DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0
2.71k stars 579 forks source link

Support CEL based Expression for Detecting Internal Components #3910

Open VinodAnandan opened 4 months ago

VinodAnandan commented 4 months ago

Current Behavior

Currently, Dependency-Track lacks only support for detecting internal components using component name, group based regex.

Proposed Behavior

Integrate CEL-based expression support into Dependency-Track to allow users to define and use expressions for detecting internal components within their projects. These expressions could also access other component properties like purl, cpe, swid, etc., as well as project properties and tags. To maintain backward compatibility, existing regex can be migrated into CEL-based expressions.

Checklist

nscuro commented 4 months ago

as well as project properties and tags

Any use cases that come to mind for this? Can / should a component's "internal" status really depend on project-level information?

VinodAnandan commented 4 months ago

Any use cases that come to mind for this? Can / should a component's "internal" status really depend on project-level information?

I was considering improving the accuracy of the detection, especially in cases where there are known projects with forked components or projects that contain components that don't comply with the regex patterns.