DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Inconsistent behavior with project properties in notifications #4360

Open lme-atolcd opened 3 weeks ago

lme-atolcd commented 3 weeks ago

Current Behavior

We are trying to use project properties with webhook notifications.

For some notifications (like POLICY_VIOLATION), subject.project.properties is populated as expected. But for other notifications (like NEW_VULNERABLE_DEPENDENCY), subject.project.properties is empty (not null). Same thing when using subject.component.project.properties instead of subject.project.properties.

Is this the expected behavior? Or maybe there is a better or more consistent way to get project properties in notification templates?

Steps to Reproduce

1. Add a new webhook notification with this template:

{
  "notification": {
    "level": "{{ notification.level | escape(strategy="json") }}",
    "scope": "{{ notification.scope | escape(strategy="json") }}",
    "group": "{{ notification.group | escape(strategy="json") }}",
    "timestamp": "{{ notification.timestamp }}",
    "title": "{{ notification.title | escape(strategy="json") }}",
    "content": "{{ notification.content | escape(strategy="json") }}"
  },

  "subject.component.project.properties.toString" : "{{ subject.component.project.properties.toString | escape(strategy="json") }}",
  "subject.component.project.properties": [
    {% for p in subject.component.project.properties %}
      {
        "groupName": "{{ p.groupName.toString | escape(strategy="json") }}",
        "propertyName": "{{ p.propertyName.toString | escape(strategy="json") }}",
        "propertyValue": "{{ p.propertyValue.toString | escape(strategy="json") }}"
      }
    {% endfor %}
  ],

  "subject.project.properties.toString" : "{{ subject.project.properties.toString | escape(strategy="json") }}",
  "subject.project.properties": [
    {% for p in subject.project.properties %}
      {
        "groupName": "{{ p.groupName.toString | escape(strategy="json") }}",
        "propertyName": "{{ p.propertyName.toString | escape(strategy="json") }}",
        "propertyValue": "{{ p.propertyValue.toString | escape(strategy="json") }}"
      }
    {% endfor %}
  ]
}
2. Trigger POLICY_VIOLATION and NEW_VULNERABLE_DEPENDENCY notifications using this template.
3. Inspect the resulting JSON sent to the webhook URL.

Results for a POLICY_VIOLATION notification:

{
  "notification": {
    "level": "INFORMATIONAL",
    "scope": "PORTFOLIO",
    "group": "POLICY_VIOLATION",
    "timestamp": "2024-11-07T14:42:22.965782190",
    "title": "Policy Violation on Project: [test lme : 1.0]",
    "content": "A security policy violation occurred"
  },
  "subject.component.project.properties.toString": "[org.dependencytrack.model.ProjectProperty@7872efd6]",
  "subject.component.project.properties": [
    {
      "groupName": "my_group",
      "propertyName": "my_property",
      "propertyValue": "my_value"
    }
  ],
  "subject.project.properties.toString": "[org.dependencytrack.model.ProjectProperty@7872efd6]",
  "subject.project.properties": [
    {
      "groupName": "my_group",
      "propertyName": "my_property",
      "propertyValue": "my_value"
    }
  ]
}

Results for a NEW_VULNERABLE_DEPENDENCY notification (no properties in the result):

{
  "notification": {
    "level": "INFORMATIONAL",
    "scope": "PORTFOLIO",
    "group": "NEW_VULNERABLE_DEPENDENCY",
    "timestamp": "2024-11-07T14:42:22.961691586",
    "title": "Vulnerable Dependency Introduced on Project: [test lme : 1.0]",
    "content": "A dependency was introduced that contains 11 known vulnerabilities"
  },
  "subject.component.project.properties.toString": "",
  "subject.component.project.properties": [

  ],
  "subject.project.properties.toString": "",
  "subject.project.properties": [

  ]
}

Expected Behavior

The ability to have access to project properties consistently for all notification types.

Dependency-Track Version

4.12.0

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

12

Browser

Google Chrome
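As an added example (not code from the issue or from Dependency-Track), a small receiver-side check in Python: it parses the two sample payloads constructed from the results quoted above, looks up a routing property under both paths the template renders, and reports a notification whose property lists arrived empty instead of silently falling back to a default channel. The group/property names and the "channel" routing decision are assumptions made for the example.

```python
import json

# Webhook bodies constructed from the two results quoted in the issue:
# a POLICY_VIOLATION carrying the project property and a
# NEW_VULNERABLE_DEPENDENCY whose property lists arrived empty.
POLICY_VIOLATION_BODY = json.dumps({
    "notification": {"level": "INFORMATIONAL", "scope": "PORTFOLIO",
                     "group": "POLICY_VIOLATION",
                     "title": "Policy Violation on Project: [test lme : 1.0]"},
    "subject.project.properties": [
        {"groupName": "my_group", "propertyName": "my_property",
         "propertyValue": "my_value"}],
    "subject.component.project.properties": [
        {"groupName": "my_group", "propertyName": "my_property",
         "propertyValue": "my_value"}],
})
NEW_VULN_DEP_BODY = json.dumps({
    "notification": {"level": "INFORMATIONAL", "scope": "PORTFOLIO",
                     "group": "NEW_VULNERABLE_DEPENDENCY",
                     "title": "Vulnerable Dependency Introduced on Project: [test lme : 1.0]"},
    "subject.project.properties": [],
    "subject.component.project.properties": [],
})


def find_property(body, group_name, property_name):
    """Return the value of a project property from either path the template
    renders, or None when neither list contains it (the reported case)."""
    payload = json.loads(body)
    for key in ("subject.project.properties",
                "subject.component.project.properties"):
        for prop in payload.get(key) or []:
            if (prop.get("groupName") == group_name
                    and prop.get("propertyName") == property_name):
                return prop.get("propertyValue")
    return None


def route(body, group_name="my_group", property_name="my_property"):
    """Decide where a notification goes (assumed: the property value names a
    channel). A missing property is reported explicitly rather than defaulted,
    so groups whose properties never arrive show up in the receiver's logs."""
    payload = json.loads(body)
    group = payload["notification"]["group"]
    value = find_property(body, group_name, property_name)
    if value is None:
        return {"group": group, "channel": None,
                "status": "UNROUTED_MISSING_PROPERTY"}
    return {"group": group, "channel": value, "status": "ROUTED"}
```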
