DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.

Home Page: https://dependencytrack.org/

Notification not triggered for existing vulnerabilities

visagansanthanam-unisys opened this issue

Current Behavior

We have a Dtrack project and there are a few vulnerabilities identified already.
Now I have configured the JIRA notification for creating new JIRA issues whenever a new vulnerability is identified.
On re-analyzing the components or re-uploading the SBOM again, I don't get any notifications. However, when I create a policy and select "Policy_violation" in alerts, I get the alerts, but that alert message does not include the vulnerability details.
I even tried "Project_Audit_Change", but no luck. When do the 'New_Vulnerability' or 'New_Vulnerable_Dependency' alerts get triggered?

Steps to Reproduce

  1. Open a Project which has vulnerabilities identified
  2. Create new alert under Notifications, using org.dependencytrack.notification.publisher.JiraPublisher
  3. Select New_Vulnerability, New_Vulnerable_Dependency, Project_Audit_Change options in "Group"
  4. Click "Submit" to save the alerts
  5. Open the Audit Vulnerabilities page on the project which has vulnerabilities
  6. Click on Re-analyze

Expected Behavior

JIRA alerts should have been triggered for the vulnerabilities found.

Dependency-Track Version

4.10.1

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

NEW_VULNERABILITY notifications are only triggered when a new vulnerability is identified. NEW_VULNERABLE_DEPENDENCY is triggered when a component is newly added to a project, and was found to be vulnerable. If a vulnerability was already found before, no new notification will be sent. That is entirely intentional, as otherwise consumers of those notifications would be flooded.
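The rule stated above, replayed as an added example (this is not Dependency-Track's own code): it diffs two snapshots of one project's findings and lists which (component, vulnerability) pairs would qualify as NEW_VULNERABILITY and which components as NEW_VULNERABLE_DEPENDENCY. The finding snapshots are constructed inline so the script runs offline; the `fetch_findings` helper assumes the v4 REST endpoint `GET /api/v1/finding/project/{uuid}` authenticated with an `X-Api-Key` header and is only needed against a live server.

```python
"""Added example, not Dependency-Track code: replay the notification rule
(new finding -> NEW_VULNERABILITY, new vulnerable component ->
NEW_VULNERABLE_DEPENDENCY, identical re-analysis -> nothing)."""
import json
import urllib.request
from typing import Dict, List, Set, Tuple

# (vulnerability source, vulnId), e.g. ("NVD", "CVE-2021-44228")
VulnKey = Tuple[str, str]


def fetch_findings(base_url: str, api_key: str, project_uuid: str) -> List[dict]:
    """Pull current findings for a project from a live server.
    Assumption: v4 REST endpoint GET /api/v1/finding/project/{uuid}, X-Api-Key auth."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v1/finding/project/{project_uuid}",
        headers={"X-Api-Key": api_key, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def index_findings(findings: List[dict]) -> Dict[str, Set[VulnKey]]:
    """component uuid -> set of vulnerability keys currently attached to it."""
    index: Dict[str, Set[VulnKey]] = {}
    for finding in findings:
        comp = finding["component"]["uuid"]
        vuln = finding["vulnerability"]
        index.setdefault(comp, set()).add((vuln["source"], vuln["vulnId"]))
    return index


def diff_findings(before: List[dict], after: List[dict]):
    """Return (new_vulnerabilities, new_vulnerable_dependencies).

    NEW_VULNERABILITY: a (component, vulnerability) pair absent from `before`.
    NEW_VULNERABLE_DEPENDENCY: a component absent from `before` that has at
    least one finding in `after`. Re-analysing identical findings yields
    empty lists for both, which is the behaviour the maintainer describes."""
    prev = index_findings(before)
    curr = index_findings(after)
    new_vulns = sorted(
        (comp, key)
        for comp, keys in curr.items()
        for key in keys - prev.get(comp, set())
    )
    new_vuln_deps = sorted(comp for comp, keys in curr.items() if comp not in prev and keys)
    return new_vulns, new_vuln_deps


def _finding(comp_uuid: str, name: str, version: str, vuln_id: str, source: str = "NVD") -> dict:
    """Build a finding in the shape the diff needs (constructed sample, not scan output)."""
    return {
        "component": {"uuid": comp_uuid, "name": name, "version": version},
        "vulnerability": {"source": source, "vulnId": vuln_id},
    }


# Constructed snapshots mirroring the scenario in the issue: a project that
# already has findings, then a re-analysis, then a scan with genuinely new results.
SNAPSHOT_BEFORE = [
    _finding("c-log4j", "log4j-core", "2.14.1", "CVE-2021-44228"),
    _finding("c-log4j", "log4j-core", "2.14.1", "CVE-2021-45046"),
    _finding("c-text", "commons-text", "1.9", "CVE-2022-42889"),
]
# "Re-analyze" or re-uploading the same SBOM: identical findings.
SNAPSHOT_REANALYZE = list(SNAPSHOT_BEFORE)
# Later scan: one new CVE on an existing component, plus a newly added vulnerable component.
SNAPSHOT_LATER = SNAPSHOT_BEFORE + [
    _finding("c-log4j", "log4j-core", "2.14.1", "CVE-2021-45105"),
    _finding("c-yaml", "snakeyaml", "1.33", "CVE-2022-1471"),
]


def events_for(before: List[dict], after: List[dict]) -> Dict[str, list]:
    """Group the diff by the notification group name it would map to."""
    new_vulns, new_deps = diff_findings(before, after)
    return {"NEW_VULNERABILITY": new_vulns, "NEW_VULNERABLE_DEPENDENCY": new_deps}


if __name__ == "__main__":
    print("re-analyze :", events_for(SNAPSHOT_BEFORE, SNAPSHOT_REANALYZE))
    print("later scan :", events_for(SNAPSHOT_BEFORE, SNAPSHOT_LATER))
```

One caveat when running this against a real server: the findings endpoint only lists components that have findings, so a component that was already in the project but had none would look "new" to this diff the first time it gets a finding. If that distinction matters, take the component inventory from the project's component list instead (assumed here to be `GET /api/v1/component/project/{uuid}`) and use that as the "seen before" set.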