DependencyTrack
Fix: make Policy.IncludeChildren and Policy.Global tri-state (*bool) so explicit false is serialized
Summary
This PR changes two Policy fields in the Go client.
Rationale: with omitempty on non-pointer booleans, an explicit false is dropped from JSON, which prevents API callers from intentionally setting false. Moving to *bool enables proper tri-state behavior:
- nil → field omitted (server default applies)
- true → "field": true sent
- false → "field": false sent
This unblocks providers/clients (e.g., Terraform providers) from sending deterministic values and avoids “inconsistent result after apply” diffs caused by server defaults overriding omitted fields.
Problem
When a caller sets:
p := dtrack.Policy{
Name: "Example",
Global: false, // intended
IncludeChildren: false, // intended
}
The JSON encoder omits both fields due to omitempty + zero value:
{
"name": "Example"
}
Servers may default these flags (e.g., global=true), so a subsequent read returns:
{
"name": "Example",
"global": true,
"includeChildren": false
}
Infra tooling (Terraform) then reports:
Provider produced inconsistent result after apply:
.global: was cty.False, but now cty.True
This makes it impossible to reliably set false.
Solution
Change Policy.IncludeChildren and Policy.Global to pointers:
- Callers who want server defaults: leave as
nil. - Callers who want explicit values: pass address of a local bool.
:white_check_mark: Snyk checks have passed. No issues have been found so far.
| Status | Scanner |  Critical |
 High |
 Medium |
 Low |
Total (0) |
|---|---|---|---|---|---|---|
| :white_check_mark: | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |
:computer: Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.
