Limit PORTFOLIO alert to project does not work for audit changes

[dfn-certling]

Current Behavior:

This is similar to #616. Limiting PORTFOLIO alerts to projects does not work for PROJECT_AUDIT_CHANGE notifications like suppressing findings and setting their analysis state. Changing a finding status for a project sends the notification via all alerts that include PROJECT_AUDIT_CHANGE not depending on the configured project limits.

Steps to Reproduce:

Define two projects and respective PORTFOLIO alerts limited to the projects with PROJECT_AUDIT_CHANGE selected. Changing a finding status for one of the projects results in a notification sent for both projects.

Expected Behavior:

The notification should not be sent to alerts that limit their scope to other projects.

Environment:

• Dependency-Track Version: 4.1.0
• Distribution: Executable WAR
• Database Server: PostgreSQL
• Browser: Firefox

Additional Details:

Seems like the same handling that was changed in 286e2f2 should be applied to PROJECT_AUDIT_CHANGE notifications.

[ElisaDgbrt]

Hello @stevespringett @nscuro
We are facing the same issue (Dependency-Track v4.5.0).
I work in a big company and this problem affects many users and creates a security breach (sensitive information is therefore sent to people outside the projects).
Would it be possible to have a status on this issue ?

[ridaeh]

We have the same issue , we are spammed by other projects alerts

[nscuro]

Did not have this on the radar, thanks for bringing it up.

Just raised a PR that should address it. @stevespringett I don't think this justifies a bugfix release, so I'd schedule this for 4.7. Or would you prefer this to be released sooner?

[stevespringett]

Thanks all. @nscuro lets target 4.7

[github-actions]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.