
Vulnerability webhook notification has incorrect notification level

Open AbdelHajou opened this issue 2 years ago • 3 comments

Current Behavior:

When configuring a webhook notification publisher for the NEW_VULNERABILITY group with Notification Level WARNING, notifications are published with INFORMATIONAL level.

[image]

Steps to Reproduce:

[image]

Expected Behavior:

Notifications should be published with correct level (WARNING)

Environment:

  • Dependency-Track Version: 4.6.0-SNAPSHOT
  • Distribution: Docker
  • Database Server: MSSQL
  • Browser: Firefox

Additional Details:

AbdelHajou, Jun 09 '22 20:06

Does this possibly relate to #1429 and #1742?

officerNordberg, Jun 23 '22 17:06

Current Behavior: The Notification level is implemented as a filter, and since #1742 this filter works in a sensible way. This means, @AbdelHajou, when you retry with the latest Snapshot version your notification will not be sent at all, because you set the Notification level to "WARNING", which means that "INFORMATIONAL" notifications are filtered out.

Conclusion: I think we have two conflicting expectations of what this feature should do.

  1. The level of a NotificationRule should filter the notifications.
  2. The level of a NotificationRule should alter the notification level when publishing the notification.

@AbdelHajou , @officerNordberg can one of you confirm my analysis?

tmehnert, Jun 26 '22 09:06

The current logic indeed sees notification levels exclusively as a filter.

The level of notifications being sent is hardcoded and does not seem to be intended to be modified by users. To be fair, I also learned this just recently because I never paid attention to this detail. I think this is mainly a documentation and UI issue, in that the UI should make it more clear what the configurable level is used for.

nscuro, Jun 27 '22 19:06
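To make the two interpretations in this thread concrete, here is an added example that is not Dependency-Track's code: a small model in which a rule's configured level acts either as a minimum-severity filter (the behaviour the maintainers describe after #1742) or as an override of the published level (what the reporter expected). The class and function names are hypothetical, and the rule and notification objects are constructed inline to mirror the report (a NEW_VULNERABILITY notification produced at INFORMATIONAL, a webhook rule configured at WARNING).

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, List, Tuple


class NotificationLevel(IntEnum):
    """Ordered by severity so a rule's level can serve as a threshold."""
    INFORMATIONAL = 0
    WARNING = 1
    ERROR = 2


@dataclass(frozen=True)
class Notification:
    group: str                  # e.g. "NEW_VULNERABILITY"
    level: NotificationLevel    # level assigned by the producer (fixed per group)
    title: str


@dataclass(frozen=True)
class NotificationRule:
    name: str
    groups: FrozenSet[str]
    level: NotificationLevel    # the "Notification Level" configured on the rule


def matches_as_filter(rule: NotificationRule, n: Notification) -> bool:
    """Interpretation 1: the rule level is a minimum severity.
    A rule at WARNING passes WARNING and ERROR notifications only."""
    return n.group in rule.groups and n.level >= rule.level


def route_as_filter(rules: List[NotificationRule], n: Notification) -> List[str]:
    """Names of the rules that would publish n under the filter interpretation."""
    return [r.name for r in rules if matches_as_filter(r, n)]


def route_as_override(
    rules: List[NotificationRule], n: Notification
) -> List[Tuple[str, NotificationLevel]]:
    """Interpretation 2: the rule level replaces the published level.
    Every rule subscribed to the group publishes, stamped with its own level."""
    return [(r.name, r.level) for r in rules if n.group in r.groups]


# Constructed sample data (hypothetical names) modelling the report.
NEW_VULN_INFO = Notification(
    "NEW_VULNERABILITY", NotificationLevel.INFORMATIONAL, "New vulnerability identified"
)
RULE_WARNING = NotificationRule(
    "webhook-warning", frozenset({"NEW_VULNERABILITY"}), NotificationLevel.WARNING
)
RULE_INFO = NotificationRule(
    "webhook-info", frozenset({"NEW_VULNERABILITY"}), NotificationLevel.INFORMATIONAL
)


if __name__ == "__main__":
    # Under the filter interpretation the WARNING rule stays silent;
    # under the override interpretation it publishes at WARNING.
    print("filter:  ", route_as_filter([RULE_WARNING, RULE_INFO], NEW_VULN_INFO))
    print("override:", route_as_override([RULE_WARNING, RULE_INFO], NEW_VULN_INFO))
```

The practical check for anyone configuring a webhook for NEW_VULNERABILITY follows from the filter branch: if the notifications for a group are produced at INFORMATIONAL, only a rule whose level is also INFORMATIONAL will ever deliver them, and raising the rule level silences the webhook rather than upgrading the payload.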