Skip to content

feat(policy): support wildcard and regex matching for Vulnerability ID policy conditions#6629

Open
schennamaneni-godaddy wants to merge 2 commits into
DependencyTrack:mainfrom
schennamaneni-godaddy:main
Open

feat(policy): support wildcard and regex matching for Vulnerability ID policy conditions#6629
schennamaneni-godaddy wants to merge 2 commits into
DependencyTrack:mainfrom
schennamaneni-godaddy:main

Conversation

@schennamaneni-godaddy

@schennamaneni-godaddy schennamaneni-godaddy commented Jul 8, 2026

Copy link
Copy Markdown

Description

The VULNERABILITY_ID policy condition currently supports only the IS and IS_NOT operators, which perform exact string equality against a vulnerability identifier. This change adds support for the MATCHES and NO_MATCH operators to the same condition, allowing a single condition to match a family of vulnerability IDs.

The condition value is normalized into a regular expression that mirrors the semantics already used by other regex-capable conditions (a bare * is treated as a wildcard, and the pattern is anchored with .* so it behaves as a substring match), then evaluated via CEL's matches() function. IS / IS_NOT are unchanged and retain exact-match behavior.

This enables policies such as "Vulnerability ID matches MAL-*" to flag every malware advisory, optionally paired with a NO_MATCH condition to allowlist specific identifiers.

The corresponding frontend change (operator options + syntax tooltip) is submitted separately against DependencyTrack/frontend.

image

Addressed Issue

N/A

Additional Details

The change is isolated to VulnerabilityIdCelPolicyScriptSourceBuilder. The glob-to-regex normalization is intentionally kept identical to the historic Matcher behavior so operators that relied on it in prior versions produce the same results. No database model, enum, or API surface changes are required — MATCHES / NO_MATCH already exist in PolicyCondition.Operator.

Note: This was originally implemented by Ankit for internal use

Checklist

  • I have read and understand the [contributing guidelines]
  • [ ] This PR fixes a defect, and I have provided tests to verify that the fix is effective
  • This PR implements an enhancement, and I have provided tests to verify that it works as intended
  • [ ] This PR introduces changes to the database model, and I have updated the [migration changelog] accordingly
  • This PR introduces new or alters existing behavior, and I have updated the [documentation] accordingly
  • [ ] This PR is a substantial change (per the [ADR criteria]), and I have added an [ADR] under docs/adr/

…nditions

Add MATCHES and NO_MATCH operator support to the vulnerability-id policy
condition. The value is normalized into a regular expression (mirroring the
v4 Matcher semantics: "*" wildcard plus substring anchoring) and evaluated
via CEL's matches() function. IS / IS_NOT retain exact-match behavior.

This enables policies such as "Vulnerability ID matches MAL-*" to flag all
malware advisories, with an accompanying NO_MATCH condition to allowlist
specific identifiers.
…olicy

feat(policy): regex/wildcard matching for vulnerability ID conditions
@owasp-dt-bot

Copy link
Copy Markdown

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@codacy-production

Copy link
Copy Markdown

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 7 complexity

Metric Results
Complexity 7

View in Codacy

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants