
Support component hash mismatch policy conditions#6266

Merged
nscuro merged 1 commit into
DependencyTrack:mainfrom
nscuro:component-hash-mismatch-policy
Jun 4, 2026

Conversation

nscuro (Member) commented Jun 4, 2026

Description

Supports component hash mismatch policy conditions.

Adds a new has_package_artifact_hash_mismatch CEL policy function that evaluates to true if and only if at least one component hash does not match what is reported by the upstream repository.

This closes a gap where hash matching was previously only explicitly surfaced via UI, but not really actionable.

Addressed Issue

N/A

Additional Details

Frontend PR: DependencyTrack/frontend#1573
Docs PR: DependencyTrack/docs#128

Checklist

  • I have read and understand the contributing guidelines
  • This PR fixes a defect, and I have provided tests to verify that the fix is effective
  • This PR implements an enhancement, and I have provided tests to verify that it works as intended
  • This PR introduces changes to the database model, and I have updated the migration changelog accordingly
  • This PR introduces new or alters existing behavior, and I have updated the documentation accordingly
  • This PR is a substantial change (per the ADR criteria), and I have added an ADR under docs/adr/

@nscuro nscuro added this to the 5.0 milestone Jun 4, 2026
Copilot AI review requested due to automatic review settings June 4, 2026 19:24
@nscuro nscuro added the enhancement New feature or request label Jun 4, 2026
owasp-dt-bot commented Jun 4, 2026

Snyk checks have passed. No issues have been found so far.

Scan Engine           Critical  High  Medium  Low  Total
Open Source Security  0         0     0       0    0 issues


Copilot AI (Contributor) left a comment

Pull request overview

Adds support for authoring CEL policy conditions that detect when a component’s stored hash differs from the upstream repository’s reported package artifact hash, making hash verification results actionable in policies.

Changes:

  • Extend the policy Component proto and CEL persistence mapping to surface upstream artifact hashes (MD5/SHA-1/SHA-256/SHA-512).
  • Add a new CEL member function component.has_package_artifact_hash_mismatch() and wire its field requirements into the CEL compiler.
  • Add parameterized tests covering mismatch/match/no-overlap/no-metadata scenarios and document the design decision in an ADR follow-up.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 1 comment.

File: Description
  • proto/src/main/proto/org/dependencytrack/policy/v1/policy.proto: Adds new package_artifact_* hash fields to the policy Component proto.
  • docs/adr/028-hash-verification-computed-not-materialized.md: Documents the new CEL function behavior and rationale as an ADR follow-up.
  • apiserver/src/test/java/org/dependencytrack/policy/cel/CelPolicyEngineTest.java: Adds parameterized tests for the new hash mismatch policy function.
  • apiserver/src/main/java/org/dependencytrack/policy/cel/persistence/CelPolicyFieldMappingRegistry.java: Maps new proto fields to PACKAGE_ARTIFACT_METADATA.HASH_* columns.
  • apiserver/src/main/java/org/dependencytrack/policy/cel/persistence/CelPolicyDao.java: Extends conditional join logic for PACKAGE_ARTIFACT_METADATA when fetching components.
  • apiserver/src/main/java/org/dependencytrack/policy/cel/persistence/CelPolicyComponentRowMapper.java: Populates new upstream hash fields into the Component proto builder.
  • apiserver/src/main/java/org/dependencytrack/policy/cel/CelPolicyRequirements.java: Declares required fields for evaluating the new CEL function.
  • apiserver/src/main/java/org/dependencytrack/policy/cel/CelPolicyLibrary.java: Registers the new CEL function declaration and runtime binding.
  • apiserver/src/main/java/org/dependencytrack/policy/cel/CelPolicyFunctions.java: Implements the mismatch check logic and per-algorithm comparison helper.
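The comparison semantics that the PR description and the review above describe (the mismatch, match, no-overlap and no-metadata scenarios of the per-algorithm helper), as an added illustration in Python. This is not Dependency-Track's own Java implementation. The `Component` dataclass, the dict-based hash model, the algorithm names and the case-insensitive hex comparison are assumptions of this example; the `False` outcome for the no-overlap and no-metadata cases follows from the stated definition, "true if and only if at least one component hash does not match what is reported by the upstream repository".

```python
"""Illustration of the hash-mismatch check described in this PR.

Added example, not Dependency-Track's own code. It models the semantics of
component.has_package_artifact_hash_mismatch() as the PR describes them: the
result is true if and only if at least one hash the component carries differs
from the hash the upstream repository reported for the same algorithm.
The data model, algorithm names and case-insensitive comparison are assumptions.
"""
from dataclasses import dataclass, field

# Algorithms surfaced by the PR (MD5 / SHA-1 / SHA-256 / SHA-512); names are assumed.
ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


@dataclass
class Component:
    # Hashes recorded on the component itself (e.g. taken from the SBOM).
    hashes: dict[str, str] = field(default_factory=dict)
    # Hashes the upstream repository reported for the package artifact.
    package_artifact_hashes: dict[str, str] = field(default_factory=dict)


def _normalize(hex_digest: str) -> str:
    """Hex digests are compared case-insensitively (assumption of this example)."""
    return hex_digest.strip().lower()


def hash_mismatches(component: Component) -> list[str]:
    """Return the algorithms for which both sides carry a hash and the two differ.

    An algorithm present on only one side is skipped: with nothing to compare
    against there is no verdict, so "no overlap" and "no metadata" yield [].
    """
    mismatched = []
    for algo in ALGORITHMS:
        ours = component.hashes.get(algo)
        upstream = component.package_artifact_hashes.get(algo)
        if ours is None or upstream is None:
            continue
        if _normalize(ours) != _normalize(upstream):
            mismatched.append(algo)
    return mismatched


def has_package_artifact_hash_mismatch(component: Component) -> bool:
    """The boolean a policy condition such as
    component.has_package_artifact_hash_mismatch() would evaluate to."""
    return bool(hash_mismatches(component))


# Constructed sample digests; not digests of any real artifact.
SHA256_A = "a" * 64
SHA256_B = "b" * 64
MD5_X = "0" * 32

# The four scenarios named in the review, built from the constructed digests.
SCENARIOS = {
    "mismatch": Component({"sha256": SHA256_A, "md5": MD5_X},
                          {"sha256": SHA256_B, "md5": MD5_X}),
    "match": Component({"sha256": SHA256_A}, {"sha256": SHA256_A.upper()}),
    "no_overlap": Component({"md5": MD5_X}, {"sha256": SHA256_A}),
    "no_metadata": Component({"sha256": SHA256_A}, {}),
}


def evaluate_scenarios() -> dict[str, bool]:
    """Evaluate every scenario; only "mismatch" should come back True."""
    return {name: has_package_artifact_hash_mismatch(c) for name, c in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_scenarios().items():
        print(f"{name:12s} -> has_package_artifact_hash_mismatch = {verdict}")
```

Note the defender-side reading of a `False` result: it means no comparable hash disagreed, not that the artifact was verified. A component with no upstream metadata, or with hashes only for algorithms the repository did not report, also evaluates to `False`, so a policy that wants to flag unverifiable components needs a separate condition.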

Adds a new `has_package_artifact_hash_mismatch` CEL policy function that evaluates to `true` if and only if at least one component hash does not match what is reported by the upstream repository.

Signed-off-by: nscuro <nscuro@protonmail.com>
@nscuro nscuro force-pushed the component-hash-mismatch-policy branch from 568348d to 5fc453d Compare June 4, 2026 19:37
@nscuro nscuro requested a review from Copilot June 4, 2026 19:39
Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated 1 comment.

@nscuro nscuro merged commit 8045130 into DependencyTrack:main Jun 4, 2026
16 checks passed