feat(policy): support wildcard and regex matching for Vulnerability ID policy conditions#6629
Open
schennamaneni-godaddy wants to merge 2 commits into
Open
feat(policy): support wildcard and regex matching for Vulnerability ID policy conditions#6629schennamaneni-godaddy wants to merge 2 commits into
schennamaneni-godaddy wants to merge 2 commits into
Conversation
…nditions Add MATCHES and NO_MATCH operator support to the vulnerability-id policy condition. The value is normalized into a regular expression (mirroring the v4 Matcher semantics: "*" wildcard plus substring anchoring) and evaluated via CEL's matches() function. IS / IS_NOT retain exact-match behavior. This enables policies such as "Vulnerability ID matches MAL-*" to flag all malware advisories, with an accompanying NO_MATCH condition to allowlist specific identifiers.
…olicy feat(policy): regex/wildcard matching for vulnerability ID conditions
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
Up to standards ✅🟢 Issues
|
| Metric | Results |
|---|---|
| Complexity | 7 |
NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.
2 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
The
VULNERABILITY_IDpolicy condition currently supports only theISandIS_NOToperators, which perform exact string equality against a vulnerability identifier. This change adds support for theMATCHESandNO_MATCHoperators to the same condition, allowing a single condition to match a family of vulnerability IDs.The condition value is normalized into a regular expression that mirrors the semantics already used by other regex-capable conditions (a bare
*is treated as a wildcard, and the pattern is anchored with.*so it behaves as a substring match), then evaluated via CEL'smatches()function.IS/IS_NOTare unchanged and retain exact-match behavior.This enables policies such as "Vulnerability ID matches
MAL-*" to flag every malware advisory, optionally paired with aNO_MATCHcondition to allowlist specific identifiers.The corresponding frontend change (operator options + syntax tooltip) is submitted separately against DependencyTrack/frontend.
Addressed Issue
N/A
Additional Details
The change is isolated to
VulnerabilityIdCelPolicyScriptSourceBuilder. The glob-to-regex normalization is intentionally kept identical to the historicMatcherbehavior so operators that relied on it in prior versions produce the same results. No database model, enum, or API surface changes are required —MATCHES/NO_MATCHalready exist inPolicyCondition.Operator.Note: This was originally implemented by Ankit for internal use
Checklist
[ ] This PR fixes a defect, and I have provided tests to verify that the fix is effective[ ] This PR introduces changes to the database model, and I have updated the [migration changelog] accordingly[ ] This PR is a substantial change (per the [ADR criteria]), and I have added an [ADR] underdocs/adr/