Add opt-in template-based vulnerability ID generation#6639
Open
heyiamwahab236 wants to merge 4 commits into
Open
Add opt-in template-based vulnerability ID generation#6639heyiamwahab236 wants to merge 4 commits into
heyiamwahab236 wants to merge 4 commits into
Conversation
Introduces a reusable, self-contained utility for generating custom
identifiers for internally created vulnerabilities from a configurable
template, as an alternative to the default random INT-xxxx format.
VulnerabilityIdTemplateParser expands placeholders ({ORG_CODE},
{PROJECT_NAME}/{PROJECT_CODE}, {YYYY}, {MM}, {DD}, {SEQUENCE}) with
zero-padded sequence formatting and project-name sanitization (non
[A-Za-z0-9_-] characters removed, case preserved, duplicate separators
collapsed). VulnerabilityIdGenerator provides convenience entry points
with sensible defaults.
The utility has no persistence or framework dependencies and is fully
covered by unit tests (generator + template parser).
Signed-off-by: Abdul wahab Shah <abdulwahab.shah236@gmail.com>
…y IDs Adds the backend pieces that back the template-based generator: - VulnerabilitySequence JDO model + persistence.xml registration (per org-code/project-key sequence counter, VULNERABILITY_SEQUENCE_V2) - vulnerability-id config properties in ConfigPropertyConstants (use-custom toggle, org code, project code, template, reset policy, padding) - generation logic in VulnerabilityQueryManager (template expansion, sequence reservation, reset-policy handling, duplicate-ID guard) + QueryManager delegates Utility unit tests remain green. API endpoints, create-vulnerability integration, and database migration are the remaining pieces. Signed-off-by: Abdul wahab Shah <abdulwahab.shah236@gmail.com>
…ility IDs Completes the backend for opt-in template-based vulnerability IDs: - New /api/v1/customization/vulnerability-id endpoint (GET readable by authenticated users so forms can render; PUT requires SYSTEM_CONFIGURATION) for reading and updating the template, org code, default project code, reset policy, sequence padding, and the use-custom toggle. - GET /api/v1/vulnerability/vulnId now generates from the configured template when the custom generator is enabled, falling back to the existing random INT- format when disabled (default). Accepts an optional projectName query parameter to scope the identifier. - New GET /api/v1/vulnerability/vulnId/preview returns the next identifier candidate without reserving the sequence. - PUT /api/v1/vulnerability (create) accepts an optional projectName query parameter and auto-generates the identifier inside the create transaction when vulnId is omitted; a client-provided vulnId behaves as before. No database migration is required: the VULNERABILITY_SEQUENCE_V2 table is auto-created by DataNucleus schema generation from the registered JDO model, and the vulnerability-id config properties are seeded at startup by DefaultObjectGenerator. Signed-off-by: Abdul wahab Shah <abdulwahab.shah236@gmail.com>
Covers GET/PUT /api/v1/customization/vulnerability-id: defaults, stored-value retrieval, round-trip persistence, all reset policies, input validation (missing or empty org code, missing template, missing or invalid reset policy, padding bounds), blank-project-code pass-through, and authorization (403 without SYSTEM_CONFIGURATION). The GET endpoint now requires VIEW_PORTFOLIO, in line with the permission model used across the REST API. Signed-off-by: Abdul wahab Shah <abdulwahab.shah236@gmail.com>
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
Up to standards ✅🟢 Issues
|
| Category | Results |
|---|---|
| Performance | 6 medium |
🟢 Metrics 228 complexity
Metric Results Complexity 228
NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.
6 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Adds opt-in, template-based ID generation for internal vulnerabilities. When enabled by
an administrator, internally-created vulnerabilities receive identifiers built from a
configurable template (default
{ORG_CODE}-{YYYY}-{SEQUENCE}, e.g.ACME-2026-00001,mirroring the familiar CVE-YEAR-SEQUENCE convention) instead of the random
INT-xxxxformat. Supported placeholders:
{ORG_CODE},{PROJECT_NAME},{YYYY},{MM},{DD},{SEQUENCE}, with a configurable sequence reset policy (never/yearly/monthly/daily) andzero-padding width. The feature is off by default; when disabled, the existing random
INT-behavior is completely unchanged.Addressed Issue
fixes #6638
Additional Details
GET/PUT /api/v1/customization/vulnerability-id(GET requiresVIEW_PORTFOLIOso forms can render; PUT requires
SYSTEM_CONFIGURATION), plusGET /api/v1/vulnerability/vulnId(template-aware, falls back to the random formatwhen the feature is disabled) and
GET /api/v1/vulnerability/vulnId/preview(returnsthe next candidate without reserving the sequence). The create endpoint allocates the
identifier inside the create transaction when
vulnIdis omitted; a client-providedvulnIdbehaves exactly as before.VulnerabilitySequence(per org-code/project-key counter,unique-constrained, with a defensive duplicate-insert retry). No migration or
migration-changelog entry is included because the table is auto-created from the model
via DataNucleus schema generation and the config properties are seeded at startup by
DefaultObjectGenerator— happy to add an explicit migration instead if preferred.and authorization) and verified manually end-to-end in the UI together with the
frontend companion PR (linked below).
Frontend companion: DependencyTrack/frontend#1660
Checklist
This PR fixes a defect, and I have provided tests to verify that the fix is effectiveThis PR introduces new or alters existing behavior, and I have updated the documentation accordinglyThis PR is a substantial change (per the ADR criteria), and I have added an ADR underdocs/adr/