/api/v1/sbom/{id}/advisory contains packages without id. #1043

Open
carlosthe19916 opened this issue Nov 22, 2024 · 6 comments
Comments

@carlosthe19916 (Member)

Steps to reproduce:

[
    {
        "uuid": "urn:uuid:e635c662-fc76-4c07-87b3-908226d95fd1",
        "identifier": "https://www.redhat.com/#CVE-2023-2798",
        "issuer": {
            "id": "a80a05f2-7a3c-48a3-9a17-5252f9f1c17e",
            "name": "Red Hat Product Security",
            "cpe_key": null,
            "website": null
        },
        "published": "2023-05-25T00:00:00Z",
        "modified": "2023-08-10T12:02:50Z",
        "withdrawn": null,
        "title": "Stack overflow crash causes Denial of Service (DoS)",
        "labels": {
            "type": "csaf"
        },
        "status": [
            {
                "normative": true,
                "identifier": "CVE-2023-2798",
                "title": null,
                "description": null,
                "reserved": null,
                "published": null,
                "modified": null,
                "withdrawn": null,
                "discovered": null,
                "released": null,
                "cwes": [],
                "average_severity": "high",
                "status": "not_affected",
                "context": {
                    "cpe": "cpe:/a:redhat:quarkus:2:*:*:*"
                },
                "packages": [
                    {
                        "id": "",
                        "name": "htmlUnit",
                        "version": null,
                        "purl": [],
                        "cpe": []
                    }
                ]
            }
        ]
    },

I cut the response short for readability.

If you look at the field status.packages, you will see a package without an id and with only a name.

The problem is that I am using this current data for the image below:

[image]

  • In the affected dependencies column you will see a count of packages affected by the vulnerability.
  • After clicking on a row or number in the affected dependencies column, there is supposed to be a table with all packages. Each package is linkable to the Package Details page, which means that for each package it should be possible to go to the Package Details page. For navigating to the UI Package Details page we need an ID for each package.
@jcrossley3 (Contributor)

I wondered about this TODO in the code. Is this issue the result of that TODO, @dejanb?

@jcrossley3 (Contributor)

> • get the quarkus-sbom advisories using /api/v1/sbom/urn%3Auuid%3A01935352-6dc7-7582-9241-b2577f404d3f/advisory

At the risk of telling you something you already know, those IDs are universally unique, so they will never match any other SBOM ingested in anyone else's environment.

If you wanted to be pedantic in your already-excellently-detailed steps to reproduce you could do something like:

ID=$(http get "http://localhost:8080/api/v1/sbom?q=quarkus" | jq -r '.items[0].id')
http get "http://localhost:8080/api/v1/sbom/$ID/advisory" | jq . | head -n 100

But it's not necessary.

And it's totally fine to refer to your own IDs in your issues; I just wanted to make sure you knew they were meaningless in any db other than your own. Apologies if you already did. 😄
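A reproducible check for the condition this thread reports, added here as an example and not code from the Trustify project or from either commenter. It walks status[].packages[] of an advisory response and lists every package whose id is missing or empty, and it counts listed versus linkable packages per vulnerability, which is exactly the gap between the affected-dependencies count and the package table that the issue describes. The sample response is constructed from the first advisory above, trimmed to the fields the check reads, with a second package added for contrast; that package's id and purl are hypothetical. The script name in the usage note is also hypothetical.

```python
import json
import sys

# Constructed sample response (not captured from a live instance): the first
# advisory from the issue, trimmed to the fields this check reads, plus a second
# package with a hypothetical id and purl so the filter has something to keep.
SAMPLE_RESPONSE = json.dumps([
    {
        "uuid": "urn:uuid:e635c662-fc76-4c07-87b3-908226d95fd1",
        "identifier": "https://www.redhat.com/#CVE-2023-2798",
        "status": [
            {
                "identifier": "CVE-2023-2798",
                "status": "not_affected",
                "packages": [
                    {"id": "", "name": "htmlUnit", "version": None, "purl": [], "cpe": []},
                    {
                        # hypothetical package id and purl, added for contrast
                        "id": "00000000-0000-4000-8000-000000000001",
                        "name": "example-lib",
                        "version": "1.2.3",
                        "purl": ["pkg:maven/org.example/example-lib@1.2.3"],
                        "cpe": [],
                    },
                ],
            }
        ],
    }
])


def iter_status_packages(advisories):
    """Yield (advisory identifier, vulnerability identifier, package dict) for
    every entry under status[].packages[] in an advisory list. Missing or null
    lists are treated as empty rather than raising."""
    for advisory in advisories:
        for status in advisory.get("status") or []:
            for package in status.get("packages") or []:
                yield advisory.get("identifier"), status.get("identifier"), package


def has_id(package):
    """True only when the package carries a non-blank id the UI can link on."""
    return bool((package.get("id") or "").strip())


def packages_without_id(advisories):
    """Packages the UI cannot route to a Package Details page: id absent, null
    or empty string. Returns a list of (advisory, vulnerability, package name)."""
    return [
        (adv, vuln, pkg.get("name"))
        for adv, vuln, pkg in iter_status_packages(advisories)
        if not has_id(pkg)
    ]


def affected_dependency_counts(advisories):
    """Per vulnerability identifier: (packages listed, packages with an id).
    A difference between the two numbers is the mismatch between the
    affected-dependencies count and the linkable rows in the package table."""
    counts = {}
    for _adv, vuln, pkg in iter_status_packages(advisories):
        listed, linkable = counts.get(vuln, (0, 0))
        counts[vuln] = (listed + 1, linkable + (1 if has_id(pkg) else 0))
    return counts


def check_response(raw_json):
    """Parse a raw /api/v1/sbom/{id}/advisory body and report on it."""
    advisories = json.loads(raw_json)
    missing = packages_without_id(advisories)
    return {
        "clean": not missing,
        "missing": missing,
        "counts": affected_dependency_counts(advisories),
    }


if __name__ == "__main__":
    # Read a real response from stdin when piped; otherwise use the sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RESPONSE
    report = check_response(raw)
    for adv, vuln, name in report["missing"]:
        print(f"{vuln} ({adv}): package {name!r} has no id")
    for vuln, (listed, linkable) in report["counts"].items():
        print(f"{vuln}: {listed} listed, {linkable} linkable")
    sys.exit(0 if report["clean"] else 1)
```

Against a live instance, feed it the same pipeline as above, e.g. `http get "http://localhost:8080/api/v1/sbom/$ID/advisory" | python3 check_advisory_ids.py`; a non-zero exit means at least one package in the response cannot be linked to its Package Details page.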

@carlosthe19916 (Member, Author)

Yeah, sorry. I was in a hurry and copied and pasted the URLs from my browser, so I used my unique ID from my DB.

And thanks for sharing the http command. That's a better way of reproducing and navigating JSON. I'll keep it in mind so I can use it in future issues.

@dejanb (Contributor) commented Nov 22, 2024

> I wondered about this TODO in the code. Is this issue the result of that TODO, @dejanb?

Yes. There's some work started to solve this with #994. The idea is to try to use an in-memory graph for this search (an alternative is a db query).

@dejanb (Contributor) commented Nov 25, 2024

@carlosthe19916 can you try #1048 and see if it works for you?

@dejanb (Contributor) commented Nov 25, 2024

@JimFuller-RedHat #1041 didn't do the trick, as we need the actual component based on name, not the roots. I implemented a db version of the functionality for now (#1048), and we can revisit this later if needed.
