
Feature/policy driven annotation #6313
Open
mehab wants to merge 13 commits into DependencyTrack:main from mehab:feature/policyDrivenAnnotation

Conversation

@mehab (Contributor) commented Jun 8, 2026

Description

Vulnerability policies can attach annotations to matching findings. Multiple policies may match a single finding; annotations are merged and persisted on ANALYSIS.POLICY_ANNOTATIONS. Triage (state, suppress, ratings, etc.) is owned by the first non–annotation-only policy in bundle order.

Addressed Issue

#6205

Additional Details

Checklist

  • I have read and understand the contributing guidelines
  • This PR fixes a defect, and I have provided tests to verify that the fix is effective
  • This PR implements an enhancement, and I have provided tests to verify that it works as intended
  • This PR introduces changes to the database model, and I have updated the migration changelog accordingly
  • This PR introduces new or alters existing behavior, and I have updated the documentation accordingly
  • This PR is a substantial change (per the ADR criteria), and I have added an ADR under docs/adr/
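The description above fixes two rules: annotations from every matching policy are merged, and triage (state, suppression) belongs to the first policy in bundle order that is not annotation-only. The following is an added illustration, not Dependency-Track's own code: the `Policy` shape, its field names, and the rule for two policies that set the same annotation key to different values are assumptions made here for the example. The ordering rule matters from a defender's standpoint because the first triaging policy is the one that can suppress a finding, so the bundle order has to be deterministic and reviewable.

```python
"""Added example (not Dependency-Track's own code): merging the annotations of
several matching vulnerability policies while triage ownership goes to the first
non-annotation-only policy in bundle order. The Policy shape, the field names and
the conflict rule for duplicate annotation keys are assumptions made here."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Policy:
    name: str
    annotations: Dict[str, str] = field(default_factory=dict)
    state: Optional[str] = None   # triage state such as "NOT_AFFECTED"; None means no triage
    suppress: bool = False


def is_annotation_only(policy: Policy) -> bool:
    """A policy that carries annotations but takes no triage decision."""
    return policy.state is None and not policy.suppress


def merge_matching(policies: List[Policy]) -> dict:
    """policies: the policies that matched one finding, already in bundle order."""
    merged: Dict[str, str] = {}
    for policy in policies:
        for key, value in policy.annotations.items():
            if key in merged and merged[key] != value:
                # Conflicting values for the same key: keep both (assumed rule here)
                # rather than letting a later policy silently overwrite an earlier one.
                merged[key] = f"{merged[key]}; {value}"
            else:
                merged[key] = value
    # Triage is owned by the first policy in bundle order that actually triages.
    owner = next((p for p in policies if not is_annotation_only(p)), None)
    return {
        "policy_annotations": merged,  # what would be persisted as the finding's annotations
        "triage_owner": owner.name if owner else None,
        "state": owner.state if owner else None,
        "suppressed": owner.suppress if owner else False,
    }


def example_bundle() -> List[Policy]:
    """Constructed sample bundle: an annotation-only policy first, then two triaging policies."""
    return [
        Policy("tag-owner", {"owner": "platform-team"}),
        Policy("known-false-positive", {"ticket": "TICKET-123"}, state="NOT_AFFECTED", suppress=True),
        Policy("escalate-eol", {"owner": "security-team"}, state="EXPLOITABLE"),
    ]


if __name__ == "__main__":
    print(merge_matching(example_bundle()))
```

With the constructed bundle, all three annotation sets are merged, but only the second policy decides triage: the third policy's `EXPLOITABLE` state never wins because it sits later in bundle order.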

mehab added 2 commits June 4, 2026 14:27
Signed-off-by: Meha Bhargava <meha.bhargava2@gmail.com>
Signed-off-by: Meha Bhargava <meha.bhargava2@gmail.com>
@owasp-dt-bot commented Jun 8, 2026

Snyk checks have passed. No issues have been found so far.

Scan Engine            Critical  High  Medium  Low  Total (0)
Open Source Security   0         0     0       0    0 issues


@codacy-production (bot) commented Jun 8, 2026

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues


🟢 Metrics 88 complexity · 5 duplication

Metric Results
Complexity 88
Duplication 5


🟢 Coverage 70.07% diff coverage · -0.17% coverage variation

Metric Results
Coverage variation -0.17% coverage variation (-1.00%)
Diff coverage 70.07% diff coverage (70.00%)


Coverage variation details
                                    Coverable lines  Covered lines  Coverage
Common ancestor commit (a7bd2c0)    42724            37066          86.76%
Head commit (eb029aa)               43066 (+342)     37288 (+222)   86.58% (-0.17%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details
                        Coverable lines  Covered lines  Diff coverage
Pull request (#6313)    441              309            70.07%

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%


mehab added 2 commits June 9, 2026 10:33
Signed-off-by: Meha Bhargava <meha.bhargava2@gmail.com>
Signed-off-by: Meha Bhargava <meha.bhargava2@gmail.com>

private transient List<VulnerabilityAlias> aliases;

private transient AnalysisInfo analysis;

Contributor (reviewer) commented:

Do we need analysis inside vulnerability model? Any analysis should be at project/component level IMO.

mehab (Contributor, Author) replied:

Separated this out from the Vulnerability class.

LEFT JOIN "ANALYSIS"
ON "V"."ID" = "ANALYSIS"."VULNERABILITY_ID"
AND "COMPONENT"."PROJECT_ID" = "ANALYSIS"."PROJECT_ID"
AND "COMPONENT"."ID" = "ANALYSIS"."COMPONENT_ID"

@sahibamittal (Contributor) commented Jun 12, 2026

This changes the logic of analysis matching. This would result in suppression at each component level instead of current project level.

mehab (Contributor, Author) replied:

This change is only for the view of vulnerabilities/suppressions and policy annotations on a per-component basis.
The reconciliation logic continues to be project-level reconciliation, so suppression will continue to happen at project level.
This change will only fetch the project-level suppression/annotation for the specific component where the id match happens.
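The thread above contrasts two join behaviours: matching `ANALYSIS` rows on vulnerability and project only, versus additionally requiring `"COMPONENT"."ID" = "ANALYSIS"."COMPONENT_ID"`. The following added example (not Dependency-Track's own code or schema) builds a constructed in-memory SQLite model and runs both variants of the join so the difference is visible in the rows returned. Only the `ANALYSIS` column names used in the join condition and `POLICY_ANNOTATIONS` come from this PR; the table layout, the `COMPONENTS_VULNERABILITIES` link table, and the sample rows are assumptions made here.

```python
"""Added example (not Dependency-Track's own code): an in-memory SQLite model
showing what the extra "COMPONENT"."ID" = "ANALYSIS"."COMPONENT_ID" join
condition changes in the per-component view. Table layout and sample rows are
constructed here; only the ANALYSIS column names in the join come from the thread."""
import sqlite3

# Constructed schema and data: one project (1), two components (10 and 20) that both
# carry vulnerability 100, and one analysis row (suppressed, with policy annotations)
# recorded against component 10 only.
SCHEMA_AND_DATA = """
CREATE TABLE "COMPONENT" ("ID" INTEGER PRIMARY KEY, "PROJECT_ID" INTEGER NOT NULL);
CREATE TABLE "VULNERABILITY" ("ID" INTEGER PRIMARY KEY, "VULNID" TEXT NOT NULL);
CREATE TABLE "COMPONENTS_VULNERABILITIES" ("COMPONENT_ID" INTEGER, "VULNERABILITY_ID" INTEGER);
CREATE TABLE "ANALYSIS" (
    "ID" INTEGER PRIMARY KEY,
    "PROJECT_ID" INTEGER NOT NULL,
    "COMPONENT_ID" INTEGER NOT NULL,
    "VULNERABILITY_ID" INTEGER NOT NULL,
    "SUPPRESSED" INTEGER NOT NULL,
    "POLICY_ANNOTATIONS" TEXT
);
INSERT INTO "COMPONENT" VALUES (10, 1), (20, 1);
INSERT INTO "VULNERABILITY" VALUES (100, 'EXAMPLE-2026-0001');
INSERT INTO "COMPONENTS_VULNERABILITIES" VALUES (10, 100), (20, 100);
INSERT INTO "ANALYSIS" VALUES (1, 1, 10, 100, 1, '{"owner":"platform-team"}');
"""


def build_db() -> sqlite3.Connection:
    """Create a fresh in-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA_AND_DATA)
    return conn


def findings(conn: sqlite3.Connection, per_component: bool):
    """Return (component id, vulnerability id, suppressed, annotations) for every finding.

    per_component=False joins ANALYSIS on vulnerability and project only;
    per_component=True adds the COMPONENT_ID condition from the review thread.
    """
    join = ('LEFT JOIN "ANALYSIS" ON "V"."ID" = "ANALYSIS"."VULNERABILITY_ID" '
            'AND "COMPONENT"."PROJECT_ID" = "ANALYSIS"."PROJECT_ID"')
    if per_component:
        join += ' AND "COMPONENT"."ID" = "ANALYSIS"."COMPONENT_ID"'
    sql = f"""
        SELECT "COMPONENT"."ID", "V"."ID", "ANALYSIS"."SUPPRESSED", "ANALYSIS"."POLICY_ANNOTATIONS"
        FROM "COMPONENTS_VULNERABILITIES" AS "CV"
        JOIN "COMPONENT" ON "COMPONENT"."ID" = "CV"."COMPONENT_ID"
        JOIN "VULNERABILITY" AS "V" ON "V"."ID" = "CV"."VULNERABILITY_ID"
        {join}
        ORDER BY "COMPONENT"."ID"
    """
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("vulnerability + project match:", findings(db, per_component=False))
    print("plus component match:        ", findings(db, per_component=True))
```

With the constructed data, the join without the component condition attaches component 10's analysis row to component 20 as well, so both rows appear suppressed and annotated; with the component condition, component 20 comes back with no analysis. Whichever behaviour the view is meant to have, running both variants against a small fixture like this is a quick way to check that the change to the join matches the intended scope before it reaches a dashboard that people triage from.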

mehab added 5 commits June 15, 2026 14:22
Signed-off-by: Meha Bhargava <meha.bhargava2@gmail.com>
Signed-off-by: Meha Bhargava <meha.bhargava2@gmail.com>
Signed-off-by: Meha Bhargava <meha.bhargava2@gmail.com>
Signed-off-by: Meha Bhargava <meha.bhargava2@gmail.com>
Signed-off-by: Meha Bhargava <meha.bhargava2@gmail.com>
@mehab mehab requested a review from sahibamittal June 15, 2026 14:18
mehab and others added 4 commits June 30, 2026 16:08
Signed-off-by: Meha Bhargava <meha.bhargava2@gmail.com>
Signed-off-by: Meha Bhargava <meha.bhargava2@gmail.com>
Signed-off-by: Meha Bhargava <meha.bhargava2@gmail.com>
Signed-off-by: Meha Bhargava <meha.bhargava2@gmail.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
@mehab mehab force-pushed the feature/policyDrivenAnnotation branch from 1d398ac to eb029aa July 3, 2026 16:58

3 participants