Open niklaskeerl opened 1 year ago
The behavior you describe is not specific to Jira notifications.
IMO you're asking to create a new notification group called NEW_VULNERABILITIES_ON_PROJECT
or similar, where those notifications would be sent after the BOM is processed and would contain all new vulnerabilities found on the given project.
Since analyses are performed regularly (by default at least once a day), I feel it should be quite rare to get many 'new vulnerabilities' since the last check, unless it is a new project or unless you have added a lot of vulnerable components since the last check.
Regarding the issue of having many ungrouped notifications, what I do however encounter often is that many projects are impacted by a given new vulnerability (due to having many small projects, in a micro-service architecture), so I would really like a way to group all those notifications. But this is a separate ER.
Regarding your specific use case (Jira), also note that it is possible to automate things in Jira (through plugins or externally via API) so that you would group your notifications / tickets.
Current Behavior
Currently, Dependency-Track creates one Jira Ticket for each notification in the group (e.g. "NEW_VULNERABILITY"). In the case of "NEW_VULNERABILITY", this usually means many tickets each with one CVE. This is really inefficient from a worker and management perspective as usually one person can take the task to take care of this on a daily schedule.
Proposed Behavior
Have an option to create only one Jira ticket with all CVEs that are found after an SBOM upload. This would help and make it much more usable in daily life. Thank you for the already great features of Dependency-Track!
Checklist
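The two grouping strategies raised in this thread (one ticket per project with all new CVEs, as the issue asks for, and one ticket per vulnerability listing all affected projects, as the comment above wants) can both be done outside Dependency-Track by sitting a small aggregator between its outbound webhook and the Jira REST API. The following is an added example written for this page; it is not code from Dependency-Track, from Jira, or from anyone in this thread. It assumes the webhook payload shape `notification.group`, `notification.subject.vulnerability` (`vulnId`, `severity`) and `notification.subject.affectedProjects`, and Jira's `POST /rest/api/2/issue` body (`fields.project.key`, `fields.summary`, `fields.description`, `fields.issuetype.name`); the sample notifications, the project key `SEC` and the issue type `Task` are constructed for illustration. Duplicate deliveries (webhook retries) and notifications from other groups are dropped before grouping.

```python
"""Group Dependency-Track NEW_VULNERABILITY webhook notifications into one Jira
issue per project or per vulnerability. Added example; assumed payload shapes."""
import json
from collections import defaultdict
from typing import Any, Dict, List, Tuple

NEW_VULN = "NEW_VULNERABILITY"

# Constructed sample notifications (not captured from a real instance); the
# field names follow the assumed shape of Dependency-Track's webhook publisher.
_LOG4J = {"notification": {
    "group": NEW_VULN, "level": "INFORMATIONAL", "title": "New Vulnerability Identified",
    "subject": {
        "component": {"name": "log4j-core", "version": "2.14.1"},
        "vulnerability": {"vulnId": "CVE-2021-44228", "source": "NVD", "severity": "CRITICAL"},
        "affectedProjects": [
            {"uuid": "a1", "name": "billing-api", "version": "1.0.0"},
            {"uuid": "b2", "name": "orders-api", "version": "3.2.0"}]}}}
_JACKSON = {"notification": {
    "group": NEW_VULN, "level": "INFORMATIONAL", "title": "New Vulnerability Identified",
    "subject": {
        "component": {"name": "jackson-databind", "version": "2.9.8"},
        "vulnerability": {"vulnId": "CVE-2019-12384", "source": "NVD", "severity": "HIGH"},
        "affectedProjects": [
            {"uuid": "a1", "name": "billing-api", "version": "1.0.0"}]}}}
_BOM_DONE = {"notification": {  # different group: must be ignored
    "group": "BOM_PROCESSED", "level": "INFORMATIONAL",
    "subject": {"project": {"uuid": "a1", "name": "billing-api", "version": "1.0.0"}}}}
SAMPLE_NOTIFICATIONS: List[Dict[str, Any]] = [_LOG4J, _JACKSON, _LOG4J, _BOM_DONE]  # _LOG4J twice = retry

# (project, vulnId, severity, component) -- one row per affected project
Finding = Tuple[str, str, str, str]


def extract_findings(notifications: List[Dict[str, Any]]) -> List[Finding]:
    """Flatten NEW_VULNERABILITY notifications into per-project findings, de-duplicated."""
    seen = set()
    findings: List[Finding] = []
    for n in notifications:
        body = n.get("notification", {})
        if body.get("group") != NEW_VULN:
            continue  # other groups (BOM_PROCESSED, ...) are not vulnerability findings
        subj = body.get("subject", {})
        vuln, comp = subj.get("vulnerability", {}), subj.get("component", {})
        comp_label = f"{comp.get('name')}@{comp.get('version')}"
        for proj in subj.get("affectedProjects", []):
            row: Finding = (f"{proj.get('name')}:{proj.get('version')}", vuln["vulnId"],
                            vuln.get("severity", "UNASSIGNED"), comp_label)
            if row not in seen:  # drops redelivered webhooks
                seen.add(row)
                findings.append(row)
    return findings


def group_by_project(findings: List[Finding]) -> Dict[str, List[Finding]]:
    grouped: Dict[str, List[Finding]] = defaultdict(list)
    for f in findings:
        grouped[f[0]].append(f)
    return dict(grouped)


def group_by_vulnerability(findings: List[Finding]) -> Dict[str, List[Finding]]:
    grouped: Dict[str, List[Finding]] = defaultdict(list)
    for f in findings:
        grouped[f[1]].append(f)
    return dict(grouped)


def jira_payloads(grouped: Dict[str, List[Finding]], jira_project_key: str, mode: str) -> List[Dict[str, Any]]:
    """Build one Jira create-issue body per group key; mode is 'project' or 'vulnerability'."""
    payloads = []
    for key, items in sorted(grouped.items()):
        items = sorted(items)
        if mode == "project":
            summary = f"[Dependency-Track] {len(items)} new vulnerabilities in {key}"
            lines = [f"* {v} ({sev}) via {comp}" for _, v, sev, comp in items]
        else:
            summary = f"[Dependency-Track] {key} affects {len(items)} projects"
            lines = [f"* {p} via {comp} ({sev})" for p, _, sev, comp in items]
        payloads.append({"fields": {
            "project": {"key": jira_project_key},
            "issuetype": {"name": "Task"},  # assumed issue type
            "summary": summary,
            "description": "\n".join(lines),
            "labels": ["dependency-track", f"grouped-by-{mode}"]}})
    return payloads


if __name__ == "__main__":
    found = extract_findings(SAMPLE_NOTIFICATIONS)
    for body in jira_payloads(group_by_project(found), "SEC", "project"):
        print(json.dumps(body, indent=2))  # POST each to /rest/api/2/issue
```

Run from a webhook receiver, the natural batching boundary is a BOM_PROCESSED notification for the same project: buffer NEW_VULNERABILITY findings as they arrive and flush one ticket per project when its BOM_PROCESSED event lands, or on a timer for the per-vulnerability mode.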