Dependency Track Vulnerability Processor
Philipp A. Baer 1eb335f487
Merge pull request 'Create images again' (#64) from fix-image-creation into main
Reviewed-on: #64
2026-03-04 05:31:14 +00:00

Dependency Track Vulnerability Processor (DTVP)

DTVP is an opinionated tool for processing Dependency Track vulnerabilities. It reads all project versions of a specific project from Dependency Track, grouping vulnerabilities by Common Vulnerability ID (CVE). Users can then assess these vulnerabilities across all versions of the project and update their analysis state in bulk.

Key Features

  • Vulnerability Grouping: Automatically groups identical vulnerabilities (CVEs) across all project versions.
  • Bulk Assessment: Assess a vulnerability once and apply the analysis to all affected versions simultaneously.
  • Team-Specific Assessments: Support for multiple teams (e.g., AppSec, DevOps) to provide their own assessment of a vulnerability.
  • Mock Service: Includes a mock Dependency-Track service for easy development and testing without a live instance.
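The grouping and bulk-assessment idea described above, as an added example that is not DTVP's own code. It assumes findings shaped like the reduced form of what Dependency-Track's findings endpoint returns (component, vulnerability and analysis objects) and builds one analysis request per affected component, which is the payload shape Dependency-Track's analysis API expects; the sample findings and all identifiers are constructed.

```python
from collections import defaultdict

# Analysis states accepted by Dependency-Track's analysis API.
ANALYSIS_STATES = {"NOT_SET", "IN_TRIAGE", "EXPLOITABLE", "FALSE_POSITIVE",
                   "NOT_AFFECTED", "RESOLVED"}

# Constructed sample: two versions (p-v1, p-v2) of one project; the same
# vulnerability appears in both, and p-v2 has already assessed it.
FINDINGS = [
    {"component": {"uuid": "c-1", "project": "p-v1", "name": "libfoo"},
     "vulnerability": {"uuid": "v-1", "vulnId": "CVE-0000-0001", "severity": "HIGH"},
     "analysis": {"state": "NOT_SET"}},
    {"component": {"uuid": "c-2", "project": "p-v2", "name": "libfoo"},
     "vulnerability": {"uuid": "v-1", "vulnId": "CVE-0000-0001", "severity": "HIGH"},
     "analysis": {"state": "NOT_AFFECTED"}},
    {"component": {"uuid": "c-3", "project": "p-v2", "name": "libbar"},
     "vulnerability": {"uuid": "v-2", "vulnId": "CVE-0000-0002", "severity": "LOW"},
     "analysis": {"state": "NOT_SET"}},
]


def group_by_cve(findings):
    """Map vulnId -> findings, one entry per affected component/version."""
    groups = defaultdict(list)
    for finding in findings:
        groups[finding["vulnerability"]["vulnId"]].append(finding)
    return dict(groups)


def affected_versions(group):
    """Project (version) identifiers in which this CVE occurs, sorted."""
    return sorted({f["component"]["project"] for f in group})


def bulk_analysis_requests(group, state, comment, suppressed=False):
    """Build one analysis request per finding in the group so a single
    assessment is applied to every version. Findings already in the target
    state are skipped; unknown states are rejected before anything is sent."""
    if state not in ANALYSIS_STATES:
        raise ValueError(f"unknown analysis state: {state}")
    return [
        {"project": f["component"]["project"],
         "component": f["component"]["uuid"],
         "vulnerability": f["vulnerability"]["uuid"],
         "analysisState": state,
         "comment": comment,
         "suppressed": suppressed}
        for f in group if f["analysis"].get("state") != state
    ]
```

Each returned dict would be sent as the body of a PUT to the analysis endpoint using the configured API key; the example stops short of network calls so it runs offline.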

Tech Stack

This project is built using:

  • Backend: Python 3.13+, FastAPI, Uvicorn, httpx.
  • Frontend: Vue 3, Vite, TailwindCSS.
  • Package Management: uv (Python), npm (Node.js).
  • Containerization: Docker, Docker Compose.

Prerequisites

Ensure you have the following installed:

  • Python v3.13+
  • Node.js v22.0.0+
  • Docker & Docker Compose (or Podman)
  • uv (for Python package management)
  • pm2 (for running the mock service)

Getting Started

  1. Clone the repository:

    git clone https://github.com/phbaer/dtvp.git
    cd dtvp
    
  2. Install Backend Dependencies:

    uv sync --dev
    
  3. Install Frontend Dependencies:

    cd frontend
    npm ci
    cd ..
    
  4. Configure Environment: Copy the example environment file:

    cp .env.dist .env
    

    Edit .env with your specific configuration. See the Environment Variables section below for details.

Running the Application

Development Mode (Manual)

To run the application manually for development:

  1. Start the Mock Service (Optional): If you don't have a live Dependency-Track instance, start the mock service:

    pm2 start ecosystem.config.js --only mock-dt
    

    This serves a mock Dependency-Track instance at http://localhost:8081.

  2. Start the Backend:

    uv run uvicorn main:app --reload --port 8000
    
  3. Start the Frontend: Open a new terminal:

    cd frontend
    npm run dev
    

    Access the frontend at http://localhost:5173.

  4. Stop the Mock Service: When finished:

    pm2 delete mock-dt
    

Production Mode (Docker)

To run the application using Docker Compose:

  1. Configure Docker Compose:

    cp compose.yml.dist compose.yml
    # Edit .env and compose.yml with your specific configuration
    
  2. Start Services:

    docker compose up -d
    

Testing

Backend Tests

Run unit tests using pytest:

uv run pytest

Frontend Tests

Run unit tests using vitest:

cd frontend
npm run test:unit

End-to-End (UI) Tests

The E2E tests use Playwright and require the full stack (backend + frontend + mock services) to be running or orchestrated.

# Start all services
pm2 start ecosystem.config.js

# Run E2E tests
cd frontend
npm run test:ui

# Clean up
cd ..
pm2 stop ecosystem.config.js

Environment Variables

Variable                  Description                         Default
DTVP_API_KEY              Dependency Track API key            Required
DTVP_API_URL              Dependency Track Base URL           Required
DTVP_OIDC_AUTHORITY       OIDC Authority URL                  Required
DTVP_OIDC_CLIENT_ID       OIDC Client ID                      Required
DTVP_OIDC_CLIENT_SECRET   OIDC Client Secret                  Required
DTVP_SESSION_SECRET_KEY   Secret key for session encryption   Required
DTVP_CONTEXT_PATH         Application context path            /
DTVP_FRONTEND_URL         Frontend URL                        http://localhost:8000
DTVP_OIDC_REDIRECT_URI    OIDC Redirect URI                   http://localhost:8000/auth/callback

License

This project is licensed under the MIT License - see the LICENSE file for details.