Affected projects tab not updated when switching between aliases #481

Open
2 tasks done
valentijnscholten opened this issue Apr 26, 2023 · 6 comments · May be fixed by #509
Labels
defect Something isn't working p2 Non-critical bugs, and features that help organizations to identify and reduce risk

Comments

@valentijnscholten (Contributor)

Current Behavior

When viewing a vulnerability, it shows the number of affected projects in the header of that tab. When switching to an alias the screen gets updated with the data from the alias, but the affected project tab does not get updated. The affected number of projects is/will probably be wrong in this case.

Steps to Reproduce

  1. Go to a vulnerability that has some affected projects and at least one alias, i.e. https://dt/vulnerabilities/NVD/CVE-2023-29197
  2. Observe affected project count = X
  3. Click on an alias
  4. Observe affected project count is still X
  5. Press F5
  6. Observe affected project count is (usually) Y

Expected Behavior

The affected projects tab should be updated when switching between aliases.
I can see in the Bootstrap code this tab is "hardcodedly injected" and not tied to any bootstrap lifecycle or events.

Dependency-Track Frontend Version

4.8.0

Browser

Google Chrome

Browser Version

No response

Operating System

Windows

@valentijnscholten valentijnscholten added defect Something isn't working in triage labels Apr 26, 2023
@valentijnscholten (Contributor, Author)

@sephiroth-j Are you willing to help out on this one?
As a complete Vue newb I thought a quick Google search would help me out here. But none of those results are working. Possibly because of how the component is embedded in the template, I don't know. I also tried an event, but realized Vue is (supposed to be?) around 'properties down, events up'.

@sephiroth-j (Contributor)

I can take a look, but it would help a lot if you can share an SBOM with a suitable sample project (one that has a vulnerability with an alias).

@valentijnscholten (Contributor, Author)

Here's two SBOMs. One affected by CVE-2023-29197 and GHSA-wxmh-65f7-jcvw, the other only by GHSA-wxmh-65f7-jcvw. Had to zip them as GitHub doesn't like json files.
affected projects.zip

@sephiroth-j (Contributor)

I just wanted to report back that I found the error and fixed it. In the process I found other errors in the tab handling and also in the backend. I will report back later.

@sephiroth-j (Contributor) commented May 30, 2023

As mentioned in my previous comment, there are several issues.

  1. That the table is not updated is because the AffectedProjects component does not respond to changes in routing, and the URL for the backend query is not updated.

  2. It also turned out that the backend does not return affected projects for aliases. When we ship the fix for this, it will be even more noticeable! One of the sample projects is affected by CVE-2023-29197. The backend provides the expected response for this.

http://localhost:8080/api/v1/vulnerability/source/NVD/vuln/CVE-2023-29197/projects?searchText=

[{"name":"issue-481","version":"2","classifier":"APPLICATION","directDependencies":"[{\"name\":\"installers\",\"purl\":\"pkg:composer/composer/installers@1.12.0\",\"uuid\":\"7f7b2116-dc9f-4d06-abaf-74f0e72d7918\",\"version\":\"1.12.0\",\"group\":\"composer\",\"purlCoordinates\":\"pkg:composer/composer/installers@1.12.0\",\"objectType\":\"COMPONENT\"},{\"name\":\"shopware-sentry\",\"purl\":\"pkg:composer/onedrop/shopware-sentry@2.0.5\",\"uuid\":\"3267e769-292b-48e5-b8fb-05a332d37fdd\",\"version\":\"2.0.5\",\"group\":\"onedrop\",\"purlCoordinates\":\"pkg:composer/onedrop/shopware-sentry@2.0.5\",\"objectType\":\"COMPONENT\"},{\"name\":\"shopware\",\"purl\":\"pkg:composer/shopware/shopware@5.7.6\",\"uuid\":\"7b2abf7d-3671-4f3e-a1df-80e06ed5cbdd\",\"version\":\"5.7.6\",\"group\":\"shopware\",\"purlCoordinates\":\"pkg:composer/shopware/shopware@5.7.6\",\"objectType\":\"COMPONENT\"},{\"name\":\"ontiussimplesearch\",\"purl\":\"pkg:composer/store.shopware.com/ontiussimplesearch@4.1.59\",\"uuid\":\"6d105fd9-fb29-4fdd-bb19-5a76f80fc9d1\",\"version\":\"4.1.59\",\"group\":\"store.shopware.com\",\"purlCoordinates\":\"pkg:composer/store.shopware.com/ontiussimplesearch@4.1.59\",\"objectType\":\"COMPONENT\"},{\"name\":\"phpdotenv\",\"purl\":\"pkg:composer/vlucas/phpdotenv@3.6.10\",\"uuid\":\"85b91a80-f306-407d-9548-7fd8c9cd1cc3\",\"version\":\"3.6.10\",\"group\":\"vlucas\",\"purlCoordinates\":\"pkg:composer/vlucas/phpdotenv@3.6.10\",\"objectType\":\"COMPONENT\"},{\"name\":\"wbm-tag-manager\",\"purl\":\"pkg:composer/webmatch/wbm-tag-manager@3.5.6\",\"uuid\":\"2ba6330d-d718-42fb-b62f-f35b2af00dc8\",\"version\":\"3.5.6\",\"group\":\"webmatch\",\"purlCoordinates\":\"pkg:composer/webmatch/wbm-tag-manager@3.5.6\",\"objectType\":\"COMPONENT\"},{\"name\":\"composer-git-hooks-standard\",\"purl\":\"pkg:composer/redacted/composer-git-hooks-standard@2.1.0?checksum=sha1%3A858ad6c5329ba062233514352c336311bf92ddbc\",\"uuid\":\"63f6fc8a-eebd-4e45-b776-d91809bad9ba\",\"version\":\"2.1.0\",\"group\":
\"redacted\",\"purlCoordinates\":\"pkg:composer/redacted/composer-git-hooks-standard@2.1.0\",\"objectType\":\"COMPONENT\"},{\"name\":\"php-code-sniffer-baseliner\",\"purl\":\"pkg:composer/redacted/php-code-sniffer-baseliner@2.1.1\",\"uuid\":\"6735ff10-bc44-4178-8819-047cbb145fcb\",\"version\":\"2.1.1\",\"group\":\"redacted\",\"purlCoordinates\":\"pkg:composer/redacted/php-code-sniffer-baseliner@2.1.1\",\"objectType\":\"COMPONENT\"},{\"name\":\"php-code-sniffer-standard\",\"purl\":\"pkg:composer/redacted/php-code-sniffer-standard@19.0.0\",\"uuid\":\"3e3dcd03-f48f-4c49-bc3c-f3fab0f486a2\",\"version\":\"19.0.0\",\"group\":\"redacted\",\"purlCoordinates\":\"pkg:composer/redacted/php-code-sniffer-standard@19.0.0\",\"objectType\":\"COMPONENT\"},{\"name\":\"extension-installer\",\"purl\":\"pkg:composer/phpstan/extension-installer@1.1.0\",\"uuid\":\"0d9d75dd-cacc-4948-af03-3f6edbb41f8b\",\"version\":\"1.1.0\",\"group\":\"phpstan\",\"purlCoordinates\":\"pkg:composer/phpstan/extension-installer@1.1.0\",\"objectType\":\"COMPONENT\"},{\"name\":\"phpstan\",\"purl\":\"pkg:composer/phpstan/phpstan@1.5.7\",\"uuid\":\"857c7d42-47e9-43ca-a8f0-0907b369e20f\",\"version\":\"1.5.7\",\"group\":\"phpstan\",\"purlCoordinates\":\"pkg:composer/phpstan/phpstan@1.5.7\",\"objectType\":\"COMPONENT\"},{\"name\":\"phpstan-strict-rules\",\"purl\":\"pkg:composer/phpstan/phpstan-strict-rules@1.1.0\",\"uuid\":\"3b12c708-41d3-4733-ae8e-e23734f9214a\",\"version\":\"1.1.0\",\"group\":\"phpstan\",\"purlCoordinates\":\"pkg:composer/phpstan/phpstan-strict-rules@1.1.0\",\"objectType\":\"COMPONENT\"}]","uuid":"66f62111-c0c2-4dcb-82cf-c80f30894770","properties":[],"tags":[],"lastBomImport":1685297363288,"lastBomImportFormat":"CycloneDX 1.4","lastInheritedRiskScore":35.0,"active":true}]

The alias for this is GHSA-wxmh-65f7-jcvw. However, the response to this is an empty array.

http://localhost:8080/api/v1/vulnerability/source/GITHUB/vuln/GHSA-wxmh-65f7-jcvw/projects?searchText=

[]
  3. The tab name was extracted from the URL via regex - this is a little smelly. Optional path parameters should be used instead.

  4. The component contained logic to catch unknown tab names. This is better off in the router configuration.

  5. Activation of tabs also caused a Vue warning:

Avoid mutating a prop directly since the value will be overwritten whenever the parent component re-renders. Instead, use a data or computed property based on the prop's value. Prop being mutated: "active"

I have fixed the first problem and the tab handling issues on the Vulnerability component as an example, but would create a separate PR for the others.
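The two frontend fixes described in this comment (re-querying the backend when the route changes, and not mutating the `active` prop), as an added illustration that is not Dependency-Track's own component code: a Vue 2 options object for an AffectedProjects tab. The prop names, the `$route.params.source` / `vulnId` parameter names and the `fetchJson` helper are assumptions.

```javascript
// Added example (not the project's code): an AffectedProjects tab that derives its
// backend URL from the current route and reloads when the route changes.
const AffectedProjects = {
  props: {
    active: { type: Boolean, default: false },
  },
  data() {
    return {
      // Local mirror of the prop. Writing to `this.active` would raise the
      // "Avoid mutating a prop directly" warning and be overwritten on re-render.
      isActive: this.active,
      rows: [],
    };
  },
  computed: {
    // Computed from route params (assumed names), so switching to an alias
    // (different source/vulnId in the route) yields a new query URL.
    projectsUrl() {
      const { source, vulnId } = this.$route.params;
      return `/api/v1/vulnerability/source/${encodeURIComponent(source)}` +
        `/vuln/${encodeURIComponent(vulnId)}/projects?searchText=`;
    },
  },
  watch: {
    // Keep the local copy in sync when the parent changes the prop.
    active(value) { this.isActive = value; },
    // Without a route watcher the table kept showing data for the first route.
    $route: { immediate: true, handler() { this.loadProjects(); } },
  },
  methods: {
    // Hypothetical helper; the real frontend uses its own API client.
    async fetchJson(url) {
      const res = await fetch(url);
      if (!res.ok) throw new Error(`HTTP ${res.status} for ${url}`);
      return res.json();
    },
    async loadProjects() {
      this.rows = await this.fetchJson(this.projectsUrl);
      return this.rows;
    },
  },
};
```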

sephiroth-j added a commit to sephiroth-j/frontend that referenced this issue May 30, 2023
fixes DependencyTrack#481

Signed-off-by: Ronny Perinke <23166289+sephiroth-j@users.noreply.github.com>
@msymons msymons added p2 Non-critical bugs, and features that help organizations to identify and reduce risk and removed in triage labels May 31, 2023
@sephiroth-j (Contributor)

filed DependencyTrack/dependency-track/issues/2794 for the backend issue
