Add suppress and unsuppress for all projects #4880
This commit introduces functionality to suppress or unsuppress a vulnerability in all projects where the affected component appears. It streamlines bulk vulnerability management across projects, reducing the need for repetitive actions and ensuring consistent analysis state for shared components. Signed-off-by: rufhe513 <rufhe513@student.liu.se>
Did I miss something, or would this circumvent ACL permissions? If User A suppresses this in Project A with this flag active, this would also suppress the finding in Projects B and C. However, if the user only has permissions on A+B, not on C, he would still alter this for project C. This is a no-go :( I also have the need for something like this, but this needs more detailed planning I think. The even more important use case for me would e.g. be to add a vuln analysis to all versions of the same project, but not to completely different projects.
List<Component> matchingComponents = new ArrayList<>(); | ||
if(request.isSuppressAllFlag()) { | ||
List<Project> allProjects = qm.getProjects().getList(Project.class); | ||
for (Project project1 : allProjects) { | ||
List<Component> components = qm.getAllComponents(project1); | ||
for (Component c : components) { | ||
if (c.getName().equals(component.getName()) && c.getVersion().compareTo(component.getVersion()) <= 0) { | ||
matchingComponents.add(c); | ||
} | ||
} | ||
} | ||
} else { | ||
matchingComponents.add(component); | ||
} | ||
|
||
String commenter = null; |
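Review bot: the `suppressAllFlag` branch iterates every project returned by `qm.getProjects()` with no access-control check, so a caller whose team can only see some projects still changes the analysis state in the others (the ACL concern raised above); the matching should be restricted to projects the caller is permitted to modify before anything is added to `matchingComponents`. Two more points in the same loop: `Component.getVersion()` is a `String`, so `c.getVersion().compareTo(component.getVersion()) <= 0` is a lexicographic comparison ("2.9.1" sorts after "2.14.1") and will include or skip the wrong versions, and it throws a `NullPointerException` for components with no version; and matching on `getName()` alone ignores group and purl, so unrelated components that merely share a name would be suppressed together. Suggest matching on purl (or group plus name), replacing the string `compareTo` with a real version comparator or an explicit list of affected versions, and checking that `getProjects().getList(Project.class)` is not page-limited by the request's pagination, since a paginated result here would silently leave projects out.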
This looks inefficient as it will retrieve all components one-by-one. There also seems to be an assumption that the suppression needs to happen for all versions older than or equal to the version of the component selected for the suppression?
@@ -74,7 +76,8 @@ public AnalysisRequest(@JsonProperty(value = "project") String project, | |||
@JsonProperty(value = "analysisResponse") AnalysisResponse analysisResponse, | |||
@JsonProperty(value = "analysisDetails") String analysisDetails, | |||
@JsonProperty(value = "comment") String comment, | |||
@JsonProperty(value = "isSuppressed") Boolean suppressed) { | |||
@JsonProperty(value = "isSuppressed") Boolean suppressed, | |||
@JsonProperty(value = "suppressAllFlag") Boolean suppressAllFlag) { |
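Review bot: `suppressAllFlag` is a boxed `Boolean` with no default, so requests from existing clients that omit the new property arrive with `null`; if `isSuppressAllFlag()` is unboxed in an `if`, every caller that has not upgraded gets a `NullPointerException` instead of the old behaviour. Suggest either declaring it as a primitive `boolean` (Jackson defaults a missing property to `false`) or assigning `this.suppressAllFlag = suppressAllFlag != null && suppressAllFlag;` in the constructor so the field is never null, and adding a one-line description of the property so API consumers know it widens the scope of the analysis beyond the `project` given in the same request.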
Not sure if this is a clear enough name, but I think the Flag part should be removed from the name.
Not sure what the future plans of DT are regarding bulk suppression, but maybe it would be better implemented in the Audit Vulnerabilities view.
…-track into issue3-final
Description
This commit introduces functionality to suppress or unsuppress a vulnerability in all projects where the affected component appears. It streamlines bulk vulnerability management across projects, reducing the need for repetitive actions and ensuring consistent analysis state for shared components.
Addressed Issue
closes #1495
Additional Details
This fix identifies the component to be suppressed across all projects in which it appears. It matches components by name and compares their versions. Only components with a version less than or equal to the selected component’s version will be suppressed.
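The matching rule described above (same name, version less than or equal to the selected one) gives different results depending on how versions are compared. The following is an added illustration, not code from this PR or from Dependency-Track: `Component` is a hypothetical stand-in with only the two fields the rule reads, `compareNumeric` is an assumed segment-wise comparator for plain dotted-integer versions, and the inventory is constructed sample data.

```java
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;

// Hypothetical stand-in for Dependency-Track's Component: only the two fields
// the PR's matching rule reads (name, version) are modelled.
record Component(String name, String version) {}

public class SuppressionScope {
    // The PR's rule: same name and version "less than or equal" to the selected one.
    // Which components match depends entirely on how versions are compared.
    static List<Component> match(Component selected, List<Component> all, Comparator<String> byVersion) {
        List<Component> out = new ArrayList<>();
        for (Component c : all) {
            if (c.name().equals(selected.name()) && byVersion.compare(c.version(), selected.version()) <= 0) {
                out.add(c);
            }
        }
        return out;
    }

    // What the hunk does: String.compareTo, i.e. character-by-character, so "2.9.1" > "2.14.1".
    static final Comparator<String> LEXICOGRAPHIC = String::compareTo;

    // Segment-wise numeric comparison; assumes plain dotted-integer versions ("2.14.1").
    static int compareNumeric(String a, String b) {
        String[] pa = a.split("\\."), pb = b.split("\\.");
        for (int i = 0; i < Math.max(pa.length, pb.length); i++) {
            int x = i < pa.length ? Integer.parseInt(pa[i]) : 0;
            int y = i < pb.length ? Integer.parseInt(pb[i]) : 0;
            if (x != y) return Integer.compare(x, y);
        }
        return 0;
    }

    public static void main(String[] args) {
        // Constructed inventory, as if gathered from several projects.
        List<Component> inventory = List.of(
            new Component("log4j-core", "2.9.1"),
            new Component("log4j-core", "2.14.1"),
            new Component("log4j-core", "2.17.0"),
            new Component("other-lib", "2.9.1"));
        Component selected = new Component("log4j-core", "2.14.1");
        // Lexicographic misses 2.9.1 (the older, still-affected version); numeric includes it.
        System.out.println("lexicographic: " + match(selected, inventory, LEXICOGRAPHIC));
        System.out.println("numeric:       " + match(selected, inventory, SuppressionScope::compareNumeric));
    }
}
```

With the string comparison only `2.14.1` matches, while the numeric comparison returns `2.9.1` and `2.14.1`; whichever ordering is intended, the scope should also be limited to projects the caller is allowed to modify.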
I have also contributed to the frontend:
DependencyTrack/frontend#1236
Checklist