Open rkg-mm opened 1 month ago
Seems like a rather simple thing to fix with an additional `null` / `undefined` check. Question is, how do we handle this?
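A sketch of what such a check could look like, added here as an example and not Dependency-Track's frontend or backend code. It walks a CycloneDX-style dependency graph against a component map, turns a `dependsOn` reference whose UUID is absent from the map into an explicitly flagged node instead of throwing, and separately lists the dangling references so an importer could log them. All UUIDs, component names and graph entries below are constructed, not taken from the reporter's SBOM.

```javascript
// Added example; not Dependency-Track's own code. Demonstrates tolerating a
// dependency-graph entry that points at a UUID with no matching component.

const APP = "11111111-1111-4111-8111-111111111111";
const OKHTTP = "22222222-2222-4222-8222-222222222222";
const OKIO = "33333333-3333-4333-8333-333333333333";
const MISSING = "44444444-4444-4444-8444-444444444444"; // referenced, never declared

// Constructed sample components (hypothetical names and versions).
const components = [
  { uuid: APP, name: "app", version: "1.0.0" },
  { uuid: OKHTTP, name: "okhttp", version: "4.12.0" },
  { uuid: OKIO, name: "okio", version: "3.9.0" },
];

// Shape mirrors CycloneDX "dependencies": one entry per component listing the
// refs it depends on. Here APP points at a UUID that no component declares.
const dependencyGraph = [
  { ref: APP, dependsOn: [OKHTTP, MISSING] },
  { ref: OKHTTP, dependsOn: [OKIO] },
  { ref: OKIO, dependsOn: [] },
];

function buildComponentMap(comps) {
  return new Map(comps.map((c) => [c.uuid, c]));
}

function buildAdjacency(graph) {
  const adj = new Map();
  for (const entry of graph) {
    adj.set(entry.ref, Array.isArray(entry.dependsOn) ? entry.dependsOn : []);
  }
  return adj;
}

// Importer-side check: every ref and every dependsOn target must resolve to a
// declared component. Returns the dangling edges so the caller can warn on them.
function findDanglingRefs(comps, graph) {
  const known = buildComponentMap(comps);
  const dangling = [];
  for (const entry of graph) {
    if (!known.has(entry.ref)) dangling.push({ from: null, to: entry.ref });
    for (const target of entry.dependsOn ?? []) {
      if (!known.has(target)) dangling.push({ from: entry.ref, to: target });
    }
  }
  return dangling;
}

// UI-side expansion: build a tree rooted at `uuid`. An unresolved UUID becomes
// a node with `broken: true` and a text label, so a renderer can mark it with
// more than colour alone. `path` guards against cycles in malformed graphs.
function expandNode(uuid, componentMap, adjacency, path = new Set()) {
  const component = componentMap.get(uuid);
  if (component === undefined) {
    return { uuid, name: "(unresolved reference)", version: null, broken: true, children: [] };
  }
  if (path.has(uuid)) {
    return { uuid, name: component.name, version: component.version, broken: false, cycle: true, children: [] };
  }
  const nextPath = new Set(path).add(uuid);
  const children = (adjacency.get(uuid) ?? []).map((child) =>
    expandNode(child, componentMap, adjacency, nextPath)
  );
  return { uuid, name: component.name, version: component.version, broken: false, children };
}

function buildTree(rootUuid, comps, graph) {
  return expandNode(rootUuid, buildComponentMap(comps), buildAdjacency(graph));
}

// Stand-alone run: warn about dangling edges, then print the tolerant expansion.
for (const edge of findDanglingRefs(components, dependencyGraph)) {
  console.warn(`dependency graph references undeclared component: ${edge.from} -> ${edge.to}`);
}
console.log(JSON.stringify(buildTree(APP, components, dependencyGraph), null, 2));
```

The flagged node carries a textual label in addition to the `broken` flag; how the UI renders it (highlight, icon, tooltip) is left to the caller. The dangling-reference list is the same information an importer would want when deciding whether to log a warning for a broken graph.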
I'm thinking displaying a red, or otherwise highlighted node, to point out this issue would be preferable over a simple warning popup.
Also, BOM Upload Processing V2 should log a warning when it encounters "broken" dependency graphs: https://github.com/DependencyTrack/dependency-track/blob/122039a5d1bee1156cdef93f5a2fc5f1015959bc/src/main/java/org/dependencytrack/tasks/BomUploadProcessingTaskV2.java#L657-L660. Would be interesting if it catches this specific issue.
> I'm thinking displaying a red, or otherwise highlighted node, to point out this issue would be preferable over a simple warning popup.

Probably best, with some mouseover information?

> Also, BOM Upload Processing V2 should log a warning when it encounters "broken" dependency graphs: https://github.com/DependencyTrack/dependency-track/blob/122039a5d1bee1156cdef93f5a2fc5f1015959bc/src/main/java/org/dependencytrack/tasks/BomUploadProcessingTaskV2.java#L657-L660. Would be interesting if it catches this specific issue.

Doesn't seem like it caught it:

```
2024-08-10 16:53:40,801 [] INFO [org.dependencytrack.tasks.BomUploadProcessingTaskV2] Consuming uploaded BOM [bomSerialNumber=faff1de0-ff24-4ae1-b3b3-8b384dcbd618, bomFormat=CycloneDX, bomUploadToken=f466963e-aee2-46e7-8c0d-89b89863844d, projectName=redacted, bomSpecVersion=1.5, projectUuid=9de39327-deb4-4904-a0a2-e0548c89b346, projectVersion=null, bomVersion=1]
2024-08-10 16:53:40,807 [] INFO [org.dependencytrack.tasks.BomUploadProcessingTaskV2] Consumed 183 components (183 before de-duplication), 0 services (0 before de-duplication), and 123 dependency graph entries [bomSerialNumber=faff1de0-ff24-4ae1-b3b3-8b384dcbd618, bomFormat=CycloneDX, bomUploadToken=f466963e-aee2-46e7-8c0d-89b89863844d, projectName=redacted, bomSpecVersion=1.5, projectUuid=9de39327-deb4-4904-a0a2-e0548c89b346, projectVersion=null, bomVersion=1]
2024-08-10 16:53:40,833 [] INFO [org.dependencytrack.tasks.BomUploadProcessingTaskV2] Processing 183 components [bomSerialNumber=faff1de0-ff24-4ae1-b3b3-8b384dcbd618, bomFormat=CycloneDX, bomUploadToken=f466963e-aee2-46e7-8c0d-89b89863844d, projectName=redacted, bomSpecVersion=1.5, projectUuid=9de39327-deb4-4904-a0a2-e0548c89b346, projectVersion=null, bomVersion=1]
2024-08-10 16:53:42,716 [] INFO [org.dependencytrack.tasks.BomUploadProcessingTaskV2] Processing 0 services [bomSerialNumber=faff1de0-ff24-4ae1-b3b3-8b384dcbd618, bomFormat=CycloneDX, bomUploadToken=f466963e-aee2-46e7-8c0d-89b89863844d, projectName=redacted, bomSpecVersion=1.5, projectUuid=9de39327-deb4-4904-a0a2-e0548c89b346, projectVersion=null, bomVersion=1]
2024-08-10 16:53:42,719 [] INFO [org.dependencytrack.tasks.BomUploadProcessingTaskV2] Processing 123 dependency graph entries [bomSerialNumber=faff1de0-ff24-4ae1-b3b3-8b384dcbd618, bomFormat=CycloneDX, bomUploadToken=f466963e-aee2-46e7-8c0d-89b89863844d, projectName=redacted, bomSpecVersion=1.5, projectUuid=9de39327-deb4-4904-a0a2-e0548c89b346, projectVersion=null, bomVersion=1]
2024-08-10 16:53:42,987 [] INFO [org.dependencytrack.tasks.BomUploadProcessingTaskV2] BOM processed successfully in 00:00:02.208 [bomSerialNumber=faff1de0-ff24-4ae1-b3b3-8b384dcbd618, bomFormat=CycloneDX, bomUploadToken=f466963e-aee2-46e7-8c0d-89b89863844d, projectName=redacted, bomSpecVersion=1.5, projectUuid=9de39327-deb4-4904-a0a2-e0548c89b346, projectVersion=null, bomVersion=1]
2024-08-10 16:53:42,992 [] INFO [org.dependencytrack.tasks.repositories.RepositoryMetaAnalyzerTask] Performing component repository metadata analysis against 183 components
2024-08-10 16:53:44,474 [] INFO [org.dependencytrack.tasks.scanners.InternalAnalysisTask] Starting internal analysis task
```
> I'm thinking displaying a red, or otherwise highlighted node, to point out this issue would be preferable over a simple warning popup.
I do not think that colour should be used (or, not colour alone) as Dependency-Track has a requirement to be accessible.
Is the way that we use mouseover in DT compatible with accessibility requirements?
Current Behavior
I have a project which seems to break the frontend graph. Can't share the SBOM unfortunately, but maybe we can identify the failure anyway or at least add some error handling to that place.
The map "a" here doesn't contain the UUID of the component that is being looked up in it, resulting in A being undefined in the next line.
It's an SBOM produced by cdxgen from a complex android app using gradle.
Steps to Reproduce
Expected Behavior
Should expand the graph.
Dependency-Track Frontend Version
4.11.4
Browser
Mozilla Firefox
Browser Version
No response
Operating System
Windows
Checklist