Skip to content

Add opt-in template-based vulnerability ID generation#6639

Open
heyiamwahab236 wants to merge 4 commits into
DependencyTrack:4.14.xfrom
tecan:feature/custom-vuln-id
Open

Add opt-in template-based vulnerability ID generation#6639
heyiamwahab236 wants to merge 4 commits into
DependencyTrack:4.14.xfrom
tecan:feature/custom-vuln-id

Conversation

@heyiamwahab236

@heyiamwahab236 heyiamwahab236 commented Jul 9, 2026

Copy link
Copy Markdown

Description

Adds opt-in, template-based ID generation for internal vulnerabilities. When enabled by
an administrator, internally-created vulnerabilities receive identifiers built from a
configurable template (default {ORG_CODE}-{YYYY}-{SEQUENCE}, e.g. ACME-2026-00001,
mirroring the familiar CVE-YEAR-SEQUENCE convention) instead of the random INT-xxxx
format. Supported placeholders: {ORG_CODE}, {PROJECT_NAME}, {YYYY}, {MM}, {DD},
{SEQUENCE}, with a configurable sequence reset policy (never/yearly/monthly/daily) and
zero-padding width. The feature is off by default; when disabled, the existing random
INT- behavior is completely unchanged.

Addressed Issue

fixes #6638

Additional Details

  • Adds GET/PUT /api/v1/customization/vulnerability-id (GET requires VIEW_PORTFOLIO
    so forms can render; PUT requires SYSTEM_CONFIGURATION), plus
    GET /api/v1/vulnerability/vulnId (template-aware, falls back to the random format
    when the feature is disabled) and GET /api/v1/vulnerability/vulnId/preview (returns
    the next candidate without reserving the sequence). The create endpoint allocates the
    identifier inside the create transaction when vulnId is omitted; a client-provided
    vulnId behaves exactly as before.
  • Introduces a new JDO model VulnerabilitySequence (per org-code/project-key counter,
    unique-constrained, with a defensive duplicate-insert retry). No migration or
    migration-changelog entry is included because the table is auto-created from the model
    via DataNucleus schema generation and the config properties are seeded at startup by
    DefaultObjectGenerator — happy to add an explicit migration instead if preferred.
  • Covered by 74 unit tests (template parser, generator, REST endpoints incl. validation
    and authorization) and verified manually end-to-end in the UI together with the
    frontend companion PR (linked below).

Frontend companion: DependencyTrack/frontend#1660

Checklist

  • I have read and understand the contributing guidelines
  • This PR fixes a defect, and I have provided tests to verify that the fix is effective
  • This PR implements an enhancement, and I have provided tests to verify that it works as intended
  • This PR introduces changes to the database model, and I have updated the migration changelog accordingly
  • This PR introduces new or alters existing behavior, and I have updated the documentation accordingly
  • This PR is a substantial change (per the ADR criteria), and I have added an ADR under docs/adr/

Introduces a reusable, self-contained utility for generating custom
identifiers for internally created vulnerabilities from a configurable
template, as an alternative to the default random INT-xxxx format.

VulnerabilityIdTemplateParser expands placeholders ({ORG_CODE},
{PROJECT_NAME}/{PROJECT_CODE}, {YYYY}, {MM}, {DD}, {SEQUENCE}) with
zero-padded sequence formatting and project-name sanitization (non
[A-Za-z0-9_-] characters removed, case preserved, duplicate separators
collapsed). VulnerabilityIdGenerator provides convenience entry points
with sensible defaults.

The utility has no persistence or framework dependencies and is fully
covered by unit tests (generator + template parser).

Signed-off-by: Abdul wahab Shah <abdulwahab.shah236@gmail.com>
…y IDs

Adds the backend pieces that back the template-based generator:
- VulnerabilitySequence JDO model + persistence.xml registration
  (per org-code/project-key sequence counter, VULNERABILITY_SEQUENCE_V2)
- vulnerability-id config properties in ConfigPropertyConstants
  (use-custom toggle, org code, project code, template, reset policy, padding)
- generation logic in VulnerabilityQueryManager (template expansion, sequence
  reservation, reset-policy handling, duplicate-ID guard) + QueryManager delegates

Utility unit tests remain green. API endpoints, create-vulnerability integration,
and database migration are the remaining pieces.

Signed-off-by: Abdul wahab Shah <abdulwahab.shah236@gmail.com>
…ility IDs

Completes the backend for opt-in template-based vulnerability IDs:

- New /api/v1/customization/vulnerability-id endpoint (GET readable by
  authenticated users so forms can render; PUT requires SYSTEM_CONFIGURATION)
  for reading and updating the template, org code, default project code,
  reset policy, sequence padding, and the use-custom toggle.
- GET /api/v1/vulnerability/vulnId now generates from the configured
  template when the custom generator is enabled, falling back to the
  existing random INT- format when disabled (default). Accepts an optional
  projectName query parameter to scope the identifier.
- New GET /api/v1/vulnerability/vulnId/preview returns the next identifier
  candidate without reserving the sequence.
- PUT /api/v1/vulnerability (create) accepts an optional projectName query
  parameter and auto-generates the identifier inside the create transaction
  when vulnId is omitted; a client-provided vulnId behaves as before.

No database migration is required: the VULNERABILITY_SEQUENCE_V2 table is
auto-created by DataNucleus schema generation from the registered JDO model,
and the vulnerability-id config properties are seeded at startup by
DefaultObjectGenerator.

Signed-off-by: Abdul wahab Shah <abdulwahab.shah236@gmail.com>
Covers GET/PUT /api/v1/customization/vulnerability-id: defaults, stored-value
retrieval, round-trip persistence, all reset policies, input validation (missing
or empty org code, missing template, missing or invalid reset policy, padding
bounds), blank-project-code pass-through, and authorization (403 without
SYSTEM_CONFIGURATION).

The GET endpoint now requires VIEW_PORTFOLIO, in line with the permission model
used across the REST API.

Signed-off-by: Abdul wahab Shah <abdulwahab.shah236@gmail.com>
@owasp-dt-bot

Copy link
Copy Markdown

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@codacy-production

Copy link
Copy Markdown

Up to standards ✅

🟢 Issues 6 medium

Results:
6 new issues

Category Results
Performance 6 medium

View in Codacy

🟢 Metrics 228 complexity

Metric Results
Complexity 228

View in Codacy

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants