-
-
Notifications
You must be signed in to change notification settings - Fork 583
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for summarized and scheduled notifications #3925
base: feature-322-scheduled-notifications
Are you sure you want to change the base?
Support for summarized and scheduled notifications #3925
Conversation
@nscuro After i finally found some time this week to restart the PR process, i cherry-picked all necessary commits from my previous branch, corrected all sign-offs and so on. From the coding side it seems to be fine for now, although additional testing from different perspectives should be done. Please note in particular the missing javax.validation reference in "Additional details", that seems to be ignored in the current master and seems to be a personal problem of my workspace or an unseen error until now from the transition to jakarta. There may be some more topics to discuss, but the main implementation should be completed by now. The branch for the PR is based on the same commit my other branches started, but merged with a master newer than this feature branch was created on. Because of this and the recent cherry-picks, the commit history is a bit mixed up with other commits, but that may be gone when the feature branch gets updated with the missing commits from the current master branch. Please provide me with additional information for the errors of the Static Code Analysis as i cannot see any useful information in the details link. If there is anything else i need to do or you need/want to know, please get in touch with me. I will assist to the best of my abilities. |
This looks very interesting. But so does the commit history ;-) Could you rebase it onto current master to make the code changes in the PR "reviewable"? |
@valentijnscholten Yeah, i know :D In my git graph, all looked fine, after the PR i had this 😅 I'll try to rebase it and see, if it's possible without making it worse. After the first PR-attempt went terribly wrong, i'm a bit scared tbh 😆 But i will give it a try and see where i land. Maybe it helps already in the mean time to update the feature branch with the commits it is behind to resolve some "false-included" commits in this PR? |
Let me push the latest changes from
Unfortunately Codacy requires us to manually enable each "base" branch for analysis. Unless that is done, analysis will fail immediately. I have now enabled the feature branch, so the check should work for the next push. |
Updated the branches for |
@valentijnscholten Should be "fixed" by now, thanks to @nscuro :) The update did thankfully what i hoped for. The current CI test exceptions in |
Coverage summary from CodacySee diff coverage on Codacy
Coverage variation details
Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: Diff coverage details
Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: See your quality gate settings Change summary preferences🚀 Don’t miss a bit, follow what’s new on Codacy. Codacy stopped sending the deprecated coverage status on June 5th, 2024. Learn more |
You got lucky and ran into a flaky test 😅 Re-ran the workflow and it completed successfully this time. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the PR @MM-msr! Some initial feedback, I figured it would be easier to give it before merging the PR. I can still merge it now if you'd like to get feedback from users sooner.
Please have a look at my comments and let me know how you'd like to proceed.
@PersistenceCapable | ||
@JsonInclude(JsonInclude.Include.NON_NULL) | ||
@JsonIgnoreProperties(ignoreUnknown = true) | ||
public class ScheduledNotificationRule implements Rule, Serializable { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we achieve the desired functionality without introducing a new table? Looking at this class, most of the fields and behaviors between it and NotificationRule
are the same. notificationLevel
is there but not used.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually, that was my first approach. I changed it to an extra table, because i don't know ORMs very well and it didn't work as i was expecting it with adding/editing the ORM-related attributes. Especially when loading all items depending on their class-type (such as fetching all ScheduledNotificationRule items from the database), i had too many problems to invest more time to get it to work.
I may investigate it again, maybe we can do sth. like filters to fetch differently when requesting NotificationRule vs ScheduledNotificationRule (like "isScheduled == true"). But if you can give me an advice how to maybe do it automatically with ORM-magic, i appreciate it. Depending on how much it affects the existing lines of code for NotificationRule, we can definitely merge it.
src/main/java/org/dependencytrack/model/scheduled/vulnerabilities/VulnerabilityOverview.java
Outdated
Show resolved
Hide resolved
src/main/java/org/dependencytrack/model/scheduled/vulnerabilities/VulnerabilitySummaryInfo.java
Outdated
Show resolved
Hide resolved
src/main/java/org/dependencytrack/notification/ScheduledNotificationTaskInitializer.java
Show resolved
Hide resolved
src/main/java/org/dependencytrack/tasks/SendScheduledNotificationTask.java
Outdated
Show resolved
Hide resolved
src/main/java/org/dependencytrack/model/scheduled/vulnerabilities/VulnerabilityDetails.java
Outdated
Show resolved
Hide resolved
src/main/java/org/dependencytrack/model/scheduled/policyviolations/PolicyViolationDetails.java
Outdated
Show resolved
Hide resolved
src/main/java/org/dependencytrack/model/scheduled/policyviolations/PolicyViolationOverview.java
Outdated
Show resolved
Hide resolved
src/main/java/org/dependencytrack/model/scheduled/policyviolations/PolicyViolationSummary.java
Outdated
Show resolved
Hide resolved
...in/java/org/dependencytrack/model/scheduled/policyviolations/PolicyViolationSummaryInfo.java
Outdated
Show resolved
Hide resolved
Thanks a lot @nscuro for the initial feedback! I'm currently in the process of writing additional test cases to meet the Code Coverage Quota. I may consider to add some of your suggested changes after that as well or reply to them later this week to discuss them. I think by the end of the week, we know if it's a good time to merge it :) I'll try to get the most things done until then. |
Short update from my side: i added some tests and applied your suggested changes for records. Therefore, i created a factory to create these notification subjects with the logic which was previously located in the specific classes. |
@nscuro Hey there :) Could you trigger a test execution? As i can't really test most of the net-related test cases i want to know if i have to fix sth prior to releasing the PRs from draft state. Thanks in advance! |
Is this by any chance another flaky test? :D |
Looks like a hiccup in fetching dependencies. I re-started the workflow. |
I will release the PR for now from the draft state to allow a broader review. I fixed some minor test errors. Sadly, i can't really get a grip on the other major errors:
I can look into it with assistance, but if a developer with more experience in java testing and especially this project might take a look, i would really appreciate it. Maybe it's a hiccup from the test env, as e.g. the invalid cron test (ScheduledNotificationRuleResourceTest.java, L. 182ff.) returns the expected string in my browser, but as it seems not in the github tests. |
@nscuro can you give feedback if you need further changes and/or by when you will have time to look at this? |
@rkg-mm I'll try to complete a review this week. |
d8e4779
to
0e62f59
Compare
@nscuro could you please update the feature branch to the latest master? our branch is updated to the master branch which results in a lot of changes now :D |
@rkg-mm Done. The GitHub diff of both PRs won't update though until you push a new commit. |
Signed-off-by: Max Schiller <[email protected]> Signed-off-by: Marlon Gäthje <[email protected]>
…fault cron interval Signed-off-by: Max Schiller <[email protected]> Signed-off-by: Marlon Gäthje <[email protected]>
Signed-off-by: Max Schiller <[email protected]> Signed-off-by: Marlon Gäthje <[email protected]>
Signed-off-by: Max Schiller <[email protected]> Signed-off-by: Marlon Gäthje <[email protected]>
Signed-off-by: Max Schiller <[email protected]> Signed-off-by: Marlon Gäthje <[email protected]>
Signed-off-by: Max Schiller <[email protected]> Signed-off-by: Marlon Gäthje <[email protected]>
Signed-off-by: Max Schiller <[email protected]> Signed-off-by: Marlon Gäthje <[email protected]>
…ification time) Signed-off-by: Max Schiller <[email protected]> Signed-off-by: Marlon Gäthje <[email protected]>
Signed-off-by: Max Schiller <[email protected]> Signed-off-by: Marlon Gäthje <[email protected]>
Signed-off-by: Max Schiller <[email protected]> Signed-off-by: Marlon Gäthje <[email protected]>
Signed-off-by: Max Schiller <[email protected]> Signed-off-by: Marlon Gäthje <[email protected]>
Signed-off-by: Max Schiller <[email protected]> Signed-off-by: Marlon Gäthje <[email protected]>
Signed-off-by: Max Schiller <[email protected]> Signed-off-by: Marlon Gäthje <[email protected]>
…uled message Signed-off-by: Max Schiller <[email protected]> Signed-off-by: Marlon Gäthje <[email protected]>
Signed-off-by: Max Schiller <[email protected]> Signed-off-by: Marlon Gäthje <[email protected]>
Signed-off-by: Max Schiller <[email protected]> Signed-off-by: Marlon Gäthje <[email protected]>
Signed-off-by: Max Schiller <[email protected]> Signed-off-by: Marlon Gäthje <[email protected]>
Signed-off-by: Max Schiller <[email protected]> Signed-off-by: Marlon Gäthje <[email protected]>
Signed-off-by: Max Schiller <[email protected]> Signed-off-by: Marlon Gäthje <[email protected]>
Signed-off-by: Max Schiller <[email protected]> Signed-off-by: Marlon Gäthje <[email protected]>
Signed-off-by: Max Schiller <[email protected]> Signed-off-by: Marlon Gäthje <[email protected]>
Signed-off-by: Max Schiller <[email protected]> Signed-off-by: Marlon Gäthje <[email protected]>
Signed-off-by: Max Schiller <[email protected]> Signed-off-by: Marlon Gäthje <[email protected]>
21fbda9
to
e3d25a7
Compare
Signed-off-by: Marlon Gäthje <[email protected]>
Signed-off-by: Marlon Gäthje <[email protected]>
…otificationRuleDisabledRuleTest() Signed-off-by: Marlon Gäthje <[email protected]>
Signed-off-by: Marlon Gäthje <[email protected]>
Signed-off-by: Marlon Gäthje <[email protected]>
Signed-off-by: Richard Bickert <[email protected]>
Signed-off-by: Richard Bickert <[email protected]>
The previously failing unit tests for this PR should now all be fixed. |
Fixes the assertion of the timestamp in `testPublishWithScheduledNewVulnerabilitiesNotification` by setting the timestamp to a static value. Fixes the assertion of the timestamp in `testPublishWithScheduledNewPolicyViolationsNotification` by only asserting relevant and deterministic output in the HTML content. Signed-off-by: Richard Bickert <[email protected]>
Coverage summary from CodacySee diff coverage on Codacy
Coverage variation details
Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: Diff coverage details
Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: See your quality gate settings Change summary preferencesCodacy stopped sending the deprecated coverage status on June 5th, 2024. Learn more |
Description
Currently, Dependency-Track Alerts send a single notification for every single event happening that an alert is subscribed to (e.g. NEW_VULNERABILITY). This can lead to a lot of emails for users and creates the risk of overlooking important notifications.
To improve the user experience of the Alerts, scheduled notifications are implemented in Dependency-Track to send summarized notifications of new events between the last and current scheduled notification. The schedule is defined as cron expression.
Scheduled notification management is available via API and Frontend under Administration -> Notifications -> Scheduled Alerts, which is introduced in the Frontend Pull Request [reference will be added after creation].
The PR includes default templates for console and email publishing. The needed UI-Changes are available in the Frontend-PR at DependencyTrack/frontend#903.
Addressed Issue
#322
Additional Details
toJson
-Process for PolicyViolation, where the policy is not fully included in the PolicyCondition and thus thePolicy.getUUID().toString()
call fails with NullRefException. Often it worked for me just fine, sometimes not. Sometimes fixed with creating a new policy, sometimes with reboot of the application. With some additional random exceptions with the H2 database on ORM-Queries, i don't know for sure, if my code is the reason for this behavior or the instability of H2 with the ORM-mapper in my development environment.Getting violations for scheduled mail:
JSONify the data:
Please test the expected behavior in a more robust environment (docker, other infrastructures, etc.) to validate
Screenshots
Checklist
This PR fixes a defect, and I have provided tests to verify that the fix is effectiveThis PR introduces changes to the database model, and I have added corresponding [update logic](https://github.com/DependencyTrack/dependency-track/tree/master/src/main/java/org/dependencytrack/upgrade)