Ability to trigger the Policy Evaluation engine
Current Behavior
Currently the API does not offer - as far as I can see - a way to trigger a reevaluation of the policy of a certain project or component.
In our situation we have a side project which is sitting next to Dependency Track which integrates with the REST API. It will perform automatic scanning of the vulnerabilities in the components and based on some ruleset we have defined in a Git repository perform automatic suppressions and auditing of missing license information in certain dependencies.
The data gets into Dependency-Track properly, and after executing a metrics update the numbers look OK again, taking into account the suppressions we did; however, the policy violations don't get updated.
Also documented as a bug in issue #3923.
Proposed Behavior
Being able to trigger the Policy Analysis for a project / component by means of the REST API would already resolve a lot of the frustration of the issue reported in #3923.
Checklist
- [X] I have read and understand the contributing guidelines
- [X] I have checked the existing issues for whether this enhancement was already requested
Note, implementation should be similar to /api/v1/finding/project/{uuid}/analyze:
https://github.com/DependencyTrack/dependency-track/blob/bb7020f50f55e674cec4ac0d772e2a54dc56ce34/src/main/java/org/dependencytrack/resources/v1/FindingResource.java#L207-L233
BTW, policy evaluation is also triggered when clicking Reanalyze in the Audit Vulnerabilities tab, as shown above.
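The following is an added example (not code from the Dependency-Track project or from anyone in this thread) of how an integrating side project like the one described in the issue can drive the existing `POST /api/v1/finding/project/{uuid}/analyze` endpoint referenced above, which also triggers policy evaluation, and then poll the project's policy violations until they reflect the re-evaluation. The analyze path is taken from the comment above; the `X-Api-Key` header name and the `/api/v1/violation/project/{uuid}` path are assumptions about the REST API, and the `FakeServer` transport is a constructed stand-in so the script runs offline.

```python
"""Trigger vulnerability re-analysis (and with it policy evaluation) for one
project over the Dependency-Track REST API, then wait for the violation list
to change. Added example; paths marked 'assumed' are not taken from the issue."""
import json
import time
import urllib.request

ANALYZE_PATH = "/api/v1/finding/project/{uuid}/analyze"  # from the thread above
VIOLATIONS_PATH = "/api/v1/violation/project/{uuid}"     # assumed endpoint path


def build_request(base_url, api_key, method, path, body=None):
    """Build an authenticated JSON request (X-Api-Key header is assumed)."""
    data = None if body is None else json.dumps(body).encode("utf-8")
    req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method)
    req.add_header("X-Api-Key", api_key)
    req.add_header("Accept", "application/json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    return req


def default_send(req):
    """Real transport: perform the request, return (status, decoded JSON or None)."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        payload = resp.read()
        return resp.status, (json.loads(payload) if payload else None)


def trigger_reanalysis(base_url, api_key, project_uuid, send=default_send):
    """Queue re-analysis for the project; the server answers asynchronously."""
    req = build_request(base_url, api_key, "POST", ANALYZE_PATH.format(uuid=project_uuid))
    status, body = send(req)
    if status != 200:
        raise RuntimeError(f"analyze returned HTTP {status}")
    return body


def fetch_violations(base_url, api_key, project_uuid, send=default_send):
    """Return the project's current policy violations as a list."""
    req = build_request(base_url, api_key, "GET", VIOLATIONS_PATH.format(uuid=project_uuid))
    status, body = send(req)
    if status != 200:
        raise RuntimeError(f"violation lookup returned HTTP {status}")
    return body or []


def violation_ids(violations):
    return sorted(v.get("uuid", "") for v in violations)


def reanalyze_and_wait(base_url, api_key, project_uuid, send=default_send,
                       attempts=10, delay=2.0, sleep=time.sleep):
    """Snapshot violations, trigger re-analysis, poll until the list differs.
    A 'changed' of False can mean evaluation has not run yet OR that the rules
    legitimately produced the same violations; the API does not distinguish."""
    before = fetch_violations(base_url, api_key, project_uuid, send)
    trigger_reanalysis(base_url, api_key, project_uuid, send)
    after = before
    for _ in range(attempts):
        after = fetch_violations(base_url, api_key, project_uuid, send)
        if violation_ids(after) != violation_ids(before):
            return {"before": before, "after": after, "changed": True}
        sleep(delay)
    return {"before": before, "after": after, "changed": False}


class FakeServer:
    """Constructed stand-in for a Dependency-Track instance (not a real server):
    reports one violation until the analyze call has been made, none afterwards."""

    def __init__(self):
        self.calls = []          # (method, path) of every request seen
        self.reanalyzed = False

    def send(self, req):
        self.calls.append((req.get_method(), req.selector))
        if req.get_method() == "POST" and req.selector.endswith("/analyze"):
            self.reanalyzed = True
            return 200, {"token": "constructed-token"}
        if self.reanalyzed:
            return 200, []
        return 200, [{"uuid": "constructed-violation-1", "type": "LICENSE"}]


if __name__ == "__main__":
    fake = FakeServer()
    result = reanalyze_and_wait("http://dtrack.example", "constructed-api-key",
                                "00000000-0000-0000-0000-000000000000",
                                send=fake.send, sleep=lambda _: None)
    print(result["changed"], len(result["before"]), len(result["after"]))
```

Against a real instance, pass the server URL, API key and project UUID and leave `send` and `sleep` at their defaults; the polling loop is what the side project in the issue needs, because the analyze endpoint only queues the work and the violation list is updated later.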
Hi @nscuro I'd like to pick this up. A question: into which API's flow am I supposed to add policy evaluation?
If we make it more clear that the ReAnalyze button already also triggers policy evaluation, we might not need an extra button just for Policy Evaluation?