 magnologan chubbymaggie m1a0yu3 adioss xuezs shenliehuozhi srxh1314 r00tak safe3 5up3rc zminjiao lee-0x00 sporiyano jack51706 eoftedal opt9 anandtiwarics wolfwhoami rjmarwil beerandgin ldmara slumdunking jskov-jyskebank-dk tiandiyixian mariuszkrzaczkowski vizzdoom doshyt kobalt60 dawidma seishuchen security-prince liyang-star c4nnibal mjunx iantal hxl1987 expdb2015 rrialq pixeljonas linuxshark pekramp ramos-dev wittmannj israel-romero-fijo svenlange j4ckzh0u grayguest ptriller lichnak modulexcite petermosmans daytona675 msander adaptivui mathuriga angrylogic awesome-security rezaduty a1kaid midevsec leomoot aramrami zozozoeli aamen110 richard163 benhe119 william-guowei sunyv 33ss33ss33 swarkentin sommersol cyjaysun triplekill wangjie66 victormbalves sessa93 sculeb sullis lockoncode

dependency-track's Issues

Empty screens and Connection reset error when downloading NIST CVE data

Hi, I have downloaded the v1.0 GA using link from

https://www.owasp.org/index.php/OWASP_Dependency_Track_Project

Deployed with Tomcat7. All component/vendor dropdowns are blank. Checked the logs and they say:

2017-01-07 12:14:39,363 INFO [pool-1-thread-1] [NistDataMirrorUpdater.java:111]
Downloading https://nvd.nist.gov/download/nvdcve-2007.xml.gz
2017-01-07 12:14:39,670 WARN [pool-1-thread-1] [NistDataMirrorUpdater.java:133]
An error occurred during the download or saving of NIST XML data: Connection res
et
2017-01-07 12:14:39,671 INFO [pool-1-thread-1] [NistDataMirrorUpdater.java:111]
Downloading https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2007.xml.gz
2017-01-07 12:14:39,984 WARN [pool-1-thread-1] [NistDataMirrorUpdater.java:133]
An error occurred during the download or saving of NIST XML data: Connection res
et
2017-01-07 12:14:39,984 INFO [pool-1-thread-1] [NistDataMirrorUpdater.java:111]
Downloading https://nvd.nist.gov/download/nvdcve-2008.xml.gz
2017-01-07 12:14:40,309 WARN [pool-1-thread-1] [NistDataMirrorUpdater.java:133]
An error occurred during the download or saving of NIST XML data: Connection res
et
2017-01-07 12:14:40,310 INFO [pool-1-thread-1] [NistDataMirrorUpdater.java:111]
Downloading https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2008.xml.gz
2017-01-07 12:14:40,837 WARN [pool-1-thread-1] [NistDataMirrorUpdater.java:133]
An error occurred during the download or saving of NIST XML data: Connection res
et
2017-01-07 12:14:40,838 INFO [pool-1-thread-1] [NistDataMirrorUpdater.java:111]
Downloading https://nvd.nist.gov/download/nvdcve-2009.xml.gz
2017-01-07 12:14:41,325 WARN [pool-1-thread-1] [NistDataMirrorUpdater.java:133]
An error occurred during the download or saving of NIST XML data: Connection res
et

There is no issue when downloading the files using curl/wget (e.g. Internet connection is fine!)

Add ability to import dependencies

It would be a really useful feature to be able to import dependencies via an XML file. These could be XML files generated by OWASP Dependency Check as well as some other generic format. This would be helpful to automate the tracking of dependencies in one's system.

Allow Hierarchical Library/Application model

Where I work we maintain both applications and libraries with which we wish to maintain info on CVE's. At the moment DT has two hard and fast categories of things: libraries and applications. I'd like to see these two concepts harmonised into a tree of artifacts (not unlike maven's model of the world). That way I can get reports on vulerabilities on libraries, applications or even subsystems comprising several applications.
What are currently classed as 'Applications' in DT would simply become "artifacts of interest" which could then be reported upon. What constitutes an artifact of interest could either be flagged or rule-based. ie I'm interested in reported on any com.mycompany artifact.
This would allow more complicated suites or hardware/software combinations to be more intuitively managed

Components page doesnt work

I started dtrack with mvn clean package and then java -jar dtrack.war and was able to create an application with version. If I press the Components link, the page says Generic Error Message. the log shows :

javax.el.PropertyNotFoundException: The class 'java.lang.String' does not have t
he property 'licensename'.
at javax.el.BeanELResolver.getBeanProperty(BeanELResolver.java:730) ~[ja

Add tracking of EOS/EOL to library versions

Add the ability to track End-of-support / End-of-life of library versions. Additionally, add an option to report or sort on library versions that are EOS/EOL.

Could not resolve placeholder 'pom.version' in string value "${pom.version}"

I've downloaded Dependency Tracker via:

git clone https://github.com/stevespringett/dependency-track.git

After that I've started the application with:

mvn spring-boot:run

Build seems to be successful. I have not modified anything. But after I've logged in as admin:admin I always get this exception:

java.lang.IllegalArgumentException: Could not resolve placeholder 'pom.version' in string value "${pom.version}"

Also the webserver gives me an 500 error message and the execution of the application is canceled.

Full Stacktrace:

16:22:00.642 [http-nio-8080-exec-2] INFO o.o.d.c.LoginController - Login successful: admin
2016-04-07 16:22:01.479 ERROR 3112 --- [nio-8080-exec-3] o.a.c.c.C.[.[localhost].[/dtrack].[jsp] : Servlet.service() for servlet jsp threw exception

java.lang.IllegalArgumentException: Could not resolve placeholder 'pom.version' in string value "${pom.version}"
at org.springframework.util.PropertyPlaceholderHelper.parseStringValue(PropertyPlaceholderHelper.java:174) ~[spring-core-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.util.PropertyPlaceholderHelper.replacePlaceholders(PropertyPlaceholderHelper.java:126) ~[spring-core-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.core.env.AbstractPropertyResolver.doResolvePlaceholders(AbstractPropertyResolver.java:204) ~[spring-core-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.core.env.AbstractPropertyResolver.resolveRequiredPlaceholders(AbstractPropertyResolver.java:178) ~[spring-core-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.core.env.AbstractPropertyResolver.resolveNestedPlaceholders(AbstractPropertyResolver.java:195) ~[spring-core-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.core.env.PropertySourcesPropertyResolver.getProperty(PropertySourcesPropertyResolver.java:87) ~[spring-core-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.core.env.PropertySourcesPropertyResolver.getProperty(PropertySourcesPropertyResolver.java:60) ~[spring-core-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.core.env.AbstractEnvironment.getProperty(AbstractEnvironment.java:531) ~[spring-core-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_66-internal]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_66-internal]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_66-internal]
at java.lang.reflect.Method.invoke(Method.java:497) ~[na:1.8.0_66-internal]
at org.springframework.expression.spel.support.ReflectiveMethodExecutor.execute(ReflectiveMethodExecutor.java:113) ~[spring-expression-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:129) ~[spring-expression-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.expression.spel.ast.MethodReference.access$000(MethodReference.java:49) ~[spring-expression-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.expression.spel.ast.MethodReference$MethodValueRef.getValue(MethodReference.java:342) ~[spring-expression-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:88) ~[spring-expression-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.expression.spel.ast.SpelNodeImpl.getValue(SpelNodeImpl.java:120) ~[spring-expression-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:242) ~[spring-expression-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.web.servlet.tags.EvalTag.doEndTag(EvalTag.java:116) ~[spring-webmvc-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.apache.jsp.WEB_002dINF.views.templates.footer_jsp._jspx_meth_spring_005feval_005f1(footer_jsp.java:214) ~[na:na]
at org.apache.jsp.WEB_002dINF.views.templates.footer_jsp._jspService(footer_jsp.java:138) ~[na:na]
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) [tomcat-embed-jasper-8.0.32.jar:8.0.32]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [javax.servlet-api-3.1.0.jar:3.1.0]
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:438) [tomcat-embed-jasper-8.0.32.jar:8.0.32]
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:396) [tomcat-embed-jasper-8.0.32.jar:8.0.32]
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:340) [tomcat-embed-jasper-8.0.32.jar:8.0.32]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [javax.servlet-api-3.1.0.jar:3.1.0]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) [spring-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:112) [shiro-web-1.2.3.jar:1.2.3]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) [spring-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) [spring-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) [spring-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) [spring-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) [spring-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) [spring-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:720) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:584) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:523) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.jasper.runtime.JspRuntimeLibrary.include(JspRuntimeLibrary.java:935) [tomcat-embed-jasper-8.0.32.jar:8.0.32]
at org.apache.jsp.WEB_002dINF.views.templates.page_jsp._jspService(page_jsp.java:303) [dtrack/:na]
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) [tomcat-embed-jasper-8.0.32.jar:8.0.32]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [javax.servlet-api-3.1.0.jar:3.1.0]
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:438) [tomcat-embed-jasper-8.0.32.jar:8.0.32]
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:396) [tomcat-embed-jasper-8.0.32.jar:8.0.32]
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:340) [tomcat-embed-jasper-8.0.32.jar:8.0.32]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [javax.servlet-api-3.1.0.jar:3.1.0]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) [spring-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:112) [shiro-web-1.2.3.jar:1.2.3]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) [spring-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) [spring-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) [spring-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) [spring-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) [spring-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) [spring-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:720) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:584) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:523) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.jasper.runtime.JspRuntimeLibrary.include(JspRuntimeLibrary.java:935) [tomcat-embed-jasper-8.0.32.jar:8.0.32]
at org.apache.jsp.WEB_002dINF.views.dashboardPage_jsp._jspService(dashboardPage_jsp.java:137) [dtrack/:na]
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) [tomcat-embed-jasper-8.0.32.jar:8.0.32]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [javax.servlet-api-3.1.0.jar:3.1.0]
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:438) [tomcat-embed-jasper-8.0.32.jar:8.0.32]
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:396) [tomcat-embed-jasper-8.0.32.jar:8.0.32]
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:340) [tomcat-embed-jasper-8.0.32.jar:8.0.32]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [javax.servlet-api-3.1.0.jar:3.1.0]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) [tomcat-embed-websocket-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) [spring-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:112) [shiro-web-1.2.3.jar:1.2.3]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) [spring-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) [spring-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) [spring-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) [spring-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) [spring-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) [spring-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:720) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:466) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:391) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:318) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.springframework.web.servlet.view.InternalResourceView.renderMergedOutputModel(InternalResourceView.java:168) [spring-webmvc-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.web.servlet.view.AbstractView.render(AbstractView.java:303) [spring-webmvc-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1244) [spring-webmvc-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.web.servlet.DispatcherServlet.processDispatchResult(DispatcherServlet.java:1027) [spring-webmvc-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:971) [spring-webmvc-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893) [spring-webmvc-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970) [spring-webmvc-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861) [spring-webmvc-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:687) [javax.servlet-api-3.1.0.jar:3.1.0]
at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846) [spring-webmvc-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [javax.servlet-api-3.1.0.jar:3.1.0]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) [tomcat-embed-websocket-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.springframework.boot.actuate.autoconfigure.EndpointWebMvcAutoConfiguration$ApplicationContextHeaderFilter.doFilterInternal(EndpointWebMvcAutoConfiguration.java:242) [spring-boot-actuator-1.3.0.RELEASE.jar:1.3.0.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61) [shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108) [shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137) [shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125) [shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66) [shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449) [shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365) [shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90) [shiro-core-1.2.3.jar:1.2.3]
at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83) [shiro-core-1.2.3.jar:1.2.3]
at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383) [shiro-core-1.2.3.jar:1.2.3]
at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362) [shiro-web-1.2.3.jar:1.2.3]
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125) [shiro-web-1.2.3.jar:1.2.3]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.springframework.boot.actuate.trace.WebRequestTraceFilter.doFilterInternal(WebRequestTraceFilter.java:111) [spring-boot-actuator-1.3.0.RELEASE.jar:1.3.0.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99) [spring-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:87) [spring-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77) [spring-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121) [spring-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.springframework.boot.actuate.autoconfigure.MetricsFilter.doFilterInternal(MetricsFilter.java:103) [spring-boot-actuator-1.3.0.RELEASE.jar:1.3.0.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.3.RELEASE.jar:4.2.3.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:522) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1095) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:672) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500) [tomcat-embed-core-8.0.32.jar:8.0.32]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456) [tomcat-embed-core-8.0.32.jar:8.0.32]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_66-internal]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_66-internal]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.0.32.jar:8.0.32]
at java.lang.Thread.run(Thread.java:745) [na:1.8.0_66-internal]

Enhanced Dashboard

In previous releases, the dashboard was a simple line chart displaying the total number of high, medium, and low vulnerabilities over time. An enhanced dashboard should display:

Top (x) CVEs affecting projects
Top (x) CWEs affecting projects
Best performing projects by IRS
Least performing projects by IRS
Most at risk components
IRS per project over time
H/M/L per project over time

The initial version of the dashboard will not be configurable, rather a means to collect, retrieve, organize, and present the data in meaningful ways.

Add RBAC

System needs to have three roles for the next release: VIEWER, EDITOR, ADMIN.

Make sign-up link on login page optional

This 'feature' should be optional, but only after which point that an admin panel (with user management capabilities) is provided.

dependency-check

Hi,

dev-03 branch uses older version of dependency-check plugin. While using dependency-track it will be good to set maven local repository to get the benefit of dependency-check remote nexus analyzer.
company : groupId
artifact: artifactId
version: version

This way Sha1 will be gathered from file system.

Kind Regards
Pamir

Missing javascript assets

When trying to run 3.0-dev branch, the login page gets blank.
Checking browser developer tools, there are two files with 404 HTTP status.

/assets/functions.js
/assets/bind.min.js

I tried two approaches, with same results:

deploying to a fresh tomcat instance
running through docker

Those files aren't available in the repository.

Adding new vulnerabilities

Since the dependency check look for vulnerabilities in the NVD, I think it could be interesting to be able to add vulnerabilities through another mechanism.
I can figure out that adding another database to look for vulnerabilities there is not in the scope of this project, however, adding the possibility to add new vulnerabilities manually could be interesting.
What do you think about this idea, and which is, in your opinion, the best approach?

I would be interested in contributing to this new feature.

Dynamic report is not adding MD5/SHA1 correctly

I've noticed that the dynamic report created by the dependency-track does not correctly add the SHA1 and MD5 of the dependency. It adds the "libraryVersion.getUndashedUuid()" since, the libraryVersion.getSha1() is null.
I've realized about this issue when trying to suppress some vulnerabilities, because copying the suppression code into the supression.xml file cause a problem when parsing this xml (libraryVersion.getUndashedUuid() does not have 40 characters as SHA1 requests).

I've solved this updating the performAnalysis method in the DependencyCheckAnalysis class. You can see the code below:

for (LibraryVersion libraryVersion : libraryVersions) {
            final Library library = libraryVersion.getLibrary();
            final Dependency dependency =
                new Dependency(new File(FileUtils.getBitBucket()));

            final License license = library.getLicense();
            if (license != null) {
                dependency.setLicense(library.getLicense()
                    .getLicensename());
            }
            dependency.setDescription(String.valueOf(libraryVersion
                .getId()));
            dependency.getVendorEvidence().addEvidence("dependency-track",
                "vendor", library.getLibraryVendor().getVendor(),
                Confidence.HIGHEST);
            dependency.getProductEvidence().addEvidence(
                "dependency-track", "name", library.getLibraryname(),
                Confidence.HIGHEST);
            dependency.getVersionEvidence().addEvidence(
                "dependency-track", "version",
                libraryVersion.getLibraryversion(), Confidence.HIGHEST);

            // Adding the SHA1 and MD5 of the dependency (Update)
            libraryVersion.setSha1(dependency.getSha1sum());
            libraryVersion.setMd5(dependency.getMd5sum());


            dependencies.add(dependency);

        }

Surely this is not the best solution, since it does not work well when a new dependency is added, but it works well with dependencies added before.

Vendor list is empty when adding a component

When I attempt to add new component, I see no vendors in the dropdown vendor list. I can add my "own vendor" ("test-vendor" in the screenshot).

appHome/log/dependency-track.log contains no errors. All NIST CVE files are successfully downloaded.

Add metadata registry

Need to support a md5, sha1, sha256 hash database consisting of hashes and component information.

Registry should be a combination of user editable within the UI (or via REST), as well as provide metadata replicated from Maven Central and potentially other repositories (npm).

Refer to:
https://repo1.maven.org/maven2/.index/
https://github.com/apache/maven-indexer

<dependency>
    <groupId>org.sonatype.nexus</groupId>
    <artifactId>nexus-indexer</artifactId>
    <version>3.0.4</version>
</dependency>

Database should be searchable via UI as well as a REST service that accepts hashes as input and provides component metadata in response.

To compliment service, an analyzer needs to be created for Dependency-Check.

Add update password function

Like the ability to update password, etc

Dashboard / vulnerability visibility

Provide a dashboard that provides at-a-glance visibility into the use of libraries containing vulnerable libraries across multiple applications and versions.

Feature should provide quick insight into to most at-risk applications (and versions of an applicaiton).

Vulnerability count doesn't account for suppressed findings

Hi, I've installed the prebuilt WAR under apache-tomcat-8.0.33 on Windows 10 and everything looks okay, but when I try to add a dependency to my project or add a component I don't get any entries in the dropdowns.

default login seems not to work

I installed dependency track in a tomcat7 environment running on ubuntu and also get the login screen but the default login credentials admin/admin do not work (athentication failure invalid username or password)

IE doesn't work

Modals in IE 10 do not work properly. Pre-populated drop-downs from Modals in IE 11 do not work properly. Many cosmetic UI issues including spacing and alignment also exist only in IE.

There are no immediate plans to support IE. IE 11 changed it's user agent (it no longer identifies itself as MSIE) without actually fixing many of the necessary workarounds required to support IE. As a result, there are no plans to support IE 11. Additionally, it doesn't make sense to support older versions of IE (9/10) without supporting newer (11) versions.

Support for Microsoft's Edge browser is planned.

Add configurable password policy

NPE thrown on first request

Hello,

Tried to run dtrack last week and now, today, but still can't get it to work. Am I doing something wrong, need to specify some configuration, etc? I've compiled dtrack from latest sources, and tried both with winstone and jetty. But it always ends with NPE thrown on first request, i.e, accessing http://localhost:8080/. It redirects to /login and returns this error:

HTTP ERROR 500

Problem accessing /login. Reason:

    Server Error
Caused by:

org.apache.jasper.JasperException: java.lang.NullPointerException
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:440)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:473)
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:377)
    at org.eclipse.jetty.jsp.JettyJspServlet.service(JettyJspServlet.java:103)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:800)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1669)
    at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:112)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:595)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.Dispatcher.forward(Dispatcher.java:191)
    at org.eclipse.jetty.server.Dispatcher.forward(Dispatcher.java:72)
    at org.springframework.web.servlet.view.InternalResourceView.renderMergedOutputModel(InternalResourceView.java:238)
    at org.springframework.web.servlet.view.AbstractView.render(AbstractView.java:264)
    at org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1201)
    at org.springframework.web.servlet.DispatcherServlet.processDispatchResult(DispatcherServlet.java:986)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:933)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:851)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:953)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:844)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:829)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:800)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1669)
    at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
    at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
    at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
    at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
    at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
    at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
    at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
    at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
    at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
    at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
    at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
    at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    at org.eclipse.jetty.server.Server.handle(Server.java:497)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:245)
    at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.NullPointerException
    at org.apache.jsp.WEB_002dINF.views.loginPage_jsp._jspx_meth_c_if_0(loginPage_jsp.java:379)
    at org.apache.jsp.WEB_002dINF.views.loginPage_jsp._jspService(loginPage_jsp.java:134)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:111)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:411)
    ... 68 more
Caused by:

java.lang.NullPointerException
    at org.apache.jsp.WEB_002dINF.views.loginPage_jsp._jspx_meth_c_if_0(loginPage_jsp.java:379)
    at org.apache.jsp.WEB_002dINF.views.loginPage_jsp._jspService(loginPage_jsp.java:134)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:111)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:411)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:473)
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:377)
    at org.eclipse.jetty.jsp.JettyJspServlet.service(JettyJspServlet.java:103)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:800)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1669)
    at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:112)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:595)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.Dispatcher.forward(Dispatcher.java:191)
    at org.eclipse.jetty.server.Dispatcher.forward(Dispatcher.java:72)
    at org.springframework.web.servlet.view.InternalResourceView.renderMergedOutputModel(InternalResourceView.java:238)
    at org.springframework.web.servlet.view.AbstractView.render(AbstractView.java:264)
    at org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1201)
    at org.springframework.web.servlet.DispatcherServlet.processDispatchResult(DispatcherServlet.java:986)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:933)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:851)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:953)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:844)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:829)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:800)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1669)
    at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
    at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
    at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
    at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
    at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
    at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
    at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
    at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
    at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
    at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
    at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
    at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    at org.eclipse.jetty.server.Server.handle(Server.java:497)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:245)
    at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
    at java.lang.Thread.run(Thread.java:745)

Add NVD data model and update mirroring

Dependency-Track already supports mirroring of the NVD data feeds.

The NVD feeds will soon be updated to support CVSSv3 as well as be available in JSON format. Per contact with NVD, beta feeds are expected at the end of April 2017 or beginning of May 2017. The feeds are subject to change.

DT needs to be able to:

Support CVSSv3 and optionally CVSSv2
Enhance the existing mirroring capability to mirror the new format
Use the mirrored data to import the entire NVD into the DT database.
Ensure the NVD data gets updated

By doing this, DT will have a complete mirror of the NVD allowing users to search for vulns. If the CVE is found, all relevant data will be displayed, as well as any tracked components or projects that may be affected by the CVE.

Plus sign is not allowed in component names

...this does not let to enter components such as, for example, xerces-c++. As a workaround, it can be entered, and is showing, as xerces-c%2b%2b.

docker image

please create a Docker image with the dependency-track deployed

Add license resolution

Now that SPDX has been implemented (#48) and hundreds of open source licenses are part of Dependency-Track, it should be possible to automatically resolve the licenses for some of the components.

DC reports may include the SPDX license ID, the name of the license, or the license URL as evidence. It will be possible to resolve the licenses in these cases.

It would also be possible to add a basic rule engine that could come with pre-configured rules (as well as user-definable ones) that if the rules are matched, a particular license would be resolved. Example: if evidence contains groupId and groupId = 'org.apache', then resolve the Apache 2.0 license. Or if filename equals commons-io-* then resolve Apache 2.0 license.

uuid column

in 3.0-dev branch

After enhancing with datanucleus tomcat gets the exception below

SEVERE: Error thrown executing ALTER TABLE LICENSE ADD COLUMN UUID VARCHAR(36) NOT NULL : NULL not allowed for column "UUID"; SQL statement:
ALTER TABLE LICENSE ADD COLUMN UUID VARCHAR(36) NOT NULL [23502-176]
org.h2.jdbc.JdbcSQLException: NULL not allowed for column "UUID"; SQL statement:
ALTER TABLE LICENSE ADD COLUMN UUID VARCHAR(36) NOT NULL [23502-176]
at org.h2.message.DbException.getJdbcSQLException(DbException.java:344)
at org.h2.message.DbException.get(DbException.java:178)
at org.h2.message.DbException.get(DbException.java:154)
at org.h2.table.Column.validateConvertUpdateSequence(Column.java:308)
at org.h2.table.Table.validateConvertUpdateSequence(Table.java:726)
at org.h2.command.dml.Insert.addRow(Insert.java:196)
at org.h2.command.dml.Select.queryFlat(Select.java:545)
at org.h2.command.dml.Select.queryWithoutCache(Select.java:646)
at org.h2.command.dml.Query.query(Query.java:323)
at org.h2.command.dml.Insert.insertRows(Insert.java:168)
at org.h2.command.dml.Insert.update(Insert.java:115)
at org.h2.command.ddl.CreateTable.update(CreateTable.java:184)
at org.h2.command.ddl.AlterTableAlterColumn.execute(AlterTableAlterColumn.java:448)
at org.h2.command.ddl.AlterTableAlterColumn.cloneTableStructure(AlterTableAlterColumn.java:348)
at org.h2.command.ddl.AlterTableAlterColumn.copyData(AlterTableAlterColumn.java:226)
at org.h2.command.ddl.AlterTableAlterColumn.update(AlterTableAlterColumn.java:158)
at org.h2.command.CommandContainer.update(CommandContainer.java:79)
at org.h2.command.Command.executeUpdate(Command.java:254)
at org.h2.jdbc.JdbcStatement.executeInternal(JdbcStatement.java:186)
at org.h2.jdbc.JdbcStatement.execute(JdbcStatement.java:160)
at org.apache.commons.dbcp.DelegatingStatement.execute(DelegatingStatement.java:264)
at org.apache.commons.dbcp.DelegatingStatement.execute(DelegatingStatement.java:264)
at org.datanucleus.store.rdbms.table.AbstractTable.executeDdlStatement(AbstractTable.java:879)
at org.datanucleus.store.rdbms.table.AbstractTable.executeDdlStatementList(AbstractTable.java:830)
at org.datanucleus.store.rdbms.table.TableImpl.validateColumns(TableImpl.java:257)
at org.datanucleus.store.rdbms.RDBMSStoreManager$ClassAdder.performTablesValidation(RDBMSStoreManager.java:3398)
at org.datanucleus.store.rdbms.RDBMSStoreManager$ClassAdder.run(RDBMSStoreManager.java:2896)
at org.datanucleus.store.rdbms.AbstractSchemaTransaction.execute(AbstractSchemaTransaction.java:119)
at org.datanucleus.store.rdbms.RDBMSStoreManager.createSchemaForClasses(RDBMSStoreManager.java:3877)
at org.datanucleus.store.schema.SchemaTool.createSchemaForClasses(SchemaTool.java:499)
at org.datanucleus.PersistenceNucleusContextImpl.initialiseSchema(PersistenceNucleusContextImpl.java:953)
at org.datanucleus.PersistenceNucleusContextImpl.initialise(PersistenceNucleusContextImpl.java:481)
at org.datanucleus.api.jdo.JDOPersistenceManagerFactory.freezeConfiguration(JDOPersistenceManagerFactory.java:842)
at org.datanucleus.api.jdo.JDOPersistenceManagerFactory.createPersistenceManagerFactory(JDOPersistenceManagerFactory.java:333)
at org.datanucleus.api.jdo.JDOPersistenceManagerFactory.getPersistenceManagerFactory(JDOPersistenceManagerFactory.java:212)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)

Add Dependency-Track remote importer for ThreadFix

This is a placeholder/reminder to create a remote importer for ThreadFix so that it can pull in vulnerability information from Dependency-Track via it's APIs.

Update Dependency-Check to use Dependency-Track metadata as the sole source of evidence

A change may be required in Dependency-Check to make this possible.

Installation instructions

I'm trying to get Dependency Track running, but I don't know how to properly setup a user with admin rights. I used the signup link on the login page, but the created user apparently isn't allowed to create applications, etc.

Could you please provide some instructions regarding a working setup?

P.S.: I'm using the latest snapshot version, i.e. HEAD.

Add smart search

Add smart search functionality that can retrieve results based on multiple categories including:

Project
Component
Vulnerability
License

This functionality will require a server-side index (Lucene) along with a REST resource that can process requests.

The following will be indexed:

Project: name, version, properties, description
Component: name, group, version, sha1, description
Vulnerability: vulnId, description
License: name, licenseId

A list of results (separated by category) will be displayed and clicking on a result will take you to the individual project, component, vulnerability, or license.

3.0-Dev branch failure on launch

I recognize that 3.0 is a dev branch, so you may be aware of this failure already, but I just cloned the repo, ran mvn package, then deployed the WAR to a Tomcat server. Here are the resulting stacktraces I received:

01-Feb-2017 23:03:32.187 SEVERE [localhost-startStop-1] org.apache.catalina.core.StandardContext.listenerStart Exception sending context initialized event to listener instance of class org.owasp.dependencytrack.persistence.LocalPersistenceManagerFactory
 javax.jdo.JDOFatalUserException: A property named javax.jdo.PersistenceManagerFactoryClass must be specified, or a jar file with a META-INF/services/javax.jdo.PersistenceManagerFactory entry must be in the classpath, or a property named javax.jdo.option.PersistenceUnitName must be specified.
	at javax.jdo.JDOHelper.getPersistenceManagerFactory(JDOHelper.java:866)
	at javax.jdo.JDOHelper.getPersistenceManagerFactory(JDOHelper.java:1104)
	at javax.jdo.JDOHelper.getPersistenceManagerFactory(JDOHelper.java:924)
	at org.owasp.dependencytrack.persistence.LocalPersistenceManagerFactory.contextInitialized(LocalPersistenceManagerFactory.java:52)
	at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4720)
	at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5154)
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
	at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725)
	at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:701)
	at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:714)
	at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:917)
	at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1701)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)
NestedThrowablesStackTrace:
javax.jdo.JDOFatalDataStoreException: Connection is broken: "java.net.ConnectException: Connection refused (Connection refused): localhost" [90067-176]
	at org.datanucleus.api.jdo.NucleusJDOHelper.getJDOExceptionForNucleusException(NucleusJDOHelper.java:529)
	at org.datanucleus.api.jdo.JDOPersistenceManagerFactory.freezeConfiguration(JDOPersistenceManagerFactory.java:855)
	at org.datanucleus.api.jdo.JDOPersistenceManagerFactory.createPersistenceManagerFactory(JDOPersistenceManagerFactory.java:333)
	at org.datanucleus.api.jdo.JDOPersistenceManagerFactory.getPersistenceManagerFactory(JDOPersistenceManagerFactory.java:212)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at javax.jdo.JDOHelper$16.run(JDOHelper.java:1970)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.jdo.JDOHelper.invoke(JDOHelper.java:1965)
	at javax.jdo.JDOHelper.invokeGetPersistenceManagerFactoryOnImplementation(JDOHelper.java:1171)
	at javax.jdo.JDOHelper.getPersistenceManagerFactory(JDOHelper.java:849)
	at javax.jdo.JDOHelper.getPersistenceManagerFactory(JDOHelper.java:1104)
	at javax.jdo.JDOHelper.getPersistenceManagerFactory(JDOHelper.java:924)
	at org.owasp.dependencytrack.persistence.LocalPersistenceManagerFactory.contextInitialized(LocalPersistenceManagerFactory.java:52)
	at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4720)
	at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5154)
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
	at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725)
	at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:701)
	at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:714)
	at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:917)
	at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1701)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)
NestedThrowablesStackTrace:
org.h2.jdbc.JdbcSQLException: Connection is broken: "java.net.ConnectException: Connection refused (Connection refused): localhost" [90067-176]
	at org.h2.message.DbException.getJdbcSQLException(DbException.java:344)
	at org.h2.message.DbException.get(DbException.java:167)
	at org.h2.engine.SessionRemote.connectServer(SessionRemote.java:434)
	at org.h2.engine.SessionRemote.connectEmbeddedOrServer(SessionRemote.java:311)
	at org.h2.jdbc.JdbcConnection.<init>(JdbcConnection.java:107)
	at org.h2.jdbc.JdbcConnection.<init>(JdbcConnection.java:91)
	at org.h2.Driver.connect(Driver.java:74)
	at java.sql.DriverManager.getConnection(DriverManager.java:664)
	at java.sql.DriverManager.getConnection(DriverManager.java:208)
	at org.apache.commons.dbcp.DriverManagerConnectionFactory.createConnection(DriverManagerConnectionFactory.java:78)
	at org.apache.commons.dbcp.PoolableConnectionFactory.makeObject(PoolableConnectionFactory.java:582)
	at org.apache.commons.pool.impl.GenericObjectPool.borrowObject(GenericObjectPool.java:1148)
	at org.apache.commons.dbcp.PoolingDataSource.getConnection(PoolingDataSource.java:106)
	at org.datanucleus.store.rdbms.ConnectionFactoryImpl$ManagedConnectionImpl.getConnection(ConnectionFactoryImpl.java:483)
	at org.datanucleus.store.rdbms.RDBMSStoreManager.<init>(RDBMSStoreManager.java:297)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	at org.datanucleus.plugin.NonManagedPluginRegistry.createExecutableExtension(NonManagedPluginRegistry.java:606)
	at org.datanucleus.plugin.PluginManager.createExecutableExtension(PluginManager.java:301)
	at org.datanucleus.NucleusContextHelper.createStoreManagerForProperties(NucleusContextHelper.java:190)
	at org.datanucleus.PersistenceNucleusContextImpl.initialise(PersistenceNucleusContextImpl.java:422)
	at org.datanucleus.api.jdo.JDOPersistenceManagerFactory.freezeConfiguration(JDOPersistenceManagerFactory.java:842)
	at org.datanucleus.api.jdo.JDOPersistenceManagerFactory.createPersistenceManagerFactory(JDOPersistenceManagerFactory.java:333)
	at org.datanucleus.api.jdo.JDOPersistenceManagerFactory.getPersistenceManagerFactory(JDOPersistenceManagerFactory.java:212)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at javax.jdo.JDOHelper$16.run(JDOHelper.java:1970)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.jdo.JDOHelper.invoke(JDOHelper.java:1965)
	at javax.jdo.JDOHelper.invokeGetPersistenceManagerFactoryOnImplementation(JDOHelper.java:1171)
	at javax.jdo.JDOHelper.getPersistenceManagerFactory(JDOHelper.java:849)
	at javax.jdo.JDOHelper.getPersistenceManagerFactory(JDOHelper.java:1104)
	at javax.jdo.JDOHelper.getPersistenceManagerFactory(JDOHelper.java:924)
	at org.owasp.dependencytrack.persistence.LocalPersistenceManagerFactory.contextInitialized(LocalPersistenceManagerFactory.java:52)
	at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4720)
	at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5154)
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
	at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725)
	at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:701)
	at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:714)
	at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:917)
	at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1701)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)
Caused by: java.net.ConnectException: Connection refused (Connection refused)
	at java.net.PlainSocketImpl.socketConnect(Native Method)
	at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
	at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
	at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
	at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
	at java.net.Socket.connect(Socket.java:589)
	at org.h2.util.NetUtils.createSocket(NetUtils.java:123)
	at org.h2.util.NetUtils.createSocket(NetUtils.java:103)
	at org.h2.engine.SessionRemote.initTransfer(SessionRemote.java:100)
	at org.h2.engine.SessionRemote.connectServer(SessionRemote.java:430)
	... 48 more

01-Feb-2017 23:03:32.196 SEVERE [localhost-startStop-1] org.apache.catalina.core.StandardContext.listenerStop Exception sending context destroyed event to listener instance of class org.owasp.dependencytrack.persistence.LocalPersistenceManagerFactory
 java.lang.NullPointerException
	at org.owasp.dependencytrack.persistence.LocalPersistenceManagerFactory.contextDestroyed(LocalPersistenceManagerFactory.java:56)
	at org.apache.catalina.core.StandardContext.listenerStop(StandardContext.java:4767)
	at org.apache.catalina.core.StandardContext.stopInternal(StandardContext.java:5371)
	at org.apache.catalina.util.LifecycleBase.stop(LifecycleBase.java:232)
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:160)
	at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725)
	at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:701)
	at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:714)
	at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:917)
	at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1701)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)

Normally I might troubleshoot a bit, but since it is a dev branch, I did not want to spend too much time debugging in case you were already aware of this.

Add NSP mirror

The contents of NSP should be mirrored (with credits).

Proposed strategy:
GET
https://api.nodesecurity.io/advisories?offset=0
and retrieve the total number of findings. Use this number to know how many offset requests to make.
https://api.nodesecurity.io/advisories?offset=100
https://api.nodesecurity.io/advisories?offset=200
https://api.nodesecurity.io/advisories?offset=300

A total of 317 advisories should have a max offset of 300 which would only return the remaining 17 advisories.

Create scheduler to start Dependency-Check scans

Option to handle incomplete NVD version information

I'm using Dependency Track "for real", monitoring several products and hundreds of components.

Sometimes DTrack does not report a vulnerability I know is applicable. The reason is that the "affected version" information in NVD XML sources is incomplete. A frequent example is that only the version in which the vulnerability is found is reported, nothing being said about earlier versions. When the set of the affected versions is nontrivial (happens regularly with e.g. OpenSSL), it is seldom fully correct in the NVD XML.

I see this as a showstopper for many users: the purpose of DTrack is to not miss the vulnerabilities.

But obviously the report cannot be better than the source data it is based upon.

One idea might be to give an option to "report vulnerabilities for all versions" for a given component when the user selects a component version in the application. This way the user will get also non-applicable vulnerabilities, but will never miss the relevant ones (if only the product name is correct).

I do not know how such "feature request" fits in the present vision of DTrack. But otherwise I found that I'm reading the XML diff to be sure that I have not missed something critical, which kind of defeats the purpose of using DTrack.

Html/XML reports Error 500

Hi,

I have found a problem in the HTML and XML reporting.
Almost always (just once i could access) I get an 500 error after clicking on HTML or XML button (http://localhost:8080/dtrack/dependencyCheckReport/2.html).
I can't figure out why has just worked once.

I'm using a tomcat 8 for the deploy.

Thanks!

Dynamic report does not suppress vulnerabilities

Hi,
I've noticed that the dynamic report created by the application does not reflect the suppressions specified in the suppressions.xml file.
It is weird since the report created by the dependecy-check, and stored in the app-dir, takes into account the suppression entries added in the corresponding file.

Add support for SPDX

The ability to export a project versions' BOM in SPDX format may be useful.

Additionally, it may be possible to import a SPDX RDF and use that as a source of evidence, similar to how the dependency-check-report.xml is. Needs investigating.

https://spdx.org/

Add rule engine with condition/action editor

Implement a generic rule engine that would perform an action when a condition is met.

A few sample rules:

If a dependency is added that has a specific license, send an email notification to one or more recipients.
If a dependency is added for a specific library or version, deny the addition of the dependency and send an email notification.
If a dependency is added that contains a known vulnerability (as identified by Dependency-Check) display an alert in the browser and send an email notification.

Rules and actions should be configurable by users with the 'Admin' role or with this specific permission. Display and email actions should be included.

No any data shown in the portal

Hi Steve,

The idea of this project looks great. I deployed and started the application. But I didn't see any data in from the portal. I add a component but then how should I trigger it to show me all vulnerabilities for this component? Is this function already available? If yes, could you please provide a more information in the document?

Thanks!
William

Import libraries from Dependency-Check

Auto-populate Dependency-Track database with library identification from Dependency-Check

Administrative tools

Add an admin role and provide a page that allows users with this role to manage users and view change logs.

Add ThreadFix integration

When viewing vulnerabilities, provide an option for a user to create an issue in ThreadFix. This feature will require a system-wide configuration option in which an admin can specify the URL and API KEY to use when connecting to ThreadFix.

Update dependencies to current major version

The following dependencies need to be updated to the current major GA release:

SpringFramework
Hibernate
BootStrap

v3.0-dev fails to start after f1afad42

After commit f1afad4, DTrack fails to deploy with the following message:

SEVERE: An exception was thrown while adding/validating class(es) : Constraint "SCAN_UUID_IDX" already exists; SQL statement:
ALTER TABLE SCAN ADD CONSTRAINT SCAN_UUID_IDX UNIQUE (UUID) [90045-176]
org.h2.jdbc.JdbcSQLException: Constraint "SCAN_UUID_IDX" already exists; SQL statement:
ALTER TABLE SCAN ADD CONSTRAINT SCAN_UUID_IDX UNIQUE (UUID) [90045-176]
        at org.h2.message.DbException.getJdbcSQLException(DbException.java:344)
        at org.h2.message.DbException.get(DbException.java:178)
...

Full app server log after a fresh start attached (extension 'txt' added as required by Github).

catalina.out.txt

Not able to deploy dtrack.war which is generated from source

Hi Steve,

I have followed steps which is mention on following link:

https://github.com/stevespringett/dependency-track/wiki/Getting-Started

downloaded src
did maven clean package
and try to deploy dtrack.war generated in target folder.

But i am facing issue. PFA of error log
error log.txt

while deploying war file given at same place, it is getting deployed successfully.

Looking at the exception, it is pointing with JDK vresion competibility issue, But I have also check the version of class file from war file which is generated from war. which is jdk 7+ so, i dont feel that can be a issue

I have also compare both the war file and found that web.xml is not getting generated in src war. and copied same at in web-inf folder, and generated dtrack.war again. and tried to deploy again but still facing same issue.

could you kindly help me.

Add KennaSecurity Integration

Missed vulnerabilities, which are correctly listed in NVD XML

Configure a product apache:tomcat version 7.0.67.
Check its DTrack report; ensure that e.g. CVE-2016-3092 is reported. This confirms that the component name is entered correctly.
Observe that CVE-2017-5648 is not reported.
In the NIST XML file nvdcve-2.0-2017.xml.gz, observe that this product version is (correctly) marked as vulnerable to CVE-2017-5648:

  <entry id="CVE-2017-5648">
[...]
      <vuln:product>cpe:/a:apache:tomcat:7.0.67</vuln:product>

Other vulnerabilities for this same product which are missed:
CVE-2017-5647
CVE-2016-8735
CVE-2016-6816

Used DTrack version: 1.0.0.

Dependency Track does not work behind HTTP proxy

Especially for corporate environments this can be a complete blocker.

Add key/value store per application

Organizations that want to track attributes that are application specific should be able to do so via the UI and API.

@jtmelton