DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.

Home Page:https://dependencytrack.org/


Enhance badge API to require authorization

SaberStrat opened this issue

Current Behavior

As of Dependency-Track v4.10.1, badges can only be activated globally for all projects and versions, and the GET requests do not require authorization.

Proposed Behavior

I'm proposing basically what @stevespringett suggested here as a future enhancement of the current badges implementation: #252 (comment):
implement a new permission to control access to the badge API. Together with Portfolio Access Control, this would allow for a convenient way to control access on a project basis.

While convenient as a feature, allowing any downstream stakeholder to display the state of vulnerabilities and violations for a tracked project, activating badges in the current implementation opens a security hole that any attacker with knowledge of project names or versions can use. They can fetch quite a lot of data about a project from that API that would otherwise require authorization.

Checklist

I could have a look at this myself, unless this is already in the works as part of some other change?
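A way to check whether your own instance is affected by the behaviour described in this issue, as an added example that is not part of the issue or of the Dependency-Track project: the script below sends unauthenticated GETs to the two badge endpoints for a list of project name/version pairs and reports which of them answer with an SVG, together with the text labels the badge discloses. The endpoint paths are those of the v4.x REST API as I understand them (verify against `/api/swagger.json` on your instance), and the project names and versions are constructed sample input.

```python
"""Probe a Dependency-Track instance for anonymously readable badge endpoints.

Added example, not code from the issue or from Dependency-Track itself.
Assumptions: the badge endpoint paths below match the v4.x REST API, and the
project names/versions used as input are constructed sample values.
"""
import json
import re
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

# Badge endpoints of the v4.x REST API (assumption: check /api/swagger.json).
BADGE_PATHS = (
    "/api/v1/badge/vulns/project/{name}/{version}",
    "/api/v1/badge/violations/project/{name}/{version}",
)

# A fetcher maps a URL to (HTTP status, response body). Injectable so the
# classification logic can be exercised without a live server.
Fetcher = Callable[[str], Tuple[int, str]]


def http_fetch(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Unauthenticated GET: deliberately sends no API key and no session cookie."""
    req = urllib.request.Request(url, headers={"Accept": "image/svg+xml"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # 401/403/404 arrive here; the status is what we want to record.
        return err.code, ""


def badge_urls(base_url: str, name: str, version: str) -> List[str]:
    """Build both badge URLs for one project, URL-encoding name and version."""
    base = base_url.rstrip("/")
    return [
        base + path.format(
            name=urllib.parse.quote(name, safe=""),
            version=urllib.parse.quote(version, safe=""),
        )
        for path in BADGE_PATHS
    ]


_TEXT_NODE = re.compile(r"<text[^>]*>([^<]*)</text>")


def svg_labels(svg: str) -> List[str]:
    """Visible text of an SVG badge. This is what an anonymous caller learns
    (e.g. severity counts), so it is the disclosure worth reporting."""
    return [t.strip() for t in _TEXT_NODE.findall(svg) if t.strip()]


def probe(base_url: str, projects: List[Tuple[str, str]],
          fetch: Fetcher = http_fetch) -> Dict[str, dict]:
    """GET both badge endpoints for each (name, version) without credentials.

    Returns {url: {"status": int, "exposed": bool, "labels": [...]}}.
    'exposed' is True only for a 200 carrying SVG content; 401/403 means the
    instance enforces authorization, 404 means badges are disabled or the
    project/version is unknown.
    """
    results: Dict[str, dict] = {}
    for name, version in projects:
        for url in badge_urls(base_url, name, version):
            status, body = fetch(url)
            exposed = status == 200 and "<svg" in body
            results[url] = {
                "status": status,
                "exposed": exposed,
                "labels": svg_labels(body) if exposed else [],
            }
    return results


def summarize(results: Dict[str, dict]) -> dict:
    """Count checked vs. anonymously readable badge URLs."""
    exposed = [u for u, r in results.items() if r["exposed"]]
    return {"checked": len(results), "exposed": len(exposed), "urls": exposed}


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080"
    # Constructed sample input: names an attacker would guess or enumerate.
    sample_projects = [("acme-web", "1.4.2"), ("acme-api", "main")]
    print(json.dumps(summarize(probe(base, sample_projects)), indent=2))
```

Run it against a staging instance with badges enabled and any non-empty `exposed` count confirms the behaviour this issue describes; a `labels` list that contains severity counts shows exactly what an unauthenticated caller can learn per project. The `fetch` parameter exists so the URL building and classification can be tested against canned responses.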