
Ability to create a policy condition based on "Attributed on" value.

Open margusanvelt opened this issue 1 year ago • 1 comment

Current Behavior

Currently the conditions that can be used in creating a policy are limited.

Proposed Behavior

It would be great to have the ability to create a policy that flags projects where there are vulnerabilities that have not been triaged within a specified timeframe. This could be done based on the "Attributed on" value of the vulnerabilities.

Checklist

margusanvelt avatar Apr 18 '24 13:04 margusanvelt

PRs for Attribution Date-based Policy

I've created the following PRs to implement the requested feature for policy conditions based on vulnerability attribution dates:

Backend Implementation:

  • PR #4998:
    • Adds AttributedOnPolicyEvaluator
    • Supports ISO-8601 period formats (e.g., "P30D", "P1M") for age-based conditions

Frontend Implementation:

  • PR: https://github.com/DependencyTrack/frontend/pull/1259
    • Updates policy creation UI to support "Attributed On" condition type
    • Adds appropriate user guidance

This enhancement enables users to create policies that flag projects containing untriaged vulnerabilities within a specified timeframe, addressing the limitation mentioned in the issue.

As this is my first contribution to Dependency-Track, I would greatly appreciate a review from @msymons / @nscuro and the maintainer team.

Please let me know where I can help or if you have suggestions on these PRs.

arjavdongaonkar avatar May 27 '25 18:05 arjavdongaonkar
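One way an "attributed on" age condition of the kind described above can be evaluated, written here as an added illustration and not the code from PR #4998 or Dependency-Track's own model classes (the `Finding` record, class and method names are hypothetical; the condition value is an ISO-8601 period such as "P30D" or "P1M", parsed with `java.time.Period`):

```java
import java.time.Clock;
import java.time.Instant;
import java.time.LocalDate;
import java.time.Period;
import java.time.ZoneOffset;
import java.time.format.DateTimeParseException;
import java.util.ArrayList;
import java.util.List;

/** Flags findings that have stayed untriaged longer than the configured ISO-8601 period. */
public final class AttributedOnAgeCheck {
    /** Hypothetical stand-in for a finding's attribution record (not Dependency-Track's model). */
    public record Finding(String id, LocalDate attributedOn, boolean triaged) {}

    private final Period maxUntriagedAge;
    private final Clock clock;

    public AttributedOnAgeCheck(String isoPeriod, Clock clock) {
        // Period.parse accepts ISO-8601 periods (P30D, P1M, P1Y2M); reject anything else up front
        try {
            this.maxUntriagedAge = Period.parse(isoPeriod);
        } catch (DateTimeParseException e) {
            throw new IllegalArgumentException("Condition value must be an ISO-8601 period: " + isoPeriod, e);
        }
        if (maxUntriagedAge.isZero() || maxUntriagedAge.isNegative()) {
            throw new IllegalArgumentException("Period must be positive: " + isoPeriod);
        }
        this.clock = clock; // injected so the cutoff is reproducible in tests
    }

    /** Returns findings that are untriaged and were attributed on or before today minus the period. */
    public List<Finding> violations(List<Finding> findings) {
        LocalDate cutoff = LocalDate.now(clock).minus(maxUntriagedAge);
        List<Finding> out = new ArrayList<>();
        for (Finding f : findings) {
            if (!f.triaged() && !f.attributedOn().isAfter(cutoff)) {
                out.add(f);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample data with a fixed "today" of 2025-06-01
        Clock fixed = Clock.fixed(Instant.parse("2025-06-01T00:00:00Z"), ZoneOffset.UTC);
        List<Finding> findings = List.of(
            new Finding("SAMPLE-1", LocalDate.of(2025, 4, 1), false),  // 61 days, untriaged: violation
            new Finding("SAMPLE-2", LocalDate.of(2025, 5, 20), false), // 12 days: still within P30D
            new Finding("SAMPLE-3", LocalDate.of(2025, 3, 1), true));  // old but already triaged
        new AttributedOnAgeCheck("P30D", fixed).violations(findings)
            .forEach(f -> System.out.println("untriaged beyond policy window: " + f.id()));
    }
}
```

With the constructed data only SAMPLE-1 is reported; a triage decision (the `triaged` flag here) is what clears a finding from the condition, so the check measures time since attribution rather than time since discovery.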