feat: [five-c] Product compliance tab #507

Open
tdruez wants to merge 29 commits into main from 5c-product-compliance

Conversation

tdruez (Contributor) commented Mar 23, 2026

Issues

Changes

  • Add a "Compliance" tab to the product details view (see implementation details below)
  • The "Compliance" tab is available when at least 1 package exists in a Product.
  • Add filters for the "Inventory" tab: "Compliance issues", "Licenses", "Has licenses", "License compliance issues"
  • The data points presented in the "Compliance" tab leverage the new filters to easily drill down to the problematic data.
  • Add a risk_level generated field based on risk_score; this allows storing the risk level label, such as "critical", alongside the risk_score that is stored as a float.
  • Add a get_risk_level utility function to convert a float risk_score into its risk_level string value.

The "Compliance" tab is composed of:

  • 4 metric cards:
    • "Total packages" card: alert at the Package level.
    • "License compliance" card: alert at the
    • "License coverage" card: missing license at the ProductPackage level.
    • "Vulnerabilities" card: vulnerabilities affecting the product with a risk above the threshold
  • 2 compliance panels:
    • "License compliance": presents the license distribution and their policy violations
    • "Security compliance": overview of the most risky/urgent vulnerabilities

Screens of the new UI

(four screenshots of the new Compliance tab UI, taken 2026-03-24)

tdruez added 11 commits March 23, 2026 09:57
DennisClark (Member) commented

Hi @tdruez The Product Compliance tab is quite impressive! I explored a number of Products in Staging Starship and the performance is especially nice, quite zippy, and the data presented looks quite useful.

I did encounter a curious thing in a rather "messy" product in Staging Starship
nodejs-goof d240896711e31c540fc1cab79ae2e4cf63f00b1a (see screenshot):

  • The "Vulnerabilities" panel shows 193 with the message "All below risk threshold of 7.0" (which makes sense because the dataspace is set to 7.0); however,
  • The "Security Compliance" panel shows some interesting details, including a number of vulnerabilities at the Critical risk level, and the message "7 of 193 vulnerabilities at or above risk threshold (high)"

so there may be a bug of some sort there.

I also think it might be more useful for the initial presentation of the Compliance tab to show the vulnerabilities in the Security Compliance panel in descending Risk level sequence, so that the user will immediately see the ones that most need attention.

(screenshot: nodejs-goof Compliance tab, 2026-03-23 at 10:34:32)

tdruez added 9 commits March 24, 2026 11:29
tdruez (Contributor, Author) commented Mar 24, 2026

so there may be a bug of some sort there.
I also think it might be more useful for the initial presentation of the Compliance tab to show the vulnerabilities in the Security Compliance panel in descending Risk level sequence, so that the user will immediately see the ones that most need attention.

Thanks for reporting this one. It's a sorting issue when the risk_score is None: by default PostgreSQL returns the empty values first. Anyway, the ordering now properly pushes the None values to the end, and the vulnerabilities are displayed from the highest risk to the lowest.
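The risk_level labelling described in the PR summary and the None-last ordering fix described in this comment, as an added Python example (not code from the PR or from the project). The level bands (critical >= 9.0, high >= 7.0, medium >= 4.0, low otherwise), the Vulnerability class and the sample data are assumptions: the page only gives the 7.0 "high" threshold and the "critical" label.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed bands (not from the PR): highest floor first, checked in order.
RISK_LEVELS = ((9.0, "critical"), (7.0, "high"), (4.0, "medium"))


def get_risk_level(risk_score: Optional[float]) -> str:
    """Convert a float risk_score into its risk_level label.

    None (no score available) maps to "" so the label can be stored
    alongside the float without special-casing missing scores."""
    if risk_score is None:
        return ""
    for floor, label in RISK_LEVELS:
        if risk_score >= floor:
            return label
    return "low"


@dataclass
class Vulnerability:  # hypothetical stand-in for the project's model
    vulnerability_id: str
    risk_score: Optional[float]


def order_by_risk(vulns):
    """Highest risk first, unscored (None) entries last.

    A plain ORDER BY risk_score DESC in PostgreSQL sorts NULLs first,
    which is the ordering bug reported above; the tuple key below is the
    equivalent of ORDER BY risk_score DESC NULLS LAST."""
    return sorted(vulns, key=lambda v: (v.risk_score is None, -(v.risk_score or 0.0)))


def count_at_or_above(vulns, threshold: float) -> int:
    """Count vulnerabilities at or above the product risk threshold.

    Unscored entries never count, so every panel reading this number
    agrees with the others."""
    return sum(1 for v in vulns if v.risk_score is not None and v.risk_score >= threshold)


# Constructed sample, not real vulnerability data.
SAMPLE = [
    Vulnerability("VCID-a", 9.4), Vulnerability("VCID-b", None),
    Vulnerability("VCID-c", 7.0), Vulnerability("VCID-d", 3.2),
    Vulnerability("VCID-e", None), Vulnerability("VCID-f", 8.1),
]


def compliance_summary(vulns, threshold: float = 7.0) -> dict:
    """Data for a security compliance panel: ordered ids, labels, threshold count."""
    ordered = order_by_risk(vulns)
    return {
        "ordered_ids": [v.vulnerability_id for v in ordered],
        "levels": [get_risk_level(v.risk_score) for v in ordered],
        "at_or_above": count_at_or_above(vulns, threshold),
        "total": len(vulns),
    }
```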

DennisClark (Member) commented Mar 24, 2026

@tdruez great progress, the problems I mentioned in my previous comment appear to be resolved now in Staging Starship. I was happy to see that adjusting the Risk Threshold on a product produced the correct results in the security compliance display.

The links to the detailed lists of packages with policy violations are very nice; however, I did find one product, DependencyTrack 4.12.1, where there seems to be a problem with the list (screenshots attached):

The License compliance panel shows
82%
34 packages with license policy violations

but the linked list of packages shows
86 of 191 results
License compliance issues: "true"
and the list includes packages without compliance issues
so there might be a problem with the filtering logic.

(screenshots: DependencyTrack 4.12.1 compliance tab; DependencyTrack 4.12.1 filtered inventory)

tdruez added 6 commits March 25, 2026 14:34
tdruez (Contributor, Author) commented Mar 25, 2026

so there might be a problem with the filtering logic.

@DennisClark Thanks for catching this. The filter was not using a proper DISTINCT, ending up with duplicate entries in the filtered inventory when multiple licenses of the same expression each had a policy issue.
This is now fixed.

DennisClark (Member) commented

@tdruez latest fix confirmed. Additional testing is going well, no problems.

tdruez added 3 commits March 26, 2026 13:24