Customize Risk Score Backend

[leec94]

Description

WIP issue, to go along with DependencyTrack/frontend#657

This issue is to allow customization of the risk score by a user, through a new settings page.
Changes

• Adding new risk score values to use, set by the frontend
• TODO: use values to recalculate risk score, may require changes to database
• TODO: allow changed risk score weight to recalculate risk score history.

Addressed Issue

DependencyTrack/frontend#657
#2824

Additional Details

Checklist

• I have read and understand the contributing guidelines
• This PR fixes a defect, and I have provided tests to verify that the fix is effective
• This PR implements an enhancement, and I have provided tests to verify that it works as intended
• This PR introduces changes to the database model, and I have added corresponding update logic
• This PR introduces new or alters existing behavior, and I have updated the documentation accordingly

[leec94]

To do list from feedback below:

• Use new ConfigPropertys when calculating inherited risk score
  • add new values for risk score weights in ConfigPropertyConstrants (typo?)
  • define validation steps using updatePropertyValueInternal
  • use ConfigProprtyResource to update property via REST API from front end
• Make risk score weights configurable via ConfigProperty
  • update Metrics#interitedRiskScore to use weighted scores from ConfigProperty...
• Potentially log an audit event that the weights have been modified, and by whom

Feedback on changes needed to complete this PR:

Hey Caroline, I think for the backend part we can work incrementally, in more digestible chunks that you feel comfortable working on. 🙂
Generally, these are the relevant code areas:

• The ComponentMetricsUpdateTask iterates over all vulnerabilities a component is affected by, accumulates the severities, and calculates the risk score based on that.
• The weights of the risk score are currently hardcoded in the Metrics#inheritedRiskScore method.

Changes in the weights will reflect in metrics the next time component metrics are calculated, which happens hourly per default for the entire portfolio.
If you want to make this configurable, you need to define new ConfigPropertyConstants for it. The default values for those are persisted automatically upon startup.
You can access these properties at runtime via QueryManager, see here for example: https://github.com/DependencyTrack/dependency-track/blob/e827c0b2f4e775b0b77ec428e[…]/src/main/java/org/dependencytrack/tasks/NistApiMirrorTask.java
ConfigPropertys are updated via REST API using these endpoints (you should see them being used throughout the frontend codebase): https://github.com/DependencyTrack/dependency-track/blob/e827c0b2f4e775b0b77ec428e[…]va/org/dependencytrack/resources/v1/ConfigPropertyResource.java
Behind the scenes, both of these REST endpoints end up calling updatePropertyValueInternal. This is where you can add additional validation steps (e.g. "weight should not be lower than 1, not higher than 10").
For an MVP implementation, the following should work:

• Make risk score weights configurable via ConfigProperty
• Use new ConfigPropertys when calculating inherited risk score
• Potentially log an audit event that the weights have been modified, and by whom (super.getPrincipal().getName() is available in any *Resource class, e.g. https://github.com/DependencyTrack/dependency-track/blob/e827c0b2f4e775b0b77ec428e[…]main/java/org/dependencytrack/resources/v1/ProjectResource.java).