mruscetta
Level 3

Setting request policy based on version range (v6, workflow)

Are there any plans to support ability to specify range of versions in request policies?

The ability to set a request policy based on a range of versions, e.g. using wildcards or regex, would significantly reduce review overhead and improve compliance.

Use case: Users submit requests for all component updates. The ability to policy-approve requests that are minor version updates, e.g. 1.1 -> 1.2, that are submitted to address vulnerabilities would significantly improve efficiency and reduce workload for submitters and approvers. It is extremely rare to have license changes in bug fix patches, so this would be safer than using "any version" + license.

Defining a Policy using "any version" + license is not a safe solution, since licenses can change between major releases (from permissive to copyleft or non-OSI type license), and component definitions in PDL often club all licenses together at a component level (versus version level). This allows the requester to select any license from the list of licenses for that component, even if NOT correct for the specified version. If policy-approval is in effect then the wrong license could be selected and auto approved. It is critical to NOT policy-approve a component where a license has changed from permissive to copyleft, AGPL or SSPL type of license.

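The two policies compared in the post, modelled as an added example (this is not Code Insight or Revenera code). It assumes a constructed component "libfoo" with a constructed per-version license table, and contrasts an "any version" + license policy, which approves on the requester's selected license alone, with a version-range policy that only auto-approves an upgrade within the same major version when the license recorded for the requested version is permissive and unchanged. The component name, versions, license table and function names are all assumptions made for the example.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Tuple

PERMISSIVE = {"MIT", "Apache-2.0", "BSD-3-Clause"}

# Constructed per-version license facts for the hypothetical component "libfoo".
# The post notes that PDL records licenses per component rather than per
# version; this table is the per-version view a version-range policy needs.
VERSION_LICENSES = {
    ("libfoo", "1.1.0"): "MIT",
    ("libfoo", "1.2.0"): "MIT",
    ("libfoo", "2.0.0"): "AGPL-3.0",  # constructed license change at a major bump
}

# Component-level license list as the requester sees it (all versions lumped).
COMPONENT_LICENSES = {"libfoo": {"MIT", "AGPL-3.0"}}


@dataclass(frozen=True)
class Request:
    component: str
    current_version: str
    requested_version: str
    selected_license: str  # picked by the requester from COMPONENT_LICENSES


def parse_version(v: str) -> Tuple[int, int, int]:
    """'1.2' -> (1, 2, 0); rejects non-numeric or over-long version strings."""
    parts = [int(p) for p in v.split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unsupported version string: {v!r}")
    major, minor, patch = (parts + [0, 0, 0])[:3]
    return major, minor, patch


def any_version_policy(req: Request) -> str:
    """The '"any version" + license' policy the post warns about: it trusts the
    license the requester selected, which may be wrong for the requested version."""
    offered = COMPONENT_LICENSES.get(req.component, set())
    if req.selected_license in offered and req.selected_license in PERMISSIVE:
        return "auto-approved"
    return "manual-review"


def version_range_policy(req: Request, pattern: str) -> str:
    """Auto-approve only when the requested version matches a wildcard pattern
    (e.g. '1.*'), is an upgrade within the same major version, and the license
    recorded for that exact version is permissive, unchanged, and matches what
    the requester selected. Anything else goes to manual review."""
    if not fnmatchcase(req.requested_version, pattern):
        return "manual-review"
    cur = parse_version(req.current_version)
    new = parse_version(req.requested_version)
    if new <= cur or new[0] != cur[0]:
        return "manual-review"  # downgrade, no-op, or major bump
    lic_cur = VERSION_LICENSES.get((req.component, req.current_version))
    lic_new = VERSION_LICENSES.get((req.component, req.requested_version))
    if lic_new is None or lic_new != lic_cur or lic_new not in PERMISSIVE:
        return "manual-review"  # unknown or changed license: a human decides
    if req.selected_license != lic_new:
        return "manual-review"  # requester picked a license not valid for this version
    return "auto-approved"


if __name__ == "__main__":
    minor = Request("libfoo", "1.1.0", "1.2.0", "MIT")
    major = Request("libfoo", "1.1.0", "2.0.0", "MIT")  # MIT is wrong for 2.0.0
    for name, req in (("minor bump", minor), ("major bump", major)):
        print(f"{name}: any-version={any_version_policy(req)}, "
              f"range(1.*)={version_range_policy(req, '1.*')}")
```

Running the block shows the case the post describes: the minor bump is auto-approved under both policies, while the major bump with the wrong (component-level) license is auto-approved by the "any version" policy but sent to manual review by the version-range policy.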
tphamda
Revenera

Hi @mruscetta,

We sincerely apologize for our lack of response. Going forward, we will be making a concerted effort to respond to all forum questions in a timely manner as well as responding to all previously asked questions on our forum. If you or someone else still has this question, here is our response:

The ability to specify a component version range in a policy is available in Code Insight v7. If you require this feature to be in v6, please open a support case with us for further evaluation.