DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Queue tokens for single component checks #1543

Open alexgadai opened 2 years ago

alexgadai commented 2 years ago

Current Behavior:

(1) The PUT /v1/component/project/{uuid} method does not give you a token to know whether the component is being processed or not.

(2) The GET /v1/vulnerability/component/{uuid} method returns code 200 + empty body in both cases:
a. the component has no vulnerabilities
b. the component is in the queue or being processed (and may have vulnerabilities when processing is finished)

Proposed Behavior:

Either (1) should return token (similar to PUT /v1/bom) or (2) should return processing status in response body.

Use case:

We would like to use Dependency-Track for single component checks via API to implement our OSA Firewall functionality, but it is not possible now due to the lack of a processing token. We cannot make sure that a component has no vulnerabilities because it may be in the processing queue.

Test:

To test this issue, try to upload some big SBOM like this https://github.com/CycloneDX/bom-examples/tree/master/SBOM/protonmail-webclient-v4-0912dff and send requests (1) and (2) immediately after that. Try (2) again later (in 30 seconds or so) and see that the response is different.
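The race described in this report, shown in code, as an added example that is not part of the issue or of the Dependency-Track code base: a client that treats the first 200 + empty body as "no vulnerabilities" passes a component whose analysis has not finished, while a client that first polls the upload's processing token does not. The example assumes (none of this is stated in the issue) that the server is reached under /api/v1 with an X-Api-Key header, that PUT /api/v1/bom answers {"token": "..."} and that GET /api/v1/bom/token/{token} answers {"processing": true|false}; the FakeServer, the component uuid and the findings are constructed for the example and model the queueing behaviour the reporter observed.

```python
"""Gating a single-component check on the upload's processing token.

Added example, not project code. Assumed, not stated in the issue:
base path /api/v1, X-Api-Key header, PUT /api/v1/bom -> {"token": ...},
GET /api/v1/bom/token/{token} -> {"processing": bool}. FakeServer and all
sample data below are constructed for the example.
"""
import base64
import json
import time
from typing import Callable, Dict, List, Tuple

# (method, path, headers, body) -> (status, decoded JSON body)
Transport = Callable[[str, str, Dict[str, str], bytes], Tuple[int, object]]


class FakeServer:
    """Constructed stand-in for the REST API. Each upload stays in the
    processing queue for `queue_polls` status polls; vulnerability lookups
    return an empty list until then, which is the ambiguous response the
    issue complains about."""

    def __init__(self, findings: Dict[str, List[dict]], queue_polls: int) -> None:
        self.findings = findings            # component uuid -> findings
        self.queue_polls = queue_polls
        self.polls_left: Dict[str, int] = {}  # token -> polls until done

    def __call__(self, method: str, path: str, headers: Dict[str, str], body: bytes):
        if headers.get("X-Api-Key") != "example-key":
            return 401, {}
        if method == "PUT" and path == "/api/v1/bom":
            token = f"token-{len(self.polls_left) + 1}"
            self.polls_left[token] = self.queue_polls
            return 200, {"token": token}
        if method == "GET" and path.startswith("/api/v1/bom/token/"):
            token = path.rsplit("/", 1)[1]
            if token not in self.polls_left:
                return 404, {}
            left = self.polls_left[token]
            self.polls_left[token] = max(0, left - 1)
            return 200, {"processing": left > 0}
        if method == "GET" and path.startswith("/api/v1/vulnerability/component/"):
            uuid = path.rsplit("/", 1)[1]
            if any(left > 0 for left in self.polls_left.values()):
                return 200, []              # still analysing: empty, not "clean"
            return 200, self.findings.get(uuid, [])
        return 404, {}


class DTClient:
    """Minimal client whose "is this component clean?" answer is only
    trusted after the upload's processing token reports completion."""

    def __init__(self, transport: Transport, api_key: str,
                 poll_interval: float = 1.0, timeout: float = 120.0) -> None:
        self.transport = transport
        self.headers = {"X-Api-Key": api_key, "Content-Type": "application/json"}
        self.poll_interval = poll_interval
        self.timeout = timeout

    def _get(self, path: str):
        status, body = self.transport("GET", path, self.headers, b"")
        if status != 200:
            raise RuntimeError(f"GET {path} -> HTTP {status}")
        return body

    def upload_bom(self, project_uuid: str, bom: dict) -> str:
        # Assumed request shape: project uuid plus base64-encoded BOM.
        payload = json.dumps({"project": project_uuid,
                              "bom": base64.b64encode(json.dumps(bom).encode()).decode()}).encode()
        status, body = self.transport("PUT", "/api/v1/bom", self.headers, payload)
        if status != 200:
            raise RuntimeError(f"PUT /api/v1/bom -> HTTP {status}")
        return body["token"]

    def wait_until_processed(self, token: str) -> None:
        """Poll the token until the server says processing is finished;
        fail loudly instead of silently treating a stuck queue as clean."""
        deadline = time.monotonic() + self.timeout
        while self._get(f"/api/v1/bom/token/{token}")["processing"]:
            if time.monotonic() > deadline:
                raise TimeoutError(f"{token} still processing after {self.timeout}s")
            time.sleep(self.poll_interval)

    def component_findings(self, component_uuid: str) -> List[dict]:
        return self._get(f"/api/v1/vulnerability/component/{component_uuid}")


def naive_gate(server: Transport, component_uuid: str, bom: dict) -> bool:
    """What the issue warns against: trust the first empty body."""
    client = DTClient(server, "example-key", poll_interval=0.0)
    client.upload_bom("project-1", bom)
    return client.component_findings(component_uuid) == []


def token_gate(server: Transport, component_uuid: str, bom: dict) -> bool:
    """Same check, but only after the processing token is done."""
    client = DTClient(server, "example-key", poll_interval=0.0)
    token = client.upload_bom("project-1", bom)
    client.wait_until_processed(token)
    return client.component_findings(component_uuid) == []


def demo() -> Tuple[bool, bool]:
    findings = {"comp-1": [{"vulnId": "CONSTRUCTED-0001", "severity": "HIGH"}]}
    bom = {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": []}
    naive = naive_gate(FakeServer(findings, queue_polls=2), "comp-1", bom)
    gated = token_gate(FakeServer(findings, queue_polls=2), "comp-1", bom)
    return naive, gated   # (True, False): naive check wrongly passes the component


if __name__ == "__main__":
    print(demo())
```

The point of the two gate functions is that the only thing separating a wrong "clean" verdict from a correct one is whether the caller had a token to wait on; for the component-level endpoints in the issue there is no token to poll, so a firewall built on them cannot distinguish case a from case b at all.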

syalioune commented 1 year ago

Use case seems to indicate that it is a duplicate of #374

msymons commented 1 year ago

Not really a dupe of #374 as this is about tracked components, not non-tracked.

Adding to milestone!

nscuro commented 1 year ago

The mentioned API endpoints already have access to the processing tokens, it's just a matter of returning them in the response. Should be a straightforward implementation.

alexgadai commented 4 weeks ago

Hello guys @nscuro @msymons Any chance this gets a new milestone?