Up to standards ✅

🟢 Issues
| Category | Results |
|---|---|
| BestPractice | 3 medium |
| CodeStyle | 4 minor |
| Complexity | 4 medium |
🟢 Metrics

| Metric | Results |
|---|---|
| Complexity | 232 |

🟢 Coverage 79.44% diff coverage · -0.19% coverage variation

| Metric | Results |
|---|---|
| Coverage variation | ✅ -0.19% coverage variation (-1.00%) |
| Diff coverage | ✅ 79.44% diff coverage (70.00%) |

Coverage variation details

| | Coverable lines | Covered lines | Coverage |
|---|---|---|---|
| Common ancestor commit (efeb037) | 42579 | 35958 | 84.45% |
| Head commit (8ab53c3) | 42863 (+284) | 36115 (+157) | 84.26% (-0.19%) |

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: `<coverage of head commit> - <coverage of common ancestor commit>`

Diff coverage details

| | Coverable lines | Covered lines | Diff coverage |
|---|---|---|---|
| Pull request (#1975) | 754 | 599 | 79.44% |

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: `<covered lines added or modified> / <coverable lines added or modified> * 100%`
Pull request overview
Implements user-managed vulnerability policies and migrates vulnerability policy bundle synchronization to a Dex workflow, exposing new/updated v2 REST endpoints and updating persistence/migrations accordingly.
Changes:
- Add v2 REST API surface for vulnerability policies and bundles (CRUD for user-managed policies; bundle sync trigger + status).
- Introduce priority and UUID-based identification for policies/bundles, plus DB migrations to support bundle/user-managed separation.
- Replace the legacy “fetch task + blob storage handlers (nginx/s3)” sync implementation with a Dex workflow/activity; update e2e + unit tests.
Reviewed changes
Copilot reviewed 66 out of 66 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| proto/src/main/proto/org/dependencytrack/internal/workflow/v1/argument_vuln_policy.proto | Adds workflow argument proto for vuln policy bundle sync. |
| migration/src/main/resources/migration/changelog-v5.7.0.xml | Adds UUIDs, priority, and bundle FK for vuln policies/bundles. |
| e2e/src/test/java/org/dependencytrack/e2e/VulnerabilityPolicyE2ET.java | Updates e2e test to sync bundles via HTTP server + v2 endpoints. |
| e2e/src/test/java/org/dependencytrack/e2e/BomUploadProcessingE2ET.java | Adjusts notification rule update requests for updated request model. |
| e2e/src/test/java/org/dependencytrack/e2e/BomProcessedNotificationDelayedE2ET.java | Adjusts notification rule update requests for updated request model. |
| e2e/src/main/java/org/dependencytrack/e2e/api/model/VulnPolicyBundleSyncStatus.java | Adds e2e model for bundle sync status API response. |
| e2e/src/main/java/org/dependencytrack/e2e/api/model/UpdateNotificationRuleRequest.java | Adds scope to update-notification request model. |
| e2e/src/main/java/org/dependencytrack/e2e/api/model/Page.java | Adds minimal paged response wrapper used by e2e client. |
| e2e/src/main/java/org/dependencytrack/e2e/api/ApiClient.java | Switches vuln policy API calls to v2 endpoints + sync status API. |
| e2e/pom.xml | Removes S3/minio/s3mock-related test dependencies. |
| common/config/src/test/java/org/dependencytrack/common/config/LegacyPropertyFallbackCustomizerTest.java | Updates legacy property fallback test to new vuln policy config key. |
| apiserver/src/test/java/org/dependencytrack/util/VulnerabilityPolicyUtilTest.java | Removes tests for deleted legacy VulnerabilityPolicyUtil. |
| apiserver/src/test/java/org/dependencytrack/tasks/vulnerabilitypolicy/blobstorage/S3StorageHandlerTest.java | Removes tests for removed S3 bundle handling. |
| apiserver/src/test/java/org/dependencytrack/tasks/vulnerabilitypolicy/blobstorage/NginxStorageHandlerTest.java | Removes tests for removed nginx storage handler implementation. |
| apiserver/src/test/java/org/dependencytrack/tasks/vulnerabilitypolicy/blobstorage/BlobStorageHandlerFactoryTest.java | Removes tests for removed blob storage factory. |
| apiserver/src/test/java/org/dependencytrack/tasks/vulnerabilitypolicy/VulnerabilityPolicyTestUtil.java | Removes legacy test bundle helper (replaced by new activity tests). |
| apiserver/src/test/java/org/dependencytrack/tasks/vulnerabilitypolicy/VulnerabilityPolicyFetchTaskTest.java | Removes tests for removed fetch task. |
| apiserver/src/test/java/org/dependencytrack/resources/v2/VulnPoliciesResourceTest.java | Adds comprehensive v2 vuln policy/bundle resource tests. |
| apiserver/src/test/java/org/dependencytrack/resources/v1/VulnerabilityPolicyResourceTest.java | Removes v1 vulnerability policy resource tests (endpoint migration). |
| apiserver/src/test/java/org/dependencytrack/resources/v1/ProjectResourceTest.java | Adapts cloning test to updated vuln policy DAO return types. |
| apiserver/src/test/java/org/dependencytrack/resources/v1/AnalysisResourceTest.java | Adapts analysis test to updated vuln policy DAO return types. |
| apiserver/src/test/java/org/dependencytrack/policy/vulnerability/SyncVulnPolicyBundleActivityTest.java | Adds unit tests for Dex activity bundle download/parse/reconcile behavior. |
| apiserver/src/test/java/org/dependencytrack/policy/cel/CelVulnerabilityPolicyEvaluatorTest.java | Adjusts helper to return identity row from DAO create. |
| apiserver/src/test/java/org/dependencytrack/persistence/jdbi/VulnerabilityPolicyDaoTest.java | Updates DAO tests for new UUID/bundle/priority semantics and API. |
| apiserver/src/main/resources/schema/vulnerability-policy-v1.schema.json | Adds priority to vuln policy YAML schema. |
| apiserver/src/main/resources/application.properties | Removes legacy vuln policy task props; adds new bundle-sync cron key; removes S3 settings. |
| apiserver/src/main/java/org/dependencytrack/util/VulnerabilityPolicyUtil.java | Removes legacy YAML parsing/sync utility. |
| apiserver/src/main/java/org/dependencytrack/tasks/vulnerabilitypolicy/blobstorage/VulnerabilityPolicyBundleFile.java | Removes legacy bundle file abstraction. |
| apiserver/src/main/java/org/dependencytrack/tasks/vulnerabilitypolicy/blobstorage/S3StorageHandler.java | Removes legacy S3 storage handler. |
| apiserver/src/main/java/org/dependencytrack/tasks/vulnerabilitypolicy/blobstorage/NginxStorageHandler.java | Removes legacy nginx storage handler. |
| apiserver/src/main/java/org/dependencytrack/tasks/vulnerabilitypolicy/blobstorage/BlobStorageAccessFactory.java | Removes legacy handler factory. |
| apiserver/src/main/java/org/dependencytrack/tasks/vulnerabilitypolicy/VulnerabilityPolicyFetchTask.java | Removes legacy scheduled fetch task subscriber. |
| apiserver/src/main/java/org/dependencytrack/tasks/vulnerabilitypolicy/S3Client.java | Removes legacy S3 client wrapper. |
| apiserver/src/main/java/org/dependencytrack/tasks/TaskSchedulerInitializer.java | Schedules Dex workflow run for bundle sync (default bundle) when configured. |
| apiserver/src/main/java/org/dependencytrack/resources/v2/WorkflowsResource.java | Registers vuln policy workflow argument descriptors in v2 workflows resource. |
| apiserver/src/main/java/org/dependencytrack/resources/v2/VulnPoliciesResource.java | Implements v2 CRUD for user-managed vuln policies + bundle listing/deletion + sync trigger/status. |
| apiserver/src/main/java/org/dependencytrack/resources/v1/VulnerabilityPolicyResource.java | Removes v1 vuln policy resource (endpoint migration). |
| apiserver/src/main/java/org/dependencytrack/policy/vulnerability/VulnerabilityPolicy.java | Adds UUID + priority fields to policy domain object. |
| apiserver/src/main/java/org/dependencytrack/policy/vulnerability/SyncVulnPolicyBundleWorkflow.java | Adds Dex workflow spec for bundle synchronization. |
| apiserver/src/main/java/org/dependencytrack/policy/vulnerability/SyncVulnPolicyBundleActivity.java | Adds Dex activity that downloads bundle, validates policies, and reconciles DB state. |
| apiserver/src/main/java/org/dependencytrack/persistence/jdbi/TagDao.java | Adds ensureExist bulk insert helper for tags. |
| apiserver/src/main/java/org/dependencytrack/model/VulnerabilityPolicyBundle.java | Adds DEFAULT_UUID constant + UUID field mapping to model. |
| apiserver/src/main/java/org/dependencytrack/event/EventSubsystemInitializer.java | Unsubscribes/removes legacy vuln policy fetch task wiring. |
| apiserver/src/main/java/org/dependencytrack/dex/DexEngineInitializer.java | Registers new workflow + activity with Dex engine. |
| apiserver/src/main/java/org/dependencytrack/common/ConfigKey.java | Removes legacy vuln policy config keys tied to deleted fetch task/S3 integration. |
| api/src/main/openapi/paths/vuln-policy-bundles__uuid__sync.yaml | Adds OpenAPI for bundle sync trigger + status endpoints. |
| api/src/main/openapi/paths/vuln-policy-bundles__uuid_.yaml | Adds OpenAPI for bundle deletion endpoint. |
| api/src/main/openapi/paths/vuln-policy-bundles.yaml | Adds OpenAPI for bundle listing endpoint. |
| api/src/main/openapi/paths/vuln-policies__uuid_.yaml | Adds OpenAPI for get/update/delete vuln policy endpoint. |
| api/src/main/openapi/paths/vuln-policies.yaml | Adds OpenAPI for list/create vuln policy endpoint. |
| api/src/main/openapi/openapi.yaml | Registers new “Vulnerability Policies” tag + paths. |
| api/src/main/openapi/components/schemas/vuln-policy-condition-error.yaml | Defines schema for per-condition CEL compilation errors. |
| api/src/main/openapi/components/schemas/vuln-policies/vuln-policy-source.yaml | Defines enum schema for policy source (USER/BUNDLE). |
| api/src/main/openapi/components/schemas/vuln-policies/vuln-policy-rating.yaml | Defines rating schema for v2 vuln policies. |
| api/src/main/openapi/components/schemas/vuln-policies/vuln-policy-operation-mode.yaml | Defines operation mode enum schema for v2 vuln policies. |
| api/src/main/openapi/components/schemas/vuln-policies/vuln-policy-bundle-sync-status.yaml | Defines sync status response schema. |
| api/src/main/openapi/components/schemas/vuln-policies/vuln-policy-analysis.yaml | Defines analysis schema for v2 vuln policies. |
| api/src/main/openapi/components/schemas/vuln-policies/update-vuln-policy-request.yaml | Defines update request schema for v2 vuln policies. |
| api/src/main/openapi/components/schemas/vuln-policies/list-vuln-policy-bundles-response.yaml | Defines list response schema for bundles. |
| api/src/main/openapi/components/schemas/vuln-policies/list-vuln-policy-bundles-response-item.yaml | Defines bundle list item schema. |
| api/src/main/openapi/components/schemas/vuln-policies/list-vuln-policies-response.yaml | Defines paginated list response schema for vuln policies. |
| api/src/main/openapi/components/schemas/vuln-policies/list-vuln-policies-response-item.yaml | Defines vuln policy list item schema. |
| api/src/main/openapi/components/schemas/vuln-policies/get-vuln-policy-response.yaml | Defines get policy response schema. |
| api/src/main/openapi/components/schemas/vuln-policies/create-vuln-policy-request.yaml | Defines create request schema for v2 vuln policies. |
| api/src/main/openapi/components/schemas/invalid-vuln-policy-condition-problem-details.yaml | Defines problem-details schema for invalid CEL conditions. |
142be8e to 067ab3c
Pull request overview
Copilot reviewed 66 out of 66 changed files in this pull request and generated 3 comments.
Comments suppressed due to low confidence (1)
e2e/pom.xml:83
- The `<dependency>` tag at this location is no longer indented consistently with the rest of the POM, which makes the XML harder to read/maintain. Consider reformatting this block to match the surrounding indentation.
c942516 to ec343a5
Pull request overview
Copilot reviewed 73 out of 73 changed files in this pull request and generated 3 comments.
f3e661b to 2f1448f
Pull request overview
Copilot reviewed 97 out of 98 changed files in this pull request and generated 2 comments.
Comments suppressed due to low confidence (1)
e2e/src/main/java/org/dependencytrack/e2e/api/model/Page.java:24
- `Page` only declares `items`, but the `/v2/vuln-policies` response includes additional top-level fields (e.g., `total`, `nextPageToken`). With Feign's default `JacksonDecoder` (`FAIL_ON_UNKNOWN_PROPERTIES` enabled), deserialization will fail on those unknown fields. Either add `@JsonIgnoreProperties(ignoreUnknown = true)` here, or model the full response shape (`items` + `total` + `nextPageToken`).
bc05180 to 02b65b4
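To make the failure mode in the comment above concrete, here is an added example (written for this review summary, not code from the hyades repository or its e2e client): a Jackson `ObjectMapper` with `FAIL_ON_UNKNOWN_PROPERTIES` enabled rejects the paged response when only `items` is modelled, while each of the two fixes the comment names lets the same payload through. The `PolicyItem` type and the sample JSON are constructed for the example; the real item shape is defined by the OpenAPI schemas listed in the review table.

```java
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exception.UnrecognizedPropertyException;

import java.util.List;

public class PageDeserializationDemo {

    // Constructed sample payload with the top-level fields the review comment mentions.
    static final String RESPONSE_JSON = """
            {"items":[{"name":"policy-a"},{"name":"policy-b"}],"total":2,"nextPageToken":"abc"}
            """;

    // Hypothetical list item; the real shape comes from the v2 OpenAPI schemas.
    static final class PolicyItem {
        public String name;
    }

    // Shape the comment objects to: only "items" is declared, unknown fields are not tolerated.
    static final class StrictPage<T> {
        public List<T> items;
    }

    // Fix 1: keep the minimal shape but tell Jackson to skip unknown top-level fields.
    @JsonIgnoreProperties(ignoreUnknown = true)
    static final class LenientPage<T> {
        public List<T> items;
    }

    // Fix 2: model the full response shape so nothing is unknown.
    static final class FullPage<T> {
        public List<T> items;
        public long total;
        public String nextPageToken;
    }

    public static void main(String[] args) throws Exception {
        // Reproduce the strict setting the comment refers to explicitly, so the
        // behaviour does not depend on whichever decoder defaults are in use.
        ObjectMapper strict = new ObjectMapper()
                .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, true);

        try {
            strict.readValue(RESPONSE_JSON, new TypeReference<StrictPage<PolicyItem>>() {});
            System.out.println("unexpected: StrictPage accepted the payload");
        } catch (UnrecognizedPropertyException e) {
            // Jackson names the first field it could not bind, here "total".
            System.out.println("StrictPage rejected unknown field: " + e.getPropertyName());
        }

        LenientPage<PolicyItem> lenient =
                strict.readValue(RESPONSE_JSON, new TypeReference<LenientPage<PolicyItem>>() {});
        System.out.println("LenientPage items: " + lenient.items.size());

        FullPage<PolicyItem> full =
                strict.readValue(RESPONSE_JSON, new TypeReference<FullPage<PolicyItem>>() {});
        System.out.println("FullPage total=" + full.total + " nextPageToken=" + full.nextPageToken);
    }
}
```

The second fix is the one to prefer for an e2e client that asserts on pagination, since `total` and `nextPageToken` become available to tests instead of being silently discarded.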
Pull request overview
Copilot reviewed 97 out of 98 changed files in this pull request and generated 3 comments.
02b65b4 to 749a22c
* Allows users to manage vulnerability policies via REST API (and consequently REST API). Previously, vuln policies could only be used with bundles, which required an external file server.
* Paves the way for support of multiple bundles. Introduces a default bundle to bridge the gap with the previous behaviour.
* Adds the concept of priorities to enable deterministic evaluation order.
* Simplifies vuln policy management by switching from multiple conditions to only a single condition per policy. Having multiple conditions is largely useless given CEL is more expressive for combining multiple conditions.
* Removes S3 support for bundle retrieval. We have no actual requirement for this yet.
* Migrates all endpoints related to vuln policies to API v2.
* Refactors the sync task to a dex workflow.

Signed-off-by: nscuro <nscuro@protonmail.com>

749a22c to 8ab53c3
Description
Implements user-managed vuln policies:
Addressed Issue
Closes DependencyTrack/hyades#930
Additional Details
ADR: https://dependencytrack.github.io/hyades/snapshot/architecture/decisions/016-user-managed-vuln-policies/
Frontend PR: DependencyTrack/hyades-frontend#480
Checklist
This PR fixes a defect, and I have provided tests to verify that the fix is effective