POLICY_VIOLATION and pipeline/dependencyTrackPublisher #1774
The dependency-track-plugin will support policy violations in upcoming v5.1.0. From the (already-merged) PR description:
The PR also mentions that the behavior of the plugin will likely change in the future when Dependency-Track introduces support for project policies. Project policies are still to be developed but are planned for Dependency-Track v5.x. Policies in DT v5.x will be very powerful indeed, as they will be able to use Common Expression Language (link to YouTube demonstration).
@HagarJNode, yes, I did see that you went to the trouble of creating a PR for adding policy support to the dependency-track-plugin shortly after you posted the above question. It never got merged... but at least you are finally about to be able to get what you need.
I'm looking for a way to make a build fail in Jenkins when a policy violation happens with a state set to fail.
I guess it should be handled by the dependencyTrackPublisher when the synchronous = true, like for vulnerabilities, but giving the API key provided VIEW_POLICY_VIOLATION has no impact. The documentation doesn't mention it either, so I guess it's not implemented, but I might be wrong.
Using Dependency-Track 4.5.0 btw.
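The build gate asked about in this thread, as an added example (not part of the original discussion and not the dependency-track-plugin's code): it takes a project's policy-violation listing as JSON and returns a non-zero exit code when an unsuppressed violation has state FAIL. The field names and the sample data are assumptions constructed for illustration.

```python
import json
import sys

KNOWN_STATES = {"INFO", "WARN", "FAIL"}

# Constructed sample; the field names are assumptions about the JSON a
# Dependency-Track policy-violation listing returns for one project.
SAMPLE = json.loads("""[
 {"type": "LICENSE", "component": {"name": "lib-a", "version": "1.0"},
  "policyCondition": {"policy": {"name": "No GPL", "violationState": "FAIL"}}},
 {"type": "OPERATIONAL", "component": {"name": "lib-b", "version": "2.3"},
  "policyCondition": {"policy": {"name": "Old release", "violationState": "WARN"}}},
 {"type": "SECURITY", "component": {"name": "lib-c", "version": "0.9"},
  "analysis": {"isSuppressed": true},
  "policyCondition": {"policy": {"name": "No criticals", "violationState": "FAIL"}}},
 {"type": "SECURITY", "component": {"name": "lib-d", "version": "4.1"}}
]""")


def blocking_violations(violations, fail_states=("FAIL",)):
    """Return the violations that should stop the build."""
    blocking = []
    for v in violations:
        if (v.get("analysis") or {}).get("isSuppressed"):
            continue  # a reviewer suppressed it in Dependency-Track
        policy = (v.get("policyCondition") or {}).get("policy") or {}
        state = str(policy.get("violationState") or "UNKNOWN").upper()
        # Fail closed: a state we cannot interpret blocks the build too.
        if state in fail_states or state not in KNOWN_STATES:
            comp = v.get("component") or {}
            blocking.append((state, policy.get("name", "?"),
                             f"{comp.get('name', '?')}@{comp.get('version', '?')}"))
    return blocking


def gate(violations):
    """Print blocking violations; return the process exit code for CI."""
    blocking = blocking_violations(violations)
    for state, policy, component in blocking:
        print(f"[{state}] policy '{policy}' violated by {component}")
    return 1 if blocking else 0


if __name__ == "__main__":
    # Pass a saved JSON listing as argv[1]; otherwise the sample is used.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    sys.exit(gate(data))
```

Run as a pipeline step after the BOM has been processed, the non-zero exit code marks the step as failed; passing `fail_states=("FAIL", "WARN")` tightens the gate.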