
Supplier and manufacturer corrections #3179

Merged

Conversation

nscuro
Member

@nscuro nscuro commented Nov 7, 2023

Description

This PR introduces a new database table, PROJECT_METADATA.

This table is used to store information that is located in the metadata node of CycloneDX documents, but does not directly refer to metadata.component (the project in DT's data model). This currently includes:

  • metadata.authors: (Human) authors of the BOM
  • metadata.supplier: Supplier organization of the BOM

authors and supplier are not stored in dedicated tables, but as serialized JSON in a TEXT column instead. As opposed to the ORM's default @Serialized, this makes it possible for RDBMSes with native JSON support to query the contents of those fields.

Note
PROJECT_METADATA is only populated at BOM ingestion, and is not currently modifiable via UI or REST API.

Addressed Issue

#2737 (comment)

Closes #2737

Additional Details

Frontend PR: DependencyTrack/frontend#646

Schema of the new table:

Name        Type    Nullable  Example
PROJECT_ID  BIGINT            1
SUPPLIER    TEXT              {"name": "bar"}
AUTHORS     TEXT              [{"name": "baz"}]

Checklist

  • I have read and understand the contributing guidelines
  • This PR fixes a defect, and I have provided tests to verify that the fix is effective
  • This PR implements an enhancement, and I have provided tests to verify that it works as intended
  • This PR introduces changes to the database model, and I have added corresponding update logic
  • This PR introduces new or alters existing behavior, and I have updated the documentation accordingly
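The description above argues that storing supplier and authors as JSON text (rather than @Serialized blobs) lets the database itself answer questions about BOM provenance. The following is an added example, not code from the Dependency-Track project: it builds the PROJECT_METADATA table from the PR's schema in an in-memory SQLite database and runs the kind of JSON queries the PR has in mind (which projects a given supplier delivered BOMs for, which projects ingested a BOM with no supplier at all, how many authors each BOM lists). SQLite's json_extract / json_array_length are assumed here as a stand-in for the JSON functions of the production RDBMS, and all rows are constructed sample data.

```python
import json
import sqlite3

# Table layout taken from the PR description. SQLite's JSON1 functions stand in for
# whatever native JSON support the production RDBMS offers (assumption for this example).
SCHEMA = """
CREATE TABLE PROJECT_METADATA (
    PROJECT_ID INTEGER PRIMARY KEY,
    SUPPLIER   TEXT,
    AUTHORS    TEXT
);
"""

# Constructed sample rows: serialized JSON exactly as the PR stores it, one row per project.
SAMPLE_ROWS = [
    (1, {"name": "bar"}, [{"name": "baz"}]),
    (2, {"name": "Acme Corp", "urls": ["https://acme.example"]}, [{"name": "alice"}, {"name": "bob"}]),
    (3, None, []),  # BOM ingested without a metadata.supplier node
]

def build_db() -> sqlite3.Connection:
    """Create the table and load the constructed rows, serializing dicts/lists to JSON text."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO PROJECT_METADATA (PROJECT_ID, SUPPLIER, AUTHORS) VALUES (?, ?, ?)",
        [(pid, None if s is None else json.dumps(s), json.dumps(a)) for pid, s, a in SAMPLE_ROWS],
    )
    return conn

def projects_by_supplier(conn: sqlite3.Connection, supplier_name: str) -> list[int]:
    """Project IDs whose BOM was supplied by the given organization, filtered inside SQL."""
    rows = conn.execute(
        "SELECT PROJECT_ID FROM PROJECT_METADATA "
        "WHERE json_extract(SUPPLIER, '$.name') = ? ORDER BY PROJECT_ID",
        (supplier_name,),
    ).fetchall()
    return [r[0] for r in rows]

def projects_without_supplier(conn: sqlite3.Connection) -> list[int]:
    """Projects whose ingested BOM declared no supplier: a provenance gap worth reviewing."""
    rows = conn.execute(
        "SELECT PROJECT_ID FROM PROJECT_METADATA "
        "WHERE SUPPLIER IS NULL OR json_extract(SUPPLIER, '$.name') IS NULL ORDER BY PROJECT_ID"
    ).fetchall()
    return [r[0] for r in rows]

def author_counts(conn: sqlite3.Connection) -> dict[int, int]:
    """Number of BOM authors per project, computed from the AUTHORS JSON array in SQL."""
    rows = conn.execute(
        "SELECT PROJECT_ID, json_array_length(AUTHORS) FROM PROJECT_METADATA ORDER BY PROJECT_ID"
    ).fetchall()
    return {pid: n for pid, n in rows}
```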

@nscuro nscuro added this to the 4.10 milestone Nov 7, 2023
@nscuro nscuro force-pushed the supplier-manufacturer-corrections branch from fa6f8a7 to 81eebdd Compare November 14, 2023 14:24
This maps to `metadata.manufacturer` and `metadata.supplier` in CycloneDX.

Signed-off-by: nscuro <[email protected]>
Components do not have manufacturers in CycloneDX, but they do have suppliers: https://cyclonedx.org/docs/1.5/json/#components

Additionally, add `supplier` to the default fetch group, as otherwise it would be lazy-loaded.

Signed-off-by: nscuro <[email protected]>
…supplier`

Use JSON for serialization instead of DataNucleus' `@Serialized`, as this makes it possible for non-DataNucleus and non-Java applications to access and query the data.

Most RDBMSes also support JSON queries, which can come in handy here for analytics queries.

Signed-off-by: nscuro <[email protected]>
@nscuro nscuro force-pushed the supplier-manufacturer-corrections branch from dddaa18 to 609c4f8 Compare November 27, 2023 19:07
As per CycloneDX specification, `metadata.manufacturer` refers to `metadata.component`, whereas `metadata.supplier` and `metadata.authors` refer to the BOM itself.

Keeping `manufacturer` in `ProjectMetadata` is awkward and confusing.

Signed-off-by: nscuro <[email protected]>
@nscuro nscuro marked this pull request as ready for review November 27, 2023 21:50
@nscuro nscuro merged commit 065e483 into DependencyTrack:master Nov 28, 2023
9 checks passed
@nscuro nscuro deleted the supplier-manufacturer-corrections branch November 28, 2023 22:42
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 29, 2023