
Add "Show in Dependency-Graph" Button in "Affected Projects" List #2942

Conversation

rbt-mm
Contributor

@rbt-mm rbt-mm commented Aug 8, 2023

Description

This PR adds the Show in Dependency-Graph button to every project in the Affected Projects tab of a vulnerability, but only if the affected project has a dependency graph.
Clicking the button redirects the user to the project's dependency graph and highlights the affected component.

Addressed Issue

DependencyTrack/frontend#533

Additional Details

Frontend PR: DependencyTrack/frontend#573

Checklist

- [x] I have read and understand the contributing guidelines
- [ ] This PR fixes a defect, and I have provided tests to verify that the fix is effective
- [x] This PR implements an enhancement, and I have provided tests to verify that it works as intended
- [ ] This PR introduces changes to the database model, and I have added corresponding update logic
- [ ] This PR introduces new or alters existing behavior, and I have updated the documentation accordingly

rbt-mm and others added 3 commits August 2, 2023 13:40
Adds the new transient attribute `affectedComponent` to the `Project`
class which allows the Frontend to link from the
`Vulnerability - Affected Projects` tab to the project's dependency
graph with the affected component being highlighted

Signed-off-by: RBickert <rbt@mm-software.com>
Signed-off-by: RBickert <rbt@mm-software.com>
…ected-projects

Add "Show in Dependency-Graph" Button in "Affected Projects" List
@rkg-mm
Contributor

rkg-mm commented Oct 24, 2023

@nscuro any reason for not merging this?

@nscuro
Member

nscuro commented Oct 24, 2023

@rkg-mm No particular reason other than me overlooking it. I'll have a look in the coming days. Thanks for the ping.

@nscuro nscuro self-assigned this Oct 24, 2023
@rkg-mm
Contributor

rkg-mm commented Oct 24, 2023

@nscuro ok thanks, just wanted to make sure we didn't miss something :D

@nscuro nscuro added this to the 4.10 milestone Oct 26, 2023
@nscuro
Member

nscuro commented Nov 6, 2023

I think there is a caveat here:

The modified endpoint returns projects affected by a given vulnerability. It is possible that multiple components in a project are affected, but this implementation does not cover this case and will only ever yield a single component per project.

Few options I see:

  • We return the UUIDs of all affected components for a project. Clicking the button in the UI will then go on to highlight all of them in the graph.
  • We keep it at a single component per project, but clearly indicate that it's only one of potentially multiple. In this case, we need to make sure that it's deterministically the same component UUID when requesting the endpoint multiple times.

@rkg-mm
Contributor

rkg-mm commented Nov 6, 2023

@nscuro you are right. Which solution do you prefer?

@nscuro
Member

nscuro commented Nov 13, 2023

@rkg-mm I would love to see the former option, as the other can be confusing. But have not looked into how much effort it is to support this in the dependency graph view.

@rbt-mm
Contributor Author

rbt-mm commented Nov 14, 2023

@nscuro I think these are probably all the steps necessary to implement the new solution:

Backend

  • Return all the UUIDs of all affected components for a project in the Vulnerability API endpoint.
  • Modify the method to get the dependency graph of a component to accept an array of components instead of just a single component.
  • Modify the SQL statement to get the parent nodes of every component in the array.
    • This will create a new possible case where a searched UUID can also be the parentNode of another searched UUID. I don't think that this case will create problems, but a new test should probably be written to cover it.

Frontend

  • Clicking the Show in dependency graph button must redirect to a project's dependency graph and the URL must contain the UUID of every component affected by the Vulnerability.
    • The different UUIDs in the URL need to be separated by some kind of separator (e.g. /<projectUUID>/dependencyGraph/<componentUUID1>|<componentUUID2>)
    • The maximum length of a URL in the address bar is 2048 characters, so we shouldn't run into any problems here.
  • The code that sets the labels of the dependency graph nodes must be modified to check for every UUID in the URL so that every node that contains any of these UUIDs can be highlighted.
  • The current message, which is displayed when the UUID in the URL cannot be found in the dependency graph, only says Dependency could not be found in dependency graph. Maybe for multiple UUIDs in the URL, this needs to be changed to specify which of the UUIDs couldn't be found in the dependency graph.

I think this would probably need 1 or 2 days to implement, but unfortunately I currently cannot allocate my time to implement this myself.
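The multi-UUID highlighting laid out in the comment above, as an added example that is not part of this pull request or of Dependency-Track's own code: it parses the `<componentUUID1>|<componentUUID2>` path segment, walks the parent edges once for the whole array of searched components (which also covers the case where one searched UUID is the parent of another), and reports which UUIDs are absent from the graph so the not-found message can name them. The node and edge data are constructed sample values, and the function names are assumptions.

```javascript
// Added example, not Dependency-Track code: resolve the "<uuid1>|<uuid2>" URL
// segment against a project's dependency graph. All UUIDs/edges are constructed.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;
// Parse the path segment into a Set, dropping anything that is not a UUID.
function parseHighlightSegment(segment) {
  const uuids = new Set();
  for (const u of String(segment).toLowerCase().split('|')) {
    if (UUID_RE.test(u)) uuids.add(u);
  }
  return uuids;
}

// nodes: all component UUIDs of the project; edges: [child, parent] pairs.
// Returns every node on a path from a root to any target in one walk. The visited
// set makes a target that is also the parent of another target (or a cycle) safe.
function collectSubgraph(nodes, edges, targets) {
  const known = new Set(nodes);
  const parentsOf = new Map();
  for (const [child, parent] of edges) {
    if (!parentsOf.has(child)) parentsOf.set(child, []);
    parentsOf.get(child).push(parent);
  }
  const visited = new Set();
  const queue = [...targets].filter((t) => known.has(t));
  while (queue.length > 0) {
    const node = queue.shift();
    if (visited.has(node)) continue;
    visited.add(node);
    for (const parent of parentsOf.get(node) || []) queue.push(parent);
  }
  return visited;
}
// Split targets into highlighted (present in the rendered graph) and missing,
// so the "could not be found" message can name the exact UUIDs.
function highlightNodes(renderedUuids, targets) {
  const highlighted = [], missing = [];
  for (const t of targets) (renderedUuids.has(t) ? highlighted : missing).push(t);
  return { highlighted, missing };
}

// Constructed sample: A is the root; B and D depend on A; C depends on B.
const A = '11111111-1111-4111-8111-111111111111', B = '22222222-2222-4222-8222-222222222222';
const C = '33333333-3333-4333-8333-333333333333', D = '44444444-4444-4444-8444-444444444444';
const SAMPLE_NODES = [A, B, C, D], SAMPLE_EDGES = [[B, A], [C, B], [D, A]];

function demo(segment) {
  const targets = parseHighlightSegment(segment);
  const subgraph = collectSubgraph(SAMPLE_NODES, SAMPLE_EDGES, targets);
  return { subgraph: [...subgraph], ...highlightNodes(subgraph, targets) };
}
```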

@nscuro
Member

nscuro commented Nov 19, 2023

Thanks for those details @rbt-mm, very helpful! We also can't work on this within the 4.10 milestone, but should be able to in 4.11 if needed. I'm thus pushing this to 4.11.

@rkg-mm
Contributor

rkg-mm commented Dec 9, 2023

@nscuro I made the discussed improvements. I wasn't able to push on the original branch from @rbt-mm so I created a new PR which replaces this here: #3285

I also improved the performance of the tree by a lot and refactored some code to simplify it.

@nscuro nscuro merged commit d7cae8e into DependencyTrack:master Dec 10, 2023
9 checks passed
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 10, 2024
@nscuro nscuro added the enhancement New feature or request label Mar 5, 2024