Merge pull request #359 from DependencyTrack/integrity-check-mop-up

DependencyTrack · Oct 19, 2023 · f06b808 · f06b808
2 parents f0097a0 + a8b40b7
commit f06b808
Show file tree

Hide file tree

Showing 4 changed files with 77 additions and 1 deletion.
diff --git a/src/main/java/org/dependencytrack/event/kafka/componentmeta/IntegrityCheck.java b/src/main/java/org/dependencytrack/event/kafka/componentmeta/IntegrityCheck.java
@@ -81,7 +81,10 @@ private static IntegrityMatchStatus calculateIntegrityCheckStatus(IntegrityMatch
                 && (sha256Status == COMPONENT_MISSING_HASH || sha256Status == COMPONENT_MISSING_HASH_AND_MATCH_UNKNOWN)
                 && (sha512Status == COMPONENT_MISSING_HASH || sha512Status == COMPONENT_MISSING_HASH_AND_MATCH_UNKNOWN)) {
             return COMPONENT_MISSING_HASH;
-        } else if (md5Status == HASH_MATCH_UNKNOWN && sha1Status == HASH_MATCH_UNKNOWN && sha256Status == HASH_MATCH_UNKNOWN && sha512Status == HASH_MATCH_UNKNOWN) {
+        } else if ((md5Status == HASH_MATCH_UNKNOWN || md5Status == COMPONENT_MISSING_HASH_AND_MATCH_UNKNOWN)
+                && (sha1Status == HASH_MATCH_UNKNOWN || sha1Status == COMPONENT_MISSING_HASH_AND_MATCH_UNKNOWN)
+                && (sha256Status == HASH_MATCH_UNKNOWN || sha256Status == COMPONENT_MISSING_HASH_AND_MATCH_UNKNOWN)
+                && (sha512Status == HASH_MATCH_UNKNOWN || sha512Status == COMPONENT_MISSING_HASH_AND_MATCH_UNKNOWN))  {
             return HASH_MATCH_UNKNOWN;
         } else if (md5Status == HASH_MATCH_PASSED || sha1Status == HASH_MATCH_PASSED || sha256Status == HASH_MATCH_PASSED || sha512Status == HASH_MATCH_PASSED) {
             return HASH_MATCH_PASSED;

diff --git a/src/main/java/org/dependencytrack/persistence/ComponentQueryManager.java b/src/main/java/org/dependencytrack/persistence/ComponentQueryManager.java
@@ -409,6 +409,11 @@ public Component updateComponent(Component transientComponent, boolean commitInd
      */
     protected void deleteComponents(Project project) {
         final Query<Component> query = pm.newQuery(Component.class, "project == :project");
+        query.setParameters(project);
+        List<Component> components = query.executeList();
+        for(Component component : components) {
+            executeAndClose(pm.newQuery(Query.JDOQL, "DELETE FROM org.dependencytrack.model.IntegrityAnalysis WHERE component == :component"), component);
+        }
         try {
             query.deletePersistentAll(project);
         } finally {
@@ -443,6 +448,8 @@ public void recursivelyDelete(Component component, boolean commitIndex) {
             executeAndClose(pm.newQuery(Query.JDOQL, "DELETE FROM org.dependencytrack.model.DependencyMetrics WHERE component == :component"), component);
             executeAndClose(pm.newQuery(Query.JDOQL, "DELETE FROM org.dependencytrack.model.FindingAttribution WHERE component == :component"), component);
             executeAndClose(pm.newQuery(Query.JDOQL, "DELETE FROM org.dependencytrack.model.PolicyViolation WHERE component == :component"), component);
+            executeAndClose(pm.newQuery(Query.JDOQL, "DELETE FROM org.dependencytrack.model.IntegrityAnalysis WHERE component == :component"), component);
+
 
             // The component itself must be deleted via deletePersistentAll, otherwise relationships
             // (e.g. with Vulnerability via COMPONENTS_VULNERABILITIES table) will not be cleaned up properly.

diff --git a/...est/java/org/dependencytrack/event/kafka/processor/RepositoryMetaResultProcessorTest.java b/...est/java/org/dependencytrack/event/kafka/processor/RepositoryMetaResultProcessorTest.java
@@ -224,6 +224,56 @@ public void processUpdateIntegrityResultTest() {
         assertThat(analysis.getComponent().getPurl().toString()).isEqualTo("pkg:maven/foo/[email protected]");
     }
 
+    @Test
+    public void testIntegrityCheckWhenComponentHashIsMissing() {
+        // Create an active project with one component.
+        final var projectA = qm.createProject("acme-app-a", null, "1.0.0", null, null, null, true, false);
+        final var componentProjectA = new Component();
+        UUID uuid = UUID.randomUUID();
+        componentProjectA.setProject(projectA);
+        componentProjectA.setName("acme-lib-a");
+        componentProjectA.setVersion("1.0.1");
+        componentProjectA.setPurl("pkg:maven/foo/[email protected]");
+        componentProjectA.setPurlCoordinates("pkg:maven/foo/[email protected]");
+        componentProjectA.setUuid(uuid);
+        componentProjectA.setMd5("098f6bcd4621d373cade4e832627b4f6");
+        componentProjectA.setSha1("a94a8fe5ccb19ba61c4c0873d391e987982fbbd3");
+
+        Component c = qm.persist(componentProjectA);
+
+        var integrityMetaComponent = new IntegrityMetaComponent();
+        integrityMetaComponent.setPurl("pkg:maven/foo/[email protected]");
+        integrityMetaComponent.setStatus(FetchStatus.IN_PROGRESS);
+        Date date = Date.from(Instant.now().minus(15, ChronoUnit.MINUTES));
+        integrityMetaComponent.setLastFetch(date);
+        qm.persist(integrityMetaComponent);
+
+        final var result = AnalysisResult.newBuilder()
+                .setComponent(org.hyades.proto.repometaanalysis.v1.Component.newBuilder()
+                        .setUuid(c.getUuid().toString())
+                        .setPurl("pkg:maven/foo/[email protected]"))
+                .setIntegrityMeta(IntegrityMeta.newBuilder()
+                        .setMetaSourceUrl("test").build())
+                .build();
+
+        inputTopic.pipeInput(new TestRecord<>("pkg:maven/foo/[email protected]", result, Instant.now()));
+        qm.getPersistenceManager().refresh(integrityMetaComponent);
+        integrityMetaComponent = qm.getIntegrityMetaComponent("pkg:maven/foo/[email protected]");
+        assertThat(integrityMetaComponent).isNotNull();
+        assertThat(integrityMetaComponent.getRepositoryUrl()).isEqualTo("test");
+        assertThat(integrityMetaComponent.getLastFetch()).isAfter(date);
+        assertThat(integrityMetaComponent.getStatus()).isEqualTo(FetchStatus.NOT_AVAILABLE);
+
+        IntegrityAnalysis analysis = qm.getIntegrityAnalysisByComponentUuid(c.getUuid());
+        assertThat(analysis.getIntegrityCheckStatus()).isEqualTo(IntegrityMatchStatus.HASH_MATCH_UNKNOWN);
+        assertThat(analysis.getMd5HashMatchStatus()).isEqualTo(IntegrityMatchStatus.HASH_MATCH_UNKNOWN);
+        assertThat(analysis.getSha1HashMatchStatus()).isEqualTo(IntegrityMatchStatus.HASH_MATCH_UNKNOWN);
+        assertThat(analysis.getSha256HashMatchStatus()).isEqualTo(IntegrityMatchStatus.COMPONENT_MISSING_HASH_AND_MATCH_UNKNOWN);
+        assertThat(analysis.getSha512HashMatchStatus()).isEqualTo(IntegrityMatchStatus.COMPONENT_MISSING_HASH_AND_MATCH_UNKNOWN);
+        assertThat(analysis.getUpdatedAt()).isNotNull();
+        assertThat(analysis.getComponent().getPurl().toString()).isEqualTo("pkg:maven/foo/[email protected]");
+    }
+
     @Test
     public void testIntegrityCheckWithDataInDb() {
         // Create an active project with one component.

diff --git a/src/test/java/org/dependencytrack/resources/v1/ComponentResourceTest.java b/src/test/java/org/dependencytrack/resources/v1/ComponentResourceTest.java
@@ -25,6 +25,7 @@
 import org.dependencytrack.ResourceTest;
 import org.dependencytrack.event.kafka.KafkaTopics;
 import org.dependencytrack.model.Component;
+import org.dependencytrack.model.IntegrityAnalysis;
 import org.dependencytrack.model.Project;
 import org.dependencytrack.model.RepositoryMetaComponent;
 import org.dependencytrack.model.RepositoryType;
@@ -36,6 +37,7 @@
 import org.junit.Assert;
 import org.junit.Test;
 
+import javax.jdo.JDOObjectNotFoundException;
 import javax.json.JsonArray;
 import javax.json.JsonObject;
 import javax.ws.rs.client.Entity;
@@ -45,6 +47,8 @@
 import java.util.UUID;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
+import static org.dependencytrack.model.IntegrityMatchStatus.HASH_MATCH_UNKNOWN;
 
 public class ComponentResourceTest extends ResourceTest {
 
@@ -520,12 +524,24 @@ public void deleteComponentTest() {
         Project project = qm.createProject("Acme Application", null, null, null, null, null, true, false);
         Component component = new Component();
         component.setProject(project);
+        component.setUuid(UUID.randomUUID());
         component.setName("My Component");
         component.setVersion("1.0");
         component = qm.createComponent(component, false);
+        IntegrityAnalysis analysis = new IntegrityAnalysis();
+        analysis.setComponent(component);
+        analysis.setIntegrityCheckStatus(HASH_MATCH_UNKNOWN);
+        analysis.setMd5HashMatchStatus(HASH_MATCH_UNKNOWN);
+        analysis.setSha1HashMatchStatus(HASH_MATCH_UNKNOWN);
+        analysis.setSha256HashMatchStatus(HASH_MATCH_UNKNOWN);
+        analysis.setSha512HashMatchStatus(HASH_MATCH_UNKNOWN);
+        analysis.setUpdatedAt(new Date());
+        IntegrityAnalysis integrityResponse = qm.persist(analysis);
         Response response = target(V1_COMPONENT + "/" + component.getUuid().toString())
                 .request().header(X_API_KEY, apiKey).delete();
         Assert.assertEquals(204, response.getStatus(), 0);
+        assertThatExceptionOfType(JDOObjectNotFoundException.class)
+                .isThrownBy(() -> qm.getObjectById(IntegrityAnalysis.class, integrityResponse.getId()));
     }
 
     @Test