
Migrate Global Component Model to Per Project Model #593

Closed
stevespringett opened this issue Feb 17, 2020 · 3 comments
Assignees
Labels
enhancement New feature or request p1 Critical bugs that prevent DT from being used, or features that must be implemented ASAP pending release
Milestone

Comments

@stevespringett
Member

Currently, components exist globally and their use is tied to zero or more projects through the dependency object. This has the advantage in that it's fast to determine where a component is used, but has many disadvantages. At the time when Dependency-Check was used for vulnerability analysis, having global audits was necessary to scale the false positive problem. This scenario no longer exists so the reasoning for having global audit capabilities has greatly decreased.

This major enhancement will be to move away from a global component model to a per project component model.

This will allow DT to:

  • Have different sets of facts for seemingly the same component
    • different hash values to identify potentially malicious components
    • identify modified components
    • different licenses based on usage
  • Identify provenance and pedigree for modified components
  • Identify unique assembly/sub-assembly on a per project basis
    • parts, compound parts, final goods assembled with each assembly being independently verifiable

In order for DT to fully realize the benefits of CycloneDX and future versions of SPDX (v3.0+), this enhancement needs to be made.

It will still be possible to retrieve component usage across portfolio, but the queries involved will need to change and may introduce a performance impact. Database storage requirements will also increase.

Related to: #590, #372, #251
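To make the trade-off in the issue concrete, here is an added illustration (not Dependency-Track code, and not from the issue author) of the two data models in an in-memory SQLite database: a global component table joined to projects through a dependency table, beside a per-project component table. The package URLs, hashes and project names are constructed sample data. It shows the usage query that changes between the models, the fact the global model cannot record (a second hash for the same PURL), and the portfolio-wide query for diverging hashes that only the per-project model can answer, which is the "identify modified components" case from the list above.

```python
"""Global vs per-project component model, built on SQLite (added example)."""
import sqlite3
from typing import List, Tuple

# Constructed sample SBOM rows (hypothetical PURLs and hashes, not real artifacts).
# The same parser PURL carries a different hash in the second project.
PROJECTS = ["billing-service", "reporting-ui"]
SBOM_ROWS = [
    ("billing-service", "pkg:maven/org.example/parser@1.2.0", "aaaa1111"),
    ("billing-service", "pkg:maven/org.example/logger@3.0.1", "bbbb2222"),
    ("reporting-ui",    "pkg:maven/org.example/parser@1.2.0", "cccc3333"),  # modified artifact
    ("reporting-ui",    "pkg:maven/org.example/logger@3.0.1", "bbbb2222"),
]


def global_model() -> sqlite3.Connection:
    """Global model: one component row per PURL, usage via a dependency join table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE project   (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
        CREATE TABLE component (id INTEGER PRIMARY KEY, purl TEXT UNIQUE NOT NULL,
                                sha256 TEXT NOT NULL);
        CREATE TABLE dependency(project_id INTEGER NOT NULL REFERENCES project(id),
                                component_id INTEGER NOT NULL REFERENCES component(id),
                                PRIMARY KEY (project_id, component_id));
    """)
    conn.executemany("INSERT INTO project(name) VALUES (?)", [(n,) for n in PROJECTS])
    return conn


def global_record(conn: sqlite3.Connection, project: str, purl: str, sha256: str) -> bool:
    """Attach a component to a project. Returns False when the single global row
    already holds a different hash: there is no room for a second set of facts."""
    row = conn.execute("SELECT id, sha256 FROM component WHERE purl = ?", (purl,)).fetchone()
    if row is None:
        cid = conn.execute("INSERT INTO component(purl, sha256) VALUES (?, ?)",
                           (purl, sha256)).lastrowid
    elif row[1] != sha256:
        return False
    else:
        cid = row[0]
    pid = conn.execute("SELECT id FROM project WHERE name = ?", (project,)).fetchone()[0]
    conn.execute("INSERT OR IGNORE INTO dependency VALUES (?, ?)", (pid, cid))
    return True


def global_usage(conn: sqlite3.Connection, purl: str) -> List[str]:
    """Portfolio lookup in the global model: one join through the dependency table."""
    rows = conn.execute("""
        SELECT p.name FROM project p
        JOIN dependency d ON d.project_id = p.id
        JOIN component  c ON c.id = d.component_id
        WHERE c.purl = ? ORDER BY p.name""", (purl,)).fetchall()
    return [r[0] for r in rows]


def per_project_model() -> sqlite3.Connection:
    """Per-project model: each project owns its component rows, so the same PURL
    may carry different hashes (or licenses) in different projects."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE project   (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
        CREATE TABLE component (id INTEGER PRIMARY KEY,
                                project_id INTEGER NOT NULL REFERENCES project(id),
                                purl TEXT NOT NULL, sha256 TEXT NOT NULL,
                                UNIQUE (project_id, purl));
        CREATE INDEX component_purl ON component(purl);  -- needed for portfolio queries
    """)
    conn.executemany("INSERT INTO project(name) VALUES (?)", [(n,) for n in PROJECTS])
    return conn


def per_project_record(conn: sqlite3.Connection, project: str, purl: str, sha256: str) -> None:
    pid = conn.execute("SELECT id FROM project WHERE name = ?", (project,)).fetchone()[0]
    conn.execute("INSERT INTO component(project_id, purl, sha256) VALUES (?, ?, ?)",
                 (pid, purl, sha256))


def per_project_usage(conn: sqlite3.Connection, purl: str) -> List[str]:
    """Portfolio lookup now scans component rows by PURL; this is the query that changes."""
    rows = conn.execute("""
        SELECT DISTINCT p.name FROM component c
        JOIN project p ON p.id = c.project_id
        WHERE c.purl = ? ORDER BY p.name""", (purl,)).fetchall()
    return [r[0] for r in rows]


def divergent_hashes(conn: sqlite3.Connection) -> List[Tuple[str, int]]:
    """PURLs whose artifact hash differs between projects: a signal for modified
    or tampered components that the global model cannot even store."""
    rows = conn.execute("""
        SELECT purl, COUNT(DISTINCT sha256) FROM component
        GROUP BY purl HAVING COUNT(DISTINCT sha256) > 1 ORDER BY purl""").fetchall()
    return [(r[0], r[1]) for r in rows]


def compare_models() -> dict:
    g, pp = global_model(), per_project_model()
    rejected = [r for r in SBOM_ROWS if not global_record(g, *r)]
    for r in SBOM_ROWS:
        per_project_record(pp, *r)
    parser = "pkg:maven/org.example/parser@1.2.0"
    return {"global_rejected": rejected,
            "global_usage": global_usage(g, parser),
            "per_project_usage": per_project_usage(pp, parser),
            "divergent": divergent_hashes(pp)}


if __name__ == "__main__":
    for key, value in compare_models().items():
        print(key, value)
```

Running it shows the global model silently losing the second project's view of the parser (the row is rejected, so the usage query reports only one project), while the per-project model keeps both rows and the `divergent_hashes` query surfaces the PURL whose hash does not agree across the portfolio. The index on `purl` is what keeps the per-project usage query from becoming a full scan as the portfolio grows, which is the storage and performance cost the issue mentions.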

@stevespringett stevespringett added the enhancement New feature or request label Feb 17, 2020
@stevespringett stevespringett added this to the 3.9 milestone Feb 17, 2020
@stevespringett stevespringett self-assigned this Feb 17, 2020
@stevespringett stevespringett added the p1 Critical bugs that prevent DT from being used, or features that must be implemented ASAP label Feb 17, 2020
@stevespringett stevespringett modified the milestones: 3.9, 3.10 Mar 21, 2020
@stevespringett stevespringett modified the milestones: 3.10, 3.9 May 29, 2020
stevespringett added a commit that referenced this issue Aug 5, 2020
stevespringett added a commit that referenced this issue Aug 27, 2020
… when vulnerabilities were added to component. Simplified use of FindingAttribution when adding a vuln to a component. Added FindingAttribution support to Findings API.
stevespringett added a commit that referenced this issue Sep 3, 2020
…ithout a global component model, the potential for individual component analysis is exponential. This change, along with minor refactor of all vulnerability analyzers, allow results to be cached per Package URL + analyzer + url. Also added was a task that runs every 3 days that removes all cached results.
@stevespringett
Member Author

NOTE: This appears to be mostly complete.
TODO: Upgrade logic.

stevespringett added a commit that referenced this issue Oct 6, 2020
…onal hash search functionality. Added independent lucene index searching for components, licenses, vulns, projects.
lislei added a commit to lislei/dependency-track that referenced this issue Oct 20, 2020
Postgres 10 is sensitive to order of join statements. This fixes:
 `ERROR:  missing FROM-clause entry for table "VULNERABILITY" at character 1122`
stevespringett added a commit that referenced this issue Nov 15, 2020
@stevespringett
Member Author

Closing. Implemented in v4.0 - to be released soon.

@github-actions
Contributor

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 26, 2021