OSS Index: Allow exclusion of components to scan
Issue Type:
- defect report
- enhancement request
Current Behavior:
When using the OSS Index scanner, Dependency-Track will send the packageURLs of all components to OSS Index. This of course includes those of internal components. The namespace of a packageURL may contain the company’s name, making it fairly easy to find out who’s making the requests and what their application landscape may look like.
Someone with access to OSS Index’s request logs may be able to find out how often a given project is built, how many vulnerable components it has and how quickly vulnerable components get patched. The main issue here is that we simply cannot know what Sonatype does with the data being sent to it.
Although I’m explicitly mentioning Sonatype’s OSS Index here, I’m sure this also affects other scanners that work similarly.
Expected Behavior:
It should be possible to exclude information about specific components from being sent to external services like OSS Index.
It should be considered that new projects (so potentially new namespaces) will be added dynamically (e.g. through the Jenkins plugin), which is why I’m certain that a Regex or “namespace contains” type of exclusion list would be optimal. E.g.:
Exclude namespaces:
^com\.acme.*
.*mycompanyname.*
Environment:
- Dependency-Track Version: 3.4.0
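The namespace-based exclusion list proposed above, as an added Python sketch that is not Dependency-Track's own code: it pulls the namespace out of each package URL, withholds the ones matching the regex list, and returns what would still be sent to OSS Index. The pattern list and the sample package URLs are constructed from the examples in the issue.

```python
import re
from urllib.parse import unquote

# Constructed from the issue's example list; hypothetical setting, not a
# real Dependency-Track configuration key.
EXCLUDED_NAMESPACE_PATTERNS = [r"^com\.acme.*", r".*mycompanyname.*"]

# Constructed sample inventory: two "internal" components, three public ones.
SAMPLE_PURLS = [
    "pkg:maven/org.apache.commons/commons-lang3@3.9",
    "pkg:maven/com.acme.billing/invoice-service@2.1.0",
    "pkg:npm/%40mycompanyname/ui-kit@1.4.2",
    "pkg:npm/lodash@4.17.15",
    "pkg:pypi/requests@2.22.0?extension=whl",
]


def purl_namespace(purl: str) -> str:
    """Return the decoded namespace of a package URL, or '' if it has none.

    Layout: pkg:type/namespace/name@version?qualifiers#subpath
    Everything between the type and the final name segment is the namespace.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl!r}")
    body = purl[len("pkg:"):]
    # Subpath and qualifiers are not part of the namespace.
    body = body.split("#", 1)[0].split("?", 1)[0]
    # The version follows the last raw '@'; '@' inside a namespace is
    # percent-encoded (e.g. npm scopes), so this split is safe.
    body = body.rsplit("@", 1)[0]
    segments = body.strip("/").split("/")
    # segments[0] is the type, segments[-1] the name; the rest is namespace.
    return "/".join(unquote(s) for s in segments[1:-1])


def partition_for_scan(purls, patterns=EXCLUDED_NAMESPACE_PATTERNS):
    """Split components into (send, withheld) by namespace regex match.

    Caveat: a component with no namespace (e.g. a bare npm name) can never be
    excluded this way, so purely namespace-based rules do not catch everything.
    """
    compiled = [re.compile(p) for p in patterns]
    send, withheld = [], []
    for purl in purls:
        ns = purl_namespace(purl)
        (withheld if any(rx.search(ns) for rx in compiled) else send).append(purl)
    return send, withheld


if __name__ == "__main__":
    to_send, kept_back = partition_for_scan(SAMPLE_PURLS)
    print("sent to OSS Index:", to_send)
    print("withheld:", kept_back)
```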
Issue Analytics: created 4 years ago; 4 reactions; 7 comments (4 by maintainers).
Top GitHub Comments
Another justification for exclusion of components from scanning that may be applicable to VulnDB… MONEY!
In #443, Steve wrote that “…as the (VulnDB) service may be licensed on the number of requests per month.”
The same exclusions should likely apply to outdated component analysis