-
-
Notifications
You must be signed in to change notification settings - Fork 537
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for summarized and scheduled notifications #3925
base: feature-322-scheduled-notifications
Are you sure you want to change the base?
Support for summarized and scheduled notifications #3925
Conversation
Signed-off-by: Max Schiller <msr@mm-software.com>
…fault cron interval Signed-off-by: Max Schiller <msr@mm-software.com>
Signed-off-by: Max Schiller <msr@mm-software.com>
Signed-off-by: Max Schiller <msr@mm-software.com>
Signed-off-by: Max Schiller <msr@mm-software.com>
Signed-off-by: Max Schiller <msr@mm-software.com>
Signed-off-by: Max Schiller <msr@mm-software.com>
Signed-off-by: Max Schiller <msr@mm-software.com>
Signed-off-by: Max Schiller <msr@mm-software.com>
…orkaround for unknown possibility of JDO Inheritance setting Signed-off-by: Max Schiller <msr@mm-software.com>
…ationRule Signed-off-by: Max Schiller <msr@mm-software.com>
…ies for scheduled notifications Signed-off-by: Max Schiller <msr@mm-software.com>
…ly of previous work from MGE, may be changed in future) Signed-off-by: Max Schiller <msr@mm-software.com>
Signed-off-by: Max Schiller <msr@mm-software.com>
Signed-off-by: Max Schiller <msr@mm-software.com>
Signed-off-by: Max Schiller <msr@mm-software.com>
Signed-off-by: Max Schiller <msr@mm-software.com>
… as NotificationRule Signed-off-by: Max Schiller <msr@mm-software.com>
Signed-off-by: Max Schiller <msr@mm-software.com>
…ager and Scheduled Task Signed-off-by: Max Schiller <msr@mm-software.com>
Signed-off-by: Max Schiller <msr@mm-software.com>
Signed-off-by: Max Schiller <msr@mm-software.com>
…shContext Signed-off-by: Max Schiller <msr@mm-software.com>
…lishing per notification group Signed-off-by: Max Schiller <msr@mm-software.com>
…cution Signed-off-by: Max Schiller <msr@mm-software.com>
Signed-off-by: Max Schiller <msr@mm-software.com>
Signed-off-by: Max Schiller <msr@mm-software.com>
…mitation is missing Signed-off-by: Max Schiller <msr@mm-software.com>
…efault publishers with same publisher class Signed-off-by: Max Schiller <msr@mm-software.com>
Signed-off-by: Max Schiller <msr@mm-software.com>
Signed-off-by: Max Schiller <msr@mm-software.com>
Signed-off-by: Max Schiller <msr@mm-software.com>
Signed-off-by: Max Schiller <msr@mm-software.com>
Signed-off-by: Max Schiller <msr@mm-software.com>
Signed-off-by: Max Schiller <msr@mm-software.com>
…uled message Signed-off-by: Max Schiller <msr@mm-software.com>
Signed-off-by: Max Schiller <msr@mm-software.com>
…d-notifications Signed-off-by: Max Schiller <msr@mm-software.com>
@nscuro After i finally found some time this week to restart the PR process, i cherry-picked all necessary commits from my previous branch, corrected all sign-offs and so on. From the coding side it seems to be fine for now, although additional testing from different perspectives should be done. Please note in particular the missing javax.validation reference in "Additional details", that seems to be ignored in the current master and seems to be a personal problem of my workspace or an unseen error until now from the transition to jakarta. There may be some more topics to discuss, but the main implementation should be completed by now. The branch for the PR is based on the same commit my other branches started, but merged with a master newer than this feature branch was created on. Because of this and the recent cherry-picks, the commit history is a bit mixed up with other commits, but that may be gone when the feature branch gets updated with the missing commits from the current master branch. Please provide me with additional information for the errors of the Static Code Analysis as i cannot see any useful information in the details link. If there is anything else i need to do or you need/want to know, please get in touch with me. I will assist to the best of my abilities. |
This looks very interesting. But so does the commit history ;-) Could you rebase it onto current master to make the code changes in the PR "reviewable"? |
@valentijnscholten Yeah, i know :D In my git graph, all looked fine, after the PR i had this 😅 I'll try to rebase it and see, if it's possible without making it worse. After the first PR-attempt went terribly wrong, i'm a bit scared tbh 😆 But i will give it a try and see where i land. Maybe it helps already in the mean time to update the feature branch with the commits it is behind to resolve some "false-included" commits in this PR? |
Let me push the latest changes from
Unfortunately Codacy requires us to manually enable each "base" branch for analysis. Unless that is done, analysis will fail immediately. I have now enabled the feature branch, so the check should work for the next push. |
Updated the branches for |
Signed-off-by: Max Schiller <msr@mm-software.com>
@valentijnscholten Should be "fixed" by now, thanks to @nscuro :) The update did thankfully what i hoped for. The current CI test exceptions in |
Coverage summary from CodacySee diff coverage on Codacy
Coverage variation details
Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: Diff coverage details
Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: See your quality gate settings Change summary preferences🚀 Don’t miss a bit, follow what’s new on Codacy. Codacy stopped sending the deprecated coverage status on June 5th, 2024. Learn more |
You got lucky and ran into a flaky test 😅 Re-ran the workflow and it completed successfully this time. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the PR @MM-msr! Some initial feedback, I figured it would be easier to give it before merging the PR. I can still merge it now if you'd like to get feedback from users sooner.
Please have a look at my comments and let me know how you'd like to proceed.
@PersistenceCapable | ||
@JsonInclude(JsonInclude.Include.NON_NULL) | ||
@JsonIgnoreProperties(ignoreUnknown = true) | ||
public class ScheduledNotificationRule implements Rule, Serializable { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we achieve the desired functionality without introducing a new table? Looking at this class, most of the fields and behaviors between it and NotificationRule
are the same. notificationLevel
is there but not used.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually, that was my first approach. I changed it to an extra table, because i don't know ORMs very well and it didn't work as i was expecting it with adding/editing the ORM-related attributes. Especially when loading all items depending on their class-type (such as fetching all ScheduledNotificationRule items from the database), i had too many problems to invest more time to get it to work.
I may investigate it again, maybe we can do sth. like filters to fetch differently when requesting NotificationRule vs ScheduledNotificationRule (like "isScheduled == true"). But if you can give me an advice how to maybe do it automatically with ORM-magic, i appreciate it. Depending on how much it affects the existing lines of code for NotificationRule, we can definitely merge it.
src/main/java/org/dependencytrack/model/scheduled/vulnerabilities/VulnerabilityOverview.java
Outdated
Show resolved
Hide resolved
src/main/java/org/dependencytrack/model/scheduled/vulnerabilities/VulnerabilitySummaryInfo.java
Outdated
Show resolved
Hide resolved
* Initializes the scheduled notification task service. | ||
* It schedules the task executions for each enabled scheduled notification rule on startup, based on their cron configuration. | ||
*/ | ||
public class ScheduledNotificationTaskInitializer implements ServletContextListener { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
While this works, requiring a restart to for changing cron expressions is a bit harsh I think.
Something you could investigate:
- Create a single, global
ScheduledExecutorService
. Have it execute every X seconds. - Upon every execution of the scheduler, fetch all scheduled
NotificationRule
s - Parse the rules's cron expression
- Check if the rule is due for triggering based on the cron
This way, changing the schedule should not require a restart. Also, the solution would scale a bit better, since you won't need a timer for each rule, but only one.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The TaskInitializer class is only existing to register the existing cron expressions (CE) of enabled rules at startup. Every change of a CE will be handled by the TaskManager class, such as cancelling the current cron countdown and initiate the new one. So if you change a CE in the ui, the manager will cancel the old notification task and reschedule a new one. If a notification was performed, it calculates the new time until the next execution and schedules the next notification. And so on. So there is no need to restart to get new expressions to work.
If you mean sth different here that i don't get, please tell me, else mark it as resolved.
// if rule does not limit to specific projects, get all projects and their children, if configured | ||
affectedProjects = qm.detach(qm.getAllProjects()) | ||
.stream() | ||
.filter(p -> rule.isNotifyChildren() ? true : p.getParent() == null) | ||
.collect(Collectors.toList()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Any way we can avoid loading all projects in one go? Also, do we need all fields of the project, or only a small subset?
Loading them all will perform very badly for large portfolios, potentially even causing OutOfMemoryException
s.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What we really need in the end is the project id
, uuid
and the basic information for toJson(Project)
for the template. In the basic mail template, we need the project name
and version
(if i didn't forget anything). The last thing we need to have, is the proper children-connection to find all projects with their children, if the setting in the scheduled notification rule is active.
A different approach here might be the following: instead of getting new findings since date x for each of the affected projects, we could fetch all findings since date x and then filter them similar to NotificationRouter.resolveRules(...)
:
if(rule has projects)
-> get only findings, which have a project id of the rule projects
else
-> use all findings to get the affected project ids, load them and use this project list for the scheduled notification.
This way, we only load what is needed. But what is important nonetheless: we need a proper children-connection in rule.getProjects()
. If that's working fine, this approach should work well.
What do you think about that?
src/main/java/org/dependencytrack/model/scheduled/vulnerabilities/VulnerabilityDetails.java
Outdated
Show resolved
Hide resolved
src/main/java/org/dependencytrack/model/scheduled/policyviolations/PolicyViolationDetails.java
Outdated
Show resolved
Hide resolved
src/main/java/org/dependencytrack/model/scheduled/policyviolations/PolicyViolationOverview.java
Outdated
Show resolved
Hide resolved
src/main/java/org/dependencytrack/model/scheduled/policyviolations/PolicyViolationSummary.java
Outdated
Show resolved
Hide resolved
...in/java/org/dependencytrack/model/scheduled/policyviolations/PolicyViolationSummaryInfo.java
Outdated
Show resolved
Hide resolved
Thanks a lot @nscuro for the initial feedback! I'm currently in the process of writing additional test cases to meet the Code Coverage Quota. I may consider to add some of your suggested changes after that as well or reply to them later this week to discuss them. I think by the end of the week, we know if it's a good time to merge it :) I'll try to get the most things done until then. |
Signed-off-by: Max Schiller <msr@mm-software.com>
Signed-off-by: Max Schiller <msr@mm-software.com>
Signed-off-by: Max Schiller <msr@mm-software.com>
Short update from my side: i added some tests and applied your suggested changes for records. Therefore, i created a factory to create these notification subjects with the logic which was previously located in the specific classes. |
Signed-off-by: Max Schiller <msr@mm-software.com>
Signed-off-by: Max Schiller <msr@mm-software.com>
@nscuro Hey there :) Could you trigger a test execution? As i can't really test most of the net-related test cases i want to know if i have to fix sth prior to releasing the PRs from draft state. Thanks in advance! |
Description
Currently, Dependency-Track Alerts send a single notification for every single event happening that an alert is subscribed to (e.g. NEW_VULNERABILITY). This can lead to a lot of emails for users and creates the risk of overlooking important notifications.
To improve the user experience of the Alerts, scheduled notifications are implemented in Dependency-Track to send summarized notifications of new events between the last and current scheduled notification. The schedule is defined as cron expression.
Scheduled notification management is available via API and Frontend under Administration -> Notifications -> Scheduled Alerts, which is introduced in the Frontend Pull Request [reference will be added after creation].
The PR includes default templates for console and email publishing. The needed UI-Changes are available in the Frontend-PR at DependencyTrack/frontend#903.
Addressed Issue
#322
Additional Details
toJson
-Process for PolicyViolation, where the policy is not fully included in the PolicyCondition and thus thePolicy.getUUID().toString()
call fails with NullRefException. Often it worked for me just fine, sometimes not. Sometimes fixed with creating a new policy, sometimes with reboot of the application. With some additional random exceptions with the H2 database on ORM-Queries, i don't know for sure, if my code is the reason for this behavior or the instability of H2 with the ORM-mapper in my development environment.Getting violations for scheduled mail:
JSONify the data:
Please test the expected behavior in a more robust environment (docker, other infrastructures, etc.) to validate
Screenshots
Checklist
This PR fixes a defect, and I have provided tests to verify that the fix is effectiveThis PR introduces changes to the database model, and I have added corresponding [update logic](https://github.com/DependencyTrack/dependency-track/tree/master/src/main/java/org/dependencytrack/upgrade)