Difference between bom/token endpoint and event/token endpoint #5640
Unanswered. caiocfonseca1 asked this question in Q&A. Replies: 0 comments.
Hello, we are using a custom script for our CI pipelines and we've been using the bom/token endpoint to check whether the BOM processing has finished before going to the next step (that is, checking if there are any violations on the project so we can block a vulnerable project).
The thing is, with the increase of the size of our environment, we started having 2 frequent errors:
1 - The moment that the processing is returned as false, we use the lookup endpoint to check on some status on the project and the UnauditedSecurityViolations to check whether it has any new violations. On first-time scans, this search has returned an error because this metric doesn't exist yet in the returned JSON. Only on a second run of the pipeline would we get these results (probably because the time necessary to process this information has passed, so now it is available in the lookup endpoint).
2 - The bigger problem for us as security: when a new vulnerable component is introduced, sometimes the lookup endpoint would also return 0 on the UnauditedSecurityViolations and it would allow the pipeline to follow through, even if it should have been stopped. This is a bigger problem because it fails silently: it returns no error because there are no vulnerabilities, when in fact a new vulnerable component has just been introduced to the application.
I then started looking for solutions online and in the documentation and I noticed that there is an event/token endpoint that, from the nature of it, seems to be more broad and check any type of event (not just BOM processing) for a given token. I swapped to the event/token endpoint as a solution to this problem, but there were maybe some situations where it seemed the bom/token and event/token work the same (in this scenario), so this wouldn't be solving our problem.
I have some solutions in mind but they are more complicated and might add some latency to the pipeline. I use the lookup endpoint to check for these metrics because we were already using it to get the project ID, so it seemed the best option to just get the UnauditedSecurityViolations.
My questions are: Do the bom/token and event/token work the same, or will the event token guarantee that ALL tasks associated with that token have finished?
Am I wrong for using the lookup endpoint? Is this lack of synchronization between the state of the tasks and the metrics that come from the lookup an inherent problem of Dependency-Track?
I am using version 4.12.7. Thanks very much.
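The gate described in the question, written as an added example (it is neither the asker's script nor code from the Dependency-Track project): it polls a processing token with a hard deadline, reads the project's policy violations from the violations endpoint instead of the metrics counter, and fails closed when the lookup response has no metrics snapshot yet, so the first-scan case produces "not ready" rather than a crash or a silent pass. The `/api/v1/<bom|event>/token/`, `/api/v1/project/lookup` and `/api/v1/policy/violation/project/` paths and the `X-Api-Key` header are Dependency-Track's; the violation field names `type` and `analysis.analysisState`, the placeholder UUID/token, and the in-memory fake server in `demo()` are assumptions constructed for this example.

```python
"""CI gate for Dependency-Track token polling (added example, not project code)."""
import json
import time
import urllib.request
from typing import Any, Callable, Dict, List

Fetch = Callable[[str], Any]  # (API path) -> decoded JSON body


def make_http_fetch(base_url: str, api_key: str) -> Fetch:
    """Real fetcher: GET base_url + path, authenticated with the X-Api-Key header."""
    def fetch(path: str) -> Any:
        req = urllib.request.Request(base_url + path, headers={"X-Api-Key": api_key})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


class ProcessingTimeout(Exception):
    """Raised when the token is still processing after the deadline."""


def wait_until_processed(fetch: Fetch, token: str, endpoint: str = "event",
                         timeout_s: float = 600, interval_s: float = 5,
                         sleep: Callable[[float], None] = time.sleep,
                         clock: Callable[[], float] = time.monotonic) -> int:
    """Poll /api/v1/<endpoint>/token/<token> until the body is {"processing": false}.
    endpoint is "bom" or "event". Returns the number of polls made; raises on
    timeout so a hung or unreachable server is never mistaken for a finished scan."""
    deadline = clock() + timeout_s
    polls = 0
    while True:
        polls += 1
        state = fetch(f"/api/v1/{endpoint}/token/{token}")
        if state.get("processing") is False:
            return polls
        if clock() >= deadline:
            raise ProcessingTimeout(f"token {token} still processing after {timeout_s}s")
        sleep(interval_s)


def unaudited_security_violations(fetch: Fetch, project_uuid: str) -> List[Dict[str, Any]]:
    """List SECURITY policy violations that nobody has audited yet, read from the
    violations endpoint rather than the metrics counter. Field names 'type' and
    'analysis.analysisState' (NOT_SET = unaudited) are assumptions to verify."""
    result = []
    for violation in fetch(f"/api/v1/policy/violation/project/{project_uuid}"):
        if violation.get("type") != "SECURITY":
            continue
        state = (violation.get("analysis") or {}).get("analysisState", "NOT_SET")
        if state == "NOT_SET":
            result.append(violation)
    return result


def gate_decision(project: Dict[str, Any], violations: List[Dict[str, Any]]) -> str:
    """Fail closed: BLOCK on any unaudited security violation; UNKNOWN when the
    lookup response carries no 'metrics' yet (the first-scan symptom from the
    question), which callers must treat like BLOCK; PASS only when both checks pass."""
    if violations:
        return "BLOCK"
    if "metrics" not in project:
        return "UNKNOWN"
    return "PASS"


def demo() -> str:
    """Offline run against a constructed fake server: two 'still processing' polls,
    a lookup whose metrics counter says 0, and a violations list that disagrees."""
    polls = iter([{"processing": True}, {"processing": True}, {"processing": False}])
    fake = {  # constructed responses; UUID and token are placeholders
        "/api/v1/project/lookup?name=demo-app&version=1.0":
            {"uuid": "PROJECT-UUID-PLACEHOLDER",
             "metrics": {"policyViolationsSecurityUnaudited": 0}},
        "/api/v1/policy/violation/project/PROJECT-UUID-PLACEHOLDER": [
            {"type": "SECURITY", "analysis": None},
            {"type": "LICENSE", "analysis": None},
            {"type": "SECURITY", "analysis": {"analysisState": "APPROVED"}},
        ],
    }

    def fetch(path: str) -> Any:
        if path.startswith("/api/v1/event/token/"):
            return next(polls)
        return fake[path]

    wait_until_processed(fetch, "TOKEN-PLACEHOLDER", sleep=lambda _: None)
    project = fetch("/api/v1/project/lookup?name=demo-app&version=1.0")
    return gate_decision(project, unaudited_security_violations(fetch, project["uuid"]))


if __name__ == "__main__":
    print(demo())  # BLOCK: the counter said 0 but one unaudited security violation exists
```

In a real pipeline, swap the fake `fetch` for `make_http_fetch("https://dtrack.example/", key)` and exit non-zero on both `BLOCK` and `UNKNOWN`; the point of the `UNKNOWN` branch is that a missing metric is evidence the server has not finished, not evidence that the project is clean.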