search

DependencyTrack / frontend

Frontend UI for Dependency-Track
https://dependencytrack.org/
Apache License 2.0
99 stars 147 forks source link

Affected projects tab not updated when switching between aliases #481

Open valentijnscholten opened 1 year ago

valentijnscholten commented 1 year ago

Current Behavior

When viewing a vulnerability, it shows the number of affected projects in the header of that tab. When switching to an alias the screen gets updated with the data from the alias, but the affected project tab does not get updated. The affected number of projects is/will probably be wrong in this case.

Steps to Reproduce

  1. Go to a vulnerability that has some affected projects and at least one alias, i.e. https://dt/vulnerabilities/NVD/CVE-2023-29197
  2. Observe affected project count = X
  3. Click on an alias
  4. Observe affected project count is still X
  5. Press F5
  6. Observe affected project count is (usually) Y

Expected Behavior

The affected projects tab should be updated when switching between aliases. I can see in the Bootstrap code this tab is "hardcodedly injected" and not tied to any bootstrap lifecycle or events.

Dependency-Track Frontend Version

4.8.0

Browser

Google Chrome

Browser Version

No response

Operating System

Windows

Checklist

valentijnscholten commented 1 year ago

@sephiroth-j Are you willing to help out on this one? As a complete Vue newb I thought a quick google search would help me out here. But none of those results are working. Possibly because how the component is embedded in the template, I don't know. I also tried an event, but realized Vue is (supposed to be?) around 'properties down, events up`.

sephiroth-j commented 1 year ago

I can take a look but it would help a lot if you can share a sbom with a suitable sample project (one that has a vulnerability with an alias).

valentijnscholten commented 1 year ago

Hree's two SBOMs. One affected by CVE-2023-29197 and GHSA-wxmh-65f7-jcvw, the other only by GHSA-wxmh-65f7-jcvw. Had to zip them as GitHub doesn't like json files. affected projects.zip

sephiroth-j commented 1 year ago

I just wanted to report back that I found the error and fixed it. In the process I found other errors in the tab handling and also in the backend. I will report back later.

sephiroth-j commented 1 year ago

As mentioned in my previous comment, there are several issues.

  1. that the table is not updated is because the AffectedProjects component does not respond to changes in routing and the URL for the backend query is not updated.

  2. it also turned out that the backend does not return affected projects for aliases. When we ship the fix for this, it will be even more noticeable! One of the sample projects is affected by CVE-2023-29197. The backend provides the expected response for this.

http://localhost:8080/api/v1/vulnerability/source/NVD/vuln/CVE-2023-29197/projects?searchText=

[{"name":"issue-481","version":"2","classifier":"APPLICATION","directDependencies":"[{\"name\":\"installers\",\"purl\":\"pkg:composer/composer/installers@1.12.0\",\"uuid\":\"7f7b2116-dc9f-4d06-abaf-74f0e72d7918\",\"version\":\"1.12.0\",\"group\":\"composer\",\"purlCoordinates\":\"pkg:composer/composer/installers@1.12.0\",\"objectType\":\"COMPONENT\"},{\"name\":\"shopware-sentry\",\"purl\":\"pkg:composer/onedrop/shopware-sentry@2.0.5\",\"uuid\":\"3267e769-292b-48e5-b8fb-05a332d37fdd\",\"version\":\"2.0.5\",\"group\":\"onedrop\",\"purlCoordinates\":\"pkg:composer/onedrop/shopware-sentry@2.0.5\",\"objectType\":\"COMPONENT\"},{\"name\":\"shopware\",\"purl\":\"pkg:composer/shopware/shopware@5.7.6\",\"uuid\":\"7b2abf7d-3671-4f3e-a1df-80e06ed5cbdd\",\"version\":\"5.7.6\",\"group\":\"shopware\",\"purlCoordinates\":\"pkg:composer/shopware/shopware@5.7.6\",\"objectType\":\"COMPONENT\"},{\"name\":\"ontiussimplesearch\",\"purl\":\"pkg:composer/store.shopware.com/ontiussimplesearch@4.1.59\",\"uuid\":\"6d105fd9-fb29-4fdd-bb19-5a76f80fc9d1\",\"version\":\"4.1.59\",\"group\":\"store.shopware.com\",\"purlCoordinates\":\"pkg:composer/store.shopware.com/ontiussimplesearch@4.1.59\",\"objectType\":\"COMPONENT\"},{\"name\":\"phpdotenv\",\"purl\":\"pkg:composer/vlucas/phpdotenv@3.6.10\",\"uuid\":\"85b91a80-f306-407d-9548-7fd8c9cd1cc3\",\"version\":\"3.6.10\",\"group\":\"vlucas\",\"purlCoordinates\":\"pkg:composer/vlucas/phpdotenv@3.6.10\",\"objectType\":\"COMPONENT\"},{\"name\":\"wbm-tag-manager\",\"purl\":\"pkg:composer/webmatch/wbm-tag-manager@3.5.6\",\"uuid\":\"2ba6330d-d718-42fb-b62f-f35b2af00dc8\",\"version\":\"3.5.6\",\"group\":\"webmatch\",\"purlCoordinates\":\"pkg:composer/webmatch/wbm-tag-manager@3.5.6\",\"objectType\":\"COMPONENT\"},{\"name\":\"composer-git-hooks-standard\",\"purl\":\"pkg:composer/redacted/composer-git-hooks-standard@2.1.0?checksum=sha1%3A858ad6c5329ba062233514352c336311bf92ddbc\",\"uuid\":\"63f6fc8a-eebd-4e45-b776-d91809bad9ba\",\"version\":\"2.1.0\",\"group\":\"redacted\",\"purlCoordinates\":\"pkg:composer/redacted/composer-git-hooks-standard@2.1.0\",\"objectType\":\"COMPONENT\"},{\"name\":\"php-code-sniffer-baseliner\",\"purl\":\"pkg:composer/redacted/php-code-sniffer-baseliner@2.1.1\",\"uuid\":\"6735ff10-bc44-4178-8819-047cbb145fcb\",\"version\":\"2.1.1\",\"group\":\"redacted\",\"purlCoordinates\":\"pkg:composer/redacted/php-code-sniffer-baseliner@2.1.1\",\"objectType\":\"COMPONENT\"},{\"name\":\"php-code-sniffer-standard\",\"purl\":\"pkg:composer/redacted/php-code-sniffer-standard@19.0.0\",\"uuid\":\"3e3dcd03-f48f-4c49-bc3c-f3fab0f486a2\",\"version\":\"19.0.0\",\"group\":\"redacted\",\"purlCoordinates\":\"pkg:composer/redacted/php-code-sniffer-standard@19.0.0\",\"objectType\":\"COMPONENT\"},{\"name\":\"extension-installer\",\"purl\":\"pkg:composer/phpstan/extension-installer@1.1.0\",\"uuid\":\"0d9d75dd-cacc-4948-af03-3f6edbb41f8b\",\"version\":\"1.1.0\",\"group\":\"phpstan\",\"purlCoordinates\":\"pkg:composer/phpstan/extension-installer@1.1.0\",\"objectType\":\"COMPONENT\"},{\"name\":\"phpstan\",\"purl\":\"pkg:composer/phpstan/phpstan@1.5.7\",\"uuid\":\"857c7d42-47e9-43ca-a8f0-0907b369e20f\",\"version\":\"1.5.7\",\"group\":\"phpstan\",\"purlCoordinates\":\"pkg:composer/phpstan/phpstan@1.5.7\",\"objectType\":\"COMPONENT\"},{\"name\":\"phpstan-strict-rules\",\"purl\":\"pkg:composer/phpstan/phpstan-strict-rules@1.1.0\",\"uuid\":\"3b12c708-41d3-4733-ae8e-e23734f9214a\",\"version\":\"1.1.0\",\"group\":\"phpstan\",\"purlCoordinates\":\"pkg:composer/phpstan/phpstan-strict-rules@1.1.0\",\"objectType\":\"COMPONENT\"}]","uuid":"66f62111-c0c2-4dcb-82cf-c80f30894770","properties":[],"tags":[],"lastBomImport":1685297363288,"lastBomImportFormat":"CycloneDX 1.4","lastInheritedRiskScore":35.0,"active":true}]

The alias for this is GHSA-wxmh-65f7-jcvw. However, the response to this is an empty array.

http://localhost:8080/api/v1/vulnerability/source/GITHUB/vuln/GHSA-wxmh-65f7-jcvw/projects?searchText=

[]

  1. the tab name was extracted from the URL via regex - this is a little smelly. Optional path parameters should be used instead.

  2. the component contained logic to catch unknown tab names. This is better off in the router configuration

  3. activation of tabs also caused a Vue warning

Avoid mutating a prop directly since the value will be overwritten whenever the parent component re-renders. Instead, use a data or computed property based on the prop's value. Prop being mutated: "active"

I have fixed the first problem and the tab handling issues on the Vulnerability component as an example, but would create a separate PR for the others.

sephiroth-j commented 1 year ago

filed DependencyTrack/dependency-track/issues/2794 for the backend issue