Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🚧 WIP: Add Project Tags To Findings #3797

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

🚧 WIP: Add Project Tags To Findings #3797

wants to merge 1 commit into from

Conversation

aravindparappil46
Copy link
Contributor

@aravindparappil46 aravindparappil46 commented Jun 2, 2024
edited
Loading

⚠️ NOTE: This is a Draft PR. Need help figuring out how to filter Findings by tags

Description

In order to display tags in the vulnerability audit page, added tags to the response of /findings API.

Addressed Issue

Partially addresses frontend issue: DependencyTrack/frontend#849

Additional Details

Right now, this PR just adds the tags to the /finding API response (used by the Vulnerability Audit page to display it)

Help Needed
Need some help figuring out how to filter Finding by tags 🤔

I understand that filtering is currently done in FindingsSearchQueryManager.processFilters(), but unsure how to edit the SQL query to be able to filter by project tags.

I see that Tag is a child table of Parent, so guessing we need some LEFT JOIN magic in Finding.QUERY_ALL_FINDINGS 🪄 🧠

Checklist

  • I have read and understand the contributing guidelines
  • This PR fixes a defect, and I have provided tests to verify that the fix is effective
  • This PR implements an enhancement, and I have provided tests to verify that it works as intended
  • This PR introduces changes to the database model, and I have added corresponding update logic
  • This PR introduces new or alters existing behavior, and I have updated the documentation accordingly

@aravindparappil46
Add Project Tags To Findings
40eddd4 
In order to display tags in the vulnerability audit page, added tags to the resultant finding object

Signed-off-by: Aravind Parappil <[email protected]>
@aravindparappil46 aravindparappil46 mentioned this pull request Jun 2, 2024
Open
2 tasks
@codacy-production Codacy Production
Copy link

Coverage summary from Codacy

See diff coverage on Codacy

Coverage variation Diff coverage
+0.00% (target: -1.00%) 100.00% (target: 70.00%)
Coverage variation details
Coverable lines Covered lines Coverage
Common ancestor commit (f785fc5) 21708 16478 75.91%
Head commit (40eddd4) 21711 (+3) 16481 (+3) 75.91% (+0.00%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details
Coverable lines Covered lines Diff coverage
Pull request (#3797) 3 3 100.00%

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

See your quality gate settings    Change summary preferences

Codacy will stop sending the deprecated coverage status from June 5th, 2024. Learn more

@nscuro
Copy link
Member

nscuro commented Jun 3, 2024

Need some help figuring out how to filter Finding by tags 🤔

I understand that filtering is currently done in FindingsSearchQueryManager.processFilters(), but unsure how to edit the SQL query to be able to filter by project tags.

I see that Tag is a child table of Parent, so guessing we need some LEFT JOIN magic in Finding.QUERY_ALL_FINDINGS 🪄 🧠

I would advise against LEFT JOINs for 1:N relationships like the Project <-> Tag one, since it will cause duplicate rows for each tag.

This should be solvable with a simple EXISTS subquery, for example:

EXISTS (
  SELECT 1
    FROM "TAG"
   INNER JOIN "PROJECTS_TAGS"
      ON "PROJECTS_TAGS"."TAG_ID" = "TAG"."ID"
   WHERE "PROJECTS_TAGS"."PROJECT_ID" = "PROJECT"."ID"
     AND "TAG"."NAME" = 'foo'
)

Similar to how it's done for the portfolio ACL check:

dependency-track/src/main/java/org/dependencytrack/persistence/FindingsSearchQueryManager.java

Lines 351 to 378 in f785fc5

if (queryFilter.isEmpty()) {
queryFilter.append(" WHERE ");
} else {
queryFilter.append(" AND ");
}
final var teamIds = new ArrayList<>(getTeamIds(principal));
if (teamIds.isEmpty()) {
queryFilter.append(":false");
params.put("false", false);
return;
}
// NB: Need to work around the fact that the RDBMSes can't agree on how to do member checks. Oh joy! :)))
final var teamIdChecks = new ArrayList<String>();
for (int i = 0; i < teamIds.size(); i++) {
teamIdChecks.add("\"PROJECT_ACCESS_TEAMS\".\"TEAM_ID\" = :teamId" + i);
params.put("teamId" + i, teamIds.get(i));
}
queryFilter.append("""
EXISTS (
SELECT 1
FROM "PROJECT_ACCESS_TEAMS"
WHERE "PROJECT_ACCESS_TEAMS"."PROJECT_ID" = "PROJECT"."ID"
AND (%s)
)""".formatted(String.join(" OR ", teamIdChecks)));
}

valentijnscholten
valentijnscholten reviewed Jun 5, 2024
View reviewed changes
src/main/java/org/dependencytrack/persistence/FindingsSearchQueryManager.java
Comment on lines +132 to 136
final Project project = component.getProject();
if (project != null) {
finding.getComponent().put("tags", project.getTags());
}
final Analysis analysis = getAnalysis(component, vulnerability);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should it be made more clear that these are project tags and not finding tags? A future DT version might have finding level tags. Name the field project-tags?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@valentijnscholten Totally agree. Will make the change!

@valentijnscholten
Copy link
Contributor

There's also users that use the parent construct to create a hierarchy of projects. How would that be handled? Might be a lot easier if tags can be set on findings and filter on those. The risk is that you get a LOT of tag-finding relationship entries if you have lots of findings with tag java for example.

@nscuro
Copy link
Member

nscuro commented Jun 8, 2024

@valentijnscholten There's also users that use the parent construct to create a hierarchy of projects. How would that be handled?

Good question. How would you expect it to be handled? At the moment there's not a lot of "inheritance" logic for the parent-child construct.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@valentijnscholten valentijnscholten valentijnscholten left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@aravindparappil46 @nscuro @valentijnscholten