DependencyTrack / frontend

Frontend UI for Dependency-Track
https://dependencytrack.org/
Apache License 2.0

Expanding graph node: "A is undefined" #966

Open rkg-mm opened 1 month ago

rkg-mm commented 1 month ago

Current Behavior

I have a project which seems to break the frontend graph. Can't share the SBOM unfortunately, but maybe we can identify the failure anyway or at least add some error handling to that place.

The map "a" here doesn't contain the UUID of the component that is being read from it, resulting in A being undefined in the next line.

[image]

It's an SBOM produced by cdxgen from a complex android app using gradle.

Steps to Reproduce

  1. Open a specific project with unknown triggering conditions
  2. Open Graph, root + 1st level shows fine
  3. Expand any 2nd level by clicking "+"
  4. The wait mouse cursor on that "+" never goes away, the graph doesn't open, and the error shown above appears in the console.

Expected Behavior

Should expand the graph.

Dependency-Track Frontend Version

4.11.4

Browser

Mozilla Firefox

Browser Version

No response

Operating System

Windows


rkg-mm commented 1 month ago

Should be this code line: https://github.com/DependencyTrack/frontend/blob/0eb71ebf0f07bfb5462b7f832e98d6ea567244c8/src/views/portfolio/projects/ProjectDependencyGraph.vue#L500

nscuro commented 1 month ago

Seems like a rather simple thing to fix with an additional null / undefined check. Question is, how do we handle this?

I'm thinking displaying a red, or otherwise highlighted node, to point out this issue would be preferable over a simple warning popup.

Also, BOM Upload Processing V2 should log a warning when it encounters "broken" dependency graphs: https://github.com/DependencyTrack/dependency-track/blob/122039a5d1bee1156cdef93f5a2fc5f1015959bc/src/main/java/org/dependencytrack/tasks/BomUploadProcessingTaskV2.java#L657-L660. Would be interesting if it catches this specific issue.
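An added illustration (not Dependency-Track code) of the two checks nscuro describes: a backend-style validation that reports dangling dependency references instead of storing them silently, and a frontend expand step that returns a flagged placeholder node instead of dereferencing undefined. The component refs, names and map shapes are constructed assumptions.

```javascript
// Added example, not Dependency-Track code. Models a CycloneDX-style
// dependency graph as {ref -> [dependsOn refs]} plus a component map
// {ref -> component}, both constructed here for illustration.

// Constructed sample: "c3" is referenced by "c1" but never declared.
const components = {
  c1: { uuid: "c1", name: "app" },
  c2: { uuid: "c2", name: "okhttp" },
};
const dependencies = {
  c1: ["c2", "c3"],
  c2: [],
};

// (1) Validation: every ref used as a parent or child in the dependency
// graph must exist as a component. Returns the broken edges so the
// caller can log a warning per edge rather than failing the whole BOM.
function findDanglingRefs(components, dependencies) {
  const dangling = [];
  for (const [parent, children] of Object.entries(dependencies)) {
    if (!(parent in components)) dangling.push({ parent: null, ref: parent });
    for (const ref of children) {
      if (!(ref in components)) dangling.push({ parent, ref });
    }
  }
  return dangling;
}

// (2) Expansion: build child nodes for a parent. Unknown refs become
// placeholder nodes flagged with missing=true and a human-readable note,
// so the UI can highlight them (and expose the note without relying on
// colour alone) instead of crashing on an undefined lookup.
function expandNode(parentUuid, components, dependencies) {
  const children = dependencies[parentUuid] ?? [];
  return children.map((ref) => {
    const component = components[ref];
    if (component === undefined) {
      return {
        uuid: ref,
        name: ref,
        missing: true,
        note: `Component ${ref} is referenced by ${parentUuid} but is not part of this project`,
      };
    }
    return { uuid: component.uuid, name: component.name, missing: false };
  });
}
```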

rkg-mm commented 1 month ago

> I'm thinking displaying a red, or otherwise highlighted node, to point out this issue would be preferable over a simple warning popup.

Probably best, with some mouseover information?

> Also, BOM Upload Processing V2 should log a warning when it encounters "broken" dependency graphs: https://github.com/DependencyTrack/dependency-track/blob/122039a5d1bee1156cdef93f5a2fc5f1015959bc/src/main/java/org/dependencytrack/tasks/BomUploadProcessingTaskV2.java#L657-L660. Would be interesting if it catches this specific issue.

Doesn't seem like it caught it:

2024-08-10 16:53:40,801 [] INFO [org.dependencytrack.tasks.BomUploadProcessingTaskV2] Consuming uploaded BOM [bomSerialNumber=faff1de0-ff24-4ae1-b3b3-8b384dcbd618, bomFormat=CycloneDX, bomUploadToken=f466963e-aee2-46e7-8c0d-89b89863844d, projectName=redacted, bomSpecVersion=1.5, projectUuid=9de39327-deb4-4904-a0a2-e0548c89b346, projectVersion=null, bomVersion=1]
2024-08-10 16:53:40,807 [] INFO [org.dependencytrack.tasks.BomUploadProcessingTaskV2] Consumed 183 components (183 before de-duplication), 0 services (0 before de-duplication), and 123 dependency graph entries [bomSerialNumber=faff1de0-ff24-4ae1-b3b3-8b384dcbd618, bomFormat=CycloneDX, bomUploadToken=f466963e-aee2-46e7-8c0d-89b89863844d, projectName=redacted, bomSpecVersion=1.5, projectUuid=9de39327-deb4-4904-a0a2-e0548c89b346, projectVersion=null, bomVersion=1]
2024-08-10 16:53:40,833 [] INFO [org.dependencytrack.tasks.BomUploadProcessingTaskV2] Processing 183 components [bomSerialNumber=faff1de0-ff24-4ae1-b3b3-8b384dcbd618, bomFormat=CycloneDX, bomUploadToken=f466963e-aee2-46e7-8c0d-89b89863844d, projectName=redacted, bomSpecVersion=1.5, projectUuid=9de39327-deb4-4904-a0a2-e0548c89b346, projectVersion=null, bomVersion=1]
2024-08-10 16:53:42,716 [] INFO [org.dependencytrack.tasks.BomUploadProcessingTaskV2] Processing 0 services [bomSerialNumber=faff1de0-ff24-4ae1-b3b3-8b384dcbd618, bomFormat=CycloneDX, bomUploadToken=f466963e-aee2-46e7-8c0d-89b89863844d, projectName=redacted, bomSpecVersion=1.5, projectUuid=9de39327-deb4-4904-a0a2-e0548c89b346, projectVersion=null, bomVersion=1]
2024-08-10 16:53:42,719 [] INFO [org.dependencytrack.tasks.BomUploadProcessingTaskV2] Processing 123 dependency graph entries [bomSerialNumber=faff1de0-ff24-4ae1-b3b3-8b384dcbd618, bomFormat=CycloneDX, bomUploadToken=f466963e-aee2-46e7-8c0d-89b89863844d, projectName=redacted, bomSpecVersion=1.5, projectUuid=9de39327-deb4-4904-a0a2-e0548c89b346, projectVersion=null, bomVersion=1]
2024-08-10 16:53:42,987 [] INFO [org.dependencytrack.tasks.BomUploadProcessingTaskV2] BOM processed successfully in 00:00:02.208 [bomSerialNumber=faff1de0-ff24-4ae1-b3b3-8b384dcbd618, bomFormat=CycloneDX, bomUploadToken=f466963e-aee2-46e7-8c0d-89b89863844d, projectName=redacted, bomSpecVersion=1.5, projectUuid=9de39327-deb4-4904-a0a2-e0548c89b346, projectVersion=null, bomVersion=1]
2024-08-10 16:53:42,992 [] INFO [org.dependencytrack.tasks.repositories.RepositoryMetaAnalyzerTask] Performing component repository metadata analysis against 183 components
2024-08-10 16:53:44,474 [] INFO [org.dependencytrack.tasks.scanners.InternalAnalysisTask] Starting internal analysis task

msymons commented 1 month ago

> I'm thinking displaying a red, or otherwise highlighted node, to point out this issue would be preferable over a simple warning popup.

I do not think that colour should be used (or, not colour alone) as Dependency-Track has a requirement to be accessible.

Is the way that we use mouseover in DT compatible with accessibility requirements?