"Community Integrations" page links to low quality projects

[jakub-bochenski]

Current Behavior

E.g. https://github.com/MO-Movia/Dependency-Track-Report-Tool

26 commits, no useful documentation, no automated tests, last commit 5 years ago.

There are multiple projects like this linked from official documentation.

Endorsing such projects make Dependency Track look not serious.

Steps to Reproduce

go to https://docs.dependencytrack.org/integrations/community-integrations/

Expected Behavior

Only high quality projects are endorsed by the official documentation

Dependency-Track Version

4.7.x

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

N/A

Checklist

• I have read and understand the contributing guidelines
• I have checked the existing issues for whether this defect was already reported

[jakub-bochenski]

More examples: https://github.com/marketplace/actions/owasp-dependency-track-check code uses curl --insecure

[jakub-bochenski]

https://github.com/ozontech/dtrack-audit seems abandoned, there is no documentation on usage only "features" and "sample output"

[jakub-bochenski]

https://codedx.com/ just redirects to blackduck main page, it's unclear why is it even included

[stohrendorf]

Regarding the open source projects, please provide evidence they're really of low quality. For example, personally, I have a project that only had 1-2 commits within the past 6 years or so, because it's small, and it just works. These commits weren't even exactly necessary, since they were caused by a vulnerability alert from a third party component, and I was too lazy to investigate the possible impact. So you need to provide proof that these projects either don't work anymore because of breaking API changes, or because they don't do their advertised job well enough.

[jakub-bochenski]

@stohrendorf

no useful documentation, no automated tests,

isn't this enough to qualify as low quality? one has to guess what this project even does

[stohrendorf]

Not exactly IMHO. For example, it took me 5 minutes to figure out what the first tool Dependency-Track-Report-Tool you linked does, and how to configure it. The same applies to the dtrack-audit project you linked.

Yes, the action you provided uses the SSL check bypassing --insecure flag, but if you don't have a proper PKI, this is still fine (although you should be aware of it).

I think you should consider projects poor only if the issues can't be fixed within, I don't know, 15 minutes or so, or if they have long-standing open issues.

Regarding the "poorness", I only agree with the "Code Dx" mention, since this now links to a page that has nothing to do with the source title.

Please note that open source projects are not perfect - they usually don't have perfect documentation or follow standards. They're usually things that work if you tinker.

[jakub-bochenski]

https://github.com/MO-Movia/Dependency-Track-Report-Tool and https://github.com/ozontech/dtrack-audit have open issues that are many years old without any response. This is a sign of an abandoned project.

[valentijnscholten]

I think these links are just provided as helpful pointers to potentially interesting projects. I am not aware of any statements where OWASP or the Dependency Track maintainers endorse these projects.