DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Creating or updating a component should trigger a policy evaluation but does not #4373

Closed fupgang closed 1 week ago

fupgang commented 1 week ago

Current Behavior

The implementation of ComponentResource shows that a policy evaluation should be triggered when creating or updating a component. In createComponent and updateComponent it's implemented like this:

https://github.com/DependencyTrack/dependency-track/blob/3c265ed6e8880fde6c51302f8c54a04273276269/src/main/java/org/dependencytrack/resources/v1/ComponentResource.java#L368-L374

This actually does not happen. The project field is not set in the PolicyEvaluationEvent, therefore the PolicyEvaluationTask does nothing.

https://github.com/DependencyTrack/dependency-track/blob/3c265ed6e8880fde6c51302f8c54a04273276269/src/main/java/org/dependencytrack/tasks/PolicyEvaluationTask.java#L50-L52

Steps to Reproduce

  1. Create or update a component
  2. There are no logs by the PolicyEngine since it's not triggered

Expected Behavior

Creating or updating a component should trigger the policy evaluation for this single component. The simplest fix is to set the missing project:

.onSuccess(new PolicyEvaluationEvent(component).project(component.getProject()))

I provide a PR for this.

Dependency-Track Version

4.12.1

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

Checklist
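The silent-skip mechanism described in the issue, as an added regression-style example that is not part of the issue or of Dependency-Track's own code: the classes below are a constructed stand-in that only mirrors the shape named in the report (an event carrying an optional project, a task that returns early when the project is null), and the project/component names are made up.

```java
import java.util.ArrayList;
import java.util.List;

// Constructed model of the behaviour reported in #4373; not the project's real classes.
public class PolicyEvaluationRepro {

    static final class Project {
        final String name;
        Project(String name) { this.name = name; }
    }

    static final class Component {
        final String name;
        final Project project;
        Component(String name, Project project) { this.name = name; this.project = project; }
        Project getProject() { return project; }
    }

    // The event carries an optional project; without it the task has nothing to evaluate.
    static final class PolicyEvaluationEvent {
        private final List<Component> components = new ArrayList<>();
        private Project project;
        PolicyEvaluationEvent(Component component) { components.add(component); }
        PolicyEvaluationEvent project(Project project) { this.project = project; return this; }
        Project getProject() { return project; }
        List<Component> getComponents() { return components; }
    }

    // Mirrors the early return from the issue: no project, no evaluation and no log line.
    static final class PolicyEvaluationTask {
        final List<String> log = new ArrayList<>();
        void inform(PolicyEvaluationEvent event) {
            if (event.getProject() == null) {
                return; // silently skipped: the observable effect of the bug
            }
            for (Component c : event.getComponents()) {
                log.add("evaluated " + c.name + " in " + event.getProject().name);
            }
        }
    }

    public static void main(String[] args) {
        Component component = new Component("lib-a", new Project("demo-project"));
        PolicyEvaluationTask task = new PolicyEvaluationTask();
        task.inform(new PolicyEvaluationEvent(component));                                   // before the fix
        boolean skipped = task.log.isEmpty();
        task.inform(new PolicyEvaluationEvent(component).project(component.getProject()));   // after the fix
        if (!skipped || task.log.size() != 1) throw new AssertionError("unexpected: " + task.log);
        System.out.println("without project: skipped; with project: " + task.log);
    }
}
```

Running it shows the first event produces no evaluation at all, while the one built with `.project(component.getProject())` is evaluated once, which is the check a reviewer would want alongside the one-line fix.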