Vulnerability policies should have multiple modes of operation
At the moment, vulnerability policies are "enforced" as soon as they are created in the system.
There may be situations, however, in which policies are supposed to be deployed but not enforced. Further, this mode of operation can be split in two (or more?) levels:
- Disabled: Don't do anything with it, don't even consider it for evaluation
- Warn/Inform/Log: Evaluate policy, but don't take action, and log the outcome instead
The latter allows for policies to execute in "dry run" mode, such that effects can be observed safely, without risking erroneous applications. Initially, we will simply issue a log entry each time a policy would have been applied. Long-term, we need UI metaphors for this (see #959).
It also makes it safer to edit policies via UI, as currently there is a chance that incomplete policies are being enforced while the author is still working on them.
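To make the proposed semantics concrete, here is an added example (not code from this issue or from the project) of a small policy evaluator with the three modes described above: a disabled policy is never evaluated, a log-mode policy is evaluated and records what it would have flagged without taking action, and an applied policy produces an enforced violation. Component, vulnerability and policy data are constructed inline; `min_severity`, `Outcome` and the severity ranking are assumptions of this example. It also shows the editing-safety point from the issue: a policy whose condition is still unset matches nothing, so a half-written policy in log mode cannot block anything.

```python
"""Three-mode vulnerability policy evaluation (constructed example, not project code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple

# Assumed severity ordering; real scanners use their own scales.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


class PolicyMode(Enum):
    DISABLED = "disabled"  # not considered for evaluation at all
    LOG = "log"            # evaluated; outcome logged, no action taken (dry run)
    APPLY = "apply"        # evaluated; violations are enforced


@dataclass
class Vulnerability:
    vuln_id: str
    severity: str


@dataclass
class Component:
    name: str
    vulnerabilities: List[Vulnerability]


@dataclass
class Policy:
    name: str
    mode: PolicyMode
    # None models an incomplete policy whose condition has not been filled in yet.
    min_severity: Optional[str] = None


@dataclass
class Outcome:
    policy: str
    component: str
    status: str  # "skipped" | "ok" | "would_violate" | "violation"
    matched: List[str] = field(default_factory=list)


def matching_vulns(policy: Policy, component: Component) -> List[str]:
    """Return the vulnerability ids that meet the policy's severity threshold."""
    if policy.min_severity is None:
        return []  # an incomplete policy matches nothing
    threshold = SEVERITY_RANK[policy.min_severity]
    return [v.vuln_id for v in component.vulnerabilities
            if SEVERITY_RANK.get(v.severity, 0) >= threshold]


def evaluate(policy: Policy, component: Component, log: List[str]) -> Outcome:
    """Evaluate one policy against one component, honouring the policy's mode."""
    if policy.mode is PolicyMode.DISABLED:
        return Outcome(policy.name, component.name, "skipped")
    matched = matching_vulns(policy, component)
    if not matched:
        return Outcome(policy.name, component.name, "ok")
    if policy.mode is PolicyMode.LOG:
        # Dry run: record what would have happened, take no action.
        log.append(f"[dry-run] policy '{policy.name}' would flag "
                   f"{component.name}: {', '.join(matched)}")
        return Outcome(policy.name, component.name, "would_violate", matched)
    log.append(f"[enforce] policy '{policy.name}' flagged "
               f"{component.name}: {', '.join(matched)}")
    return Outcome(policy.name, component.name, "violation", matched)


def run(policies: List[Policy], components: List[Component]) -> Tuple[List[Outcome], List[str]]:
    log: List[str] = []
    outcomes = [evaluate(p, c, log) for p in policies for c in components]
    return outcomes, log


def enforced_violations(outcomes: List[Outcome]) -> List[Outcome]:
    """Only APPLY-mode hits count; a CI gate would fail on these and nothing else."""
    return [o for o in outcomes if o.status == "violation"]


def demo() -> Tuple[List[Outcome], List[str]]:
    # Constructed sample data.
    components = [
        Component("libfoo", [Vulnerability("VULN-1", "HIGH"), Vulnerability("VULN-2", "LOW")]),
        Component("libbar", [Vulnerability("VULN-3", "MEDIUM")]),
    ]
    policies = [
        Policy("block-high", PolicyMode.APPLY, "HIGH"),      # enforced
        Policy("block-medium", PolicyMode.LOG, "MEDIUM"),    # dry run
        Policy("draft", PolicyMode.LOG),                     # still being edited, no condition
        Policy("legacy", PolicyMode.DISABLED, "LOW"),        # stored but ignored
    ]
    return run(policies, components)


if __name__ == "__main__":
    outcomes, log = demo()
    for line in log:
        print(line)
    print("enforced violations:", [(o.policy, o.component) for o in enforced_violations(outcomes)])
```

Running the block prints one `[enforce]` line and two `[dry-run]` lines; only the `block-high` hit on `libfoo` is an enforced violation, while the log-mode and draft policies change nothing and the disabled one is never evaluated.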
Not quite sure about the wording here, but I'd envision at least three modes:
- Disabled
- Log
- Apply
I'm afraid that Disabled mode can overload the policy bundle. It will allow users to store redundant policies instead of deleting them.