DependencyTrack
[Notifications] Empty Affected project(s) in JIRA when limit to parent project and Group NEW_VULNERABILITY
Current Behavior
The Child project is not listed in created JIRA ticket in the Affected project(s) section when Alert is limited to the Parent Project.
Technically it seems that the template field subject.affectedProjects is empty, however, it is filled correctly when
Limit to projects is removed from JIRA alert configuration.
Steps to Reproduce
- Create a
Parentproject - Create Jira Alert with:
Publisherset toJiraScopeset toPORTFOLIOGroupset toNEW_VULNERABILITYlimit to->Limit to projectsset toParentprojectNotification Levelset toINFORMATIONAL- Configure
DestinationandJira ticket type
- Create a
Childproject which is a child ofParentproject - Upload sbom(With vulnerability) to
Childproject - Observe that created ticket in JIRA has an empty section
Affected project(s)in the description
Expected Behavior
Created Ticket in JIRA should contain the Child project in the Affected project(s) section in the description.
Dependency-Track Version
4.8.2
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
11.13.0
Browser
Other
Checklist
- [X] I have read and understand the contributing guidelines
- [X] I have checked the existing issues for whether this defect was already reported
Can confirm we are seeing the same behavior. Leaving the comment to bump the issue so the fix hopefully gets prioritized.
This issue still appears in version 4.10.1. It would be great if child projects would be included in the listing. Our use case is to group different versions under a parent project so that notification for the parent can be sent to one corresponding Jira project. Hence, it is relevant to know which version / which child project is the one affected by the vulnerability.
Is there perhaps a workaround to access child projects in the template syntax?
