
Make use of "Last BOM Import" as input for Policy engine

Open msymons opened this issue 3 years ago • 2 comments

Current Behavior:

As of Dependency-Track v4.6.0, the policy engine does not yet support checking for anything relating to age.

Proposed Behavior:

Use the "Last BOM Import" date as an input for the Policy engine. This way, one would be able to define freshness rules and alert on them if need be. This is totally separate from checking for components being out of date (or just old)... this is checking for possible pipeline problems...

  • BOM not updated because the project has been archived and no one updated Dependency-Track
  • BOM update because of changes in the build process, i.e., the BOM is supposed to be uploaded, but something has broken.

This suggestion is not mine... it comes from @syalioune in https://github.com/DependencyTrack/frontend/issues/147

msymons avatar Oct 16 '22 13:10 msymons
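Until the policy engine can express a freshness rule, the same check can be run from outside Dependency-Track. The script below is an added example, not code from the issue or from the Dependency-Track project. It assumes the REST endpoint `GET /api/v1/project` authenticated with an `X-Api-Key` header, and that each project object carries a `lastBomImport` field in epoch milliseconds (absent for projects that never received a BOM); the sample project list is constructed, not a real API response.

```python
"""Flag Dependency-Track projects whose last BOM import is older than a threshold.

Added example, not part of the issue or the Dependency-Track code base. It
assumes GET /api/v1/project (authenticated via the X-Api-Key header) returns
project objects with a "lastBomImport" field holding epoch milliseconds, and
that projects which never received a BOM have no such field.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone


def fetch_projects(base_url: str, api_key: str) -> list:
    """Pull the project list from a Dependency-Track instance.

    Network call; the sample run below does not use it. Endpoint and header
    name are assumptions documented in the module docstring.
    """
    req = urllib.request.Request(f"{base_url}/api/v1/project",
                                 headers={"X-Api-Key": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def stale_projects(projects: list, max_age: timedelta, now: datetime) -> list:
    """Return (name, version, reason) for every project whose BOM is stale.

    Both failure modes from the issue are reported: a BOM older than max_age
    (the upload pipeline may have broken) and a project with no import at all
    (created but never fed, or archived and forgotten).
    """
    findings = []
    for project in projects:
        name, version = project.get("name"), project.get("version")
        ts_ms = project.get("lastBomImport")
        if ts_ms is None:
            findings.append((name, version, "no BOM has ever been imported"))
            continue
        imported = datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc)
        age = now - imported
        if age > max_age:
            findings.append((name, version, f"last BOM import {age.days} days ago"))
    return findings


# Constructed sample resembling the API response; names and dates are made up.
NOW = datetime(2024, 4, 24, 20, 0, tzinfo=timezone.utc)
MAX_AGE = timedelta(days=14)
SAMPLE_PROJECTS = [
    {"name": "billing-api", "version": "1.4.0",
     "lastBomImport": int((NOW - timedelta(days=2)).timestamp() * 1000)},
    {"name": "legacy-portal", "version": "0.9.1",
     "lastBomImport": int((NOW - timedelta(days=45)).timestamp() * 1000)},
    {"name": "new-service", "version": "0.1.0"},  # never received a BOM
]


def run_sample() -> list:
    """Evaluate the constructed sample against the 14-day freshness rule."""
    return stale_projects(SAMPLE_PROJECTS, MAX_AGE, NOW)


if __name__ == "__main__":
    for name, version, reason in run_sample():
        print(f"STALE {name} {version}: {reason}")
```

Because the check is evaluated per project rather than per component, it produces one finding per stale project, which avoids the noise problem raised in the comment below about component-level policy violations.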

We discussed this in Slack already for a bit, just adding this here for completeness:

Before we implement this, we will need a way to apply policies on the project level, not for components. Otherwise every component within a project will get a policy violation when the "Last BOM Import" policy is triggered, which would be too much noise.

nscuro avatar Oct 19 '22 17:10 nscuro

Project-level policies are targeted for 5.x. Therefore, this enhancement can also be targeted for 5.x (as it cannot be done in 4.x).

msymons avatar Apr 24 '24 20:04 msymons