
Re-implement support for `NEW_VULNERABLE_DEPENDENCY` notification

Open nscuro opened this issue 3 years ago • 5 comments

Fixes #1611

Signed-off-by: nscuro [email protected]

Notable change in behavior compared to 3.8.0:

analyzeNotificationCriteria was invoked in 3.8.0 when a new dependency was created:

https://github.com/DependencyTrack/dependency-track/blob/f37279c862a6302a2c56a19dc13d5e9a71d65790/src/main/java/org/dependencytrack/persistence/QueryManager.java#L1259

That worked because components were global and could potentially already have vulnerabilities assigned to them.

With the new component model in >= 4.0.0, new components can't have vulnerabilities assigned to them already, so we have to wait until vulnerability analysis completes before calling analyzeNotificationCriteria.

The name of the new event I introduced is a little unfortunate, I'm very much open to naming suggestions 😅

nscuro avatar Aug 06 '22 18:08 nscuro

Hello @nscuro

That's great 👍

Is there any way to make NEW_VULNERABLE_DEPENDENCY and NEW_VULNERABILITY mutually exclusive (i.e. knowing that the component was newly added in NotificationUtil.analyzeNotificationCriteria)? Otherwise, it seems the two notifications would fire off on SBOM upload for any new vulnerable component.

syalioune avatar Aug 07 '22 09:08 syalioune

This works for me @nscuro. I think the suggestion @syalioune has would be new behavior. Entirely up to you if you want to implement that now, or in a future release. On the surface it sounds simple, but I think it may be a bit more difficult.

stevespringett avatar Aug 07 '22 20:08 stevespringett

@syalioune @stevespringett Let's address that in another enhancement.

We'll need a more sturdy way to track whether a component is new. Dragging a detached collection of Components through the system is not very optimal. Maybe some sort of firstSeen / lastSeen field combination which would generally be very useful for other reasons. If firstSeen == lastSeen, then the component could be considered new.

nscuro avatar Aug 09 '22 14:08 nscuro

@nscuro , you mean... something like the enhancement #1137 that I logged last year? =)

msymons avatar Aug 09 '22 15:08 msymons

@msymons Yes! Just for components instead of vulnerabilities. And by reading the comments, the concerns also hold true in that case (what does "first seen" even mean?).

nscuro avatar Aug 09 '22 16:08 nscuro
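As an added illustration (not Dependency-Track's own code), a small Python model of the ordering nscuro describes and of the firstSeen/lastSeen heuristic from the later comment: notification criteria are evaluated only once vulnerability analysis has produced findings, and a component whose firstSeen equals lastSeen is treated as new, so that only one of the two notification types fires for it. Component names and vulnerability identifiers below are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed model of the two notification groups discussed in the thread.
NEW_VULNERABILITY = "NEW_VULNERABILITY"
NEW_VULNERABLE_DEPENDENCY = "NEW_VULNERABLE_DEPENDENCY"


@dataclass
class Component:
    name: str
    first_seen: datetime
    last_seen: datetime
    vulnerabilities: set = field(default_factory=set)

    def is_new(self) -> bool:
        # Heuristic proposed in the thread (assumption): a component seen exactly
        # once has firstSeen == lastSeen and is therefore considered new.
        return self.first_seen == self.last_seen


def analyze_notification_criteria(component: Component, new_findings):
    """Return notifications for one component.

    new_findings is the set of vulnerabilities the analysis just identified, or
    None when analysis has not run yet. Under the 4.x project-scoped component
    model a freshly created component has no vulnerabilities attached, so
    evaluating before analysis completes can never report anything.
    """
    if not new_findings:
        return []
    if component.is_new():
        return [(NEW_VULNERABLE_DEPENDENCY, component.name)]
    return [(NEW_VULNERABILITY, component.name, v) for v in sorted(new_findings)]


def process_bom_upload(components, scanner):
    """Simulate: create components, run analysis, then evaluate criteria."""
    # Evaluating at creation time (the 3.8.0 call site) yields nothing in 4.x.
    at_creation = [n for c in components for n in analyze_notification_criteria(c, None)]
    after_analysis = []
    for c in components:
        found = scanner(c.name) - c.vulnerabilities  # only newly identified ones
        c.vulnerabilities |= found
        after_analysis += analyze_notification_criteria(c, found)
    return at_creation, after_analysis


def demo():
    t0 = datetime(2022, 8, 6, 18, 0)
    fresh = Component("example-lib:1.0", first_seen=t0, last_seen=t0)
    known = Component("example-core:2.1", first_seen=t0 - timedelta(days=30),
                      last_seen=t0, vulnerabilities={"EXAMPLE-VULN-1"})
    findings = {"example-lib:1.0": {"EXAMPLE-VULN-2"},
                "example-core:2.1": {"EXAMPLE-VULN-1", "EXAMPLE-VULN-3"}}
    return process_bom_upload([fresh, known], lambda name: findings.get(name, set()))
```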