Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Postpone deprecation of unauthenticated access to Badge API #4500

Closed
2 tasks done
SaberStrat opened this issue Dec 28, 2024 · 1 comment · Fixed by #4502
Closed
2 tasks done

Postpone deprecation of unauthenticated access to Badge API #4500

SaberStrat opened this issue Dec 28, 2024 · 1 comment · Fixed by #4502
Labels
enhancement New feature or request
Milestone

Comments

@SaberStrat
Copy link

SaberStrat commented Dec 28, 2024

Current Behavior

The current implementation of the authenticated Badge API uses API keys as URL parameters for authn and authz. This was done as a natural way to limit access to Dependency-Track badges to specific projects/project-versions, while still allowing a broad and simple use of the badges, e.g. in Readme Markdowns in GitHub.

#4227 brought to attention some dangers that come with that implementation:

  • human error: a developer could accidentally commit and push the wrong API key in the DT badge URL in their Readme, thus creating a security incident
  • sets a bad example: contradicts common compliance rules to never publish secrets like API keys, raising the complexity of a technological environment.

So alternative solutions to API keys in URLs should be explored. Until then, API keys should not be enforced for badges and thus the unauthenticated access to badges should remain an alternative.

Proposed Behavior

To allow the use of badges without having to an publish an API key, keep the option to enable unauthenticated access to badges beyond Dependency-Track 4.12.

For this, we could either remove just the removal notice for 4.13, or remove the deprecation altogether. The latter feels more appropriate though:
a functionality should become deprecated when there's a newer one that is planned to replace the current one. But since the new functionality (authenticated Badge API access) has been argued to be flawed, and should thus be reconsidered in favor of a better implementation, why continue calling it deprecated when the replacement likely isn't the final form and a better one isn't known yet?

So the proposal is:

  • remove the text about the deprecation of unauthenticated access from the docs and frontend, and removal of unauthenticated access in Dependency-Track 4.13 from the docs
  • bring the various security implications of either approaches to badges (unauthenticated and authenticated but with API keys) to the users' attention in the docs.

Checklist

@SaberStrat SaberStrat added the enhancement New feature or request label Dec 28, 2024
@SaberStrat
Copy link
Author

I'll gladly contribute this myself.

@SaberStrat SaberStrat changed the title Delay removal of unauthenticated access to Badge API Do not deprecate unauthenticated access to Badge API Dec 28, 2024
@SaberStrat SaberStrat changed the title Do not deprecate unauthenticated access to Badge API Postpone deprecation of unauthenticated access to Badge API Dec 29, 2024
@nscuro nscuro added this to the 4.13 milestone Jan 3, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants