
Option to trigger notifications based on severity of the CVE

Open tapmch opened this issue 1 year ago • 4 comments

Current Behavior

I can configure an alert notification for newly detected vulnerabilities.

Proposed Behavior

Currently, it is possible to configure a notification when a new vulnerability is detected. I would like to be able to trigger an alert notification only when the severity level is critical or high.

Checklist

tapmch avatar May 28 '24 16:05 tapmch

This feature would be incredibly helpful in reducing the number of notifications sent to our security champions. Currently, some teams in our organization manage numerous microservices, and they receive notifications about new vulnerabilities for every severity level. This results in a flood of emails, which can lead to important messages being ignored due to the sheer volume.

By filtering notifications based on severity, we could limit the emails to only high and critical vulnerabilities. This would significantly reduce the number of emails, ensuring that only the most important notifications are sent, making it easier for our security champions to stay focused on critical issues.

farsheedify avatar Oct 27 '24 13:10 farsheedify

We also need this feature. Actually, our use case would be to separate only Critical vulnerabilities and give them, e.g., Warning level.

If you have a vision of how it should be configured, I could take this task.

Right now I see it as a new setup page (Notifications -> Severity Mapping) which will have a grid like this:

| Severity | Notification level |
| --- | --- |
| Critical | ERROR |
| High | WARNING |
| Medium | INFORMATIONAL |
| Low | INFORMATIONAL |
| Unassigned | INFORMATIONAL |

I'm not sure if it's OK to tag @nscuro, sorry if it's not. But I'm ready to help with this one.

Thanks!

Hunroll avatar Mar 28 '25 12:03 Hunroll

PR's posted @nscuro

emyhrberg avatar Apr 25 '25 12:04 emyhrberg

I'm currently facing the same issue, and I was wondering if there is still someone working on getting this released?

jamie-teqplay avatar Nov 25 '25 10:11 jamie-teqplay