Add missing support for supplier and manufacturer #2737

Closed
2 tasks done
stevespringett opened this issue May 11, 2023 · 6 comments · Fixed by #3179
Labels: cdx-1.4 (Related to CycloneDX specification v1.4), enhancement (New feature or request), p1 (Critical bugs that prevent DT from being used, or features that must be implemented ASAP)

Comments

@stevespringett (Member)

Current Behavior

DT does not support supplier on the component or supplier and manufacturer at the metadata level. This is an oversight as OrganizationalEntity.java was created for this purpose and is used by CycloneDX service to support providers. But OrganizationalEntity was never added to the BOM or component objects.

Proposed Behavior

Add support for supplier on the component and supplier and manufacturer at the BOM metadata level.

Considering this is an NTIA minimum requirement, this needs to be added asap.

Checklist

@stevespringett stevespringett added the enhancement New feature or request label May 11, 2023
@stevespringett stevespringett added this to the 4.9 milestone May 11, 2023
@stevespringett (Member, Author)

Related to #2373

@msymons msymons added p1 Critical bugs that prevent DT from being used, or features that must be implemented ASAP cdx-1.4 Related to CycloneDX specification v1.4 labels May 11, 2023
melba-lopez added a commit to melba-lopez/dependency-track that referenced this issue Jun 29, 2023
melba-lopez added a commit to melba-lopez/dependency-track that referenced this issue Jul 4, 2023
melba-lopez added a commit to melba-lopez/dependency-track that referenced this issue Jul 6, 2023
…plier, still tweaking how to add supplier contact info; addressing Issue DependencyTrack#2737

Signed-off-by: Melba Lopez <[email protected]>
@melba-lopez melba-lopez self-assigned this Sep 15, 2023
melba-lopez added a commit to melba-lopez/dependency-track that referenced this issue Sep 24, 2023
* Initial commit for addressing Issue DependencyTrack#2737

Signed-off-by: Melba Lopez <[email protected]>

* Adding supplier support with fix for organizational entity; addressing Issue DependencyTrack#2737

Signed-off-by: Melba Lopez <[email protected]>

* Added a persistent column for supplier, bom upload processing for supplier, still tweaking how to add supplier contact info; addressing Issue DependencyTrack#2737

Signed-off-by: Melba Lopez <[email protected]>

* Updates per nscuro comments.

Co-authored by: Melba Lopez <[email protected]>
Co-authored by: nscuro <[email protected]>

Signed-off-by: Melba Lopez <[email protected]>

* Update Component.java - missing ;
Signed-off-by: Melba Lopez <[email protected]>

* Update ModelConverter.java

Putting back code (mouse is acting up on me and accidentally deleted code)
Signed-off-by: Melba Lopez <[email protected]>

---------

Signed-off-by: Melba Lopez <[email protected]>
@nscuro nscuro modified the milestones: 4.9, 4.9.1 Oct 16, 2023
@nscuro nscuro modified the milestones: 4.9.1, 4.10 Oct 26, 2023
leec94 (Contributor) commented Nov 6, 2023

Is this completed now with the merged PR? @nscuro

nscuro (Member) commented Nov 7, 2023

Hey @leec94, I found a few wrinkles while dabbling around locally:

  1. As per CDX spec, components have only suppliers, but no manufacturers. The current implementation has both assigned to Project and Component, but manufacturer can never be populated for those.
  2. metadata.manufacture and metadata.supplier in the spec map to Bom#manufacture and Bom#supplier respectively. The current implementation however assigns metadata.manufacture to Project#manufacture, and metadata.component.supplier and metadata.supplier are ignored entirely.
  3. We need changes in the frontend to display this information. ComponentDetailsModal and ProjectDetailsModal must be extended with a Supplier tab. We have something similar for service providers in ServiceDetailsModal already.

I raised #3179 with some initial work for (1) and (2).

Another more general complication I'm seeing: If metadata.manufacturer and metadata.supplier map to the Bom model in DT, then how should DT behave when exporting a project as CycloneDX again?

The relationship between Bom and Project in DT is N:1, and because projects can be edited manually there is no guarantee that the last uploaded BOM still represents reality. Also, binding these attributes to Bom means that users will never be able to manually craft manufacturer and supplier data in DT, without having uploaded a BOM before.

@stevespringett, any thoughts? I think we may need a new table to track this kind of metadata (PROJECT_METADATA?). That table would then also hold things like tools, lifecycle, authors, etc. in the future.

nscuro (Member) commented Nov 7, 2023

Ah, found this #2373 (comment):

These things could also be asserted in a BOM and we should likely store them somewhere related to the project, but also lock them so that they cannot be modified.

I think that answers my question. So separate table it is.

nscuro (Member) commented Nov 8, 2023

OK I may have gotten it wrong again.

It seems like metadata.manufacturer would indeed map to Project#manufacturer. But metadata.supplier would be something separate from Project, because there's already metadata.component.supplier that maps to Project#supplier.

So something along the lines of:

[image: diagram of the proposed mapping, not reproduced]

For reference, I asked about these fields in the #specification CycloneDX Slack channel: https://cyclonedx.slack.com/archives/CVA0G10FN/p1699447821448959
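Added example, not Dependency-Track's code: a small Python check that reads a constructed CycloneDX 1.4 BOM and applies the field mapping worked out in the Nov 7 and Nov 8 comments (metadata.manufacture, metadata.supplier, metadata.component.supplier), plus the per-component supplier check that the issue's NTIA remark calls for. The field names are the 1.4 schema's; the sample BOM and the Project/BOM dictionary keys are assumptions.

```python
"""Map CycloneDX 1.4 supplier/manufacturer fields the way the thread settles on.
Added example, not Dependency-Track code; the BOM below is constructed."""
import json

# Constructed sample CycloneDX 1.4 BOM (not taken from the issue). The
# 'manufacture' key spelling is the 1.4 schema's, as quoted in the thread.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {
        "manufacture": {"name": "Example Manufacturing Inc"},
        "supplier": {"name": "Example BOM Supplier LLC"},
        "component": {"type": "application", "name": "acme-app",
                      "supplier": {"name": "Acme Corp"}},
    },
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.0",
         "supplier": {"name": "Foo Vendors"}},
        {"type": "library", "name": "libbar", "version": "2.3"},  # no supplier
    ],
})


def org_name(entity):
    """Return an OrganizationalEntity's name, or None if it is absent."""
    return entity.get("name") if isinstance(entity, dict) else None


def map_metadata(bom_json):
    """Mapping from the Nov 8 comment: metadata.manufacture -> Project
    manufacturer, metadata.component.supplier -> Project supplier, and
    metadata.supplier kept separate as the BOM-level supplier."""
    meta = json.loads(bom_json).get("metadata", {})
    return {
        "project_manufacturer": org_name(meta.get("manufacture")),
        "project_supplier": org_name(meta.get("component", {}).get("supplier")),
        "bom_supplier": org_name(meta.get("supplier")),
    }


def components_missing_supplier(bom_json):
    """Names of components with no supplier name (the NTIA minimum element the
    issue cites). Rejects 'manufacturer' on a component, which the 1.4
    component schema does not define (point 1 of the Nov 7 comment)."""
    missing = []
    for comp in json.loads(bom_json).get("components", []):
        if "manufacturer" in comp:
            raise ValueError(f"{comp['name']}: components carry supplier only")
        if org_name(comp.get("supplier")) is None:
            missing.append(comp["name"])
    return missing
```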


@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 29, 2023