Display NVD API Attribution Notice #3294
Comments
|
Oops... by bad. it is displayed exactly as required in the NVD configuration page |
|
I did have checked this repo for the line... but it is defined in another repo, the frontend one |
|
@jgraglia, I am re-opening this issue as we do need to do a better job here. The Terms of Use specify that the notice must be displayed prominently... and showing it on a configuration page that can only be seen by administrators is not what anyone would think of as being "prominent". Within the application, the "About" dialog is probably the best place to display the notice. If need be, perhaps the dialog could be tabbed so that screen real-estate is not a problem. The Documentation website should also be updated. |
|
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
Current Behavior
Since Dependency Track use NVD Rest API (with the APIKEY provided by the deployer) the product Dependency Track should have to respect the Terms of Use of the NVD API and display somewhere the required notice
This product uses the NVD API but is not endorsed or certified by the NVD.OWASP Dependency Check had the same issue : jeremylong/DependencyCheck#6105
Steps to Reproduce
Browse the available documentation on the website: no notice
google search prompt :
site:https://docs.dependencytrack.org/ "This product uses the NVD API but is not"No notice on the about dialog in v 4.10.0 the NVD appears in the DATASOURCE PROVIDERS but without the notice.
Expected Behavior
The NVD terms of use should be respected.
Dependency-Track Version
4.7.x
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
15
Browser
Google Chrome
Checklist
The text was updated successfully, but these errors were encountered: