Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

API /api/v1/analysis - PUT call does not populate analisisDetail #3470

Open
2 tasks done
ArtWachowski opened this issue Feb 15, 2024 · 2 comments · May be fixed by #3551
Open
2 tasks done

API /api/v1/analysis - PUT call does not populate analisisDetail #3470

ArtWachowski opened this issue Feb 15, 2024 · 2 comments · May be fixed by #3551
Labels
defect Something isn't working good first issue Good for newcomers p2 Non-critical bugs, and features that help organizations to identify and reduce risk

Comments

@ArtWachowski
Copy link

ArtWachowski commented Feb 15, 2024
edited
Loading

Current Behavior

I noticed that analysisDetails text is delivered as expected and populated in Details box but it is not actually "pushed" to the Audit Trail.

Steps to Reproduce

  1. Create API call

curl -k -X PUT "$BASE_URL" \ -H "Content-Type: application/json" \ -H "X-Api-Key: $API_KEY" \ -d "{ \"project\": \"$PROJECT_ID\", \"component\": \"$COMPONENT_ID\", \"vulnerability\": \"$VUUID\", \"analysisState\": \"EXPLOITABLE\", \"analysisResponse\": \"NOT_SET\", \"analysisDetails\": \"MY TEXT HERE\", \"isSuppressed\": false }"
2. Access WebUI
3. Investigate Audit Trial section // observe Details section

Expected Behavior

Audit Trial should have a full record from API transaction, AnalysisState works as expected, AnalysisDetais does not.

14 Feb 2024 at 12:15:16
Analysis: NOT_SET → EXPLOITABLE

14 Feb 2024 at 12:15:16
Details: MY TEXT HERE

image (8)

Dependency-Track Version

4.9.x

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

Checklist
@ArtWachowski ArtWachowski added defect Something isn't working in triage labels Feb 15, 2024
@nscuro nscuro added p2 Non-critical bugs, and features that help organizations to identify and reduce risk good first issue Good for newcomers and removed in triage labels Feb 15, 2024
@surajbora59
Copy link

surajbora59 commented Feb 24, 2024
edited
Loading

@nscuro , currently their is details Column in Analysis table

image

Response:
image

The changes will involve creating new table for details which will store analysis Id, details text, and timestamp. For below details.

14 Feb 2024 at 12:15:16
Details: MY TEXT HERE

P.S. I'm not sure if Frontend is handled for this. If not, this will need to be handled separately. It will involve maintaining backward compatibility, which can be done by ensuring that analysisDetails is present in the response. Additionally, we can introduce a new object that will contain all the new required details.

@nscuro
Copy link
Member

nscuro commented Feb 25, 2024

@surajbora59 This shouldn't require a new table at all.

As you found out, the details information is already persisted, it's just that the audit trail is not properly populated.

This appears to be caused by this code:

dependency-track/src/main/java/org/dependencytrack/resources/v1/AnalysisResource.java

Lines 159 to 171 in 91afc7d

if (analysis != null) {
analysisStateChange = AnalysisCommentUtil.makeStateComment(qm, analysis, request.getAnalysisState(), commenter);
AnalysisCommentUtil.makeJustificationComment(qm, analysis, request.getAnalysisJustification(), commenter);
AnalysisCommentUtil.makeAnalysisResponseComment(qm, analysis, request.getAnalysisResponse(), commenter);
AnalysisCommentUtil.makeAnalysisDetailsComment(qm, analysis, request.getAnalysisDetails(), commenter);
suppressionChange = AnalysisCommentUtil.makeAnalysisSuppressionComment(qm, analysis, request.isSuppressed(), commenter);
analysis = qm.makeAnalysis(component, vulnerability, request.getAnalysisState(), request.getAnalysisJustification(), request.getAnalysisResponse(), request.getAnalysisDetails(), request.isSuppressed());
} else {
analysis = qm.makeAnalysis(component, vulnerability, request.getAnalysisState(), request.getAnalysisJustification(), request.getAnalysisResponse(), request.getAnalysisDetails(), request.isSuppressed());
analysisStateChange = true; // this is a new analysis - so set to true because it was previously null
if (AnalysisState.NOT_SET != request.getAnalysisState()) {
qm.makeAnalysisComment(analysis, String.format("Analysis: %s → %s", AnalysisState.NOT_SET, request.getAnalysisState()), commenter);
}

If no Analysis existed previously, only one comment is created. Whereas if one existed already, a comment is made for each changed field. This logic needs to be adjusted such that even in the former case, each provided field gets its own entry.

sebD added a commit to sebD/dependency-track that referenced this issue Mar 14, 2024
@sebD
Adds analysis comments for justification, state and details for new a…
a0efd46 
…nalysis added either via UI or directly via REST call.

Does add more comments when using the UI but reflects state of the vulnerability audit better.

Fixes: DependencyTrack#3470

Signed-off-by: Sebastien Delcoigne <[email protected]>
@sebD sebD linked a pull request Mar 14, 2024 that will close this issue
Draft
5 tasks
sebD added a commit to sebD/dependency-track that referenced this issue Mar 14, 2024
@sebD
DependencyTrack#3470: corrects unit tests following changes in analys…
60d749e 
…is comments modifications

Signed-off-by: Sebastien Delcoigne <[email protected]>
sebD added a commit to sebD/dependency-track that referenced this issue Mar 20, 2024
@sebD
Centralizes analysis and affering comments management into a dedicate…
315ad3e 
…d service

Adds analysis comments for justification, state and details for new analysis added either via UI or directly via REST call.

 Fixes DependencyTrack#3470

Signed-off-by: Sebastien Delcoigne <[email protected]>
sebD added a commit to sebD/dependency-track that referenced this issue Mar 21, 2024
@sebD
DependencyTrack#3470: fixes failing tests
4072424 
Signed-off-by: Sebastien Delcoigne <[email protected]>
sebD added a commit to sebD/dependency-track that referenced this issue Mar 22, 2024
@sebD
DependencyTrack#3470: adds possibility to pass query manager to Analy…
785469c 
…sisService to avoid "Object with id 'x' is managed by a different persistence manager" error types

Signed-off-by: Sebastien Delcoigne <[email protected]>
sebD added a commit to sebD/dependency-track that referenced this issue Apr 7, 2024
@sebD
Adds analysis comments for justification, state and details for new a…
e4351d7 
…nalysis added either via UI or directly via REST call.

Does add more comments when using the UI but reflects state of the vulnerability audit better.

Fixes: DependencyTrack#3470

Signed-off-by: Sebastien Delcoigne <[email protected]>
sebD added a commit to sebD/dependency-track that referenced this issue Apr 7, 2024
@sebD
Centralizes analysis and affering comments management into a dedicate…
4059053 
…d service

Adds analysis comments for justification, state and details for new analysis added either via UI or directly via REST call.

 Fixes DependencyTrack#3470

Signed-off-by: Sebastien Delcoigne <[email protected]>
sebD added a commit to sebD/dependency-track that referenced this issue Apr 7, 2024
@sebD
DependencyTrack#3470: fixes failing tests
fcf7c6c 
Signed-off-by: Sebastien Delcoigne <[email protected]>
sebD added a commit to sebD/dependency-track that referenced this issue Apr 7, 2024
@sebD
DependencyTrack#3470: adds possibility to pass query manager to Analy…
067338c 
…sisService to avoid "Object with id 'x' is managed by a different persistence manager" error types

Signed-off-by: Sebastien Delcoigne <[email protected]>
sebD added a commit to sebD/dependency-track that referenced this issue Apr 7, 2024
@sebD
Fixes DependencyTrack#3470: adds possibility to pass query manager to…
5dffd9f 
… AnalysisService to avoid "Object with id 'x' is managed by a different persistence manager" error types

Signed-off-by: Sebastien Delcoigne <[email protected]>
sebD added a commit to sebD/dependency-track that referenced this issue Apr 12, 2024
@sebD
Adds analysis comments for justification, state and details for new a…
5b57542 
…nalysis added either via UI or directly via REST call.

Does add more comments when using the UI but reflects state of the vulnerability audit better.

Fixes: DependencyTrack#3470

Signed-off-by: Sebastien Delcoigne <[email protected]>
sebD added a commit to sebD/dependency-track that referenced this issue Apr 12, 2024
@sebD
Centralizes analysis and affering comments management into a dedicate…
beeeb91 
…d service

Adds analysis comments for justification, state and details for new analysis added either via UI or directly via REST call.

 Fixes DependencyTrack#3470

Signed-off-by: Sebastien Delcoigne <[email protected]>
sebD added a commit to sebD/dependency-track that referenced this issue Apr 12, 2024
@sebD
DependencyTrack#3470: fixes failing tests
1bf9874 
Signed-off-by: Sebastien Delcoigne <[email protected]>
sebD added a commit to sebD/dependency-track that referenced this issue Apr 12, 2024
@sebD
Fixes DependencyTrack#3470: adds possibility to pass query manager to…
62bf367 
… AnalysisService to avoid "Object with id 'x' is managed by a different persistence manager" error types

Signed-off-by: Sebastien Delcoigne <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
defect Something isn't working good first issue Good for newcomers p2 Non-critical bugs, and features that help organizations to identify and reduce risk
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Adds audit trail comments for all fields of new analysis sebD/dependency-track
3 participants
@nscuro @ArtWachowski @surajbora59