DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Snyk Config does not inform user of default SCANNER_SNYK_API_VERSION #2285

Open msymons opened 1 year ago

msymons commented 1 year ago

Current Behavior

The API used for Snyk Integration in DT v4.7.0 is versioned and fast-evolving. The SCANNER_SNYK_API_VERSION has been updated twice even during the development of 4.7.0.

The config screen warns that "Changing the default version may break the integration!"

Snyk integration only uses SCANNER_SNYK_API_VERSION to set things up for a new DT install. Thus, an existing install will start to drift from default (which is what is recommended because it has been tested).

This will impact real-world users once they upgrade to 4.7.0 when it is released (which would currently give them 2022-11-14) and then v4.8.0 uses something like 2023-01-01 (or whatever).

Steps to Reproduce

  1. Download a version of DT v4.7.0 SNAPSHOT from 1st December 2022 and install fresh.
  2. Observe API version. It will be 2022-10-06 or earlier.
  3. Update to latest snapshot
  4. Observe API version. It will still be 2022-10-06.
  5. Check the code. SCANNER_SNYK_API_VERSION (defined in ConfigPropertyConstants.java) will be 2022-11-14 or later

Expected Behavior

It should be obvious when a mismatch exists. Implementing upgrade intelligence might be a pain. I would suggest simply changing the warning on the config screen to display the value of the default.

Dependency-Track Version

4.7.0-SNAPSHOT

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Mozilla Firefox

Checklist
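The drift described in this report (a persisted SCANNER_SNYK_API_VERSION that stays behind the default compiled into the running release) can be checked from the outside today. The following is an added example, not code from the Dependency-Track project or from the reporter: it reads a list of config properties in the shape returned by the existing `GET /api/v1/configProperty` endpoint and compares the Snyk API version against a default the operator supplies. The default value, the `scanner` / `snyk.api.version` property names and the sample response are assumptions, since (as the report says) the running release's default is not exposed by the API.

```python
"""Detect drift between the Snyk API version persisted in a Dependency-Track
database and the default shipped with the running release."""
import json
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Mapping, Optional

# Assumption: the default compiled into the release being run. The report notes
# the real constant lives in ConfigPropertyConstants.java and is not served by
# the API, so an operator has to supply it here (or read it from the source).
ASSUMED_DEFAULT_SNYK_API_VERSION = "2022-11-14"

# Assumed group and property names for the Snyk API version setting.
SNYK_GROUP = "scanner"
SNYK_PROPERTY = "snyk.api.version"


@dataclass(frozen=True)
class DriftReport:
    configured: Optional[str]   # value persisted in the database, None if absent
    default: str                # default for the running release

    @property
    def drifted(self) -> bool:
        # A missing property is not drift: a fresh install would pick up the default.
        return self.configured is not None and self.configured != self.default

    @property
    def configured_is_older(self) -> Optional[bool]:
        """Snyk API versions are ISO dates, so they can be ordered chronologically.
        Returns None when the property is absent or not a valid date."""
        if self.configured is None:
            return None
        try:
            return date.fromisoformat(self.configured) < date.fromisoformat(self.default)
        except ValueError:
            return None

    def message(self) -> str:
        key = f"{SNYK_GROUP}.{SNYK_PROPERTY}"
        if self.configured is None:
            return f"{key} not set; a fresh install would use {self.default}"
        if not self.drifted:
            return f"{key}={self.configured} matches the tested default"
        relation = "older than" if self.configured_is_older else "different from"
        return (f"WARNING: {key}={self.configured} is {relation} the tested default "
                f"{self.default}; the Snyk integration may break")


def find_property(props: Iterable[Mapping], group: str, name: str) -> Optional[str]:
    """Return propertyValue for the first entry matching group and name, else None."""
    for prop in props:
        if prop.get("groupName") == group and prop.get("propertyName") == name:
            return prop.get("propertyValue")
    return None


def check_snyk_api_version(props: Iterable[Mapping],
                           default: str = ASSUMED_DEFAULT_SNYK_API_VERSION) -> DriftReport:
    """Compare the persisted Snyk API version with the release default."""
    return DriftReport(configured=find_property(props, SNYK_GROUP, SNYK_PROPERTY),
                       default=default)


def check_from_json(text: str,
                    default: str = ASSUMED_DEFAULT_SNYK_API_VERSION) -> DriftReport:
    """Same check, starting from the raw JSON body of the configProperty response."""
    return check_snyk_api_version(json.loads(text), default)


# Constructed sample in the shape of a configProperty response, standing in for
# an install first set up from a 1 December 2022 snapshot and then upgraded.
SAMPLE_CONFIG_PROPERTIES = json.dumps([
    {"groupName": "scanner", "propertyName": "snyk.enabled",
     "propertyValue": "true", "propertyType": "BOOLEAN"},
    {"groupName": "scanner", "propertyName": "snyk.api.version",
     "propertyValue": "2022-10-06", "propertyType": "STRING"},
    {"groupName": "scanner", "propertyName": "ossindex.enabled",
     "propertyValue": "true", "propertyType": "BOOLEAN"},
])

if __name__ == "__main__":
    # Against a live instance the JSON would come from GET /api/v1/configProperty
    # with an X-Api-Key header; the constructed sample replaces that call here.
    print(check_from_json(SAMPLE_CONFIG_PROPERTIES).message())
```

Running the check on the sample prints a warning that the persisted 2022-10-06 is older than the assumed 2022-11-14 default, which is exactly the mismatch the report wants the config screen to surface; on a fresh install, where the property has not yet been written, it reports the default that would be applied instead.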

nscuro commented 1 year ago

ℹ️ Note: this will require a new /v1/configProperty endpoint that exposes the default value of a given property.