
Policy Violations do not show up in cloned projects #2875

Closed
2 tasks done
ofg opened this issue Jul 6, 2023 · 5 comments
Labels: defect (Something isn't working), p2 (Non-critical bugs, and features that help organizations to identify and reduce risk)

Comments


ofg commented Jul 6, 2023

Current Behavior

Cloning a project which has license policy violations does not clone the license policy violations. In fact, the policy violations list is completely empty.

May be related to #2640

Steps to Reproduce

  1. Create a project with
project_name="test_project"
project_version="0.0.1"
filename="test-2.sbom"
curl -L -sS  \
    -X POST "${DEPENDENCY_TRACK_URL}/api/v1/bom" \
    -H "X-API-Key: $DEPENDENCY_TRACK_API_TOKEN" \
    -H "Content-Type: multipart/form-data" \
    -H "Accept: application/json" \
    -F "autoCreate=true" \
    -F "projectName=$project_name" \
    -F "projectVersion=$project_version" \
    -F "bom=@$filename"

(attachment: test-2.sbom.zip)

It shows the following license policy violation:
(screenshot)

And it returns the following metrics calling /api/v1/metrics/project/<prj uuid>/current:

{
...
  "components": 5,
...
  "policyViolationsFail": 0,
  "policyViolationsWarn": 1,
  "policyViolationsInfo": 0,
  "policyViolationsTotal": 1,
  "policyViolationsAudited": 0,
  "policyViolationsUnaudited": 1,
  "policyViolationsSecurityTotal": 0,
  "policyViolationsSecurityAudited": 0,
  "policyViolationsSecurityUnaudited": 0,
  "policyViolationsLicenseTotal": 1,
  "policyViolationsLicenseAudited": 0,
  "policyViolationsLicenseUnaudited": 1,
...
}
  2. Clone the project with
# src_prj_uuid is retrieved from project created by step 1
new_project_version="0.0.2"
curl -L -sS -w "%{http_code}" -o "$DT_RESPONSE_FILE" \
    -X PUT "${DEPENDENCY_TRACK_URL}/api/v1/project/clone" \
    -d "{ \
      \"project\": \"$src_prj_uuid\", \
      \"version\": \"$new_project_version\", \
      \"includeTags\": true, \
      \"includeProperties\": false, \
      \"includeComponents\": true, \
      \"includeServices\": true, \
      \"includeAuditHistory\": true, \
      \"includeACL\": true \
    }" \
    -H "X-API-Key: $DEPENDENCY_TRACK_API_TOKEN" \
    -H "Accept: application/json" \
    -H "Content-Type: application/json"

The new project version 0.0.2 does not show any license policy violation:
(screenshot)

Furthermore, it shows neither the "Last BOM Import" nor the "Last Measurement" timestamp:
(screenshot)

And calling /api/v1/metrics/project/<prj uuid>/current returns HTTP status code 200 but no response body.

  3. Refreshing project metrics with /api/v1/metrics/project/<prj uuid>/refresh sets a new "Last Measurement" timestamp, and calling metrics/.../current now returns a response body - but it does not contain the correct policy violation numbers - and the UI still shows no license policy violations:
{
...
  "components": 5,
...
  "policyViolationsFail": 0,
  "policyViolationsWarn": 0,
  "policyViolationsInfo": 0,
  "policyViolationsTotal": 0,
  "policyViolationsAudited": 0,
  "policyViolationsUnaudited": 0,
  "policyViolationsSecurityTotal": 0,
  "policyViolationsSecurityAudited": 0,
  "policyViolationsSecurityUnaudited": 0,
  "policyViolationsLicenseTotal": 0,
  "policyViolationsLicenseAudited": 0,
  "policyViolationsLicenseUnaudited": 0,
...
}
  4. Repeat steps 1 to 3 but accept the license policy violation in step 1. This is also not cloned.

Expected Behavior

After cloning a project, I would expect to see the same policy violations as within the original project.

I would also expect to see the audit trail in case a license policy violation had been ACCEPTED / REJECTED in the original project.

Dependency-Track Version

4.8.2

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

14.7 (AWS RDS PostgreSQL instance)

Browser

N/A

@ofg ofg added defect Something isn't working in triage labels Jul 6, 2023
@nscuro nscuro removed the in triage label Jul 17, 2023
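
The reproduction steps above, turned into a regression check. This is an added example, not code from the Dependency-Track project or from the reporter: it uploads a BOM, clones the project with the same options the reporter used, refreshes the clone's metrics and reports which policy-violation counters differ between source and clone. The API paths are those used in the issue; the /api/v1/project/lookup?name=...&version=... call used to resolve a project version to its UUID, the polling timeouts and the function names are this example's own assumptions. The 200-with-empty-body answer the reporter saw from the clone's /current endpoint is handled explicitly and treated as "no metrics yet" rather than as a parse error.

```python
"""Does a Dependency-Track project clone keep the source's policy-violation
metrics? Added example, not project or reporter code. Assumes the API paths used
in the issue, DEPENDENCY_TRACK_URL / DEPENDENCY_TRACK_API_TOKEN in the environment,
and (assumption) /api/v1/project/lookup?name=&version= resolving a version's UUID."""
import json
import os
import time
import urllib.error
import urllib.parse
import urllib.request
import uuid

# Counter names exactly as they appear in the /metrics/project/<uuid>/current body.
POLICY_KEYS = (
    "policyViolationsFail", "policyViolationsWarn", "policyViolationsInfo",
    "policyViolationsTotal", "policyViolationsAudited", "policyViolationsUnaudited",
    "policyViolationsSecurityTotal", "policyViolationsSecurityAudited",
    "policyViolationsSecurityUnaudited", "policyViolationsLicenseTotal",
    "policyViolationsLicenseAudited", "policyViolationsLicenseUnaudited",
)

def parse_metrics_body(body: bytes):
    """A fresh clone answers /metrics/project/<uuid>/current with 200 and an
    empty body (nothing measured yet): map that to None, not a decode error."""
    return json.loads(body) if body.strip() else None

def compare_policy_metrics(source: dict, clone):
    """{key: (source_value, clone_value)} for each counter that differs; a
    clone without metrics (None) differs on every key."""
    diffs = {}
    for key in POLICY_KEYS:
        src = source.get(key, 0)
        cln = None if clone is None else clone.get(key, 0)
        if src != cln:
            diffs[key] = (src, cln)
    return diffs

def _request(method, path, body=None, content_type=None):
    req = urllib.request.Request(
        os.environ["DEPENDENCY_TRACK_URL"].rstrip("/") + path, data=body, method=method)
    req.add_header("X-API-Key", os.environ["DEPENDENCY_TRACK_API_TOKEN"])
    req.add_header("Accept", "application/json")
    if content_type:
        req.add_header("Content-Type", content_type)
    with urllib.request.urlopen(req) as resp:
        return resp.read()

def _multipart(fields, file_name, file_data):
    """Hand-built multipart/form-data body; urllib has no form helper."""
    boundary = "dt" + uuid.uuid4().hex
    out = b""
    for name, value in fields.items():
        out += (f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"'
                f"\r\n\r\n{value}\r\n").encode()
    out += (f'--{boundary}\r\nContent-Disposition: form-data; name="bom"; '
            f'filename="{file_name}"\r\nContent-Type: application/octet-stream'
            "\r\n\r\n").encode() + file_data + f"\r\n--{boundary}--\r\n".encode()
    return out, f"multipart/form-data; boundary={boundary}"

def lookup_uuid(name, version, timeout=60):
    """Poll until the project version exists: BOM processing and, on newer
    releases, cloning run asynchronously (404 until done)."""
    qs = urllib.parse.urlencode({"name": name, "version": version})
    deadline = time.monotonic() + timeout
    while True:
        try:
            return json.loads(_request("GET", "/api/v1/project/lookup?" + qs))["uuid"]
        except urllib.error.HTTPError as err:
            if err.code != 404 or time.monotonic() > deadline:
                raise
            time.sleep(2)

def metrics_after_refresh(project_uuid, timeout=60):
    """Trigger a metrics refresh, then poll /current until a body comes back
    (None after the timeout)."""
    _request("GET", f"/api/v1/metrics/project/{project_uuid}/refresh")
    deadline = time.monotonic() + timeout
    while True:
        metrics = parse_metrics_body(
            _request("GET", f"/api/v1/metrics/project/{project_uuid}/current"))
        if metrics is not None or time.monotonic() > deadline:
            return metrics
        time.sleep(2)

def check_clone(name, version, new_version, bom_path):
    """Upload a BOM, clone the project as in the issue, return the differences
    in policy-violation counters between source and clone ({} means OK)."""
    with open(bom_path, "rb") as fh:
        body, ctype = _multipart({"autoCreate": "true", "projectName": name,
                                  "projectVersion": version},
                                 os.path.basename(bom_path), fh.read())
    _request("POST", "/api/v1/bom", body, ctype)
    src_uuid = lookup_uuid(name, version)
    source = metrics_after_refresh(src_uuid)
    if source is None:
        raise RuntimeError("source project has no metrics after refresh")
    clone_req = {"project": src_uuid, "version": new_version, "includeTags": True,
                 "includeProperties": False, "includeComponents": True,
                 "includeServices": True, "includeAuditHistory": True, "includeACL": True}
    _request("PUT", "/api/v1/project/clone", json.dumps(clone_req).encode(),
             "application/json")
    clone = metrics_after_refresh(lookup_uuid(name, new_version))
    return compare_policy_metrics(source, clone)
```

Run it as check_clone("test_project", "0.0.1", "0.0.2", "test-2.sbom") against the instance under test. An empty result means the clone's counters match the source; for the behaviour reported above on 4.8.2 the result should list the five non-zero license counters as (1, 0), i.e. present in the source and zero in the clone even after a refresh. Because lookup_uuid polls until the version exists, the check also works where the clone endpoint only queues the work instead of completing it synchronously.
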

nscuro (Member) commented Jul 17, 2023

Note to self: Policy violations are currently not considered in the project cloning logic:

https://github.com/DependencyTrack/dependency-track/blob/d4f1e8ef631ed4c22ff1a483f277713e22c09697/src/main/java/org/dependencytrack/persistence/ProjectQueryManager.java#L645C17-L652

Same goes for the violation analysis trail:

if (includeAuditHistory && includeComponents) {
    final List<Analysis> analyses = super.getAnalyses(source);
    if (analyses != null) {
        for (final Analysis sourceAnalysis: analyses) {
            Analysis analysis = new Analysis();
            analysis.setAnalysisState(sourceAnalysis.getAnalysisState());
            final Component clonedComponent = clonedComponents.get(sourceAnalysis.getComponent().getId());
            if (clonedComponent == null) {
                break;
            }
            analysis.setComponent(clonedComponent);
            analysis.setVulnerability(sourceAnalysis.getVulnerability());
            analysis.setSuppressed(sourceAnalysis.isSuppressed());
            analysis.setAnalysisResponse(sourceAnalysis.getAnalysisResponse());
            analysis.setAnalysisJustification(sourceAnalysis.getAnalysisJustification());
            analysis.setAnalysisState(sourceAnalysis.getAnalysisState());
            analysis.setAnalysisDetails(sourceAnalysis.getAnalysisDetails());
            analysis = persist(analysis);
            if (sourceAnalysis.getAnalysisComments() != null) {
                for (final AnalysisComment sourceComment: sourceAnalysis.getAnalysisComments()) {
                    final AnalysisComment analysisComment = new AnalysisComment();
                    analysisComment.setAnalysis(analysis);
                    analysisComment.setTimestamp(sourceComment.getTimestamp());
                    analysisComment.setComment(sourceComment.getComment());
                    analysisComment.setCommenter(sourceComment.getCommenter());
                    persist(analysisComment);
                }
            }
        }
    }
}

@nscuro nscuro added the p2 Non-critical bugs, and features that help organizations to identify and reduce risk label Jul 17, 2023

rkg-mm (Contributor) commented Oct 27, 2023

I think this issue, #2640 and #1732 are duplicates, @nscuro, am I right?
We are currently implementing a solution for this; can we ensure these are the same requests so we can finish them all?

nscuro (Member) commented Oct 27, 2023

@rkg-mm Looks like that to me too, yes. I'll close the others as duplicates so we can track it here.

nscuro (Member) commented Feb 22, 2024

This was implemented with #3248.

@nscuro nscuro closed this as completed Feb 22, 2024

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 24, 2024