Merge pull request #1072 from DependencyTrack/component-occurrences

Ingest component occurrences

Author: nscuro

pom.xml

@@ -92,7 +92,7 @@
         <lib.cpe-parser.version>2.1.0</lib.cpe-parser.version>
         <lib.cvss-calculator.version>1.4.3</lib.cvss-calculator.version>
         <lib.owasp-rr-calculator.version>1.0.1</lib.owasp-rr-calculator.version>
-        <lib.cyclonedx-java.version>9.1.0</lib.cyclonedx-java.version>
+        <lib.cyclonedx-java.version>10.1.0</lib.cyclonedx-java.version>
         <lib.datanucleus-postgresql.version>0.3.0</lib.datanucleus-postgresql.version>
         <lib.jaxb.runtime.version>4.0.5</lib.jaxb.runtime.version>
         <!--

src/main/java/org/dependencytrack/model/Component.java

@@ -35,6 +35,10 @@
 import org.dependencytrack.persistence.converter.OrganizationalEntityJsonConverter;
 import org.dependencytrack.resources.v1.serializers.CustomPackageURLSerializer;
 
+import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.NotNull;
+import jakarta.validation.constraints.Pattern;
+import jakarta.validation.constraints.Size;
 import javax.jdo.annotations.Column;
 import javax.jdo.annotations.Convert;
 import javax.jdo.annotations.Element;
@@ -51,13 +55,10 @@
 import javax.jdo.annotations.PrimaryKey;
 import javax.jdo.annotations.Serialized;
 import javax.jdo.annotations.Unique;
-import jakarta.validation.constraints.NotBlank;
-import jakarta.validation.constraints.NotNull;
-import jakarta.validation.constraints.Pattern;
-import jakarta.validation.constraints.Size;
 import java.io.Serializable;
 import java.util.ArrayList;
 import java.util.Collection;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
 import java.util.UUID;
@@ -80,6 +81,7 @@
                 @Persistent(name = "vulnerabilities"),
         }),
         @FetchGroup(name = "BOM_UPLOAD_PROCESSING", members = {
+                @Persistent(name = "occurrences"),
                 @Persistent(name = "properties")
         }),
         @FetchGroup(name = "IDENTITY", members = {
@@ -356,6 +358,10 @@ public enum FetchGroup {
     @Order(extensions = @Extension(vendorName = "datanucleus", key = "list-ordering", value = "id ASC"))
     private Collection<Component> children;
 
+    @Persistent(mappedBy = "component", defaultFetchGroup = "false")
+    @JsonIgnore
+    private Set<ComponentOccurrence> occurrences;
+
     @Persistent(mappedBy = "component", defaultFetchGroup = "false")
     @Order(extensions = @Extension(vendorName = "datanucleus", key = "list-ordering", value = "groupName ASC, propertyName ASC, id ASC"))
     private List<ComponentProperty> properties;
@@ -406,6 +412,10 @@ public enum FetchGroup {
     private transient boolean expandDependencyGraph;
     private transient String author;
 
+    // TODO: Move this to another class, similar to ConciseProjectListItem.
+    //  This is only relevant when listing components.
+    private transient Long occurrenceCount;
+
     public Component(){}
 
     public Component(final long id) {
@@ -751,6 +761,21 @@ public void setChildren(Collection<Component> children) {
         this.children = children;
     }
 
+    public Set<ComponentOccurrence> getOccurrences() {
+        return occurrences;
+    }
+
+    public void setOccurrences(final Set<ComponentOccurrence> occurrences) {
+        this.occurrences = occurrences;
+    }
+
+    public void addOccurrence(final ComponentOccurrence occurrence) {
+        if (occurrences == null) {
+            occurrences = new HashSet<>();
+        }
+        occurrences.add(occurrence);
+    }
+
     public List<ComponentProperty> getProperties() {
         return properties;
     }
@@ -759,6 +784,13 @@ public void setProperties(List<ComponentProperty> properties) {
         this.properties = properties;
     }
 
+    public void addProperty(final ComponentProperty property) {
+        if (properties == null) {
+            properties = new ArrayList<>();
+        }
+        properties.add(property);
+    }
+
     public List<Vulnerability> getVulnerabilities() {
         return vulnerabilities;
     }
@@ -891,6 +923,14 @@ public void setAuthor(String author){
         this.author=author;
     }
 
+    public Long getOccurrenceCount() {
+        return occurrenceCount;
+    }
+
+    public void setOccurrenceCount(final Long occurrenceCount) {
+        this.occurrenceCount = occurrenceCount;
+    }
+
     @Override
     public String toString() {
         if (getPurl() != null) {

src/main/java/org/dependencytrack/model/ComponentOccurrence.java

@@ -0,0 +1,168 @@
+/*
+ * This file is part of Dependency-Track.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
+ */
+package org.dependencytrack.model;
+
+import com.fasterxml.jackson.annotation.JsonFormat;
+import com.fasterxml.jackson.annotation.JsonIgnore;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import org.datanucleus.api.jdo.annotations.CreateTimestamp;
+
+import javax.jdo.annotations.Column;
+import javax.jdo.annotations.ForeignKey;
+import javax.jdo.annotations.ForeignKeyAction;
+import javax.jdo.annotations.Index;
+import javax.jdo.annotations.NotPersistent;
+import javax.jdo.annotations.PersistenceCapable;
+import javax.jdo.annotations.Persistent;
+import javax.jdo.annotations.PrimaryKey;
+import java.time.Instant;
+import java.util.UUID;
+
+/**
+ * @since 5.6.0
+ */
+@PersistenceCapable(table = "COMPONENT_OCCURRENCE")
+@JsonInclude(JsonInclude.Include.NON_NULL)
+public class ComponentOccurrence {
+
+    public record Identity(
+            String location,
+            Integer line,
+            Integer offset,
+            String symbol) {
+
+        public static Identity of(final ComponentOccurrence occurrence) {
+            return new Identity(
+                    occurrence.getLocation(),
+                    occurrence.getLine(),
+                    occurrence.getOffset(),
+                    occurrence.getSymbol());
+        }
+
+    }
+
+    @PrimaryKey(name = "COMPONENT_OCCURRENCE_PK")
+    @Persistent(customValueStrategy = "uuid-v7")
+    @Column(name = "ID", sqlType = "UUID")
+    private UUID id;
+
+    @Persistent
+    @ForeignKey(
+            name = "COMPONENT_OCCURRENCE_COMPONENT_FK",
+            deferred = "true",
+            deleteAction = ForeignKeyAction.CASCADE,
+            updateAction = ForeignKeyAction.NONE)
+    @Index(name = "COMPONENT_OCCURRENCE_COMPONENT_ID_IDX")
+    @Column(name = "COMPONENT_ID", allowsNull = "false")
+    @JsonIgnore
+    private Component component;
+
+    @Persistent
+    @Column(name = "LOCATION")
+    private String location;
+
+    @Persistent
+    @Column(name = "LINE")
+    private Integer line;
+
+    @Persistent
+    @Column(name = "OFFSET")
+    private Integer offset;
+
+    @Persistent
+    @Column(name = "SYMBOL")
+    private String symbol;
+
+    @Persistent
+    @CreateTimestamp
+    @Column(name = "CREATED_AT")
+    @JsonFormat(
+            shape = JsonFormat.Shape.NUMBER_INT,
+            without = JsonFormat.Feature.WRITE_DATE_TIMESTAMPS_AS_NANOSECONDS)
+    private Instant createdAt;
+
+    @NotPersistent
+    @JsonIgnore
+    private transient Integer totalCount;
+
+    public UUID getId() {
+        return id;
+    }
+
+    public void setId(final UUID id) {
+        this.id = id;
+    }
+
+    public Component getComponent() {
+        return component;
+    }
+
+    public void setComponent(final Component component) {
+        this.component = component;
+    }
+
+    public String getLocation() {
+        return location;
+    }
+
+    public void setLocation(final String location) {
+        this.location = location;
+    }
+
+    public Integer getLine() {
+        return line;
+    }
+
+    public void setLine(final Integer line) {
+        this.line = line;
+    }
+
+    public Integer getOffset() {
+        return offset;
+    }
+
+    public void setOffset(final Integer offset) {
+        this.offset = offset;
+    }
+
+    public String getSymbol() {
+        return symbol;
+    }
+
+    public void setSymbol(final String symbol) {
+        this.symbol = symbol;
+    }
+
+    public Instant getCreatedAt() {
+        return createdAt;
+    }
+
+    public void setCreatedAt(final Instant createdAt) {
+        this.createdAt = createdAt;
+    }
+
+    public Integer getTotalCount() {
+        return totalCount;
+    }
+
+    public void setTotalCount(final Integer totalCount) {
+        this.totalCount = totalCount;
+    }
+
+}

src/main/java/org/dependencytrack/model/sqlmapping/ComponentProjection.java

@@ -159,6 +159,7 @@ public class ComponentProjection {
 
     public Boolean isCustomLicense;
 
+    public long occurrenceCount;
     public Long totalCount;
 
     public static Component mapToComponent(ComponentProjection result) {
@@ -197,6 +198,7 @@ public static Component mapToComponent(ComponentProjection result) {
         if (result.externalReferences != null) {
             componentPersistent.setExternalReferences(SerializationUtils.deserialize(result.externalReferences));
         }
+        componentPersistent.setOccurrenceCount(result.occurrenceCount);
         componentPersistent.setPurl(result.purl);
         componentPersistent.setPurlCoordinates(result.purlCoordinates);
         componentPersistent.setVersion(result.version);