Vulnerability policies should have a priority #956
Labels: component/api-server, domain/vuln-policy, enhancement (New feature or request), p2 (Non-critical bugs, and features that help organizations to identify and reduce risk), size/M (Medium effort)
It is totally possible that multiple vulnerability policies match for any given finding.
For each finding, there can only be a single applicable analysis. Even though multiple policies matched, only one of them can take effect.
Dependency-Track has no way of knowing which of them to pick. We thus need a way to prioritize policies, such that Dependency-Track can make a sensible decision in such cases.
I propose to:

- Add a `priority` field (0 ... is highest)
- Change `VulnerabilityPolicyProvider` such that applicable policies are returned in order of priority (descending)

An open question is how we deal with situations where multiple matched rules have the same priority.

Possible solutions:

- Use a secondary sort key (`createdAt` timestamp, ...)
  - `createdAt` is optional in the schema
- Other / better solutions to be discussed...
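A sketch of the proposed ordering, as an added example that is not code from the Dependency-Track project: the `VulnerabilityPolicy` record, its field names, and the convention that a larger `priority` value wins are assumptions; the `selectEffective` check shows why equal priorities still need a defined tie-breaker, since `createdAt` may be absent.

```java
import java.time.Instant;
import java.util.Comparator;
import java.util.List;
import java.util.Optional;

// Hypothetical minimal policy model; not Dependency-Track's actual schema.
record VulnerabilityPolicy(String name, int priority, Instant createdAt) {}

final class PolicySelection {

    // Highest priority first (assumption: larger number = higher priority).
    // Ties are broken by the oldest createdAt; policies without a createdAt
    // (the field is optional in the schema) sort after those that have one.
    static final Comparator<VulnerabilityPolicy> ORDER =
            Comparator.comparingInt(VulnerabilityPolicy::priority).reversed()
                    .thenComparing(VulnerabilityPolicy::createdAt,
                            Comparator.nullsLast(Comparator.<Instant>naturalOrder()));

    // What a provider would return: all matched policies, best candidate first.
    static List<VulnerabilityPolicy> orderByPriority(List<VulnerabilityPolicy> matched) {
        return matched.stream().sorted(ORDER).toList();
    }

    // Returns the single policy that should take effect, or empty when the
    // first two candidates compare equal (same priority and no createdAt to
    // separate them), so the caller can log the ambiguity instead of
    // silently picking whichever the database happened to return first.
    static Optional<VulnerabilityPolicy> selectEffective(List<VulnerabilityPolicy> matched) {
        List<VulnerabilityPolicy> ordered = orderByPriority(matched);
        if (ordered.isEmpty()) {
            return Optional.empty();
        }
        if (ordered.size() > 1 && ORDER.compare(ordered.get(0), ordered.get(1)) == 0) {
            return Optional.empty();
        }
        return Optional.of(ordered.get(0));
    }

    public static void main(String[] args) {
        // Constructed sample: three policies that all matched the same finding.
        List<VulnerabilityPolicy> matched = List.of(
                new VulnerabilityPolicy("suppress-false-positive", 10, Instant.parse("2023-06-01T00:00:00Z")),
                new VulnerabilityPolicy("mark-exploitable", 10, Instant.parse("2023-01-15T00:00:00Z")),
                new VulnerabilityPolicy("default-not-affected", 0, null));
        System.out.println(orderByPriority(matched));
        System.out.println(selectEffective(matched)); // tie at priority 10 is broken by createdAt
    }
}
```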