Move manufacturer from ProjectMetadata to Project

As per CycloneDX specification, `metadata.manufacturer` refers to `metadata.component`, whereas `metadata.supplier` and `metadata.authors` refer to the BOM itself.

Keeping `manufacturer` in `ProjectMetadata` is awkward and confusing.

Signed-off-by: nscuro <[email protected]>

src/main/java/org/dependencytrack/model/Project.java

@@ -139,6 +139,11 @@ public enum FetchGroup {
     @Pattern(regexp = RegexSequence.Definition.PRINTABLE_CHARS, message = "The publisher may only contain printable characters")
     private String publisher;
 
+    @Persistent(defaultFetchGroup = "true")
+    @Convert(OrganizationalEntityJsonConverter.class)
+    @Column(name = "MANUFACTURER", jdbcType = "CLOB", allowsNull = "true")
+    private OrganizationalEntity manufacturer;
+
     @Persistent(defaultFetchGroup = "true")
     @Convert(OrganizationalEntityJsonConverter.class)
     @Column(name = "SUPPLIER", jdbcType = "CLOB", allowsNull = "true")
@@ -304,6 +309,14 @@ public void setPublisher(String publisher) {
         this.publisher = publisher;
     }
 
+    public OrganizationalEntity getManufacturer() {
+        return manufacturer;
+    }
+
+    public void setManufacturer(final OrganizationalEntity manufacturer) {
+        this.manufacturer = manufacturer;
+    }
+
     public OrganizationalEntity getSupplier() {
         return supplier;
     }

src/main/java/org/dependencytrack/model/ProjectMetadata.java

@@ -34,6 +34,11 @@
 import java.util.List;
 
 /**
+ * Metadata that relates to, but does not directly describe, a {@link Project}.
+ * <p>
+ * In CycloneDX terms, {@link ProjectMetadata} represents data from the {@code metadata} node
+ * of a BOM (except {@code metadata.component}, which represents a {@link Project} in Dependency-Track).
+ *
  * @since 4.10.0
  */
 @PersistenceCapable(table = "PROJECT_METADATA")
@@ -51,11 +56,6 @@ public class ProjectMetadata {
     @JsonIgnore
     private Project project;
 
-    @Persistent(defaultFetchGroup = "true")
-    @Convert(OrganizationalEntityJsonConverter.class)
-    @Column(name = "MANUFACTURER", jdbcType = "CLOB", allowsNull = "true")
-    private OrganizationalEntity manufacturer;
-
     @Persistent(defaultFetchGroup = "true")
     @Convert(OrganizationalEntityJsonConverter.class)
     @Column(name = "SUPPLIER", jdbcType = "CLOB", allowsNull = "true")
@@ -82,14 +82,6 @@ public void setProject(final Project project) {
         this.project = project;
     }
 
-    public OrganizationalEntity getManufacturer() {
-        return manufacturer;
-    }
-
-    public void setManufacturer(final OrganizationalEntity manufacturer) {
-        this.manufacturer = manufacturer;
-    }
-
     public OrganizationalEntity getSupplier() {
         return supplier;
     }

src/main/java/org/dependencytrack/parser/cyclonedx/util/ModelConverter.java

@@ -432,6 +432,8 @@ public static org.cyclonedx.model.Metadata createMetadata(final Project project)
         tool.setVersion(alpine.Config.getInstance().getApplicationVersion());
         metadata.setTools(Collections.singletonList(tool));
         if (project != null) {
+            metadata.setManufacture(convert(project.getManufacturer()));
+
             final org.cyclonedx.model.Component cycloneComponent = new org.cyclonedx.model.Component();
             cycloneComponent.setBomRef(project.getUuid().toString());
             cycloneComponent.setAuthor(StringUtils.trimToNull(project.getAuthor()));
@@ -476,7 +478,6 @@ public static org.cyclonedx.model.Metadata createMetadata(final Project project)
 
             if (project.getMetadata() != null) {
                 metadata.setAuthors(convertContacts(project.getMetadata().getAuthors()));
-                metadata.setManufacture(convert(project.getMetadata().getManufacturer()));
                 metadata.setSupplier(convert(project.getMetadata().getSupplier()));
             }
         }

src/main/java/org/dependencytrack/persistence/ProjectQueryManager.java

@@ -519,6 +519,7 @@ public Project updateProject(Project transientProject, boolean commitIndex) {
         final Project project = getObjectByUuid(Project.class, transientProject.getUuid());
         project.setAuthor(transientProject.getAuthor());
         project.setPublisher(transientProject.getPublisher());
+        project.setManufacturer(transientProject.getManufacturer());
         project.setSupplier(transientProject.getSupplier());
         project.setGroup(transientProject.getGroup());
         project.setName(transientProject.getName());
@@ -580,6 +581,7 @@ public Project clone(UUID from, String newVersion, boolean includeTags, boolean
         }
         Project project = new Project();
         project.setAuthor(source.getAuthor());
+        project.setManufacturer(source.getManufacturer());
         project.setSupplier(source.getSupplier());
         project.setPublisher(source.getPublisher());
         project.setGroup(source.getGroup());
@@ -601,7 +603,6 @@ public Project clone(UUID from, String newVersion, boolean includeTags, boolean
             final var metadata = new ProjectMetadata();
             metadata.setProject(project);
             metadata.setAuthors(source.getMetadata().getAuthors());
-            metadata.setManufacturer(source.getMetadata().getManufacturer());
             metadata.setSupplier(source.getMetadata().getSupplier());
             persist(metadata);
         }

src/main/java/org/dependencytrack/resources/v1/ProjectResource.java

@@ -382,6 +382,7 @@ public Response patchProject(
                 modified |= setIfDifferent(jsonProject, project, Project::getPurl, Project::setPurl);
                 modified |= setIfDifferent(jsonProject, project, Project::getSwidTagId, Project::setSwidTagId);
                 modified |= setIfDifferent(jsonProject, project, Project::isActive, Project::setActive);
+                modified |= setIfDifferent(jsonProject, project, Project::getManufacturer, Project::setManufacturer);
                 modified |= setIfDifferent(jsonProject, project, Project::getSupplier, Project::setSupplier);
                 if (jsonProject.getParent() != null && jsonProject.getParent().getUuid() != null) {
                     final Project parent = qm.getObjectByUuid(Project.class, jsonProject.getParent().getUuid());

src/main/java/org/dependencytrack/tasks/BomUploadProcessingTask.java

@@ -113,13 +113,13 @@ public void inform(final Event e) {
                         bomProcessingFailedBomVersion = bomSpecVersion;
                         bomVersion = cycloneDxBom.getVersion();
                         if (cycloneDxBom.getMetadata() != null) {
+                            project.setManufacturer(ModelConverter.convert(cycloneDxBom.getMetadata().getManufacture()));
+
                             final var projectMetadata = new ProjectMetadata();
-                            projectMetadata.setManufacturer(ModelConverter.convert(cycloneDxBom.getMetadata().getManufacture()));
                             projectMetadata.setSupplier(ModelConverter.convert(cycloneDxBom.getMetadata().getSupplier()));
                             projectMetadata.setAuthors(ModelConverter.convertCdxContacts(cycloneDxBom.getMetadata().getAuthors()));
                             if (project.getMetadata() != null) {
                                 qm.runInTransaction(() -> {
-                                    project.getMetadata().setManufacturer(projectMetadata.getManufacturer());
                                     project.getMetadata().setSupplier(projectMetadata.getSupplier());
                                     project.getMetadata().setAuthors(projectMetadata.getAuthors());
                                 });

src/test/java/org/dependencytrack/resources/v1/BomResourceTest.java

@@ -107,24 +107,24 @@ public void exportProjectAsCycloneDxInventoryTest() {
         vulnerability.setSeverity(Severity.HIGH);
         vulnerability = qm.createVulnerability(vulnerability, false);
 
+        final var projectManufacturer = new OrganizationalEntity();
+        projectManufacturer.setName("projectManufacturer");
         final var projectSupplier = new OrganizationalEntity();
         projectSupplier.setName("projectSupplier");
         var project = new Project();
         project.setName("acme-app");
         project.setClassifier(Classifier.APPLICATION);
+        project.setManufacturer(projectManufacturer);
         project.setSupplier(projectSupplier);
         project = qm.createProject(project, null, false);
 
         final var bomSupplier = new OrganizationalEntity();
         bomSupplier.setName("bomSupplier");
-        final var bomManufacturer = new OrganizationalEntity();
-        bomManufacturer.setName("bomManufacturer");
         final var bomAuthor = new OrganizationalContact();
         bomAuthor.setName("bomAuthor");
         final var projectMetadata = new ProjectMetadata();
         projectMetadata.setProject(project);
         projectMetadata.setAuthors(List.of(bomAuthor));
-        projectMetadata.setManufacturer(bomManufacturer);
         projectMetadata.setSupplier(bomSupplier);
         qm.persist(projectMetadata);
 
@@ -212,7 +212,7 @@ public void exportProjectAsCycloneDxInventoryTest() {
                             "version": "SNAPSHOT"
                         },
                         "manufacture": {
-                          "name": "bomManufacturer"
+                          "name": "projectManufacturer"
                         },
                         "supplier": {
                           "name": "bomSupplier"

src/test/java/org/dependencytrack/resources/v1/ProjectResourceTest.java

@@ -587,6 +587,13 @@ public void patchProjectNotFoundTest() {
     public void patchProjectSuccessfullyPatchedTest() {
         final var tags = Stream.of("tag1", "tag2").map(qm::createTag).collect(Collectors.toUnmodifiableList());
         final var p1 = qm.createProject("ABC", "Test project", "1.0", tags, null, null, true, false);
+        final var projectManufacturerContact = new OrganizationalContact();
+        projectManufacturerContact.setName("manufacturerContactName");
+        final var projectManufacturer = new OrganizationalEntity();
+        projectManufacturer.setName("manufacturerName");
+        projectManufacturer.setUrls(new String[]{"https://manufacturer.example.com"});
+        projectManufacturer.setContacts(List.of(projectManufacturerContact));
+        p1.setManufacturer(projectManufacturer);
         final var projectSupplierContact = new OrganizationalContact();
         projectSupplierContact.setName("supplierContactName");
         final var projectSupplier = new OrganizationalEntity();
@@ -604,6 +611,13 @@ public void patchProjectSuccessfullyPatchedTest() {
             t.setName(name);
             return t;
         }).collect(Collectors.toUnmodifiableList()));
+        final var jsonProjectManufacturerContact = new OrganizationalContact();
+        jsonProjectManufacturerContact.setName("newManufacturerContactName");
+        final var jsonProjectManufacturer = new OrganizationalEntity();
+        jsonProjectManufacturer.setName("manufacturerName");
+        jsonProjectManufacturer.setUrls(new String[]{"https://manufacturer.example.com"});
+        jsonProjectManufacturer.setContacts(List.of(jsonProjectManufacturerContact));
+        jsonProject.setManufacturer(jsonProjectManufacturer);
         final var jsonProjectSupplierContact = new OrganizationalContact();
         jsonProjectSupplierContact.setName("newSupplierContactName");
         final var jsonProjectSupplier = new OrganizationalEntity();
@@ -622,6 +636,17 @@ public void patchProjectSuccessfullyPatchedTest() {
                 .isEqualTo("""
                         {
                           "publisher": "new publisher",
+                          "manufacturer": {
+                            "name": "manufacturerName",
+                            "urls": [
+                              "https://manufacturer.example.com"
+                            ],
+                            "contacts": [
+                              {
+                                "name": "newManufacturerContactName"
+                              }
+                            ]
+                          },
                           "supplier": {
                             "name": "supplierName",
                             "urls": [
@@ -837,12 +862,15 @@ public void getProjectsWithoutDescendantsOfTest() {
     public void cloneProjectTest() {
         EventService.getInstance().subscribe(CloneProjectEvent.class, CloneProjectTask.class);
 
+        final var projectManufacturer = new OrganizationalEntity();
+        projectManufacturer.setName("projectManufacturer");
         final var projectSupplier = new OrganizationalEntity();
         projectSupplier.setName("projectSupplier");
 
         final var project = new Project();
         project.setName("acme-app");
         project.setVersion("1.0.0");
+        project.setManufacturer(projectManufacturer);
         project.setSupplier(projectSupplier);
         project.setAccessTeams(List.of(team));
         qm.persist(project);
@@ -856,14 +884,11 @@ public void cloneProjectTest() {
 
         final var metadataAuthor = new OrganizationalContact();
         metadataAuthor.setName("metadataAuthor");
-        final var metadataManufacturer = new OrganizationalEntity();
-        metadataManufacturer.setName("metadataManufacturer");
         final var metadataSupplier = new OrganizationalEntity();
         metadataSupplier.setName("metadataSupplier");
         final var metadata = new ProjectMetadata();
         metadata.setProject(project);
         metadata.setAuthors(List.of(metadataAuthor));
-        metadata.setManufacturer(metadataManufacturer);
         metadata.setSupplier(metadataSupplier);
         qm.persist(metadata);
 
@@ -920,6 +945,8 @@ public void cloneProjectTest() {
                     assertThat(clonedProject.getUuid()).isNotEqualTo(project.getUuid());
                     assertThat(clonedProject.getSupplier()).isNotNull();
                     assertThat(clonedProject.getSupplier().getName()).isEqualTo("projectSupplier");
+                    assertThat(clonedProject.getManufacturer()).isNotNull();
+                    assertThat(clonedProject.getManufacturer().getName()).isEqualTo("projectManufacturer");
                     assertThat(clonedProject.getAccessTeams()).containsOnly(team);
 
                     final List<ProjectProperty> clonedProperties = qm.getProjectProperties(clonedProject);
@@ -939,8 +966,6 @@ public void cloneProjectTest() {
                     assertThat(clonedMetadata).isNotNull();
                     assertThat(clonedMetadata.getAuthors())
                             .satisfiesExactly(contact -> assertThat(contact.getName()).isEqualTo("metadataAuthor"));
-                    assertThat(clonedMetadata.getManufacturer())
-                            .satisfies(entity -> assertThat(entity.getName()).isEqualTo("metadataManufacturer"));
                     assertThat(clonedMetadata.getSupplier())
                             .satisfies(entity -> assertThat(entity.getName()).isEqualTo("metadataSupplier"));
 

src/test/java/org/dependencytrack/tasks/BomUploadProcessingTaskTest.java

@@ -137,30 +137,31 @@ public void informTest() throws Exception {
         assertThat(project.getLastBomImport()).isNotNull();
         assertThat(project.getExternalReferences()).isNotNull();
         assertThat(project.getExternalReferences()).hasSize(4);
-        assertThat(project.getSupplier()).isNotNull();
-        assertThat(project.getSupplier().getName()).isEqualTo("Foo Incorporated");
-        assertThat(project.getSupplier().getUrls()).containsOnly("https://foo.bar.com");
-        assertThat(project.getSupplier().getContacts()).satisfiesExactly(contact -> {
-            assertThat(contact.getName()).isEqualTo("Foo Jr.");
-            assertThat(contact.getEmail()).isEqualTo("[email protected]");
-            assertThat(contact.getPhone()).isEqualTo("123-456-7890");
-        });
-
-        assertThat(project.getMetadata()).isNotNull();
-        assertThat(project.getMetadata().getAuthors()).satisfiesExactly(contact -> {
-            assertThat(contact.getName()).isEqualTo("Author");
-            assertThat(contact.getEmail()).isEqualTo("[email protected]");
-            assertThat(contact.getPhone()).isEqualTo("123-456-7890");
-        });
-        assertThat(project.getMetadata().getManufacturer()).satisfies(supplier -> {
+        assertThat(project.getSupplier()).satisfies(supplier -> {
             assertThat(supplier.getName()).isEqualTo("Foo Incorporated");
             assertThat(supplier.getUrls()).containsOnly("https://foo.bar.com");
             assertThat(supplier.getContacts()).satisfiesExactly(contact -> {
+                assertThat(contact.getName()).isEqualTo("Foo Jr.");
+                assertThat(contact.getEmail()).isEqualTo("[email protected]");
+                assertThat(contact.getPhone()).isEqualTo("123-456-7890");
+            });
+        });
+        assertThat(project.getManufacturer()).satisfies(manufacturer -> {
+            assertThat(manufacturer.getName()).isEqualTo("Foo Incorporated");
+            assertThat(manufacturer.getUrls()).containsOnly("https://foo.bar.com");
+            assertThat(manufacturer.getContacts()).satisfiesExactly(contact -> {
                 assertThat(contact.getName()).isEqualTo("Foo Sr.");
                 assertThat(contact.getEmail()).isEqualTo("[email protected]");
                 assertThat(contact.getPhone()).isEqualTo("800-123-4567");
             });
         });
+
+        assertThat(project.getMetadata()).isNotNull();
+        assertThat(project.getMetadata().getAuthors()).satisfiesExactly(contact -> {
+            assertThat(contact.getName()).isEqualTo("Author");
+            assertThat(contact.getEmail()).isEqualTo("[email protected]");
+            assertThat(contact.getPhone()).isEqualTo("123-456-7890");
+        });
         assertThat(project.getMetadata().getSupplier()).satisfies(manufacturer -> {
             assertThat(manufacturer.getName()).isEqualTo("Foo Incorporated");
             assertThat(manufacturer.getUrls()).containsOnly("https://foo.bar.com");