NEW_VULNERABLE_DEPENDENCY notification not working
While working on adding policy violation support to notifications, I realized that the NEW_VULNERABLE_DEPENDENCY notification doesn't work at all and is not hooked up to anything. This is likely a result of the data model migration from 3.x to 4.x, but it's interesting that it hasn't been reported.
I noticed this when testing Dependency-Track for the first time but I thought I had something misconfigured. Any pointers on where this issue could be fixed?
It's targeted for v4.6
I also thought it was a misconfiguration. Could you add a notification graph to the dashboard? So that we can check if a notification was sent.
Does the notification even make sense anymore?
- NEW_VULNERABILITY already fires when NEW_VULNERABLE_DEPENDENCY would be fired
- NEW_VULNERABLE_DEPENDENCY includes a list of projects where the dependency was introduced, which, based on the new component model, doesn't make sense anymore, since component identity is now bound to individual projects
The default notification template only includes the affected PROJECT(s) on the event NEW_VULNERABLE_DEPENDENCY.
Is it possible to show the affected Project(s) also on NEW_VULNERABILITY?
@Kretikus Yes, you can list the affected project(s) when getting a NEW_VULNERABILITY. Check this: https://docs.dependencytrack.org/integrations/notifications/
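As an added illustration of the point above (this is not code from the thread or from the Dependency-Track project), here is a small receiver-side parser for a NEW_VULNERABILITY webhook body. The payload shape (group/scope/level at the top level, with component, vulnerability and affectedProjects under subject) is assumed from the notification docs linked above; every value, UUID and the vulnerability id in the sample are constructed for this example. It pulls out the affected project(s), rejects payloads from any other notification group so a misconfigured receiver fails loudly, and applies a simple severity gate for triage.

```python
import json

# Constructed sample payload, shaped like the NEW_VULNERABILITY webhook body
# described in the Dependency-Track notification docs (assumed shape). All
# values, UUIDs and the vulnerability id below are made up for this example.
SAMPLE_PAYLOAD = json.dumps({
    "notification": {
        "level": "INFORMATIONAL",
        "scope": "PORTFOLIO",
        "group": "NEW_VULNERABILITY",
        "timestamp": "2022-06-01T12:00:00.000Z",
        "title": "New Vulnerability Identified",
        "subject": {
            "component": {
                "uuid": "00000000-0000-0000-0000-0000000000c1",
                "name": "example-lib",
                "version": "1.0.0",
            },
            "vulnerability": {
                "uuid": "00000000-0000-0000-0000-0000000000f1",
                "vulnId": "EXAMPLE-0001",
                "source": "INTERNAL",
                "severity": "HIGH",
            },
            "affectedProjects": [
                {"uuid": "00000000-0000-0000-0000-0000000000a1",
                 "name": "billing-service", "version": "2.3.1"},
                {"uuid": "00000000-0000-0000-0000-0000000000a2",
                 "name": "web-frontend", "version": "0.9.0"},
            ],
        },
    }
})

# Severity ranking used by the triage gate (assumed ordering, lowest first).
SEVERITY_ORDER = ["UNASSIGNED", "INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def summarize_new_vulnerability(raw: str) -> dict:
    """Extract component, vulnerability id, severity and affected project(s)
    from a NEW_VULNERABILITY webhook body.

    Raises ValueError for anything that is not a NEW_VULNERABILITY notification,
    so a receiver subscribed to the wrong group does not silently drop events.
    """
    body = json.loads(raw)
    note = body.get("notification")
    if not isinstance(note, dict):
        raise ValueError("missing 'notification' object")
    group = note.get("group")
    if group != "NEW_VULNERABILITY":
        raise ValueError(f"unexpected notification group: {group!r}")

    subject = note.get("subject") or {}
    component = subject.get("component") or {}
    vuln = subject.get("vulnerability") or {}
    projects = subject.get("affectedProjects") or []

    # One "name version" string per affected project, sorted for stable output.
    affected = sorted(
        f"{p.get('name', '?')} {p.get('version', '')}".strip() for p in projects
    )
    return {
        "group": group,
        "component": f"{component.get('name', '?')} {component.get('version', '')}".strip(),
        "vulnId": vuln.get("vulnId"),
        "severity": vuln.get("severity"),
        "affected_projects": affected,
    }


def is_actionable(summary: dict, min_severity: str = "HIGH") -> bool:
    """Triage gate: True when the finding's severity meets the threshold."""
    sev = (summary.get("severity") or "UNASSIGNED").upper()
    if sev not in SEVERITY_ORDER:
        return False
    return SEVERITY_ORDER.index(sev) >= SEVERITY_ORDER.index(min_severity.upper())


if __name__ == "__main__":
    summary = summarize_new_vulnerability(SAMPLE_PAYLOAD)
    print(json.dumps(summary, indent=2))
    print("actionable:", is_actionable(summary))
```

Wiring this behind a webhook endpoint and logging every accepted payload also gives you the "was a notification actually sent?" evidence that the dashboard currently lacks.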
@pimschrama I agree. Since there is nothing that indicates if a notification was sent or not, you can't be sure if you configured it right. In my case I thought maybe it was me who didn't understand when the notification is triggered.