Affected projects tab not updated when switching between aliases

[valentijnscholten]

Current Behavior

When viewing a vulnerability, it shows the number of affected projects in the header of that tab. When switching to an alias the screen gets updated with the data from the alias, but the affected project tab does not get updated. The affected number of projects is/will probably be wrong in this case.

Steps to Reproduce

1. Go to a vulnerability that has some affected projects and at least one alias, i.e. https://dt/vulnerabilities/NVD/CVE-2023-29197
2. Observe affected project count = X
3. Click on an alias
4. Observe affected project count is still X
5. Press F5
6. Observe affected project count is (usually) Y

Expected Behavior

The affected projects tab should be updated when switching between aliases.
I can see in the Bootstrap code this tab is "hardcodedly injected" and not tied to any bootstrap lifecycle or events.

Dependency-Track Frontend Version

4.8.0

Browser

Google Chrome

Browser Version

No response

Operating System

Windows

Checklist

• I have read and understand the contributing guidelines
• I have checked the existing issues for whether this defect was already reported

[valentijnscholten]

@sephiroth-j Are you willing to help out on this one?
As a complete Vue newb I thought a quick google search would help me out here. But none of those results are working. Possibly because how the component is embedded in the template, I don't know. I also tried an event, but realized Vue is (supposed to be?) around 'properties down, events up`.

[sephiroth-j]

I can take a look but it would help a lot if you can share a sbom with a suitable sample project (one that has a vulnerability with an alias).

[valentijnscholten]

Hree's two SBOMs. One affected by CVE-2023-29197 and GHSA-wxmh-65f7-jcvw, the other only by GHSA-wxmh-65f7-jcvw. Had to zip them as GitHub doesn't like json files.
affected projects.zip

[sephiroth-j]

I just wanted to report back that I found the error and fixed it. In the process I found other errors in the tab handling and also in the backend. I will report back later.

[sephiroth-j]

As mentioned in my previous comment, there are several issues.

1. that the table is not updated is because the AffectedProjects component does not respond to changes in routing and the URL for the backend query is not updated.

2. it also turned out that the backend does not return affected projects for aliases. When we ship the fix for this, it will be even more noticeable! One of the sample projects is affected by CVE-2023-29197. The backend provides the expected response for this.

http://localhost:8080/api/v1/vulnerability/source/NVD/vuln/CVE-2023-29197/projects?searchText=

[{"name":"issue-481","version":"2","classifier":"APPLICATION","directDependencies":"[{\"name\":\"installers\",\"purl\":\"pkg:composer/composer/installers@1.12.0\",\"uuid\":\"7f7b2116-dc9f-4d06-abaf-74f0e72d7918\",\"version\":\"1.12.0\",\"group\":\"composer\",\"purlCoordinates\":\"pkg:composer/composer/installers@1.12.0\",\"objectType\":\"COMPONENT\"},{\"name\":\"shopware-sentry\",\"purl\":\"pkg:composer/onedrop/shopware-sentry@2.0.5\",\"uuid\":\"3267e769-292b-48e5-b8fb-05a332d37fdd\",\"version\":\"2.0.5\",\"group\":\"onedrop\",\"purlCoordinates\":\"pkg:composer/onedrop/shopware-sentry@2.0.5\",\"objectType\":\"COMPONENT\"},{\"name\":\"shopware\",\"purl\":\"pkg:composer/shopware/shopware@5.7.6\",\"uuid\":\"7b2abf7d-3671-4f3e-a1df-80e06ed5cbdd\",\"version\":\"5.7.6\",\"group\":\"shopware\",\"purlCoordinates\":\"pkg:composer/shopware/shopware@5.7.6\",\"objectType\":\"COMPONENT\"},{\"name\":\"ontiussimplesearch\",\"purl\":\"pkg:composer/store.shopware.com/ontiussimplesearch@4.1.59\",\"uuid\":\"6d105fd9-fb29-4fdd-bb19-5a76f80fc9d1\",\"version\":\"4.1.59\",\"group\":\"store.shopware.com\",\"purlCoordinates\":\"pkg:composer/store.shopware.com/ontiussimplesearch@4.1.59\",\"objectType\":\"COMPONENT\"},{\"name\":\"phpdotenv\",\"purl\":\"pkg:composer/vlucas/phpdotenv@3.6.10\",\"uuid\":\"85b91a80-f306-407d-9548-7fd8c9cd1cc3\",\"version\":\"3.6.10\",\"group\":\"vlucas\",\"purlCoordinates\":\"pkg:composer/vlucas/phpdotenv@3.6.10\",\"objectType\":\"COMPONENT\"},{\"name\":\"wbm-tag-manager\",\"purl\":\"pkg:composer/webmatch/wbm-tag-manager@3.5.6\",\"uuid\":\"2ba6330d-d718-42fb-b62f-f35b2af00dc8\",\"version\":\"3.5.6\",\"group\":\"webmatch\",\"purlCoordinates\":\"pkg:composer/webmatch/wbm-tag-manager@3.5.6\",\"objectType\":\"COMPONENT\"},{\"name\":\"composer-git-hooks-standard\",\"purl\":\"pkg:composer/redacted/composer-git-hooks-standard@2.1.0?checksum=sha1%3A858ad6c5329ba062233514352c336311bf92ddbc\",\"uuid\":\"63f6fc8a-eebd-4e45-b776-d91809bad9ba\",\"version\":\"2.1.0\",\"group\":\"redacted\",\"purlCoordinates\":\"pkg:composer/redacted/composer-git-hooks-standard@2.1.0\",\"objectType\":\"COMPONENT\"},{\"name\":\"php-code-sniffer-baseliner\",\"purl\":\"pkg:composer/redacted/php-code-sniffer-baseliner@2.1.1\",\"uuid\":\"6735ff10-bc44-4178-8819-047cbb145fcb\",\"version\":\"2.1.1\",\"group\":\"redacted\",\"purlCoordinates\":\"pkg:composer/redacted/php-code-sniffer-baseliner@2.1.1\",\"objectType\":\"COMPONENT\"},{\"name\":\"php-code-sniffer-standard\",\"purl\":\"pkg:composer/redacted/php-code-sniffer-standard@19.0.0\",\"uuid\":\"3e3dcd03-f48f-4c49-bc3c-f3fab0f486a2\",\"version\":\"19.0.0\",\"group\":\"redacted\",\"purlCoordinates\":\"pkg:composer/redacted/php-code-sniffer-standard@19.0.0\",\"objectType\":\"COMPONENT\"},{\"name\":\"extension-installer\",\"purl\":\"pkg:composer/phpstan/extension-installer@1.1.0\",\"uuid\":\"0d9d75dd-cacc-4948-af03-3f6edbb41f8b\",\"version\":\"1.1.0\",\"group\":\"phpstan\",\"purlCoordinates\":\"pkg:composer/phpstan/extension-installer@1.1.0\",\"objectType\":\"COMPONENT\"},{\"name\":\"phpstan\",\"purl\":\"pkg:composer/phpstan/phpstan@1.5.7\",\"uuid\":\"857c7d42-47e9-43ca-a8f0-0907b369e20f\",\"version\":\"1.5.7\",\"group\":\"phpstan\",\"purlCoordinates\":\"pkg:composer/phpstan/phpstan@1.5.7\",\"objectType\":\"COMPONENT\"},{\"name\":\"phpstan-strict-rules\",\"purl\":\"pkg:composer/phpstan/phpstan-strict-rules@1.1.0\",\"uuid\":\"3b12c708-41d3-4733-ae8e-e23734f9214a\",\"version\":\"1.1.0\",\"group\":\"phpstan\",\"purlCoordinates\":\"pkg:composer/phpstan/phpstan-strict-rules@1.1.0\",\"objectType\":\"COMPONENT\"}]","uuid":"66f62111-c0c2-4dcb-82cf-c80f30894770","properties":[],"tags":[],"lastBomImport":1685297363288,"lastBomImportFormat":"CycloneDX 1.4","lastInheritedRiskScore":35.0,"active":true}]

The alias for this is GHSA-wxmh-65f7-jcvw. However, the response to this is an empty array.

http://localhost:8080/api/v1/vulnerability/source/GITHUB/vuln/GHSA-wxmh-65f7-jcvw/projects?searchText=

[]

3. the tab name was extracted from the URL via regex - this is a little smelly. Optional path parameters should be used instead.

4. the component contained logic to catch unknown tab names. This is better off in the router configuration

5. activation of tabs also caused a Vue warning

Avoid mutating a prop directly since the value will be overwritten whenever the parent component re-renders. Instead, use a data or computed property based on the prop's value. Prop being mutated: "active"

I have fixed the first problem and the tab handling issues on the Vulnerability component as an example, but would create a separate PR for the others.

[sephiroth-j]

filed DependencyTrack/dependency-track/issues/2794 for the backend issue