PURL NO_MATCH policy condition doesn't match by ?type

[jakub-bochenski]

Current Behavior

Setup a policy with condition

{
	"subject": "PACKAGE_URL",
	"operator": "NO_MATCH",
	"value": "pkg:maven/com.mysql/mysql-connector-j@8.0.33?type=jar"
}

Upload a BOM:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "components": [
     {
        "type" : "library",
        "group" : "com.mysql",
        "name" : "mysql-connector-j",
        "version" : "8.0.33",
        "purl" : "pkg:maven/com.mysql/mysql-connector-j@8.0.33?type=jar"
      }
  ]
}

Observe that the policy is triggered.

If you define a policy with condition (notice no ?type)

{
	"subject": "PACKAGE_URL",
	"operator": "NO_MATCH",
	"value": "pkg:maven/com.mysql/mysql-connector-j@8.0.33"
}

Then the policy will not trigger for the above BOM

Expected Behavior

PURL policy condition should match a component with exactly the same PURL

Dependency-Track Version

4.13.2

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

N/A

Checklist

• I have read and understand the contributing guidelines
• I have checked the existing issues for whether this defect was already reported

[stohrendorf]

The policy condition values are treated as regular expressions, try escaping the ?, so that your expression does not only match @8.0.33type=jar or @8.0.3type=jar (notice how ? gets removed).

[jakub-bochenski]

thanks, that explains the behavior

it would be nice if this was documented, I don't think it's described anywhere now?