
Hash Policy Limit Per Component #4346

Open
2 tasks done
francislance opened this issue Nov 1, 2024 · 2 comments
Labels
defect Something isn't working in triage

Comments

@francislance
Contributor

Current Behavior

A further improvement related to #4230.

I believe it is a must to set a scope limit of policies per "component" not only limit by Project.

Example in the case of creating policy for Hash values:

  • If you create a Hash value comparison, the chances are that all the rest of the hashes of components in that project will fail.
  • Hash values for sure differ per component, so comparing a value is applicable only on a 1 to 1 basis.

Steps to Reproduce

  1. Create a Hash Policy
  2. Set Limit To - the only available option is to limit per project (or project's tag); it is not possible to limit by component (or component tag)

Expected Behavior

  • A Hash value policy must be set to a scope of per component, not per project, as it will render a lot of violations if there are many components in a project.
  • It would be good to have component tagging, and that tag could be associated with a policy so that it only checks that specific component.
  • Another suggestion is that we could have a policy that compares the SBOM's component hash against the component hash in a Maven artifact repository (or other repositories used). This suggestion achieves a sort of integrity monitoring of your SBOM, checking whether it complies or not with what's in the artifact repository. In short, if the SBOM's Component Hash and the Artifact Repository's Component Hash are not equal, that means a policy violation.

Dependency-Track Version

4.12.0

Dependency-Track Distribution

Container Image

Database Server

N/A

Database Server Version

No response

Browser

N/A

@francislance francislance added defect Something isn't working in triage labels Nov 1, 2024
@nscuro
Member

nscuro commented Nov 1, 2024

The way to handle this is to set the policy operator to ALL and add qualifying conditions that narrow down on the components you want to assert the hash for. For example, using the Coordinates or Package URL subjects.

With policy operator ALL, all conditions must be met in order for a violation to be raised.
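A runnable model of the ALL-versus-ANY behaviour described in this reply, as an added example that is not Dependency-Track's own code: it evaluates a hash condition on its own, then the same hash condition combined with a Package URL condition under each operator, over a constructed three-component inventory. The subject names, the regular-expression matching used for MATCHES, the plain-string condition values and the placeholder digests are all assumptions of this model and do not reproduce the product's real condition formats or evaluator.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Constructed placeholder digest for the pinned artifact (not a real hash).
EXPECTED_SHA256 = "a" * 64


@dataclass(frozen=True)
class Component:
    purl: str
    sha256: str


@dataclass(frozen=True)
class Condition:
    subject: str   # "PACKAGE_URL" or "COMPONENT_HASH" in this model
    operator: str  # "IS", "IS_NOT" or "MATCHES"
    value: str


@dataclass(frozen=True)
class Policy:
    name: str
    operator: str  # "ANY" or "ALL"
    conditions: tuple


# Constructed inventory: the genuine pinned artifact, an unrelated library
# with its own (legitimately different) hash, and a copy of the pinned
# artifact whose hash no longer matches what was expected.
COMPONENTS = (
    Component("pkg:maven/com.example/lib@1.2.3", EXPECTED_SHA256),
    Component("pkg:maven/org.other/util@2.0.0", "c" * 64),
    Component("pkg:maven/com.example/lib@1.2.3", "d" * 64),
)


def condition_holds(cond: Condition, comp: Component) -> bool:
    """True when a single condition applies to the component.

    MATCHES is modelled as a full regular-expression match (assumption);
    hashes are compared case-insensitively."""
    if cond.subject == "PACKAGE_URL":
        actual, expected = comp.purl, cond.value
    elif cond.subject == "COMPONENT_HASH":
        actual, expected = comp.sha256.lower(), cond.value.lower()
    else:
        raise ValueError(f"unsupported subject: {cond.subject}")
    if cond.operator == "IS":
        return actual == expected
    if cond.operator == "IS_NOT":
        return actual != expected
    if cond.operator == "MATCHES":
        return re.fullmatch(expected, actual) is not None
    raise ValueError(f"unsupported operator: {cond.operator}")


def violations(policy: Policy, components: Iterable[Component]) -> list:
    """Components that violate the policy under its operator.

    ANY: a violation is raised when at least one condition holds.
    ALL: a violation is raised only when every condition holds."""
    if not policy.conditions:
        raise ValueError("a policy needs at least one condition")
    combine = all if policy.operator == "ALL" else any
    return [c for c in components
            if combine(condition_holds(k, c) for k in policy.conditions)]


# The reporter's situation: a lone hash condition applied project-wide.
HASH_ONLY = Policy("lib integrity, project-wide", "ANY", (
    Condition("COMPONENT_HASH", "IS_NOT", EXPECTED_SHA256),
))

# The suggested fix: operator ALL plus a Package URL condition that pins
# exactly which component the hash assertion is meant for.
SCOPED = Policy("lib integrity, scoped to one component", "ALL", (
    Condition("PACKAGE_URL", "MATCHES", r"pkg:maven/com\.example/lib@1\.2\.3"),
    Condition("COMPONENT_HASH", "IS_NOT", EXPECTED_SHA256),
))

# Same two conditions under ANY: the PURL condition alone now raises a
# violation on the genuine artifact, which is why ALL is essential here.
SCOPED_WRONG_OPERATOR = Policy("scoped conditions, wrong operator", "ANY",
                               SCOPED.conditions)


if __name__ == "__main__":
    for policy in (HASH_ONLY, SCOPED, SCOPED_WRONG_OPERATOR):
        hits = violations(policy, COMPONENTS)
        print(f"{policy.name}: {len(hits)} violation(s)")
        for c in hits:
            print(f"  {c.purl} sha256={c.sha256[:8]}...")
```

Running it shows the three outcomes side by side: the hash-only policy flags every component except the genuine artifact (the project-wide noise the issue describes), the ALL policy flags only the mismatched copy of the pinned artifact, and the same two conditions under ANY flag all three components, including the untampered one.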

@francislance
Contributor Author

@nscuro I'll give this a try and revert back if all good. Thank you for your quick response on this.
