DependencyTrack · valentijnscholten · Jan 4, 2025 · Jan 4, 2025 · Jan 4, 2025 · Jan 4, 2025
diff --git a/package-lock.json b/package-lock.json
diff --git a/src/assets/img/composer-logo.png b/src/assets/img/composer-logo.png
diff --git a/src/assets/scss/_custom.scss b/src/assets/scss/_custom.scss
@@ -137,6 +137,14 @@ html {
   background-color: #EBE5A8;
   border: 1px solid #DCD167;
 }
+.label-source-drupal {
+  background-color: hsl(120, 75%, 39%);
+  border: 1px solid #06785a;
+}
+.label-source-composer {
+  background-color: hsl(305, 43%, 51%);
+  border: 1px solid #7b3566;
+}
 .label-source-unknown {
   background-color: $severity-unassigned;
   border: 1px solid $grey-900;

diff --git a/src/containers/DefaultContainer.vue b/src/containers/DefaultContainer.vue
@@ -47,9 +47,9 @@
    ProfileEditModal,
    SnapshotModal,
    AppSidebar,
    AppAside,
    Breadcrumb,
    DefaultHeaderProfileDropdown,
    SidebarForm,
    SidebarFooter,
    SidebarHeader,
@@ -214,7 +214,8 @@
   },
   mounted() {
     if (this.$dtrack && this.$dtrack.version.includes('SNAPSHOT')) {
-      this.$root.$emit('bv::show::modal', 'snapshotModal');
+      //TODO VS reinstate
+      //      this.$root.$emit('bv::show::modal', 'snapshotModal');
     }
 
     this.isSidebarMinimized =

diff --git a/src/i18n/locales/de.json b/src/i18n/locales/de.json
@@ -208,6 +208,8 @@
     "reindex_vulnerable_software": "Anfällige Software",
     "remove_api_key": "remove_api_key",
     "repositories": "Repositorys",
+    "repository_advisory_alias_sync_enabled": "Aktivieren Sie die Synchronisierung des Sicherheitshinweis-Alias",
+    "repository_advisory_mirroring_enabled": "Aktivieren Sie die Spiegelung von Sicherheitshinweisen",
     "repository_authentication": "Authentifizierung erforderlich",
     "repository_created": "Repository erstellt",
     "repository_deleted": "Repository gelöscht",

diff --git a/src/i18n/locales/en.json b/src/i18n/locales/en.json
@@ -52,6 +52,8 @@
     "change_password_next_login": "User must change password at next login",
     "clone_template": "Clone Template",
     "composer": "Composer",
+    "composer_advisories": "Composer Security Advisories",
+    "composer_repositories": "Composer Repositories",
     "configuration": "Configuration",
     "configuration_saved": "Configuration saved",
     "configuration_test": "Configuration Test",
@@ -83,6 +85,7 @@
     "disabled": "Disabled",
     "disabled_for_tags": "Disabled for tags",
     "distinguished_name": "Distinguished name",
+    "documentation": "Documentation",
     "edit_api_key_comment": "Edit API Key Comment",
     "email": "Email",
     "email_address": "Email address",
@@ -208,6 +211,8 @@
     "reindex_vulnerable_software": "Vulnerable software",
     "remove_api_key": "Remove API Key",
     "repositories": "Repositories",
+    "repository_advisory_alias_sync_enabled": "Enable Security Advisory alias synchronization",
+    "repository_advisory_mirroring_enabled": "Enable mirroring of Security Advisories",
     "repository_authentication": "Authentication required",
     "repository_created": "Repository created",
     "repository_deleted": "Repository deleted",
@@ -269,6 +274,8 @@
     "vulndb": "VulnDB",
     "vulnsource_alias_sync_enable": "Enable vulnerability alias synchronization",
     "vulnsource_alias_sync_enable_tooltip": "Alias data can help in identifying identical vulnerabilities across multiple databases. If the source provides this data, synchronize it with Dependency-Track's database.",
+    "vulnsource_composer_advisories_desc": "The Composer ecosystem provides security advisories via its Composer repositories. Examples are https://packagist.org and https://packages.drupal.org/8. These security advisories are used by Composer to provide the composer audit command.",
+    "vulnsource_composer_to_enable": "Composer advisory mirroring can be enabled for a repository via it configuration:",
     "vulnsource_github_advisories_desc": "GitHub Advisories (GHSA) is a database of CVEs and GitHub-originated security advisories affecting the open source world. Dependency-Track integrates with GHSA by mirroring advisories via GitHub's public GraphQL API. The mirror is refreshed daily, or upon restart of the Dependency-Track instance. A personal access token (PAT) is required in order to authenticate with GitHub, but no scopes need to be assigned to it.",
     "vulnsource_github_advisories_enable": "Enable GitHub Advisory mirroring",
     "vulnsource_nvd_desc": "The National Vulnerability Database (NVD) is the largest publicly available source of vulnerability intelligence. It is maintained by a group within the National Institute of Standards and Technology (NIST) and builds upon the work of MITRE and others. Vulnerabilities in the NVD are called Common Vulnerabilities and Exposures (CVE). There are over 100,000 CVEs documented in the NVD spanning from the 1990’s to the present.",

diff --git a/src/i18n/locales/es.json b/src/i18n/locales/es.json
@@ -208,6 +208,8 @@
     "reindex_vulnerable_software": "software vulnerable",
     "remove_api_key": "Eliminar Clave API",
     "repositories": "Repositorios",
+    "repository_advisory_alias_sync_enabled": "Habilitar la sincronización de alias de aviso de seguridad",
+    "repository_advisory_mirroring_enabled": "Habilitar la duplicación de avisos de seguridad",
     "repository_authentication": "Autenticacion requerida",
     "repository_created": "Repositorio creado",
     "repository_deleted": "Repositorio eliminado",

diff --git a/src/i18n/locales/fr.json b/src/i18n/locales/fr.json
@@ -208,6 +208,8 @@
     "reindex_vulnerable_software": "Logiciels vulnérables",
     "remove_api_key": "Retirer la clé d'API",
     "repositories": "Dépôts",
+    "repository_advisory_alias_sync_enabled": "Activer la synchronisation des alias des avis de sécurité",
+    "repository_advisory_mirroring_enabled": "Activer la mise en miroir des avis de sécurité",
     "repository_authentication": "Authentification requise",
     "repository_created": "Dépôt créé",
     "repository_deleted": "Dépôt supprimé",

diff --git a/src/i18n/locales/hi.json b/src/i18n/locales/hi.json
@@ -208,6 +208,8 @@
     "reindex_vulnerable_software": "कमजोर सॉफ्टवेयर",
     "remove_api_key": "remove_api_key",
     "repositories": "डेटा संग्रह स्थान",
+    "repository_advisory_alias_sync_enabled": "सुरक्षा सलाहकार उपनाम सिंक्रनाइज़ेशन सक्षम करें",
+    "repository_advisory_mirroring_enabled": "सुरक्षा सलाह को मिरर करना सक्षम करें",
     "repository_authentication": "प्रमाणित करना",
     "repository_created": "रिपोजिटरी बनाई गई",
     "repository_deleted": "रिपॉजिटरी हटा दी गई",

diff --git a/src/i18n/locales/it.json b/src/i18n/locales/it.json
@@ -208,6 +208,8 @@
     "reindex_vulnerable_software": "Software vulnerabile",
     "remove_api_key": "remove_api_key",
     "repositories": "Repository",
+    "repository_advisory_alias_sync_enabled": "Abilita la sincronizzazione degli alias degli avvisi di sicurezza",
+    "repository_advisory_mirroring_enabled": "Abilita il mirroring degli avvisi di sicurezza",
     "repository_authentication": "Autenticazione richiesta",
     "repository_created": "Archivio creato",
     "repository_deleted": "Archivio eliminato",

diff --git a/src/i18n/locales/ja.json b/src/i18n/locales/ja.json
@@ -208,6 +208,8 @@
     "reindex_vulnerable_software": "脆弱なソフトウェア",
     "remove_api_key": "remove_api_key",
     "repositories": "リポジトリ",
+    "repository_advisory_alias_sync_enabled": "セキュリティ アドバイザリのエイリアス同期を有効にする",
+    "repository_advisory_mirroring_enabled": "セキュリティ アドバイザリのミラーリングを有効にする",
     "repository_authentication": "認証が必要",
     "repository_created": "リポジトリが作成されました",
     "repository_deleted": "リポジトリが削除されました",

diff --git a/src/i18n/locales/pl.json b/src/i18n/locales/pl.json
@@ -208,6 +208,8 @@
     "reindex_vulnerable_software": "Wrażliwe oprogramowanie",
     "remove_api_key": "remove_api_key",
     "repositories": "Repozytoria",
+    "repository_advisory_alias_sync_enabled": "Włącz synchronizację aliasów Security Advisory",
+    "repository_advisory_mirroring_enabled": "Włącz dublowanie porad dotyczących bezpieczeństwa",
     "repository_authentication": "Wymagane uwierzytelnienie",
     "repository_created": "Repozytorium zostało utworzone",
     "repository_deleted": "Repozytorium usunięte",

diff --git a/src/i18n/locales/pt-BR.json b/src/i18n/locales/pt-BR.json
@@ -208,6 +208,8 @@
     "reindex_vulnerable_software": "Software vulnerável",
     "remove_api_key": "remove_api_key",
     "repositories": "Repositórios",
+    "repository_advisory_alias_sync_enabled": "Habilitar sincronização de alias do Comunicado de Segurança",
+    "repository_advisory_mirroring_enabled": "Habilitar espelhamento de avisos de segurança",
     "repository_authentication": "Autentificação requerida",
     "repository_created": "Repositório criado",
     "repository_deleted": "Repositório excluído",

diff --git a/src/i18n/locales/pt.json b/src/i18n/locales/pt.json
@@ -208,6 +208,8 @@
     "reindex_vulnerable_software": "Software vulnerável",
     "remove_api_key": "remove_api_key",
     "repositories": "Repositórios",
+    "repository_advisory_alias_sync_enabled": "Habilitar sincronização de alias do Comunicado de Segurança",
+    "repository_advisory_mirroring_enabled": "Habilitar espelhamento de avisos de segurança",
     "repository_authentication": "Autentificação requerida",
     "repository_created": "Repositório criado",
     "repository_deleted": "Repositório excluído",

diff --git a/src/i18n/locales/ru.json b/src/i18n/locales/ru.json
@@ -208,6 +208,8 @@
     "reindex_vulnerable_software": "Уязвимое ПО",
     "remove_api_key": "Удалить API-ключ",
     "repositories": "Репозитории",
+    "repository_advisory_alias_sync_enabled": "Включить синхронизацию псевдонимов рекомендаций по безопасности",
+    "repository_advisory_mirroring_enabled": "Включить зеркалирование рекомендаций по безопасности",
     "repository_authentication": "Требуется аутентификация",
     "repository_created": "Репозиторий создан",
     "repository_deleted": "Репозиторий удален",

diff --git a/src/i18n/locales/uk-UA.json b/src/i18n/locales/uk-UA.json
@@ -208,6 +208,8 @@
     "reindex_vulnerable_software": "Вразливе програмне забезпечення",
     "remove_api_key": "Видалити ключ API",
     "repositories": "Репозиторії",
+    "repository_advisory_alias_sync_enabled": "Увімкнути синхронізацію псевдонімів Security Advisory",
+    "repository_advisory_mirroring_enabled": "Увімкнути дзеркальне відображення повідомлень безпеки",
     "repository_authentication": "Потрібна автентифікація",
     "repository_created": "Репозиторій створено",
     "repository_deleted": "Репозиторій видалено",

diff --git a/src/i18n/locales/zh.json b/src/i18n/locales/zh.json
@@ -208,6 +208,8 @@
     "reindex_vulnerable_software": "重新生成软件索引",
     "remove_api_key": "删除 API Key",
     "repositories": "存储库",
+    "repository_advisory_alias_sync_enabled": "启用安全建议别名同步",
+    "repository_advisory_mirroring_enabled": "启用安全公告的镜像",
     "repository_authentication": "存储库身份验证",
     "repository_created": "已创建存储库",
     "repository_deleted": "存储库已删除",

diff --git a/src/router/index.js b/src/router/index.js
@@ -58,6 +58,8 @@
   import('@/views/administration/vuln-sources/VulnSourceGitHubAdvisories');
 const VulnSourceOSVAdvisories = () =>
   import('@/views/administration/vuln-sources/VulnSourceOSVAdvisories');
+const VulnSourceComposerAdvisories = () =>
+  import('@/views/administration/vuln-sources/VulnSourceComposerAdvisories');
 
 const Cargo = () => import('@/views/administration/repositories/Cargo');
 const Composer = () => import('@/views/administration/repositories/Composer');
@@ -552,6 +554,17 @@
                 permission: 'SYSTEM_CONFIGURATION',
               },
             },
+            {
+              path: 'vulnerabilitySources/composer',
+              component: VulnSourceComposerAdvisories,
+              meta: {
+                title: i18n.t('message.administration'),
+                i18n: 'message.administration',
+                sectionPath: '/admin',
+                sectionName: 'Admin',
+                permission: 'SYSTEM_CONFIGURATION',
+              },
+            },
             {
               path: 'repositories/cargo',
               alias: ['repositories'],
@@ -856,7 +869,7 @@
          path: 'project',
          props: (route) => ({ uuid: route.query.uuid }),
          redirect: (to) => {
            let { hash, params, query } = to;
            if (query.uuid) {
              let uuid = query.uuid;
              return { path: '/projects/' + uuid, query: null };
@@ -869,7 +882,7 @@
          path: 'component',
          props: (route) => ({ uuid: route.query.uuid }),
          redirect: (to) => {
            let { hash, params, query } = to;
            if (query.uuid) {
              let uuid = query.uuid;
              return { path: '/components/' + uuid, query: null };

diff --git a/src/shared/common.js b/src/shared/common.js
@@ -225,6 +225,10 @@ $common.resolveSourceVulnInfo = function resolveSourceVulnInfo(
       sourceInfo.name = 'Global Security Database';
       sourceInfo.url = 'https://github.com/cloudsecurityalliance/gsd-database';
       break;
+    case 'COMPOSER':
+      sourceInfo.name = 'Composer';
+      sourceInfo.url = 'https://packagist.org/apidoc';
+      break;
     case 'VULNDB':
       sourceInfo.name = 'VulnDB';
       sourceInfo.url =
@@ -278,6 +282,16 @@ $common.resolveVulnAliases = function resolveVulnAliases(vulnSource, aliases) {
         $common.resolveSourceVulnInfo('VULNDB', alias.vulnDbId),
       );
     }
+    if (vulnSource !== 'DRUPAL' && alias.drupalId) {
+      _resolvedAliases.push(
+        $common.resolveSourceVulnInfo('DRUPAL', alias.drupalId),
+      );
+    }
+    if (vulnSource !== 'COMPOSER' && alias.composerId) {
+      _resolvedAliases.push(
+        $common.resolveSourceVulnInfo('COMPOSER', alias.composerId),
+      );
+    }
     return _resolvedAliases;
   });
 

diff --git a/src/views/administration/AdminMenu.vue b/src/views/administration/AdminMenu.vue
@@ -176,6 +176,11 @@ export default {
               name: this.$t('admin.osv_advisories'),
               route: 'vulnerabilitySources/osv',
             },
+            {
+              component: 'VulnSourceComposerAdvisories',
+              name: this.$t('admin.composer_advisories'),
+              route: 'vulnerabilitySources/composer',
+            },
           ],
         },
         {

diff --git a/src/views/administration/Administration.vue b/src/views/administration/Administration.vue
@@ -38,6 +38,8 @@ import VulnDbAnalyzer from './analyzers/VulnDbAnalyzer';
 import VulnSourceGitHubAdvisories from './vuln-sources/VulnSourceGitHubAdvisories';
 import VulnSourceNvd from './vuln-sources/VulnSourceNvd';
 import VulnSourceOSVAdvisories from './vuln-sources/VulnSourceOSVAdvisories';
+import VulnSourceComposerAdvisories from './vuln-sources/VulnSourceComposerAdvisories';
+
 // Repositories
 import Cargo from './repositories/Cargo';
 import Composer from './repositories/Composer';
@@ -89,6 +91,7 @@ export default {
     VulnSourceNvd,
     VulnSourceGitHubAdvisories,
     VulnSourceOSVAdvisories,
+    VulnSourceComposerAdvisories,
     Cargo,
     Composer,
     Gem,

diff --git a/src/views/administration/notifications/Alerts.vue b/src/views/administration/notifications/Alerts.vue
@@ -285,10 +285,6 @@ export default {
             },
             created() {
               this.initializeTags();
-              this.parseDestination(this.alert);
-              this.parseToken(this.alert);
-              this.parseTokenHeader(this.alert);
-              this.parseJiraTicketType(this.alert);
             },
             watch: {
               alert() {

diff --git a/src/views/administration/repositories/Repositories.vue b/src/views/administration/repositories/Repositories.vue
@@ -149,12 +149,21 @@ export default {
                   <b-col sm="6">
 
                     <div>
-                      <c-switch color="primary" v-model="internal" label v-bind="labelIcon" />{{$t('admin.internal')}}
+                      <c-switch color="primary" v-model="enabled" label v-bind="labelIcon" />{{$t('admin.enabled')}}
                     </div>
                     <div>
-                     <c-switch color="primary" v-model="authenticationRequired" label v-bind="labelIcon" />{{$t('admin.repository_authentication')}}
+                      <c-switch color="primary" v-model="internal" label v-bind="labelIcon" />{{$t('admin.internal')}}
+                    </div>
+                    <div v-if="this.type === 'COMPOSER'">
+                      <c-switch color="primary" v-model="advisoryMirroringEnabled" label v-bind="labelIcon" />{{$t('admin.repository_advisory_mirroring_enabled')}}
+                    </div>
+                    <div v-show="advisoryMirroringEnabled" v-if="this.type === 'COMPOSER'">
+                      <c-switch color="primary" v-model="advisoryAliasSyncEnabled" label v-bind="labelIcon" />{{$t('admin.repository_advisory_alias_sync_enabled')}}
                     </div>
 
+                    <div>
+                      <c-switch color="primary" v-model="authenticationRequired" label v-bind="labelIcon" />{{$t('admin.repository_authentication')}}
+                    </div>
                     <div>
                       <b-validated-input-group-form-input
                         id="username" :label="$t('admin.username')"
@@ -176,10 +185,6 @@ export default {
                         v-debounce:750ms="updateRepository" :debounce-events="'keyup'"/>
                     </div>
 
-                    <div>
-                      <c-switch color="primary" v-model="enabled" label v-bind="labelIcon" />{{$t('admin.enabled')}}
-                    </div>
-
                     <div style="text-align:right">
                        <b-button variant="outline-danger" @click="deleteRepository">{{ $t('admin.delete_repository') }}</b-button>
                     </div>
@@ -193,20 +198,30 @@ export default {
             data() {
               return {
                 repository: row,
+                type: row.type,
                 identifier: row.identifier,
                 url: row.url,
                 internal: row.internal,
                 authenticationRequired: row.authenticationRequired,
                 username: row.username,
                 password: row.password || 'HiddenDecryptedPropertyPlaceholder',
                 enabled: row.enabled,
+                advisoryMirroringEnabled:
+                  this.parseAdvisoryMirroringEnabled(row),
+                advisoryAliasSyncEnabled:
+                  this.parseAdvisoryAliasSyncEnabled(row),
                 uuid: row.uuid,
                 labelIcon: {
                   dataOn: '\u2713',
                   dataOff: '\u2715',
                 },
               };
             },
+            // TODO remove this dead code
+            // created() {
+            //   this.parseAdvisoryMirroringEnabled(this.repository);
+            //   this.parseAdvisoryAliasSyncEnabled(this.repository);
+            // },
             watch: {
               internal() {
                 this.updateRepository();
@@ -217,8 +232,32 @@ export default {
               authenticationRequired() {
                 this.updateRepository();
               },
+              advisoryMirroringEnabled() {
+                this.updateRepository();
+              },
+              advisoryAliasSyncEnabled() {
+                this.updateRepository();
+              },
             },
             methods: {
+              parseAdvisoryMirroringEnabled: function (repo) {
+                if (repo.config) {
+                  let value = JSON.parse(repo.config);
+                  if (value) {
+                    return value.advisoryMirroringEnabled;
+                  }
+                  return null;
+                }
+              },
+              parseAdvisoryAliasSyncEnabled: function (repo) {
+                if (repo.config) {
+                  let value = JSON.parse(repo.config);
+                  if (value) {
+                    return value.advisoryAliasSyncEnabled;
+                  }
+                  return null;
+                }
+              },
               deleteRepository: function () {
                 let url = `${this.$api.BASE_URL}/${this.$api.URL_REPOSITORY}/${this.uuid}`;
                 this.axios
@@ -239,6 +278,10 @@ export default {
                     url: this.url,
                     internal: this.internal,
                     authenticationRequired: this.authenticationRequired,
+                    config: JSON.stringify({
+                      advisoryMirroringEnabled: this.advisoryMirroringEnabled,
+                      advisoryAliasSyncEnabled: this.advisoryAliasSyncEnabled,
+                    }),
                     username: this.username,
                     password:
                       this.password || 'HiddenDecryptedPropertyPlaceholder',