
Policy violation notifications based on the violation state #4375

Open
2 tasks done
otbe opened this issue Nov 13, 2024 · 4 comments
Labels
enhancement New feature or request p2 Non-critical bugs, and features that help organizations to identify and reduce risk size/M Medium effort

Comments

@otbe

otbe commented Nov 13, 2024

Current Behavior

Let's assume we define 2 policies.

Policy 1:
violation state: fail
conditions: severity is CRITICAL

Policy 2:
violation state: warn
conditions: severity is HIGH

If we now set up a notification for policy violations we will receive notifications for both types of violations. My current use case would be something like: if policy2 is violated just display the violation in the UI, if policy1 is violated send a notification. Currently we receive notifications either for both policies or for none.

Proposed Behavior

It would be nice to be able to configure a violation state for an alert or if notifications are enabled for one policy at all.

Checklist

@otbe otbe added the enhancement New feature or request label Nov 13, 2024
@nscuro
Member

nscuro commented Nov 13, 2024

I think this would be (is?) addressed by #2673. IMO the need to keep state across policies can largely be addressed by giving more flexibility in each condition.

A simpler stop-gap solution could be to allow numerical operators for the severity condition, such that you can have severity = CRITICAL for Policy 1, and severity <= HIGH for Policy 2.

@otbe
Author

otbe commented Nov 13, 2024

I'm not quite sure if I get your answer, sorry 😅

The way we define the policies right now is sufficient for us, however we want to distinguish by violation state if a notification is sent or not. So in the example above only notifications for policy1 shall be sent but not for policy2.

What did I miss?

@nscuro
Member

nscuro commented Nov 15, 2024

Oh sorry, I misunderstood what you were asking for.

We could allow filtering on violation state similar to how we do it for notification levels: https://docs.dependencytrack.org/integrations/notifications/#levels

Would that be sufficient?

@otbe
Author

otbe commented Nov 15, 2024

Yes I think this would be awesome :)
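Until filtering on violation state exists in the notification rule itself, the same effect can be achieved in a small relay that sits between Dependency-Track's webhook and the real alert destination and forwards only notifications whose policy carries a chosen violation state. The following is an added example for this thread, not code from the Dependency-Track project: the payload layout (`notification.subject.policyViolation.policyCondition.policy.violationState`) is modelled on the POLICY_VIOLATION webhook format but is an assumption here, and `make_payload`, `violation_state`, `should_forward` and `filter_notifications` are hypothetical helpers.

```python
import json
from typing import Iterable, List, Optional

# Violation states a Dependency-Track policy can carry, lowest to highest.
# The ordering is assumed for this example so that "at least WARN" is meaningful.
VIOLATION_STATES = ("INFO", "WARN", "FAIL")


def make_payload(policy_name: str, violation_state: str, severity: str) -> str:
    """Build a constructed JSON notification modelled on the POLICY_VIOLATION
    webhook payload. Field names are assumptions for this example, not taken
    from the project's own code; only the shape matters for the filter."""
    return json.dumps({
        "notification": {
            "level": "LEVEL_INFORMATIONAL",
            "scope": "PORTFOLIO",
            "group": "POLICY_VIOLATION",
            "title": "Policy Violation",
            "subject": {
                "project": {"name": "example-app", "version": "1.0.0"},
                "component": {"name": "example-lib", "version": "2.3.4"},
                "policyViolation": {
                    "type": "SECURITY",
                    "policyCondition": {
                        "subject": "SEVERITY",
                        "operator": "IS",
                        "value": severity,
                        "policy": {
                            "name": policy_name,
                            "violationState": violation_state,
                        },
                    },
                },
            },
        }
    })


def violation_state(raw: str) -> Optional[str]:
    """Return the violation state of the policy behind a POLICY_VIOLATION
    notification, or None for any other event group or malformed payload."""
    try:
        doc = json.loads(raw)
    except ValueError:
        return None
    notification = doc.get("notification", {})
    if notification.get("group") != "POLICY_VIOLATION":
        return None
    try:
        condition = notification["subject"]["policyViolation"]["policyCondition"]
        return condition["policy"]["violationState"]
    except (KeyError, TypeError):
        return None


def should_forward(raw: str, minimum_state: str = "FAIL") -> bool:
    """Decide whether the relay passes this notification on.

    Policy violations whose state is below minimum_state (e.g. WARN when the
    threshold is FAIL) stay visible in the UI but produce no outbound alert,
    which is the split the issue asks for. An unrecognised state is forwarded
    rather than dropped so a new state never silently suppresses alerts.
    """
    state = violation_state(raw)
    if state is None:
        return False
    if state not in VIOLATION_STATES or minimum_state not in VIOLATION_STATES:
        return True
    return VIOLATION_STATES.index(state) >= VIOLATION_STATES.index(minimum_state)


def filter_notifications(raws: Iterable[str], minimum_state: str = "FAIL") -> List[str]:
    """Keep only the notifications the relay should deliver downstream."""
    return [raw for raw in raws if should_forward(raw, minimum_state)]


if __name__ == "__main__":
    # Constructed inputs mirroring the two policies from the issue.
    inbox = [
        make_payload("Policy 1", "FAIL", "CRITICAL"),
        make_payload("Policy 2", "WARN", "HIGH"),
    ]
    for raw in filter_notifications(inbox):
        print("forwarding:", violation_state(raw))
```

With the default threshold only the Policy 1 (FAIL) notification is forwarded; running the relay with `minimum_state="WARN"` forwards both, which matches the "notification levels" style of filtering nscuro proposed.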

@nscuro nscuro added p2 Non-critical bugs, and features that help organizations to identify and reduce risk size/M Medium effort labels Nov 19, 2024