
Support limiting to tags for scheduled summary notifications

Open vanyagyosheva opened this issue 6 months ago • 5 comments

Current Behavior

Hello, we are using Dependency-Track v4.13.2. We have many projects and we would like to be alerted in a Slack channel based on the tag selection. If we don't set "Limit to" on the scheduled notification alert, we get an error in the application log, based on your message: "The alert must be limited to one or more projects in order for summaries to work. When selecting projects to limit the alert to, consider that choosing too many projects can cause summaries to grow too large for certain destinations, leading to them being rejected." That is why we split into several tags, but if we don't add all the projects here, the tag filter doesn't work.


When we add the projects under "Limit to projects" we get the notification, but the purpose of choosing tags is to avoid the overwork of adding new projects all the time. Can you please investigate? Do you have more detailed templates for Slack? Because what we get is not clear: which project, what vulnerability, which tag, which version. The default format is:

    DependencyTrackNotifier APP 3:54 PM
    NEW_VULNERABILITIES_SUMMARY
    INFORMATIONAL | PORTFOLIO
    New Vulnerabilities Summary
    No new vulnerabilities identified since 2025-06-05T13:28:09Z.

    3:54
    NEW_POLICY_VIOLATIONS_SUMMARY
    INFORMATIONAL | PORTFOLIO
    New Policy Violations Summary
    No new policy violations identified since 2025-06-05T13:28:09Z.

Steps to Reproduce

  1. Create many projects with 2,3 tags
  2. Create Scheduled Notification with publisher Slack
  3. Limit to one of the tags
  4. Notification is not sent

Expected Behavior

Notification alert should be sent.

We expect to limit the Dependency-Track project only using the specified tag. We would like to have better and clearer alert notifications in the Slack thread.

Dependency-Track Version

4.13.2

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

16.8

Browser

Google Chrome


vanyagyosheva avatar Jun 09 '25 13:06 vanyagyosheva

Converted to an enhancement request. You are totally right, it should be possible to use tags to select projects, rather than having to select projects manually.

nscuro avatar Jun 09 '25 16:06 nscuro

Also, we tried to create an email scheduled notification; the projects having one tag, in our case alpha, are exactly 5, and we get in the Dependency-Track log:

    2025-06-10 13:22:39,670 WARN [ScheduledNotificationDispatchTask] Failed to dispatch notification for group NEW_POLICY_VIOLATIONS_SUMMARY [notificationRuleUuid=.., notificationRuleName=email-notification-tag-stable]
    java.lang.IllegalStateException: Scheduled notifications for group NEW_POLICY_VIOLATIONS_SUMMARY must be limited to at least one project
        at org.dependencytrack.tasks.ScheduledNotificationDispatchTask.createNewPolicyViolationsNotification(ScheduledNotificationDispatchTask.java:247)
        at org.dependencytrack.tasks.ScheduledNotificationDispatchTask.processRule(ScheduledNotificationDispatchTask.java:119)
        at org.dependencytrack.tasks.ScheduledNotificationDispatchTask.inform(ScheduledNotificationDispatchTask.java:99)
        at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:110)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.base/java.lang.Thread.run(Unknown Source)

This should not happen; the expected behavior is for the tag "Limit to" option to apply to the projects having this tag.

vanyagyosheva avatar Jun 10 '25 13:06 vanyagyosheva

Yeah, this is a general limitation and independent of which destination you configure.

nscuro avatar Jun 10 '25 13:06 nscuro

@nscuro, is it planned to be implemented? In our setup it is difficult to maintain the projects in the alert configuration.

vanyagyosheva avatar Jun 10 '25 13:06 vanyagyosheva

is it planned to be implemented?

Yes, as evident by the p2 and size/S labels.

nscuro avatar Jun 10 '25 14:06 nscuro

Is there any progress on this ticket?

barbacar avatar Jul 15 '25 12:07 barbacar

We’ve marked this as an enhancement, but I think it’s actually a bug. Let’s say I have 10 applications and I regularly release new versions. I have to keep going and add the latest versions of the apps to the notification list each time. That is a lot of manual work. If there were a “latest” tag created by us and only the most recent versions were marked with this tag, I would receive notifications only for the “latest” tagged versions.

barbacar avatar Sep 22 '25 08:09 barbacar

Hello @nscuro, do you have any update on that?

vanyagyosheva avatar Oct 23 '25 09:10 vanyagyosheva