New option to only return outdated components and/or only direct dependencies in the ComponentResource #2568
Conversation
walterdeboer
changed the title
![sonatype-lift[bot]](https://avatars.githubusercontent.com/in/9843?s=60&v=4){kind=small}
src/main/java/org/dependencytrack/persistence/ComponentQueryManager.java
Show resolved
Hide resolved
src/main/java/org/dependencytrack/tasks/repositories/MavenMetaAnalyzer.java
Outdated
Show resolved
Hide resolved
walterdeboer
force-pushed
the
feature/2567
branch
2 times, most recently
from
52c0694
to
64e8a24
Compare
walterdeboer
force-pushed
the
feature/2567
branch
from
64e8a24
to
8100665
Compare
walterdeboer
force-pushed
the
feature/2567
branch
3 times, most recently
from
29e4b7b
to
7a0adc3
Compare
|
Thank you for this feature. But you can actually upgrade indirect dependencies. In Gradle projects you can force versions of transitive dependencies. Of course you have to test the compatibility to your direct dependencies but sometimes it's the only way to get rid of some known vulnerabilities. So maybe showing of transitive dependencies or another switch to filter them would be a nice idea. |
|
When you don’t turn on the switch, you’ll see all dependencies. Isn’t this what you need then? Or do you mean you wan’t to see only transitive, without the direct dependencies? Seems to me that this would add much. Wouldn’t you want to fix all dependencies then?
I didn’t know gradle could do that. Good to know 🙂
|
|
No, I meant that I want to see all outdated dependencies, direct and transitive. ;) |
|
Oh sorry, of course. I was under the temporary illusion this functionality already existed.. I'll add an extra switch 👍 |
|
Thank you very much. This will help a lot. |
walterdeboer
force-pushed
the
feature/2567
branch
from
3fd0898
to
b220f21
Compare
walterdeboer
changed the title
|
@walterdeboer, following the release of v4.8.0, this PR now has conflicts that need to be resolved before it can be merged. Please can you fix things? Then the PR can be reviewed. |
…ect dependencies of the project Signed-off-by: Walter de Boer <walterdeboer@dbso.nl>
| final PaginatedResult result; | ||
| String querySring ="SELECT FROM org.dependencytrack.model.Component WHERE project == :project "; | ||
| if (filter != null) { | ||
| querySring += " && (project == :project) && name.toLowerCase().matches(:name)"; | ||
| } | ||
| if (onlyOutdated) { | ||
| // Components are considered outdated when metadata does exists, but the version is different than latestVersion | ||
| // Different should always mean version < latestVersion |
There was a problem hiding this comment.
@walterdeboer @nscuro have we given any thought to latest version in a repo may be a BETA vs "prod/GA/GTM/stable" code? if the version we have is the last stable release, but the repo is showing a beta release...do we want to flag that as outdated?
There was a problem hiding this comment.
@melba-lopez That's a good point, and I fear it is somewhat subjective. That said, the focus is on flagging risk, so the question becomes "am I at risk of being outdated when there's a new BETA version available?". Unless the latest stable version has risky vulns (which would be flagged separately), relying on BETA software in itself would be an operational risk.
What @walterdeboer is trying to solve here is risk being flagged despite there not being any sane way forward (no stable version to update to).
An extension of this feature could be to capture both latest stable and latest unstable version from remote repositories, and then letting the users decide what they want to consider "latest".
| public PaginatedResult getComponents(final Project project, final boolean includeMetrics, final boolean onlyOutdated) { | ||
| return getComponentQueryManager().getComponents(project, includeMetrics, onlyOutdated); | ||
| public PaginatedResult getComponents(final Project project, final boolean includeMetrics, final boolean onlyOutdated, final boolean onlyDirect) { | ||
| return getComponentQueryManager().getComponents(project, includeMetrics, onlyOutdated, onlyDirect); |
There was a problem hiding this comment.
@walterdeboer Now seeing this PR. If i understand this right, this is enabling a new toggle switch to show only direct dependencies, hence why the previous PR #2537 has code comments about direct dependencies only?
There was a problem hiding this comment.
I've mixed up the code in #2537 I hope i've got it right now...
There was a problem hiding this comment.
I've mixed things up in PR #2537 with this one... I've pushed the right code in the other PR now
| metaComponent.setLastCheck(new Date()); | ||
| qm.persist(metaComponent); | ||
| } else { | ||
| // 500 components with no version metadata, all transitive dependencies |
There was a problem hiding this comment.
@walterdeboer Is the test here trying to state that if there is no metadata provided in the SBOM, or if a manually created component is made without metadata, that we assume it is transitive? Just trying to understand this comment here.
There was a problem hiding this comment.
This has nothing to do with the SBOM, when DT detects new versions in the remote repository, it creates a RepositoryMetaComponent. The components here have no RepositoryMetaComponent, so they represent te most current versions
Signed-off-by: Walter de Boer <walterdeboer@dbso.nl>
walterdeboer
force-pushed
the
feature/2567
branch
from
b427473
to
b5330eb
Compare
|
@walterdeboer unfortunately the CI Test is failing 😞
|
Signed-off-by: Walter de Boer <walterdeboer@dbso.nl>
@nscuro Hmm, the PolicyEngineTest fails randomly. I hope I fixed it |
There was a problem hiding this comment.
Thanks @walterdeboer, this is going to be super useful! 🚀
And of course thanks @melba-lopez for reviewing!
nscuro
changed the title
Description
Added onlyOutdated ApiParam and onlyDirect ApiParam to /v1/component/project endpoind to only show outdated components and/or only direct dependencies
Addressed Issue
closes #2567, adresses #1833
Additional Details
Only direct dependencies are reported when onlyOutdated is true. Also added a directDepencies switch for those who want to overwrite them in their project
Checklist
and I have updated the documentation accordingly