Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dependency Graph weirdness for root component when using processing v2 #1026

Open
2 tasks done
malice00 opened this issue Oct 3, 2024 · 2 comments
Open
2 tasks done

Dependency Graph weirdness for root component when using processing v2 #1026

malice00 opened this issue Oct 3, 2024 · 2 comments
Labels
defect Something isn't working good first issue Good for newcomers hacktoberfest Issues eligible for Hacktoberfest contributions p3 Nice-to-have features size/S Small effort

Comments

@malice00
Copy link

malice00 commented Oct 3, 2024

Current Behavior

After activating v2 processing, the root component in a dependency graph is inconsistently rendered either as the name and version of the project (as it was in 4.11.x) or as a PURL. I'm not quite sure when/why it chooses to do one or the other, but I'd prefer it to use the previous way as to keep in line with all projects that were created before 4.12.

Steps to Reproduce

  1. Not sure, will do some more testing to try and figure out if this is random or reproducible

Expected Behavior

I expect the displayed name in the graph to be consistent between projects and prefer it to be the 'name version'-variant as it was before 4.12.

Dependency-Track Frontend Version

4.12.0

Browser

Mozilla Firefox

Browser Version

130.0.1

Operating System

macOS

Checklist
@malice00 malice00 added defect Something isn't working in triage labels Oct 3, 2024
@malice00
Copy link
Author

malice00 commented Oct 3, 2024

So, further testing seems to point at the fact that the projects that show 'name version' have sub-components defined in the SBOM (so metadata > component > components), whereas the projects that show the PURL have only a root component...

Maybe this is actually an issue for the DT repo? I started posting it here because I had this behavior in the UI, but now I'm not so sure if this is the right place...

@nscuro
Copy link
Member

nscuro commented Oct 3, 2024

Same cause as DependencyTrack/dependency-track#3978 (comment).

Processing V1 did not import metadata.component.purl into the project but V2 does. The code of the dependency graph prefers PURL over name+version:

frontend/src/views/portfolio/projects/ProjectDependencyGraph.vue

Lines 531 to 550 in 4ccfd8b

createNodeLabel: function (identity) {
// could be a project or a component
if (identity.purlCoordinates) {
return identity.purlCoordinates;
} else if (identity.purl) {
return identity.purl;
} else {
let label = '';
if (identity.groupId) {
label += identity.groupId + ' ';
}
if (identity.name) {
label += identity.name;
}
if (identity.version) {
label += ' ' + identity.version;
}
return label;
}
},

Given that projects are otherwise referred to by name and version throughout the application, I do agree that the dependency graph should follow that, and consistently use name and version for the root node.

@nscuro nscuro added p3 Nice-to-have features good first issue Good for newcomers size/S Small effort hacktoberfest Issues eligible for Hacktoberfest contributions and removed in triage labels Oct 3, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
defect Something isn't working good first issue Good for newcomers hacktoberfest Issues eligible for Hacktoberfest contributions p3 Nice-to-have features size/S Small effort
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@nscuro @malice00