DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

API /api/v1/analysis - PUT call does not populate analysisDetails #3470

Open ArtWachowski opened 7 months ago

ArtWachowski commented 7 months ago

Current Behavior

I noticed that analysisDetails text is delivered as expected and populated in Details box but it is not actually "pushed" to the Audit Trail.

Steps to Reproduce

  1. Create API call

     curl -k -X PUT "$BASE_URL" \
       -H "Content-Type: application/json" \
       -H "X-Api-Key: $API_KEY" \
       -d "{ \"project\": \"$PROJECT_ID\", \"component\": \"$COMPONENT_ID\", \"vulnerability\": \"$VUUID\", \"analysisState\": \"EXPLOITABLE\", \"analysisResponse\": \"NOT_SET\", \"analysisDetails\": \"MY TEXT HERE\", \"isSuppressed\": false }"

  2. Access WebUI
  3. Investigate Audit Trail section // observe Details section

Expected Behavior

Audit Trail should have a full record from the API transaction. AnalysisState works as expected; AnalysisDetails does not.

14 Feb 2024 at 12:15:16 Analysis: NOT_SET → EXPLOITABLE

14 Feb 2024 at 12:15:16 Details: MY TEXT HERE


Dependency-Track Version

4.9.x

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome


surajbora59 commented 7 months ago

@nscuro, currently there is a details column in the Analysis table.


The changes will involve creating a new table for details, which will store the analysis ID, details text, and timestamp, for the details below.

14 Feb 2024 at 12:15:16 Details: MY TEXT HERE

P.S. I'm not sure if Frontend is handled for this. If not, this will need to be handled separately. It will involve maintaining backward compatibility, which can be done by ensuring that analysisDetails is present in the response. Additionally, we can introduce a new object that will contain all the new required details.

nscuro commented 7 months ago

@surajbora59 This shouldn't require a new table at all.

As you found out, the details information is already persisted; it's just that the audit trail is not properly populated.

This appears to be caused by this code:

https://github.com/DependencyTrack/dependency-track/blob/91afc7d9350227d454124b22caa861c7d02dadc8/src/main/java/org/dependencytrack/resources/v1/AnalysisResource.java#L159-L171

If no Analysis existed previously, only one comment is created. Whereas if one existed already, a comment is made for each changed field. This logic needs to be adjusted such that even in the former case, each provided field gets its own entry.
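A small Python model of the audit-trail logic described above, added here as an illustration and not taken from Dependency-Track's code: `apply` replays the PUT body from the reproduction steps against a missing or existing analysis, with `buggy=True` mimicking the reported behaviour and `buggy=False` the adjusted logic. The `Analysis` class, the `Response:`/`Suppressed:` comment formats and the field defaults are assumptions.

```python
# Added example: a model of the audit-trail logic discussed in this issue.
# NOT Dependency-Track's code; class, defaults and the "Response:" and
# "Suppressed:" comment formats are assumptions made for illustration.
from dataclasses import dataclass, field


@dataclass
class Analysis:
    state: str = "NOT_SET"
    response: str = "NOT_SET"
    details: str = ""
    suppressed: bool = False
    comments: list = field(default_factory=list)  # the audit trail


# PUT body key -> (model attribute, label used in the audit-trail comment)
FIELDS = [
    ("analysisState", "state", "Analysis"),
    ("analysisResponse", "response", "Response"),
    ("analysisDetails", "details", "Details"),
    ("isSuppressed", "suppressed", "Suppressed"),
]

# Constructed request, mirroring the curl body in the reproduction steps.
REQUEST = {
    "analysisState": "EXPLOITABLE",
    "analysisResponse": "NOT_SET",
    "analysisDetails": "MY TEXT HERE",
    "isSuppressed": False,
}


def _comment(label, old, new):
    # Details are logged as plain text, every other field as a transition.
    return f"{label}: {new}" if label == "Details" else f"{label}: {old} → {new}"


def apply(existing, request, buggy):
    """Apply a PUT /api/v1/analysis body; return the resulting Analysis.

    buggy=True: a newly created analysis only records the state change.
    buggy=False: every provided field gets its own entry on creation, and
    every changed field gets one on update.
    """
    created = existing is None
    a = existing if existing is not None else Analysis()
    for key, attr, label in FIELDS:
        if key not in request:
            continue
        old, new = getattr(a, attr), request[key]
        if created and buggy and attr != "state":
            setattr(a, attr, new)  # persisted, but no audit entry (the bug)
            continue
        if created or old != new:
            a.comments.append(_comment(label, old, new))
        setattr(a, attr, new)
    return a
```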