Take processed policy violations into account when adding new project version
Discussed in https://github.com/DependencyTrack/dependency-track/discussions/1597
Originally posted by software-testing-professional May 10, 2022
We use Dependency-Track for open source license clearing.
A configured license whitelist contains a bunch of open source licenses, which are ok in our use case.
And a policy (license group IS NOT whitelist) raises a policy violation issue, whenever other licenses are detected.
Once all license issues are processed, a project is "cleared".
When a new version of a project is created (manually via clone or automatically via uploadBOM), the "whitelist" policy is applied again.
And all policy violations show up again - although they have been processed in a previous version of the project.
This results in huge manual effort.
It would be nice to take processed violations into account when a new project version is created, so that a policy violation that was suppressed in v1.0.0 of my project remains suppressed in v1.0.1. Basically, the audit trail and the most recent state of the policy violation should be copied.
The only approach I currently see is to script this behavior via REST API.
Best regards, Michael
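The REST-API workaround the post mentions, as an added example that is neither part of this discussion nor Dependency-Track's own code: it reads the policy violations of an old and a new project version, matches them by component PURL and policy condition, and re-applies the processed analysis state and suppression to the new version. The endpoint paths, the `X-Api-Key` header and the JSON field names are assumptions based on the v4 API; check them against your instance's API documentation before use.

```python
import json
import urllib.request

def dt_request(base_url, api_key, path, method="GET", body=None):
    """Minimal REST call; endpoint paths used below are assumed from the Dependency-Track v4 API."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{base_url}{path}", data=data, method=method,
                                 headers={"X-Api-Key": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp) if method == "GET" else resp.status

def violation_key(v):
    """Match violations across versions by component PURL plus the policy condition that fired.
    The PURL carries the component version, so a bumped dependency is deliberately not matched."""
    return (v["component"].get("purl") or v["component"]["name"], v["policyCondition"]["uuid"])

def plan_carry_over(old_violations, new_violations):
    """Build PUT /api/v1/violation/analysis payloads replicating processed decisions."""
    processed = {}
    for v in old_violations:
        a = v.get("analysis") or {}
        if a.get("analysisState", "NOT_SET") != "NOT_SET" or a.get("suppressed"):
            processed[violation_key(v)] = a
    payloads = []
    for v in new_violations:
        a = processed.get(violation_key(v))
        triaged = (v.get("analysis") or {}).get("analysisState", "NOT_SET") != "NOT_SET"
        if a is None or triaged:  # nothing to carry over, or already reviewed in the new version
            continue
        payloads.append({"component": v["component"]["uuid"], "policyViolation": v["uuid"],
                         "analysisState": a.get("analysisState", "NOT_SET"),
                         "suppressed": bool(a.get("suppressed", False)),
                         "comment": "Carried over from previous project version"})
    return payloads

def carry_over(base_url, api_key, old_project_uuid, new_project_uuid):
    """Fetch both versions' violations (suppressed ones included) and apply the plan."""
    old = dt_request(base_url, api_key, f"/api/v1/violation/project/{old_project_uuid}?suppressed=true")
    new = dt_request(base_url, api_key, f"/api/v1/violation/project/{new_project_uuid}?suppressed=true")
    for payload in plan_carry_over(old, new):
        dt_request(base_url, api_key, "/api/v1/violation/analysis", "PUT", payload)

# Constructed sample responses (JSON shape assumed) so the planner can be checked offline.
SAMPLE_OLD = [
    {"uuid": "viol-a1", "component": {"uuid": "c-a1", "purl": "pkg:maven/ex/lib@1.0"},
     "policyCondition": {"uuid": "cond-lic"}, "analysis": {"analysisState": "APPROVED", "suppressed": True}},
    {"uuid": "viol-b1", "component": {"uuid": "c-b1", "purl": "pkg:maven/ex/other@2.0"},
     "policyCondition": {"uuid": "cond-lic"}, "analysis": {"analysisState": "NOT_SET", "suppressed": False}}]
SAMPLE_NEW = [
    {"uuid": "viol-a2", "component": {"uuid": "c-a2", "purl": "pkg:maven/ex/lib@1.0"}, "policyCondition": {"uuid": "cond-lic"}},
    {"uuid": "viol-b2", "component": {"uuid": "c-b2", "purl": "pkg:maven/ex/other@2.0"}, "policyCondition": {"uuid": "cond-lic"}}]
```

Only decisions that were actually processed (state set or suppressed) are copied, and a violation already triaged in the new version is left untouched so the newer review wins.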
In addition, the described feature would also be valuable for parent-child-project relationships.
So if a policy violation has been closed in a child project, this decision could be reflected in the parent project as well.
I would also like cloning a project to copy the policy violation suppressions.
We're tracking this in https://github.com/DependencyTrack/dependency-track/issues/2875.