Split direct dependency check from Version Distance Evaluator
Current Behavior
Currently the Version Distance Policy Evaluator is able to check for version distance, but will only fire if the package it is assessing is a direct dependency of the object the policy is applying to.
Proposed Behavior
The test for a package being a direct dependency should probably be in its own evaluator.
It's useful to know whether, in an aggregated BOM or in a project, there are packages anywhere in the dependency tree that do not meet the policy thresholds (regardless of whether they are direct).
An example of this is building a policy where you want the distance to be equal to 0.0.0.0, but the age to be within some amount of time (i.e. the latest package version has not been updated in a few years).
The existing behaviour could still be reproduced by combining the two policies with an ALL condition.
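As an added illustration, not Dependency-Track's own code, here is a Python model of the split: the direct-dependency test and the version-distance test as separate predicates, combined with an ALL condition over a constructed dependency tree. The graph, the component versions, and the three-field distance semantics are assumptions made for the example.

```python
from collections import deque

# Constructed example, not Dependency-Track code: "ROOT" is the project and the
# graph maps each node to the components it depends on directly.
GRAPH = {"ROOT": ["libA", "libB"], "libA": ["libC"], "libB": ["libD"], "libC": [], "libD": []}

# name -> (installed version, latest published version) as (major, minor, patch)
COMPONENTS = {
    "libA": ((1, 2, 0), (1, 2, 0)),  # direct, up to date
    "libB": ((2, 0, 0), (3, 0, 0)),  # direct, one major behind
    "libC": ((1, 0, 0), (1, 4, 0)),  # transitive, four minors behind
    "libD": ((0, 9, 0), (0, 9, 0)),  # transitive, up to date
}

def all_dependencies(graph=GRAPH, root="ROOT"):
    # Every component reachable from the project, direct or transitive.
    seen, queue = set(), deque(graph[root])
    while queue:
        name = queue.popleft()
        if name not in seen:
            seen.add(name)
            queue.extend(graph[name])
    return seen

def is_direct(name, graph=GRAPH, root="ROOT"):
    # Proposed stand-alone evaluator: is the component a direct dependency?
    return name in graph[root]

def version_distance(name):
    # Assumed semantics: fields behind latest, lower fields ignored once a higher
    # one differs (2.0.0 vs 3.0.0 -> (1, 0, 0); 1.0.0 vs 1.4.0 -> (0, 4, 0)).
    installed, latest = COMPONENTS[name]
    for i, (have, new) in enumerate(zip(installed, latest)):
        if new != have:
            return tuple(new - have if j == i else 0 for j in range(3))
    return (0, 0, 0)

def exceeds_distance(name, threshold=(0, 0, 0)):
    # Violation if any field of the distance is above the policy threshold.
    return any(d > t for d, t in zip(version_distance(name), threshold))

def violations(*checks, graph=GRAPH):
    # ALL condition: a component violates only if every check holds for it.
    return sorted(n for n in all_dependencies(graph) if all(c(n) for c in checks))

# Today the distance check is fused with the direct test: only libB fires.
CURRENT = violations(is_direct, exceeds_distance)
# Split: distance alone reaches into the tree; ALL with is_direct restores today's result.
SPLIT = violations(exceeds_distance)
```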
Checklist
- [X] I have read and understand the contributing guidelines
- [X] I have checked the existing issues for whether this enhancement was already requested
This is the code I'm referencing: https://github.com/DependencyTrack/dependency-track/blob/026b504d27c692674eeca0bad32fcb22428b8b02/src/main/java/org/dependencytrack/policy/VersionDistancePolicyEvaluator.java#L102-L106