DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

🚧 WIP: Add Project Tags To Findings #3797

Open aravindparappil46 opened 4 months ago

aravindparappil46 commented 4 months ago

⚠️ NOTE: This is a Draft PR. Need help figuring out how to filter Findings by tags

Description

In order to display tags in the vulnerability audit page, added tags to the response of /findings API.

Addressed Issue

Partially addresses frontend issue: https://github.com/DependencyTrack/frontend/issues/849

Additional Details

Right now, this PR just adds the tags to the /finding API response (used by the Vulnerability Audit page to display it)

Help Needed

Need some help figuring out how to filter Finding by tags 🤔

I understand that filtering is currently done in FindingsSearchQueryManager.processFilters(), but unsure how to edit the SQL query to be able to filter by project tags.

I see that Tag is a child table of Parent, so guessing we need some LEFT JOIN magic in Finding.QUERY_ALL_FINDINGS 🪄 🧠

Checklist

codacy-production[bot] commented 4 months ago

Coverage summary from Codacy

See diff coverage on Codacy

| Coverage variation | Diff coverage |
| ------------- | ------------- |
| :white_check_mark: +0.00% (target: -1.00%) | :white_check_mark: 100.00% (target: 70.00%) |
Coverage variation details

| | Coverable lines | Covered lines | Coverage |
| ------------- | ------------- | ------------- | ------------- |
| Common ancestor commit (f785fc5998ebc43ec18810ae04c33f11a59967e9) | 21708 | 16478 | 75.91% |
| Head commit (40eddd4ec5e772559ce4adb198b936e22dc67e37) | 21711 (+3) | 16481 (+3) | 75.91% (**+0.00%**) |

**Coverage variation** is the difference between the coverage for the head and common ancestor commits of the pull request branch: ` - `
Diff coverage details

| | Coverable lines | Covered lines | Diff coverage |
| ------------- | ------------- | ------------- | ------------- |
| Pull request (#3797) | 3 | 3 | **100.00%** |

**Diff coverage** is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: `/ * 100%`


nscuro commented 4 months ago

> Need some help figuring out how to filter Finding by tags 🤔
>
> I understand that filtering is currently done in FindingsSearchQueryManager.processFilters(), but unsure how to edit the SQL query to be able to filter by project tags.
>
> I see that Tag is a child table of Parent, so guessing we need some LEFT JOIN magic in Finding.QUERY_ALL_FINDINGS 🪄 🧠

I would advise against LEFT JOINs for 1:N relationships like the Project <-> Tag one, since it will cause duplicate rows for each tag.

This should be solvable with a simple EXISTS subquery, for example:

EXISTS (
  SELECT 1
    FROM "TAG"
   INNER JOIN "PROJECTS_TAGS"
      ON "PROJECTS_TAGS"."TAG_ID" = "TAG"."ID"
   WHERE "PROJECTS_TAGS"."PROJECT_ID" = "PROJECT"."ID"
     AND "TAG"."NAME" = 'foo'
)

Similar to how it's done for the portfolio ACL check:

https://github.com/DependencyTrack/dependency-track/blob/f785fc5998ebc43ec18810ae04c33f11a59967e9/src/main/java/org/dependencytrack/persistence/FindingsSearchQueryManager.java#L351-L378
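To make the duplicate-row point concrete, here is an added example (not code from this PR or from Dependency-Track) that runs both shapes of the tag filter against a constructed SQLite schema. The TAG, PROJECTS_TAGS and PROJECT table names follow the thread; the flat FINDING table and all row values are assumptions for illustration only.

```python
import sqlite3

# Constructed schema: table names follow the thread, the flat FINDING table is a stand-in.
SCHEMA = """
CREATE TABLE "PROJECT" ("ID" INTEGER PRIMARY KEY, "NAME" TEXT);
CREATE TABLE "TAG" ("ID" INTEGER PRIMARY KEY, "NAME" TEXT);
CREATE TABLE "PROJECTS_TAGS" ("PROJECT_ID" INTEGER, "TAG_ID" INTEGER);
CREATE TABLE "FINDING" ("ID" INTEGER PRIMARY KEY, "PROJECT_ID" INTEGER, "VULN" TEXT);
"""

# Constructed sample data: project 1 carries three tags, project 2 carries one.
SAMPLE = """
INSERT INTO "PROJECT" VALUES (1, 'billing'), (2, 'frontend');
INSERT INTO "TAG" VALUES (1, 'java'), (2, 'prod'), (3, 'pci');
INSERT INTO "PROJECTS_TAGS" VALUES (1, 1), (1, 2), (1, 3), (2, 1);
INSERT INTO "FINDING" VALUES (10, 1, 'VULN-A'), (11, 1, 'VULN-B'), (12, 2, 'VULN-C');
"""

# LEFT JOIN shape: one row per (finding, matching tag) pair, so findings repeat
# as soon as a project matches more than one of the requested tags.
LEFT_JOIN_QUERY = """
SELECT "FINDING"."ID" FROM "FINDING"
  JOIN "PROJECT" ON "PROJECT"."ID" = "FINDING"."PROJECT_ID"
  LEFT JOIN "PROJECTS_TAGS" ON "PROJECTS_TAGS"."PROJECT_ID" = "PROJECT"."ID"
  LEFT JOIN "TAG" ON "TAG"."ID" = "PROJECTS_TAGS"."TAG_ID"
 WHERE "TAG"."NAME" IN ({placeholders})
 ORDER BY "FINDING"."ID"
"""

# EXISTS shape (the one suggested above): exactly one row per finding.
EXISTS_QUERY = """
SELECT "FINDING"."ID" FROM "FINDING"
  JOIN "PROJECT" ON "PROJECT"."ID" = "FINDING"."PROJECT_ID"
 WHERE EXISTS (
        SELECT 1 FROM "TAG"
         INNER JOIN "PROJECTS_TAGS" ON "PROJECTS_TAGS"."TAG_ID" = "TAG"."ID"
         WHERE "PROJECTS_TAGS"."PROJECT_ID" = "PROJECT"."ID"
           AND "TAG"."NAME" IN ({placeholders}))
 ORDER BY "FINDING"."ID"
"""

def finding_ids(query: str, tags: tuple[str, ...]) -> list[int]:
    """Run `query` filtered by any of `tags` on a fresh in-memory DB; return finding IDs."""
    sql = query.format(placeholders=",".join("?" * len(tags)))  # one bound param per tag
    con = sqlite3.connect(":memory:")
    try:
        con.executescript(SCHEMA + SAMPLE)
        return [row[0] for row in con.execute(sql, tags)]
    finally:
        con.close()
```

Filtering on two tags that project 1 both carries returns findings 10 and 11 twice with the LEFT JOIN shape but once with EXISTS.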

valentijnscholten commented 3 months ago

There are also users that use the parent construct to create a hierarchy of projects. How would that be handled? Might be a lot easier if tags can be set on findings and filter on those. The risk is that you get a LOT of tag-finding relationship entries if you have lots of findings with tag java, for example.

nscuro commented 3 months ago

> @valentijnscholten There's also users that use the parent construct to create a hierarchy of projects. How would that be handled?

Good question. How would you expect it to be handled? At the moment there's not a lot of "inheritance" logic for the parent-child construct.