
Policy violations not showing up even though policy criteria are met

Open EvgeniaPatsoni opened this issue 1 year ago • 5 comments

Current Behavior

Greetings,

I am posting this as a defect report because the same question has already been asked in Discussions without getting any answers, so I believe it might be a bug.

I have created a Policy to detect license conflicts in my projects. At first I used the pre-defined License Groups in Dependency Track to create a Policy that would fail if a project used both Copyleft and Permissive components at the same time. This did not work even though I had such projects in my Dependency Track instance.

I then tried to do the same with specific Licenses instead of License Groups, as such: [image]

However the policy still does not show up as violated. I re-uploaded the bom several times to trigger an analysis in the specific project that uses both of the licenses in the screenshot (GPL-2.0-with-classpath-exception and Apache-2.0), but with no luck. Also, the policy is globally applied, I have not limited it only to specific projects.

Is this behavior normal?

Steps to Reproduce

  1. Create a policy that should be violated if two or more "conflicting" licenses are used from a project at the same time.
  2. Analyze a project that has two or more components with "conflicting" licenses.
  3. No policy violation shows up in the project.

Expected Behavior

The policy should show up as violated.

Dependency-Track Version

4.11.7

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Mozilla Firefox

EvgeniaPatsoni avatar Sep 27 '24 13:09 EvgeniaPatsoni

Can you try changing the policy operator from All to Any?

With All, all conditions need to be met in order for a violation to be raised. Given you have two conditions that can't be true at the same time, All would never match.

nscuro avatar Sep 27 '24 13:09 nscuro

Hello @nscuro Thank you for your immediate response.

The violation must be raised when both conditions are met, i.e.: If we have a project that uses a component under the Apache 2.0 license, but also uses a second component which is under the GPL-2.0-with-classpath-exception license, then both conditions are met, thus the policy is violated.

Isn't All the correct operator for this use case instead of Any, since the policy is not violated if only one of the two licenses is used on its own?

EvgeniaPatsoni avatar Sep 27 '24 13:09 EvgeniaPatsoni

Policies are currently only within the scope of individual components. So both conditions must be true for the same component in order for the policy to raise a violation. Project policies are requested here: https://github.com/DependencyTrack/dependency-track/issues/2130, and being worked on as part of https://github.com/DependencyTrack/dependency-track/issues/2146#issuecomment-2373453665.

nscuro avatar Sep 27 '24 14:09 nscuro

The fact that the project uses both of the Licenses in my Policy doesn't make both conditions met?

EvgeniaPatsoni avatar Sep 27 '24 14:09 EvgeniaPatsoni

No, the policies are currently not evaluated against the project. Instead the policies are evaluated against all the project's components, individually for each component. Thus, for the ALL operator the policy is only violated if both conditions are true for a single component. There may be multiple components that violate the policy, so the project may show multiple violations for the same policy.

fupgang avatar Oct 07 '24 06:10 fupgang
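The evaluation semantics described in this thread, as an added illustrative model (not Dependency-Track's own code): each policy condition is checked against one component at a time, so an ALL policy with two different LICENSE conditions can never match a single component, while the project-level check the reporter expected (a hypothetical `evaluate_project_level`, not implemented in 4.11.x) would. Component and policy names are constructed sample data.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Component:
    name: str
    license_id: str  # resolved SPDX license id of this component


@dataclass
class Policy:
    name: str
    operator: str        # "ALL" or "ANY", as in the policy editor
    licenses: List[str]  # one "License == <id>" condition per entry


@dataclass
class Violation:
    policy: str
    component: str


def evaluate_per_component(policy: Policy, components: List[Component]) -> List[Violation]:
    """Current behaviour described by the maintainers: conditions are
    evaluated per component, and ALL requires every condition to hold
    for that single component. One violation is raised per matching component."""
    violations = []
    for comp in components:
        results = [comp.license_id == lic for lic in policy.licenses]
        matched = all(results) if policy.operator == "ALL" else any(results)
        if matched:
            violations.append(Violation(policy.name, comp.name))
    return violations


def evaluate_project_level(policy: Policy, components: List[Component]) -> bool:
    """Hypothetical project-scoped evaluation (the behaviour the reporter
    expected, tracked in the linked issues): a condition is satisfied if any
    component in the project satisfies it."""
    present = {comp.license_id for comp in components}
    results = [lic in present for lic in policy.licenses]
    return all(results) if policy.operator == "ALL" else any(results)


# Constructed sample project: one permissive and one copyleft component.
PROJECT = [
    Component("lib-a", "Apache-2.0"),
    Component("lib-b", "GPL-2.0-with-classpath-exception"),
    Component("lib-c", "MIT"),
]
CONFLICT_ALL = Policy("license-conflict", "ALL", ["Apache-2.0", "GPL-2.0-with-classpath-exception"])
CONFLICT_ANY = Policy("license-conflict", "ANY", ["Apache-2.0", "GPL-2.0-with-classpath-exception"])
```

With ALL, `evaluate_per_component` returns no violations for this project; with ANY it returns one violation each for lib-a and lib-b, which is why switching the operator surfaces the components but does not express the "both present" rule.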