Avoid duplicates with alias BACKEND #3685
Conversation
This commit introduces a new functionality that addresses the issue of duplicate vulnerabilities by comparing the priority of sources and the aliases attached to a component. The implementation required adding new database rows to support the changes. To ensure the correctness of the implementation, tests have been added to validate the behavior of the updated functionality. In addition, a new API endpoint has been added to get the actual Enabled Sources. It is important to note that this update specifically affects the addVulnerability function and is not able to delete a vulnerability in any case. Signed-off-by: Andres Tito <andres.tito@rohde-schwarz.com>
|
Not sure if I fully understand the PR. Does it only one vulnerability, the one from the source with the highest priority? It feels to me that this would be a "bolt on" solution to a database model that should be changed. Wouldn't it be better to have data model that has one vulnerability that can have multiple aliases (from different sources possibly)? Currently with multiple aliases/sources there are (can be / most often are) multiple rows of vulnerabilities. This makes a lot of things harder and more complicated. For example determining the number of affected project for a vulnerability or something "as simple as" sorting the list of vulnerabilities by number of affected projects. |
PR Description updated: I hope that with the example images the PR will be better explained @valentijnscholten |
… I remove it for now, issues with isEmpty, better use != null Signed-off-by: Andres Tito <andres.tito@rohde-schwarz.com>
Coverage summary from CodacySee diff coverage on Codacy
Coverage variation details
Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: Diff coverage details
Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: See your quality gate settings Change summary preferencesCodacy will stop sending the deprecated coverage status from June 5th, 2024. Learn more |
…y-track into AvoidDuplicatesWithAlias Signed-off-by: Andres Tito <andres.tito@rohde-schwarz.com>
|
I think this might also solve #2181 would be greatly appreciated :) 🎉 |
Description
This PR introduces a new functionality that addresses the issue of duplicate vulnerabilities by comparing the priority of sources and the aliases attached to a component.
The implementation required adding new database rows to support the changes.
To ensure the correctness of the implementation, tests have been added to validate the behavior of the updated functionality.
In addition, a new API endpoint has been added to get the actual Enabled Sources.
It is important to note that this update specifically affects the addVulnerability function and is not able to delete a vulnerability in any case.
Fronted changes: DependencyTrack/frontend#838
I'm open to discussing any changes or improvements👍🏽
Examples:
Alias Deduplication Disabled
Vulnerability source with highest priority: NVD
Vulnerability source with highest priority: GITHUB
Addressed Issue
This PR fixes #1994 and #2181
Additional Details
Add a new file named ConfigPropertyQueryManager.java to manage functions related to the EnabledSources
Checklist