Add notification concept and reference docs (#18)

Signed-off-by: nscuro <nscuro@protonmail.com>

Author: nscuro

docs/concepts/.pages

@@ -1,6 +1,7 @@
 title: Concepts
 nav:
   - index.md
-  - access-control.md
-  - vulnerability-policies.md
+  - About access control: access-control.md
+  - About notifications: notifications.md
+  - About vulnerability policies: vulnerability-policies.md
   - ...

docs/concepts/access-control.md

@@ -1,4 +1,4 @@
-# Access control
+# About access control
 
 Dependency-Track uses a role-based access control model built around **permissions**,
 **teams**, and **users**. Teams hold permissions, and users inherit the

docs/concepts/architecture/design/notifications.md

@@ -111,7 +111,7 @@ and defaults to 100.
 ### Routing
 
 The router evaluates each notification against all enabled
-[alerts](../../../reference/notifications/publishers.md).
+[alerts](../../notifications.md#alerts).
 A rule matches if:
 
 * Its scope matches the notification's scope

docs/concepts/notifications.md

@@ -0,0 +1,86 @@
+# About notifications
+
+## Introduction
+
+Dependency-Track includes a robust and configurable notification framework,
+capable of alerting users or systems about the occurrences of various events
+in the platform.
+
+## Alerts
+
+Alerts, a.k.a. *notification rules*, are configurations that specify which notifications
+are sent to which destinations. An alert defines the scope, groups, and level of notifications
+it is interested in, and optionally restricts matching to specific projects or tags.
+
+Alerts can further be refined with a *filter expression*, written in [CEL], that evaluates
+against the content of each notification. This allows filtering by properties such as
+vulnerability severity, CVSS score, or component name, without requiring dedicated UI controls
+for each filter criterion. Refer to [Filter expressions](../reference/notifications/filter-expressions.md)
+for details.
+
+## Publishers
+
+Publishers are software components that send notifications emitted by the platform
+to a destination system. Dependency-Track supports multiple publishers, ranging from
+email to Webhook. Refer to [Publishers](../reference/notifications/publishers.md) for details.
+
+## Templates
+
+Templates define how the platform-internal representation of notifications
+(see [Notification schema](../reference/schemas/notification.md)) is transformed
+to match the expectation of notification recipients.
+
+While each [publisher](#publishers) ships with a default template, administrators
+can also configure custom templates.
+
+## Levels
+
+Notifications can have one of three possible levels:
+
+* Informational
+* Warning
+* Error
+
+These levels behave similar to logging levels, in that they allow [alerts](#alerts)
+to define the verbosity of notifications being sent:
+
+* Configuring an alert for level *Informational* will match notifications of level *Informational*, *Warning*, and *Error*.
+* Configuring an alert for level *Warning* will match notifications of level *Warning* and *Error*.
+* Configuring an alert for level *Error* will only match notifications of level *Error*.
+
+## Scopes
+
+Notifications are emitted for different *scopes*. A scope broadly categorises the *subject*
+of a notification.
+
+* **SYSTEM**: Informs about system-level events, such as users being created, or integrations failing.
+* **PORTFOLIO**: Informs about portfolio-level events, such as BOM uploads, or newly identified vulnerabilities.
+
+## Groups
+
+A group is a granular classification of notification subjects within a [scope](#scopes).
+For example, the `NEW_VULNERABILITY` group within the `PORTFOLIO` scope identifies notifications
+emitted whenever a new vulnerability is found.
+
+Refer to [Notification groups](../reference/notifications/groups.md) for the full list
+of groups, their scopes, levels, and triggers.
+
+## Triggers
+
+Notifications are produced via one of two triggers:
+
+| Trigger  | Description                                                 |
+|:---------|:------------------------------------------------------------|
+| Event    | An event is emitted by the system under certain conditions. |
+| Schedule | The notification is sent based on a planned schedule.       |
+
+* Notifications triggered by events are ideal for near real-time automation,
+  and integrations into chat platforms.
+* Notifications triggered on a schedule are typically used to communicate high-level summaries,
+  and are thus a better fit for reporting purposes.
+
+Each [group](#groups) supports exactly one trigger type. Most groups are event-triggered;
+the summary groups (`NEW_VULNERABILITIES_SUMMARY`, `NEW_POLICY_VIOLATIONS_SUMMARY`)
+are schedule-triggered.
+
+[CEL]: https://cel.dev/

docs/concepts/vulnerability-policies.md

@@ -1,4 +1,4 @@
-# Vulnerability policies
+# About vulnerability policies
 
 Vulnerability policies let organisations encode how specific vulnerabilities should be triaged across
 the portfolio. Where a [standard policy](../reference/vulnerability-policies.md) raises violations, a vulnerability policy acts

docs/reference/notifications/.pages

@@ -1,3 +1,4 @@
 nav:
+  - Groups: groups.md
   - Publishers: publishers.md
   - Filter expressions: filter-expressions.md

docs/reference/notifications/filter-expressions.md

@@ -10,6 +10,8 @@ Without a filter expression, an alert matches all notifications that satisfy its
 level, and project or tag restrictions. A filter expression adds a further condition: the
 notification is only dispatched when the expression evaluates to `true`.
 
+See [Notification groups](groups.md) for the full list of groups that can be matched.
+
 ![Filter expression field in the alert editor](./images/filter-expression-editor.png)
 
 ## Syntax

docs/reference/notifications/groups.md

@@ -0,0 +1,182 @@
+# Notification groups
+
+A *group* is a granular classification of a notification's subject. Every group
+belongs to one of two scopes: `SYSTEM` (platform-level events) or `PORTFOLIO`
+(events about projects, components, or findings). Every group also has a single
+trigger type: `Event` for ad-hoc notifications emitted in response to a system
+event, or `Schedule` for notifications produced periodically by a cron schedule.
+
+Subject schemas for each group are documented in the
+[notification schema reference](../schemas/notification.md).
+
+## SYSTEM scope
+
+### `ANALYZER`
+
+- **Trigger:** Event
+- **Level:** Any
+
+Generated as a result of interacting with an external source of vulnerability
+intelligence.
+
+### `CONFIGURATION`
+
+- **Trigger:** Event
+- **Level:** Any
+
+Generated as a result of platform configuration changes or configuration errors.
+
+### `DATASOURCE_MIRRORING`
+
+- **Trigger:** Event
+- **Level:** Any
+
+Generated when performing mirroring of one of the supported datasources, such as
+the NVD.
+
+### `FILE_SYSTEM`
+
+- **Trigger:** Event
+- **Level:** Any
+
+Generated as a result of a file system operation. These are typically only
+generated on error conditions.
+
+### `INTEGRATION`
+
+- **Trigger:** Event
+- **Level:** Any
+
+Generated as a result of interacting with an external integration.
+
+### `REPOSITORY`
+
+- **Trigger:** Event
+- **Level:** Any
+
+Generated as a result of interacting with one of the supported repositories,
+such as Maven Central, RubyGems, or npm.
+
+### `USER_CREATED`
+
+- **Trigger:** Event
+- **Level:** Informational
+
+Generated as a result of a user creation.
+
+### `USER_DELETED`
+
+- **Trigger:** Event
+- **Level:** Informational
+
+Generated as a result of a user deletion.
+
+## PORTFOLIO scope
+
+### `BOM_CONSUMED`
+
+- **Trigger:** Event
+- **Level:** Informational
+
+Generated whenever a supported BOM is ingested and identified.
+
+### `BOM_PROCESSED`
+
+- **Trigger:** Event
+- **Level:** Informational
+
+Generated after a supported BOM is ingested, identified, and successfully
+processed.
+
+### `BOM_PROCESSING_FAILED`
+
+- **Trigger:** Event
+- **Level:** Error
+
+Generated whenever a BOM upload process fails.
+
+### `BOM_VALIDATION_FAILED`
+
+- **Trigger:** Event
+- **Level:** Error
+
+Generated whenever an invalid BOM is uploaded.
+
+### `NEW_VULNERABILITY`
+
+- **Trigger:** Event
+- **Level:** Informational
+
+Generated whenever a new vulnerability is identified.
+
+### `NEW_VULNERABLE_DEPENDENCY`
+
+- **Trigger:** Event
+- **Level:** Informational
+
+Generated as a result of a vulnerable component becoming a dependency of a
+project.
+
+### `POLICY_VIOLATION`
+
+- **Trigger:** Event
+- **Level:** Informational
+
+Generated whenever a policy violation is identified.
+
+### `PROJECT_AUDIT_CHANGE`
+
+- **Trigger:** Event
+- **Level:** Informational
+
+Generated whenever an analysis or suppression state has changed on a finding
+from a project.
+
+### `PROJECT_CREATED`
+
+- **Trigger:** Event
+- **Level:** Informational
+
+Generated whenever a new project is created.
+
+### `PROJECT_VULN_ANALYSIS_COMPLETE`
+
+- **Trigger:** Event
+- **Level:** Informational
+
+Generated when vulnerability analysis for a project completes.
+
+### `VEX_CONSUMED`
+
+- **Trigger:** Event
+- **Level:** Informational
+
+Generated whenever a VEX document is ingested.
+
+### `VEX_PROCESSED`
+
+- **Trigger:** Event
+- **Level:** Informational
+
+Generated after a VEX document is ingested and successfully processed.
+
+### `VULNERABILITY_RETRACTED`
+
+- **Trigger:** Event
+- **Level:** Informational
+
+Generated whenever a previously reported vulnerability is retracted.
+
+### `NEW_VULNERABILITIES_SUMMARY`
+
+- **Trigger:** Schedule
+- **Level:** Informational
+
+Summaries of new vulnerabilities identified in a set of projects.
+
+### `NEW_POLICY_VIOLATIONS_SUMMARY`
+
+- **Trigger:** Schedule
+- **Level:** Informational
+
+Summary of new policy violations identified in a set of projects.