Enhance badge API to require authorization
SaberStrat opened this issue
Current Behavior
As of Dependency-Track v4.10.1, Badges can only be activated globally for all projects and versions and the GETs do not require authorization.
Proposed Behavior
I'm proposing basically what @stevespringett suggested here as a future enhancement of the current badges implementation: #252 (comment):
implement a new permission to control access to the badge API. Together with Portfolio Access Control, this would allow for a convenient way to control access on a project basis.
While convenient as a feature, and allowing any downstream stakeholder to display the state of vulnerabilities and violations about a tracked project, activating badges in the current implementation opens up a hole in the security for any attacker with knowledge of project names or versions to use. They can fetch quite a lot of data about a project from that API that would otherwise require authorization.
Checklist
- I have read and understand the contributing guidelines
- I have checked the existing issues for whether this enhancement was already requested
I could have a look at this myself, unless this is already in the works as part of some other change?
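To make the proposed policy concrete, here is a small toy model of the decision a badge endpoint would have to make once a badge permission exists and is combined with Portfolio Access Control. This is an added illustration, not Dependency-Track code: the permission name `VIEW_BADGES`, the team-based ACL model, the feature switch and the choice of HTTP status codes are all assumptions of this example, and the projects, teams and principals are constructed sample data.

```python
"""Toy authorization model for a badge endpoint (added illustration,
not Dependency-Track code): a global badge permission combined with
per-project portfolio access control."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Hypothetical permission name for this illustration; the real project
# would define its own constant alongside its existing permissions.
VIEW_BADGES = "VIEW_BADGES"


@dataclass(frozen=True)
class Project:
    name: str
    version: str
    # Teams granted portfolio access; empty means the project is unrestricted
    acl_teams: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Principal:
    name: str
    permissions: FrozenSet[str]
    teams: FrozenSet[str]


@dataclass(frozen=True)
class Config:
    badges_enabled: bool = True          # the global badge switch
    portfolio_acl_enabled: bool = False  # Portfolio Access Control on/off


@dataclass(frozen=True)
class BadgeSummary:
    project: Project
    vulnerabilities: int
    violations: int


def authorize_badge(config: Config, principal: Optional[Principal], project: Project) -> int:
    """Decide whether GET /badge/<name>/<version> may be served; returns an HTTP status.

    Order matters: feature switch first, then authentication, then the
    global badge permission, then the per-project ACL.
    """
    if not config.badges_enabled:
        return 404
    if principal is None:
        # Unauthenticated callers get no badge at all: a badge leaks counts of
        # vulnerabilities and policy violations for a known name/version.
        return 401
    if VIEW_BADGES not in principal.permissions:
        return 403
    if config.portfolio_acl_enabled and project.acl_teams and not (principal.teams & project.acl_teams):
        # Hide the project's existence from teams outside its ACL instead of
        # confirming it with a 403 (design choice of this toy model).
        return 404
    return 200


def badge_response(config: Config, principal: Optional[Principal], summary: BadgeSummary) -> Tuple[int, Optional[str]]:
    """Return (status, body); the badge text is produced only when authorized."""
    status = authorize_badge(config, principal, summary.project)
    if status != 200:
        return status, None
    p = summary.project
    body = f"{p.name} {p.version}: {summary.vulnerabilities} vulns, {summary.violations} violations"
    return status, body


# Constructed sample data for the illustration
ACME = Project("acme-app", "1.2.0", acl_teams=frozenset({"team-acme"}))
OPEN = Project("shared-lib", "0.9.1")  # no ACL restriction
SUMMARY = BadgeSummary(ACME, vulnerabilities=3, violations=1)
CFG = Config(badges_enabled=True, portfolio_acl_enabled=True)
ANON = None
READER = Principal("reader", frozenset(), frozenset({"team-acme"}))
ACME_DEV = Principal("acme-dev", frozenset({VIEW_BADGES}), frozenset({"team-acme"}))
OTHER_DEV = Principal("other-dev", frozenset({VIEW_BADGES}), frozenset({"team-other"}))

if __name__ == "__main__":
    for who in (ANON, READER, ACME_DEV, OTHER_DEV):
        print(getattr(who, "name", "anonymous"), badge_response(CFG, who, SUMMARY))
```

Running the block shows the four outcomes side by side: the anonymous caller is refused outright, a user without the badge permission is refused, a user in the project's team gets the badge text, and a user with the permission but outside the project's ACL is told nothing about the project. Returning 404 rather than 403 in that last case is the one extra caveat worth keeping in mind when adding the permission: the ACL check should not itself confirm which project names and versions exist.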