
SBOM View #6035

Draft: wants to merge 115 commits into base: master

Conversation

kemley76 (Contributor)

Adding the ability to view SBOM results both in the main results table and in a new, separate SBOM-specific view.

charleshu-8 and others added 28 commits July 10, 2024 12:51
…nts table

Signed-off-by: Kaden Emley <kemley@mitre.org>
Signed-off-by: Charles Hu <computerscience@verizon.net>
charleshu-8 and others added 26 commits August 13, 2024 14:43
Quality Gate failed

Failed conditions
1 New Code Smells (required ≤ 0)

See analysis details on SonarCloud

@kemley76 (Contributor, Author)

Status as of 8/16/24

Dependent on #5986

Features added

  • SBOM view with component table and dependency tree
  • ability to choose what columns to display in component table (name, description, version, number of dependencies, etc.)
  • any vulnerabilities affecting a component appear in the table as a button for navigating back to results view
  • each component has an expandable section that contains all the rest of the component information (properties, external references, licenses, vulnerabilities, dependencies, parents, etc.)
  • ability to filter components by severity, bom-ref, and freeform search
  • vulnerabilities that impact an SBOM component have a button to display them in the SBOM view's component table
  • dependency tree view that shows the dependency relationships between components
  • ability to navigate to components that match a given filter
  • an indicator for whether a component in the tree has any vulnerabilities

What is left to add

I think the SBOM view is functional as it is, but these are just what I would probably add if I had enough time

  • it would be nice to display the vulnerabilities in the dependency tree view a bit better. Colored chips might be nice, but there can be any number of vulnerabilities present on a component, so that might be tricky. It would also be nice to indicate if a component has any vulnerabilities in any of its descendants.
  • Information panels and tooltips in various menus (search bar, settings icon, filter icon, SBOM view as a whole) to explain how to use the SBOM view to its fullest.
  • Automated frontend/Cypress tests. None of the SBOM view is being validated by tests at the moment. The tests should, at the very least, load a good sample file and ensure that the right number of components load in the table and that the filtering works.
  • There seems to be a small issue with navigation in the tree view. Some components either aren't present in the dependency tree (might be an issue with the SBOM itself) or cannot be found with the filter navigation feature (the "Go" chip that takes the user to the dependency tree view). I noticed this with the dropwizard-vulns sample file.
  • A change-over-time view. This has not been started at all, so it can be a separate PR. It would allow users to compare multiple SBOMs of the same target and see how it evolved over time (packages added/removed, version updates, authorship changes, vulnerabilities/patches, etc.).
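The lookups behind the features listed in the status above (components keyed by bom-ref, vulnerabilities joined to components, a dependency tree, a severity filter), as an added example that is not Heimdall's own code. It also covers two of the open items: a "vulnerable somewhere below this component" indicator, and a check for components that an SBOM declares but that never appear in its dependency graph, which is one way a component can be absent from the tree view. It assumes the CycloneDX 1.5 JSON layout (components[]."bom-ref", dependencies[].ref and dependsOn, vulnerabilities[].affects[].ref, ratings[].severity); the SBOM, package names and vulnerability ids in it are constructed for the example and are not from the dropwizard-vulns sample or any real advisory.

```typescript
// Added example, not Heimdall code. Plain objects are used as maps so the
// block compiles under any TypeScript target.
interface CdxComponent { type: string; "bom-ref": string; name: string; version?: string }
interface CdxDependency { ref: string; dependsOn?: string[] }
interface CdxVulnerability { id: string; ratings?: { severity?: string }[]; affects?: { ref: string }[] }
interface CdxBom {
  bomFormat: string; specVersion: string;
  metadata?: { component?: CdxComponent };
  components?: CdxComponent[]; dependencies?: CdxDependency[]; vulnerabilities?: CdxVulnerability[];
}

const WEB = "pkg:maven/org.example/web@2.0.0";
const JSON_LIB = "pkg:maven/org.example/json@1.1.0";
const LOGGING = "pkg:maven/org.example/logging@3.2.1";
const ORPHAN = "pkg:maven/org.example/orphan@0.9.0";

// Constructed sample SBOM (not a real project's BOM; vulnerability ids are placeholders).
// "orphan" is declared under components but no dependency entry references it.
const SAMPLE_BOM: CdxBom = {
  bomFormat: "CycloneDX", specVersion: "1.5",
  metadata: { component: { type: "application", "bom-ref": "app", name: "example-app", version: "1.0.0" } },
  components: [
    { type: "library", "bom-ref": WEB, name: "web", version: "2.0.0" },
    { type: "library", "bom-ref": JSON_LIB, name: "json", version: "1.1.0" },
    { type: "library", "bom-ref": LOGGING, name: "logging", version: "3.2.1" },
    { type: "library", "bom-ref": ORPHAN, name: "orphan", version: "0.9.0" },
  ],
  dependencies: [
    { ref: "app", dependsOn: [WEB, LOGGING] },
    { ref: WEB, dependsOn: [JSON_LIB] },
    { ref: JSON_LIB, dependsOn: [] },
    { ref: LOGGING, dependsOn: [] },
  ],
  vulnerabilities: [
    { id: "EXAMPLE-0001", ratings: [{ severity: "high" }], affects: [{ ref: JSON_LIB }] },
    { id: "EXAMPLE-0002", ratings: [{ severity: "low" }], affects: [{ ref: ORPHAN }] },
  ],
};

// Every component keyed by bom-ref, including the root from metadata.component.
function componentIndex(bom: CdxBom): Record<string, CdxComponent> {
  const index: Record<string, CdxComponent> = {};
  const root = bom.metadata?.component;
  if (root) index[root["bom-ref"]] = root;
  for (const c of bom.components ?? []) index[c["bom-ref"]] = c;
  return index;
}

// Adjacency list: bom-ref -> refs it depends on.
function dependencyGraph(bom: CdxBom): Record<string, string[]> {
  const graph: Record<string, string[]> = {};
  for (const d of bom.dependencies ?? []) graph[d.ref] = d.dependsOn ?? [];
  return graph;
}

// Vulnerabilities grouped by the bom-ref they affect.
function vulnerabilitiesByRef(bom: CdxBom): Record<string, CdxVulnerability[]> {
  const byRef: Record<string, CdxVulnerability[]> = {};
  for (const v of bom.vulnerabilities ?? []) {
    for (const a of v.affects ?? []) (byRef[a.ref] = byRef[a.ref] ?? []).push(v);
  }
  return byRef;
}

// Strict descendants of `start` in the graph; the visited record also stops cycles.
function descendants(graph: Record<string, string[]>, start: string): string[] {
  const visited: Record<string, true> = { [start]: true };
  const stack = (graph[start] ?? []).slice();
  while (stack.length > 0) {
    const current = stack.pop() as string;
    if (visited[current]) continue;
    visited[current] = true;
    for (const next of graph[current] ?? []) stack.push(next);
  }
  delete visited[start];
  return Object.keys(visited).sort();
}

// Ids shown on the component's own table row.
function directVulnerabilityIds(bom: CdxBom, ref: string): string[] {
  return (vulnerabilitiesByRef(bom)[ref] ?? []).map((v) => v.id).sort();
}

// Ids carried by anything below `ref`, for a "vulnerable in a descendant" indicator.
function descendantVulnerabilityIds(bom: CdxBom, ref: string): string[] {
  const byRef = vulnerabilitiesByRef(bom);
  const ids: Record<string, true> = {};
  for (const d of descendants(dependencyGraph(bom), ref)) for (const v of byRef[d] ?? []) ids[v.id] = true;
  return Object.keys(ids).sort();
}

// Components the SBOM declares that a tree rooted at metadata.component cannot reach.
function componentsMissingFromTree(bom: CdxBom): string[] {
  const rootRef = bom.metadata?.component?.["bom-ref"];
  const all = Object.keys(componentIndex(bom));
  if (rootRef === undefined) return all.sort();
  const reachable = descendants(dependencyGraph(bom), rootRef).concat([rootRef]);
  return all.filter((r) => reachable.indexOf(r) < 0).sort();
}

// bom-refs with at least one vulnerability rated at `severity` (case-insensitive).
function refsWithSeverity(bom: CdxBom, severity: string): string[] {
  const wanted = severity.toLowerCase();
  const byRef = vulnerabilitiesByRef(bom);
  return Object.keys(byRef)
    .filter((ref) => byRef[ref].some((v) => (v.ratings ?? []).some((r) => (r.severity ?? "").toLowerCase() === wanted)))
    .sort();
}
```

Run against SAMPLE_BOM, `componentsMissingFromTree` returns only the orphan, `descendantVulnerabilityIds(SAMPLE_BOM, "app")` surfaces the vulnerability two levels down in `json` even though `app` and `web` have none of their own, and the root component contributes no direct vulnerabilities. A real SBOM can also have components missing from the tree because the SBOM omits dependency entries entirely, so a view should fall back to a flat list rather than hide them.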


mergify bot commented Aug 19, 2024

This pull request has a conflict. Could you fix it @kemley76?

Amndeep7 mentioned this pull request Oct 4, 2024
Labels: enhancement (New feature or request), heimdall-frontend (Issue is related to the Heimdall-Lite frontend)
2 participants