
Last BOM import results from Dependency-Track unclear #10545

Open
denniebouman opened this issue Dec 19, 2024 · 1 comment

Comments

@denniebouman
Member

Describe the bug
When using multiple projects in Dependency-Track, with:

Metric type: Source up-to-dateness
Source type: Dependency Track
Project event type(s): last BOM import

Then all projects are displayed in the Dependency-Track tab, regardless of whether they meet the metric target or not.
The metric may indicate (with the correct metric target) which project has the oldest BOM import, based on the number of days.

The above causes confusion, because other metrics, most of the time, show the number of violations in the metric and only the findings in the detail tab.

Possible adjustment(s)

  • Make metrics configurable for:
    • Metric scale: Count and Metric unit: days
    • Metric scale: Count and Metric unit: number of violations
  • Keep the implementation as-is and in the detail tab provide the violations with a color with the deviations from the metric target
  • Keep implementation as-is and use a toggle to show only violations in the detail tab, or all projects
  • ..
@fniessink
Member

fniessink commented Jan 9, 2025

For Dependency-Track as source for source up-to-dateness, use the value of the "Project event types" to determine which date(s) to use to evaluate the DT-projects in the list of measurement entities. Add an EntityAttribute with visible=False to base the color on to the data model:

from shared_data_model.meta.entity import Color, EntityAttribute  # assumed module path in Quality-time's shared data model

# Hidden attribute: not shown as a column, only used to color the entity's row.
EntityAttribute(name="Status", visible=False, color={
    "target_not_met": Color.NEGATIVE,
    "target_met": Color.POSITIVE,
    "near_target": Color.WARNING,
})

Adapt the collector to add the status to the entity.

Out of scope:

  • For Dependency-Track, showing which date was actually used to evaluate the DT-project.
  • Sources other than Dependency-Track, since none of them have measurement entities.

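Added example (not code from the Quality-time project) of what the collector change sketched above could look like: for each Dependency-Track project it derives the age of the selected event(s), sets the hidden `status` value the color map keys on, and also yields both candidate metric values from the issue (oldest import in days, number of violations). The project sample, the `lastBomImport` epoch-millisecond field, the event-type-to-field mapping and the target/near-target defaults are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of Dependency-Track projects; lastBomImport is assumed to be
# the DT REST API field holding the import time as epoch milliseconds.
NOW = datetime(2025, 1, 9, 12, 0, tzinfo=timezone.utc)
PROJECTS = [
    {"name": "billing", "lastBomImport": int((NOW - timedelta(days=3)).timestamp() * 1000)},
    {"name": "web", "lastBomImport": int((NOW - timedelta(days=10)).timestamp() * 1000)},
    {"name": "legacy", "lastBomImport": int((NOW - timedelta(days=45)).timestamp() * 1000)},
    {"name": "never-imported", "lastBomImport": None},
]
# Project event type (as named in the issue) -> DT project field (assumed mapping).
EVENT_FIELDS = {"last BOM import": "lastBomImport"}


def days_since(epoch_ms, now=NOW):
    """Age in whole days of an epoch-millisecond timestamp; None when the event never happened."""
    if epoch_ms is None:
        return None
    return (now - datetime.fromtimestamp(epoch_ms / 1000, tz=timezone.utc)).days


def status(days, target, near_target):
    """Value for the hidden Status attribute; source up-to-dateness is 'lower is better',
    so target <= near_target and a missing date counts as a violation."""
    if days is None or days > near_target:
        return "target_not_met"
    if days > target:
        return "near_target"
    return "target_met"


def collect(projects, event_types=("last BOM import",), target=7, near_target=30, now=NOW):
    """Return (oldest age in days, number of violations, entities with a status per project)."""
    entities = []
    for project in projects:
        ages = [days_since(project.get(EVENT_FIELDS[event]), now) for event in event_types]
        # When several event types are selected, the oldest one decides (assumption).
        age = None if any(a is None for a in ages) else max(ages)
        entities.append({"name": project["name"],
                         "days": "unknown" if age is None else str(age),
                         "status": status(age, target, near_target)})
    known_ages = [int(e["days"]) for e in entities if e["days"] != "unknown"]
    value = max(known_ages) if known_ages else None
    violations = sum(e["status"] == "target_not_met" for e in entities)
    return value, violations, entities
```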
@fniessink fniessink moved this from To be refined to Refinement in progress in Quality-time backlog Jan 9, 2025
@fniessink fniessink removed the Feature label Jan 28, 2025
@fniessink fniessink moved this from Refinement in progress to Ready in Quality-time backlog Feb 20, 2025