DependencyTrack · valentijnscholten · Jan 4, 2025 · Jan 4, 2025 · Jan 4, 2025 · Jan 4, 2025
diff --git a/package-lock.json b/package-lock.json
diff --git a/src/assets/img/composer-logo.png b/src/assets/img/composer-logo.png
diff --git a/src/assets/scss/_custom.scss b/src/assets/scss/_custom.scss
@@ -137,6 +137,14 @@ html {
   background-color: #EBE5A8;
   border: 1px solid #DCD167;
 }
+.label-source-drupal {
+  background-color: hsl(120, 75%, 39%);
+  border: 1px solid #06785a;
+}
+.label-source-composer {
+  background-color: hsl(305, 43%, 51%);
+  border: 1px solid #7b3566;
+}
 .label-source-unknown {
   background-color: $severity-unassigned;
   border: 1px solid $grey-900;

diff --git a/src/containers/DefaultContainer.vue b/src/containers/DefaultContainer.vue
@@ -47,9 +47,9 @@
    ProfileEditModal,
    SnapshotModal,
    AppSidebar,
    AppAside,
    Breadcrumb,
    DefaultHeaderProfileDropdown,
    SidebarForm,
    SidebarFooter,
    SidebarHeader,
@@ -214,7 +214,8 @@
   },
   mounted() {
     if (this.$dtrack && this.$dtrack.version.includes('SNAPSHOT')) {
-      this.$root.$emit('bv::show::modal', 'snapshotModal');
+      //TODO VS reinstate
+      //      this.$root.$emit('bv::show::modal', 'snapshotModal');
     }
 
     this.isSidebarMinimized =

diff --git a/src/i18n/locales/de.json b/src/i18n/locales/de.json
@@ -208,6 +208,7 @@
     "reindex_vulnerable_software": "Anfällige Software",
     "remove_api_key": "remove_api_key",
     "repositories": "Repositorys",
+    "repository_advisory_alias_sync_enabled": "Aktivieren Sie die Synchronisierung des Sicherheitshinweis-Alias",
     "repository_authentication": "Authentifizierung erforderlich",
     "repository_created": "Repository erstellt",
     "repository_deleted": "Repository gelöscht",

diff --git a/src/i18n/locales/en.json b/src/i18n/locales/en.json
@@ -52,6 +52,8 @@
     "change_password_next_login": "User must change password at next login",
     "clone_template": "Clone Template",
     "composer": "Composer",
+    "composer_advisories": "Composer Security Advisories",
+    "composer_repositories": "Composer Repositories",
     "configuration": "Configuration",
     "configuration_saved": "Configuration saved",
     "configuration_test": "Configuration Test",
@@ -79,10 +81,12 @@
     "delete_team": "Delete Team",
     "delete_template": "Delete Template",
     "delete_user": "Delete User",
+    "description": "Description",
     "destination": "Destination",
     "disabled": "Disabled",
     "disabled_for_tags": "Disabled for tags",
     "distinguished_name": "Distinguished name",
+    "documentation": "Documentation",
     "edit_api_key_comment": "Edit API Key Comment",
     "email": "Email",
     "email_address": "Email address",
@@ -208,6 +212,10 @@
     "reindex_vulnerable_software": "Vulnerable software",
     "remove_api_key": "Remove API Key",
     "repositories": "Repositories",
+    "repository_advisory_alias_sync_enabled": "Alias Sync",
+    "repository_advisory_alias_sync_toggle": "Enable Security Advisory alias synchronization",
+    "repository_advisory_mirroring_enabled": "Advisory Sync",
+    "repository_advisory_mirroring_toggle": "Enable mirroring of Security Advisories (Beta)",
     "repository_authentication": "Authentication required",
     "repository_created": "Repository created",
     "repository_deleted": "Repository deleted",
@@ -269,6 +277,8 @@
     "vulndb": "VulnDB",
     "vulnsource_alias_sync_enable": "Enable vulnerability alias synchronization",
     "vulnsource_alias_sync_enable_tooltip": "Alias data can help in identifying identical vulnerabilities across multiple databases. If the source provides this data, synchronize it with Dependency-Track's database.",
+    "vulnsource_composer_advisories_desc": "The Composer ecosystem provides security advisories via its Composer repositories. Examples are https://packagist.org and https://packages.drupal.org/8. These security advisories are used by Composer to provide the composer audit command.",
+    "vulnsource_composer_to_enable": "Composer advisory mirroring can be enabled for a repository via it configuration:",
     "vulnsource_github_advisories_desc": "GitHub Advisories (GHSA) is a database of CVEs and GitHub-originated security advisories affecting the open source world. Dependency-Track integrates with GHSA by mirroring advisories via GitHub's public GraphQL API. The mirror is refreshed daily, or upon restart of the Dependency-Track instance. A personal access token (PAT) is required in order to authenticate with GitHub, but no scopes need to be assigned to it.",
     "vulnsource_github_advisories_enable": "Enable GitHub Advisory mirroring",
     "vulnsource_nvd_desc": "The National Vulnerability Database (NVD) is the largest publicly available source of vulnerability intelligence. It is maintained by a group within the National Institute of Standards and Technology (NIST) and builds upon the work of MITRE and others. Vulnerabilities in the NVD are called Common Vulnerabilities and Exposures (CVE). There are over 100,000 CVEs documented in the NVD spanning from the 1990’s to the present.",

diff --git a/src/i18n/locales/es.json b/src/i18n/locales/es.json
@@ -208,6 +208,7 @@
     "reindex_vulnerable_software": "software vulnerable",
     "remove_api_key": "Eliminar Clave API",
     "repositories": "Repositorios",
+    "repository_advisory_alias_sync_enabled": "Habilitar la sincronización de alias de aviso de seguridad",
     "repository_authentication": "Autenticacion requerida",
     "repository_created": "Repositorio creado",
     "repository_deleted": "Repositorio eliminado",

diff --git a/src/i18n/locales/fr.json b/src/i18n/locales/fr.json
@@ -208,6 +208,7 @@
     "reindex_vulnerable_software": "Logiciels vulnérables",
     "remove_api_key": "Retirer la clé d'API",
     "repositories": "Dépôts",
+    "repository_advisory_alias_sync_enabled": "Activer la synchronisation des alias des avis de sécurité",
     "repository_authentication": "Authentification requise",
     "repository_created": "Dépôt créé",
     "repository_deleted": "Dépôt supprimé",

diff --git a/src/i18n/locales/hi.json b/src/i18n/locales/hi.json
@@ -208,6 +208,7 @@
     "reindex_vulnerable_software": "कमजोर सॉफ्टवेयर",
     "remove_api_key": "remove_api_key",
     "repositories": "डेटा संग्रह स्थान",
+    "repository_advisory_alias_sync_enabled": "सुरक्षा सलाहकार उपनाम सिंक्रनाइज़ेशन सक्षम करें",
     "repository_authentication": "प्रमाणित करना",
     "repository_created": "रिपोजिटरी बनाई गई",
     "repository_deleted": "रिपॉजिटरी हटा दी गई",

diff --git a/src/i18n/locales/it.json b/src/i18n/locales/it.json
@@ -208,6 +208,7 @@
     "reindex_vulnerable_software": "Software vulnerabile",
     "remove_api_key": "remove_api_key",
     "repositories": "Repository",
+    "repository_advisory_alias_sync_enabled": "Abilita la sincronizzazione degli alias degli avvisi di sicurezza",
     "repository_authentication": "Autenticazione richiesta",
     "repository_created": "Archivio creato",
     "repository_deleted": "Archivio eliminato",

diff --git a/src/i18n/locales/ja.json b/src/i18n/locales/ja.json
@@ -208,6 +208,7 @@
     "reindex_vulnerable_software": "脆弱なソフトウェア",
     "remove_api_key": "remove_api_key",
     "repositories": "リポジトリ",
+    "repository_advisory_alias_sync_enabled": "セキュリティ アドバイザリのエイリアス同期を有効にする",
     "repository_authentication": "認証が必要",
     "repository_created": "リポジトリが作成されました",
     "repository_deleted": "リポジトリが削除されました",

diff --git a/src/i18n/locales/pl.json b/src/i18n/locales/pl.json
@@ -208,6 +208,7 @@
     "reindex_vulnerable_software": "Wrażliwe oprogramowanie",
     "remove_api_key": "remove_api_key",
     "repositories": "Repozytoria",
+    "repository_advisory_alias_sync_enabled": "Włącz synchronizację aliasów Security Advisory",
     "repository_authentication": "Wymagane uwierzytelnienie",
     "repository_created": "Repozytorium zostało utworzone",
     "repository_deleted": "Repozytorium usunięte",

diff --git a/src/i18n/locales/pt-BR.json b/src/i18n/locales/pt-BR.json
@@ -208,6 +208,7 @@
     "reindex_vulnerable_software": "Software vulnerável",
     "remove_api_key": "remove_api_key",
     "repositories": "Repositórios",
+    "repository_advisory_alias_sync_enabled": "Habilitar sincronização de alias do Comunicado de Segurança",
     "repository_authentication": "Autentificação requerida",
     "repository_created": "Repositório criado",
     "repository_deleted": "Repositório excluído",

diff --git a/src/i18n/locales/pt.json b/src/i18n/locales/pt.json
@@ -208,6 +208,7 @@
     "reindex_vulnerable_software": "Software vulnerável",
     "remove_api_key": "remove_api_key",
     "repositories": "Repositórios",
+    "repository_advisory_alias_sync_enabled": "Habilitar sincronização de alias do Comunicado de Segurança",
     "repository_authentication": "Autentificação requerida",
     "repository_created": "Repositório criado",
     "repository_deleted": "Repositório excluído",

diff --git a/src/i18n/locales/ru.json b/src/i18n/locales/ru.json
@@ -208,6 +208,7 @@
     "reindex_vulnerable_software": "Уязвимое ПО",
     "remove_api_key": "Удалить API-ключ",
     "repositories": "Репозитории",
+    "repository_advisory_alias_sync_enabled": "Включить синхронизацию псевдонимов рекомендаций по безопасности",
     "repository_authentication": "Требуется аутентификация",
     "repository_created": "Репозиторий создан",
     "repository_deleted": "Репозиторий удален",

diff --git a/src/i18n/locales/uk-UA.json b/src/i18n/locales/uk-UA.json
@@ -208,6 +208,7 @@
     "reindex_vulnerable_software": "Вразливе програмне забезпечення",
     "remove_api_key": "Видалити ключ API",
     "repositories": "Репозиторії",
+    "repository_advisory_alias_sync_enabled": "Увімкнути синхронізацію псевдонімів Security Advisory",
     "repository_authentication": "Потрібна автентифікація",
     "repository_created": "Репозиторій створено",
     "repository_deleted": "Репозиторій видалено",

diff --git a/src/i18n/locales/zh.json b/src/i18n/locales/zh.json
@@ -208,6 +208,7 @@
     "reindex_vulnerable_software": "重新生成软件索引",
     "remove_api_key": "删除 API Key",
     "repositories": "存储库",
+    "repository_advisory_alias_sync_enabled": "启用安全建议别名同步",
     "repository_authentication": "存储库身份验证",
     "repository_created": "已创建存储库",
     "repository_deleted": "存储库已删除",

diff --git a/src/router/index.js b/src/router/index.js
@@ -58,6 +58,8 @@
   import('@/views/administration/vuln-sources/VulnSourceGitHubAdvisories');
 const VulnSourceOSVAdvisories = () =>
   import('@/views/administration/vuln-sources/VulnSourceOSVAdvisories');
+const VulnSourceComposerAdvisories = () =>
+  import('@/views/administration/vuln-sources/VulnSourceComposerAdvisories');
 
 const Cargo = () => import('@/views/administration/repositories/Cargo');
 const Composer = () => import('@/views/administration/repositories/Composer');
@@ -552,6 +554,17 @@
                 permission: 'SYSTEM_CONFIGURATION',
               },
             },
+            {
+              path: 'vulnerabilitySources/composer',
+              component: VulnSourceComposerAdvisories,
+              meta: {
+                title: i18n.t('message.administration'),
+                i18n: 'message.administration',
+                sectionPath: '/admin',
+                sectionName: 'Admin',
+                permission: 'SYSTEM_CONFIGURATION',
+              },
+            },
             {
               path: 'repositories/cargo',
               alias: ['repositories'],
@@ -856,7 +869,7 @@
          path: 'project',
          props: (route) => ({ uuid: route.query.uuid }),
          redirect: (to) => {
            let { hash, params, query } = to;
            if (query.uuid) {
              let uuid = query.uuid;
              return { path: '/projects/' + uuid, query: null };
@@ -869,7 +882,7 @@
          path: 'component',
          props: (route) => ({ uuid: route.query.uuid }),
          redirect: (to) => {
            let { hash, params, query } = to;
            if (query.uuid) {
              let uuid = query.uuid;
              return { path: '/components/' + uuid, query: null };

diff --git a/src/shared/common.js b/src/shared/common.js
@@ -225,6 +225,10 @@ $common.resolveSourceVulnInfo = function resolveSourceVulnInfo(
       sourceInfo.name = 'Global Security Database';
       sourceInfo.url = 'https://github.com/cloudsecurityalliance/gsd-database';
       break;
+    case 'COMPOSER':
+      sourceInfo.name = 'Composer';
+      sourceInfo.url = 'https://packagist.org/apidoc';
+      break;
     case 'VULNDB':
       sourceInfo.name = 'VulnDB';
       sourceInfo.url =
@@ -278,6 +282,16 @@ $common.resolveVulnAliases = function resolveVulnAliases(vulnSource, aliases) {
         $common.resolveSourceVulnInfo('VULNDB', alias.vulnDbId),
       );
     }
+    if (vulnSource !== 'DRUPAL' && alias.drupalId) {
+      _resolvedAliases.push(
+        $common.resolveSourceVulnInfo('DRUPAL', alias.drupalId),
+      );
+    }
+    if (vulnSource !== 'COMPOSER' && alias.composerId) {
+      _resolvedAliases.push(
+        $common.resolveSourceVulnInfo('COMPOSER', alias.composerId),
+      );
+    }
     return _resolvedAliases;
   });
 

diff --git a/src/shared/utils.js b/src/shared/utils.js
@@ -128,6 +128,34 @@ export function loadUserPreferencesForBootstrapTable(_this, id, columns) {
   });
 }
 
+/**
+ * Parses advisoryMirroringEnabled from repository.config.
+ * Needed in multiple places, so extracted to a common function.
+ */
+export function parseAdvisoryMirroringEnabled(repo) {
+  if (repo.config) {
+    let value = JSON.parse(repo.config);
+    if (value) {
+      return value.advisoryMirroringEnabled;
+    }
+    return false;
+  }
+}
+
+/**
+ * Parses parseAdvisoryAliasSyncEnabled from repository.config.
+ * Needed in multiple places, so extracted to a common function.
+ */
+export function parseAdvisoryAliasSyncEnabled(repo) {
+  if (repo.config) {
+    let value = JSON.parse(repo.config);
+    if (value) {
+      return value.advisoryAliasSyncEnabled;
+    }
+    return false;
+  }
+}
+
 export function compareVersions(v1, v2) {
   if (!v1) {
     return 1;

diff --git a/src/views/administration/AdminMenu.vue b/src/views/administration/AdminMenu.vue
@@ -176,6 +176,11 @@ export default {
               name: this.$t('admin.osv_advisories'),
               route: 'vulnerabilitySources/osv',
             },
+            {
+              component: 'VulnSourceComposerAdvisories',
+              name: this.$t('admin.composer_advisories'),
+              route: 'vulnerabilitySources/composer',
+            },
           ],
         },
         {

diff --git a/src/views/administration/Administration.vue b/src/views/administration/Administration.vue
@@ -38,6 +38,8 @@ import VulnDbAnalyzer from './analyzers/VulnDbAnalyzer';
 import VulnSourceGitHubAdvisories from './vuln-sources/VulnSourceGitHubAdvisories';
 import VulnSourceNvd from './vuln-sources/VulnSourceNvd';
 import VulnSourceOSVAdvisories from './vuln-sources/VulnSourceOSVAdvisories';
+import VulnSourceComposerAdvisories from './vuln-sources/VulnSourceComposerAdvisories';
+
 // Repositories
 import Cargo from './repositories/Cargo';
 import Composer from './repositories/Composer';
@@ -89,6 +91,7 @@ export default {
     VulnSourceNvd,
     VulnSourceGitHubAdvisories,
     VulnSourceOSVAdvisories,
+    VulnSourceComposerAdvisories,
     Cargo,
     Composer,
     Gem,

diff --git a/src/views/administration/notifications/Alerts.vue b/src/views/administration/notifications/Alerts.vue
@@ -285,10 +285,6 @@ export default {
             },
             created() {
               this.initializeTags();
-              this.parseDestination(this.alert);
-              this.parseToken(this.alert);
-              this.parseTokenHeader(this.alert);
-              this.parseJiraTicketType(this.alert);
             },
             watch: {
               alert() {