DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Alert Rules not working for all projects because of NULL values in PROJECT.ACTIVE #3296

Closed rkg-mm closed 10 months ago

rkg-mm commented 10 months ago

Current Behavior

I have at least 1 project team not getting emails for their projects, despite an alert rule being configured. I added myself as "Destination" additionally to the recipient team to test it and can confirm it. However, the behaviour is strange: I have a parent-child project relationship like this:

Project X
|- Project X - dev
   |- Project X - dev - Microservice A
   |- Project X - dev - Microservice B

The alert rule is configured on the top level "Project X", with "Include active children of projects" enabled. The SBOMs are uploaded to the Microservice Projects on the 3rd level.

This was seen in 4.9.1, but still the same in 4.10. The new logging feature confirms the behavior.

Steps to Reproduce

Steps might not be exact because there is a strange difference between older projects and a new project I created to test it. However, this is what I see:

  1. Configure as described above
  2. Enable Logging for the notification rule
  3. Create vulnerable component in one of the 3rd level projects
  4. Vulnerabilities show up in Dtrack, but no Notification is sent (as seen via missing email and missing log entry)
  5. Create a new project in the 3rd level, parallel to the Microservices projects. In theory there should be no difference to these.
  6. Create same vulnerable component in this new project
  7. Vulnerabilities show up in Dtrack, Email notification is received and log entry shows up for the notification rule

There is no visible difference between the "old" projects and the "new" project, and I am unsure when the old ones were created.

Expected Behavior

There should be no difference between the old and new microservice projects. However, only notifications for the new project are sent, even though they are covered by the same notification rule.

Dependency-Track Version

4.10.0

Dependency-Track Distribution

Container Image

Database Server

Microsoft SQL Server

Database Server Version

No response

Browser

Google Chrome


rkg-mm commented 10 months ago

Additional information: If I add the old 3rd level projects directly to the notification rule, notifications are sent out correctly. Somehow it must have to do with the include child projects and a difference in older and newer projects. I'm working on getting a copy of the production DB to figure out the difference.

rkg-mm commented 10 months ago

After reviewing the code I wonder if this might be related to https://github.com/DependencyTrack/dependency-track/pull/3244 as this would be the only condition I could see as a reason for different handling of same projects. Will check once I have DB access

edit: Yes this seems to be the issue. Those projects have a NULL value in the active field in the DB (see attached screenshot).

@nscuro might be a good idea to set all NULL values in "active" to "TRUE" in next version via db upgrade? Would it be safe to run a Query against production DB to fix this? Would I need to restart Dtrack server? I have a few hundred projects with NULL value in DB, likely all not getting notifications right now :/

nscuro commented 10 months ago

@rkg-mm Doing this change directly in the DB should work, and a restart should not be required.

might be a good idea to set all NULL values in "active" to "TRUE" in next version via db upgrade?

Yes, but also the notification router code should be able to correctly handle active being null.
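The exchange above comes down to two things: a filter written as `ACTIVE = 1` (or its ORM equivalent) silently excludes rows whose `ACTIVE` is NULL under SQL's three-valued logic, and the one-off fix rkg-mm asks about is an UPDATE that replaces those NULLs. The following T-SQL script is an added example for SQL Server, not Dependency-Track's own code or a project migration. Only the `PROJECT` table and its `ACTIVE` column are taken from the thread; the other column names (`ID`, `NAME`, `PARENT_PROJECT_ID`) and all row values are assumptions, constructed on a temporary table so the script runs without touching a real database.

```sql
-- Added example (not Dependency-Track's own code). T-SQL for SQL Server.
-- Column names other than PROJECT.ACTIVE are assumptions; the rows are constructed.

-- 1. Stand-in for the PROJECT table: two "old" children with NULL ACTIVE and
--    one "new" child with ACTIVE = 1, all under the same parent, as in the report.
CREATE TABLE #PROJECT (
    ID                INT           NOT NULL,
    NAME              NVARCHAR(255) NOT NULL,
    ACTIVE            BIT           NULL,      -- nullable, as in the affected databases
    PARENT_PROJECT_ID INT           NULL
);
INSERT INTO #PROJECT (ID, NAME, ACTIVE, PARENT_PROJECT_ID) VALUES
    (1, N'Project X',                        1,    NULL),
    (2, N'Project X - dev',                  NULL, 1),
    (3, N'Project X - dev - Microservice A', NULL, 2),
    (4, N'Project X - dev - Microservice B', NULL, 2),
    (5, N'Project X - dev - New Service',    1,    2);

-- 2. The trap: "NULL = 1" evaluates to UNKNOWN, which WHERE treats as false,
--    so an "active children" filter written this way returns only ID 5.
SELECT ID, NAME
FROM   #PROJECT
WHERE  PARENT_PROJECT_ID = 2 AND ACTIVE = 1;

-- 3. Null-safe version of the same filter: an unset flag counts as active.
--    Returns IDs 3, 4 and 5.
SELECT ID, NAME
FROM   #PROJECT
WHERE  PARENT_PROJECT_ID = 2 AND ISNULL(ACTIVE, 1) = 1;

-- 4. Measure the blast radius of the data fix before changing anything. Returns 3.
SELECT COUNT(*) AS null_active_rows
FROM   #PROJECT
WHERE  ACTIVE IS NULL;

-- 5. The data fix, inside an explicit transaction so the affected row count can be
--    compared with step 4 before committing. To apply it to a real database,
--    replace #PROJECT with PROJECT and take a backup first.
BEGIN TRANSACTION;
UPDATE #PROJECT SET ACTIVE = 1 WHERE ACTIVE IS NULL;
SELECT @@ROWCOUNT AS rows_updated;                  -- expect the count from step 4
SELECT COUNT(*) AS remaining_nulls
FROM   #PROJECT
WHERE  ACTIVE IS NULL;                              -- expect 0
COMMIT TRANSACTION;

DROP TABLE #PROJECT;
```

Steps 2 and 3 are the reason nscuro's second point matters independently of the data fix: repairing the rows removes the current NULLs, but a filter that still compares `ACTIVE = 1` directly will miss any project that acquires a NULL later, so the null-safe comparison (or a NOT NULL constraint with a default) is what closes the gap for good.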

github-actions[bot] commented 9 months ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.