Master branch: Added proper component reconciliation on scan and bom processing - #123

Author: stevespringett

src/main/java/org/owasp/dependencytrack/persistence/QueryManager.java

@@ -917,6 +917,45 @@ public void removeDependencyIfExist(Project project, Component component) {
         }
     }
 
+    /**
+     * Intelligently adds dependencies for components that are not already a dependency
+     * of the specified project and removes the dependency relationship for components
+     * that are not in the list of specified components.
+     * @param project the project to bind components to
+     * @param components the complete list of components that should be dependencies of the project
+     */
+    public void reconcileDependencies(Project project, List<Component> components) {
+        // Holds a list of all Components that are existing dependencies of the specified project
+        final List<Component> existingProjectDependencies = new ArrayList<>();
+        getAllDependencies(project).forEach(item -> existingProjectDependencies.add(item.getComponent()));
+        reconcileDependencies(project, existingProjectDependencies, components);
+    }
+
+    /**
+     * Intelligently adds dependencies for components that are not already a dependency
+     * of the specified project and removes the dependency relationship for components
+     * that are not in the list of specified components.
+     * @param project the project to bind components to
+     * @param existingProjectDependencies the complete list of existing dependent components
+     * @param components the complete list of components that should be dependencies of the project
+     */
+    public void reconcileDependencies(Project project, List<Component> existingProjectDependencies, List<Component> components) {
+        // Removes components as dependencies to the project for all
+        // components not included in the list provided
+        for (Component existingDependency: existingProjectDependencies) {
+            boolean keep = false;
+            for (Component component: components) {
+                if (component.getId() == existingDependency.getId()) {
+                    keep = true;
+                }
+            }
+            if (!keep) {
+                removeDependencyIfExist(project, existingDependency);
+            }
+        }
+        components.forEach(component -> createDependencyIfNotExist(project, component, null, null));
+    }
+
     /**
      * Returns a List of all Dependency for the specified Project.
      * This method if designed NOT to provide paginated results.

src/main/java/org/owasp/dependencytrack/tasks/BomUploadProcessingTask.java

@@ -54,8 +54,14 @@ public void inform(Event e) {
             final byte[] bomBytes = event.getBom();
             QueryManager qm = new QueryManager();
             try {
+                final Project project = qm.getObjectByUuid(Project.class, event.getProjectUuid());
                 final List<Component> components;
                 final List<Component> flattenedComponents = new ArrayList<>();
+
+                // Holds a list of all Components that are existing dependencies of the specified project
+                final List<Component> existingProjectDependencies = new ArrayList<>();
+                qm.getAllDependencies(project).forEach(item -> existingProjectDependencies.add(item.getComponent()));
+
                 final String bomString = new String(bomBytes);
                 if (bomString.startsWith("<?xml") && bomString.contains("<bom") && bomString.contains("http://cyclonedx.org/schema/bom")) {
                     final CycloneDxParser parser = new CycloneDxParser(qm);
@@ -64,12 +70,13 @@ public void inform(Event e) {
                     final SpdxDocumentParser parser = new SpdxDocumentParser(qm);
                     components = parser.parse(bomBytes);
                 }
-                final Project project = qm.getObjectByUuid(Project.class, event.getProjectUuid());
                 final Date date = new Date();
                 final Bom bom = qm.createBom(project, date);
                 for (Component component: components) {
                     processComponent(qm, bom, project, component, flattenedComponents);
                 }
+
+                qm.reconcileDependencies(project, existingProjectDependencies, flattenedComponents);
                 qm.updateLastBomImport(project, date);
                 EventService.getInstance().publish(new VulnerabilityAnalysisEvent(flattenedComponents));
             } catch (Exception ex) {

src/main/java/org/owasp/dependencytrack/tasks/ScanUploadProcessingTask.java

@@ -138,8 +138,6 @@ public void inform(Event e) {
                         component = qm.updateComponent(component, false);
                     }
 
-                    qm.createDependencyIfNotExist(project, component, null, null);
-
                     if (dependency.getVulnerabilities() != null && dependency.getVulnerabilities().getVulnerabilities() != null) {
                         for (org.owasp.dependencytrack.parser.dependencycheck.model.Vulnerability dcvuln: dependency.getVulnerabilities().getVulnerabilities()) {
 
@@ -171,6 +169,8 @@ public void inform(Event e) {
                                 .getSource(), evidence.getName(), evidence.getValue());
                     }
                 }
+
+                qm.reconcileDependencies(project, components);
                 qm.updateLastScanImport(project, date);
                 EventService.getInstance().publish(new VulnerabilityAnalysisEvent(components));
             } catch (Exception ex) {