Add mail notification severity options

Signed-off-by: Erik Myhrberg <[email protected]>

Author: emyhrberg

docs/_docs/integrations/notifications.md

@@ -73,6 +73,22 @@ multiple levels, while others can only ever have a single level.
 | PORTFOLIO | POLICY_VIOLATION              | Event    | INFORMATIONAL | Notifications generated whenever a policy violation is identified                                                                 |
 | PORTFOLIO | NEW_POLICY_VIOLATIONS_SUMMARY | Schedule | INFORMATIONAL | Summary of new policy violations identified in a set of projects                                                                  |
 
+## Configuring Severities
+
+A **severity** is a Dependency-Track concept defining the seriousness of an event and controlling which notifications are sent based on the user’s selected levels.
+Only events matching one of the checked severities will trigger a notification.  
+Only events which trigger `NEW_VULNERABILITY_IDENTIFIED` and **Mail** notifications will be triggered.
+Select the severity levels to be notified about. **The default is to notify about every severity levels**.
+
+| Severity   | Level | Description                              |
+|------------|:-----:|------------------------------------------|
+| CRITICAL   |   5   | Issues that require immediate attention  |
+| HIGH       |   4   | High-severity issues                     |
+| MEDIUM     |   3   | Moderate-severity issues                 |
+| LOW        |   2   | Low-severity issues                      |
+| INFO       |   1   | Informational messages                   |
+| UNASSIGNED |   0   | No severity assigned (treated as lowest) |
+
 ## Configuring Publishers
 
 A notification publisher is a Dependency-Track concept allowing users to describe the structure of a notification (i.e. MIME type, template) and how to send a notification (i.e. publisher class).

src/main/java/org/dependencytrack/model/NotificationRule.java

@@ -138,6 +138,10 @@ public class NotificationRule implements Serializable {
     @Column(name = "NOTIFY_ON", length = 1024)
     private String notifyOn;
 
+    @Persistent
+    @Column(name = "NOTIFY_SEVERITIES", length = 1024)
+    private String notifySeverities;
+
     @Persistent
     @Column(name = "MESSAGE", length = 1024)
     @Size(max = 1024)
@@ -325,6 +329,37 @@ public void setNotifyOn(Set<NotificationGroup> groups) {
         this.notifyOn = sb.toString();
     }
 
+    public List<Severity> getNotifySeverities() {
+        List<Severity> result = new ArrayList<>();
+        if (notifySeverities != null) {
+            String[] severities = notifySeverities.split(",");
+            for (String s: severities) {
+                result.add(Severity.valueOf(s.trim()));
+            }
+        } else {
+            // No severities set; return all severities (default behaviour)
+            Collections.addAll(result, Severity.values());
+        }
+        return result;
+    }
+
+    public void setNotifySeverities(List<Severity> notifySeverities){
+        if (notifySeverities.isEmpty()){
+            this.notifySeverities = null;
+            return;
+        }
+
+        // Sort the severities to ensure consistent ordering
+        StringBuilder sb = new StringBuilder();
+        for (int i=0; i < notifySeverities.size(); i++) {
+            sb.append(notifySeverities.get(i));
+            if (i+1 < notifySeverities.size()) {
+                sb.append(",");
+            }
+        }
+        this.notifySeverities = sb.toString();
+    }
+
     public NotificationPublisher getPublisher() {
         return publisher;
     }

src/main/java/org/dependencytrack/notification/NotificationRouter.java

@@ -29,6 +29,7 @@
 import org.dependencytrack.model.Tag;
 import org.dependencytrack.notification.publisher.PublishContext;
 import org.dependencytrack.notification.publisher.Publisher;
+import org.dependencytrack.notification.publisher.SendMailPublisher;
 import org.dependencytrack.notification.vo.AnalysisDecisionChange;
 import org.dependencytrack.notification.vo.BomConsumedOrProcessed;
 import org.dependencytrack.notification.vo.BomProcessingFailed;
@@ -90,7 +91,22 @@ public void inform(final Notification notification) {
                             .add(CONFIG_TEMPLATE_KEY, notificationPublisher.getTemplate())
                             .addAll(Json.createObjectBuilder(config))
                             .build();
-                    publisher.inform(ruleCtx, restrictNotificationToRuleProjects(notification, rule), notificationPublisherConfig);
+
+                    if (publisherClass == SendMailPublisher.class
+                            && rule.getTeams() != null
+                            && !rule.getTeams().isEmpty()) {
+
+                        ((SendMailPublisher) publisher).inform(
+                                ruleCtx,
+                                restrictNotificationToRuleProjects(notification, rule),
+                                notificationPublisherConfig,
+                                rule.getNotifySeverities());
+                    } else {
+                        publisher.inform(
+                                ruleCtx,
+                                restrictNotificationToRuleProjects(notification, rule),
+                                notificationPublisherConfig);
+                    }
                 } else {
                     LOGGER.error("The defined notification publisher is not assignable from " + Publisher.class.getCanonicalName() + " (%s)".formatted(ruleCtx));
                 }

src/main/java/org/dependencytrack/notification/publisher/SendMailPublisher.java

@@ -26,6 +26,8 @@
 import io.pebbletemplates.pebble.extension.core.DisallowExtensionCustomizerBuilder;
 import io.pebbletemplates.pebble.template.PebbleTemplate;
 import org.apache.commons.text.StringEscapeUtils;
+import org.dependencytrack.model.Severity;
+import org.dependencytrack.notification.vo.NewVulnerabilityIdentified;
 import org.dependencytrack.persistence.QueryManager;
 import org.dependencytrack.util.DebugDataEncryption;
 
@@ -59,6 +61,10 @@ public class SendMailPublisher implements Publisher {
             .newLineTrimming(false)
             .build();
 
+    private static final List<Severity> DEFAULT_NOTIFY_SEVERITIES =
+            Arrays.asList(Severity.LOW, Severity.MEDIUM, Severity.HIGH,
+                    Severity.UNASSIGNED, Severity.CRITICAL);
+
     @Override
     public void inform(final PublishContext ctx, final Notification notification, final JsonObject config) {
         if (config == null) {
@@ -69,6 +75,35 @@ public void inform(final PublishContext ctx, final Notification notification, fi
         sendNotification(ctx, notification, config, destinations);
     }
 
+    /**
+     * Overload used when a rule has explicit teams/severity filtering.
+     */
+    public void inform(final PublishContext ctx, final Notification notification, final JsonObject config, final List<Severity> notifySeverities) {
+
+        if (config == null) {
+            LOGGER.warn("No configuration found; Skipping notification (%s)".formatted(ctx));
+            return;
+        }
+
+        // Severity filtering
+        if (notification.getSubject() instanceof final NewVulnerabilityIdentified subject) {
+            final List<Severity> effective = (notifySeverities == null || notifySeverities.isEmpty())
+                    ? DEFAULT_NOTIFY_SEVERITIES
+                    : notifySeverities;
+
+            if (!effective.contains(subject.getVulnerability().getSeverity())) {
+                LOGGER.debug("Severity %s filtered by rule – skipping (%s)"
+                        .formatted(subject.getVulnerability().getSeverity(), ctx));
+                return;
+            }
+        }
+
+        // Team filtering
+        final String[] destinations = getDestinations(config, ctx.ruleId());
+
+        sendNotification(ctx, notification, config, destinations);
+    }
+
     private void sendNotification(final PublishContext ctx, Notification notification, JsonObject config, String[] destinations) {
         if (config == null) {
             LOGGER.warn("No publisher configuration found; Skipping notification (%s)".formatted(ctx));

src/main/java/org/dependencytrack/persistence/NotificationQueryManager.java

@@ -159,6 +159,7 @@ public NotificationRule updateNotificationRule(NotificationRule transientRule) {
             rule.setNotificationLevel(transientRule.getNotificationLevel());
             rule.setPublisherConfig(transientRule.getPublisherConfig());
             rule.setNotifyOn(transientRule.getNotifyOn());
+            rule.setNotifySeverities(transientRule.getNotifySeverities());
             bind(rule, resolveTags(transientRule.getTags()));
             return rule;
         });

src/test/java/org/dependencytrack/model/NotificationRuleTest.java

@@ -99,6 +99,16 @@ public void testNotifyOn() {
         Assert.assertEquals(2, rule.getNotifyOn().size());
     }
 
+    @Test
+    public void testNotifySeverities() {
+        List<Severity> severities = new ArrayList<>();
+        severities.add(Severity.LOW);
+        severities.add(Severity.CRITICAL);
+        NotificationRule rule = new NotificationRule();
+        rule.setNotifySeverities(severities);
+        Assert.assertEquals(2, rule.getNotifySeverities().size());
+    }
+
     @Test
     public void testPublisher() {
         NotificationPublisher publisher = new NotificationPublisher();

src/test/java/org/dependencytrack/resources/v1/NotificationRuleResourceTest.java

@@ -173,6 +173,7 @@ public void createScheduledNotificationRuleTest() {
                   "tags": [],
                   "teams": [],
                   "notifyOn": [],
+                  "notifySeverities": ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO", "UNASSIGNED"],
                   "publisher": {
                     "name": "Slack",
                     "description": "${json-unit.any-string}",
@@ -300,6 +301,7 @@ public void updateNotificationRuleWithTagsTest() {
                           ],
                           "teams": [],
                           "notifyOn": [],
+                          "notifySeverities": ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO", "UNASSIGNED"],
                           "publisher": {
                             "name": "${json-unit.any-string}",
                             "description": "${json-unit.any-string}",
@@ -348,6 +350,7 @@ public void updateNotificationRuleWithTagsTest() {
                           ],
                           "teams": [],
                           "notifyOn": [],
+                          "notifySeverities": ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO", "UNASSIGNED"],
                           "publisher": {
                             "name": "${json-unit.any-string}",
                             "description": "${json-unit.any-string}",
@@ -404,7 +407,8 @@ public void updateNotificationRuleWithGroupUnsupportedForScheduleTest() {
                           "name": "Rule 1",
                           "scope": "PORTFOLIO",
                           "notificationLevel": "INFORMATIONAL",
-                          "notifyOn": ["BOM_PROCESSED", "NEW_VULNERABILITIES_SUMMARY"]
+                          "notifyOn": ["BOM_PROCESSED", "NEW_VULNERABILITIES_SUMMARY"],
+                          "notifySeverities": ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO", "UNASSIGNED"]
                         }
                         """.formatted(rule.getUuid())));
         assertThat(response.getStatus()).isEqualTo(400);
@@ -433,6 +437,7 @@ public void updateNotificationRuleWithNewCronExpressionTest() {
                           "scope": "PORTFOLIO",
                           "notificationLevel": "INFORMATIONAL",
                           "notifyOn": ["NEW_VULNERABILITIES_SUMMARY"],
+                          "notifySeverities": ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO", "UNASSIGNED"],
                           "triggerType": "SCHEDULE",
                           "scheduleCron": "6 6 6 6 6"
                         }
@@ -454,6 +459,7 @@ public void updateNotificationRuleWithNewCronExpressionTest() {
                           "tags": [],
                           "teams": [],
                           "notifyOn": ["NEW_VULNERABILITIES_SUMMARY"],
+                          "notifySeverities": ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO", "UNASSIGNED"],
                           "triggerType": "SCHEDULE",
                           "scheduleLastTriggeredAt": "${json-unit.matches:unmodifiedScheduleLastTriggeredAt}",
                           "scheduleNextTriggerAt": "${json-unit.matches:modifiedScheduleNextTriggerAt}",
@@ -479,6 +485,7 @@ public void updateNotificationRuleWithInvalidCronExpressionTest() {
                           "scope": "PORTFOLIO",
                           "notificationLevel": "INFORMATIONAL",
                           "notifyOn": ["NEW_VULNERABILITIES_SUMMARY"],
+                          "notifySeverities": ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO", "UNASSIGNED"],
                           "triggerType": "SCHEDULE",
                           "scheduleCron": "not valid at all"
                         }
@@ -755,6 +762,7 @@ public void addTeamToRuleWithCustomEmailPublisherTest() {
                             }
                           ],
                           "notifyOn": [],
+                          "notifySeverities": ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO", "UNASSIGNED"],
                           "publisher": {
                             "name": "foo",
                             "description": "description",