feat(dependency-track): support parent ID for autocreate projects (#534) (#543)

Signed-off-by: Seb Dangerfield <[email protected]>

Author: sedan07

app/controlplane/plugins/core/dependency-track/v1/README.md

@@ -45,6 +45,7 @@ See https://docs.chainloop.dev/guides/dependency-track/
 
 |Field|Type|Required|Description|
 |---|---|---|---|
+|parentID|string|no|ID of parent project to create a new project under|
 |projectID|string|no|The ID of the existing project to send the SBOMs to|
 |projectName|string|no|The name of the project to create and send the SBOMs to|
 
@@ -76,9 +77,19 @@ See https://docs.chainloop.dev/guides/dependency-track/
       "type": "string",
       "minLength": 1,
       "description": "The name of the project to create and send the SBOMs to"
+    },
+    "parentID": {
+      "type": "string",
+      "minLength": 1,
+      "description": "ID of parent project to create a new project under"
     }
   },
   "additionalProperties": false,
-  "type": "object"
+  "type": "object",
+  "dependentRequired": {
+    "parentID": [
+      "projectName"
+    ]
+  }
 }
 ```

app/controlplane/plugins/core/dependency-track/v1/client/sbom.go

@@ -44,6 +44,8 @@ type SBOMUploader struct {
 	sbom io.Reader
 	// Either use a projectID or create a new one by name
 	projectID, projectName string
+	// Optional parentID to use with projectName
+	parentID string
 }
 
 func newBase(host, apiKey string) (*base, error) {
@@ -69,7 +71,7 @@ func NewIntegration(host, apiKey string, checkAutoCreate bool) (*Integration, er
 	return &Integration{base: b, checkAutoCreate: checkAutoCreate}, nil
 }
 
-func NewSBOMUploader(host, apiKey string, sbom io.Reader, projectID, projectName string) (*SBOMUploader, error) {
+func NewSBOMUploader(host, apiKey string, sbom io.Reader, projectID, projectName string, parentID string) (*SBOMUploader, error) {
 	b, err := newBase(host, apiKey)
 	if err != nil {
 		return nil, err
@@ -79,7 +81,11 @@ func NewSBOMUploader(host, apiKey string, sbom io.Reader, projectID, projectName
 		return nil, errors.New("either existing project ID or new name is required")
 	}
 
-	return &SBOMUploader{b, sbom, projectID, projectName}, nil
+	if parentID != "" && projectName == "" {
+		return nil, errors.New("project name is required with parent ID")
+	}
+
+	return &SBOMUploader{b, sbom, projectID, projectName, parentID}, nil
 }
 
 const bomUploadPermission = "BOM_UPLOAD"
@@ -118,26 +124,33 @@ func (d *SBOMUploader) Validate(ctx context.Context) error {
 		return fmt.Errorf("validating the permissions: %w", err)
 	}
 
-	if d.projectID == "" {
+	if d.projectID == "" && d.parentID == "" {
 		return nil
 	}
 
-	// Check if the project exists
+	var existingProjectID string
+	if d.projectID != "" {
+		existingProjectID = d.projectID
+	} else {
+		existingProjectID = d.parentID
+	}
+
+	// Check if the project or parent project exists
 	var projectFound bool
 	projects, err := listProjects(d.host, d.apiKey)
 	if err != nil {
 		return fmt.Errorf("checking that the project exists: %w", err)
 	}
 
 	for _, p := range projects {
-		if p.ID == d.projectID {
+		if p.ID == existingProjectID {
 			projectFound = true
 			break
 		}
 	}
 
 	if !projectFound {
-		return fmt.Errorf("project with ID %q not found", d.projectID)
+		return fmt.Errorf("project with ID %q not found", existingProjectID)
 	}
 
 	return nil
@@ -153,6 +166,10 @@ func (d *SBOMUploader) Do(_ context.Context) error {
 	if autocreate {
 		values["autoCreate"] = strings.NewReader("true")
 		values["projectName"] = strings.NewReader(d.projectName)
+
+		if d.parentID != "" {
+			values["parentUUID"] = strings.NewReader(d.parentID)
+		}
 	} else {
 		values["project"] = strings.NewReader(d.projectID)
 	}

app/controlplane/plugins/core/dependency-track/v1/client/sbom_test.go

@@ -29,26 +29,30 @@ const hostname = "http://example.com"
 func TestNewSBOMUploader(t *testing.T) {
 	const projectID = "existing-project-id"
 	const projectName = "new project name"
+	const parentID = "parent-existing-project-id"
 	var sbomReader = bytes.NewBuffer(nil)
 
 	tests := []struct {
-		hostname, apiKey, projectID, projectName string
-		sbom                                     io.Reader
-		wantError                                bool
+		hostname, apiKey, projectID, projectName, parentID string
+		sbom                                               io.Reader
+		wantError                                          bool
 	}{
 		// no api key
-		{hostname, "", projectID, projectName, sbomReader, true},
+		{hostname, "", projectID, projectName, parentID, sbomReader, true},
 		// invalid hostname
-		{"invalid-hostname", "apikey", projectID, projectName, sbomReader, true},
+		{"invalid-hostname", "apikey", projectID, projectName, parentID, sbomReader, true},
 		// both projectID and name
-		{hostname, "apikey", projectID, projectName, sbomReader, true},
-		{hostname, "apikey", projectID, "", sbomReader, false},
-		{hostname, "apikey", "", projectName, sbomReader, false},
+		{hostname, "apikey", projectID, projectName, "", sbomReader, true},
+		{hostname, "apikey", projectID, "", "", sbomReader, false},
+		{hostname, "apikey", "", projectName, "", sbomReader, false},
+		// parent ID
+		{hostname, "apikey", projectID, "", parentID, sbomReader, true},
+		{hostname, "apikey", "", projectName, parentID, sbomReader, false},
 	}
 
 	assert := assert.New(t)
 	for _, tc := range tests {
-		got, err := NewSBOMUploader(tc.hostname, tc.apiKey, tc.sbom, tc.projectID, tc.projectName)
+		got, err := NewSBOMUploader(tc.hostname, tc.apiKey, tc.sbom, tc.projectID, tc.projectName, tc.parentID)
 		if tc.wantError {
 			assert.Error(err)
 			continue
@@ -63,6 +67,7 @@ func TestNewSBOMUploader(t *testing.T) {
 			},
 			tc.sbom,
 			tc.projectID, tc.projectName,
+			tc.parentID,
 		}, got)
 	}
 }

app/controlplane/plugins/core/dependency-track/v1/extension.go

@@ -27,6 +27,7 @@ import (
 	"github.com/chainloop-dev/chainloop/app/controlplane/plugins/core/dependency-track/v1/client"
 	"github.com/chainloop-dev/chainloop/app/controlplane/plugins/sdk/v1"
 	"github.com/go-kratos/kratos/v2/log"
+	"github.com/invopop/jsonschema"
 )
 
 type DependencyTrack struct {
@@ -46,6 +47,18 @@ type attachmentRequest struct {
 	// Either one or the other
 	ProjectID   string `json:"projectID,omitempty" jsonschema:"oneof_required=projectID,minLength=1,description=The ID of the existing project to send the SBOMs to"`
 	ProjectName string `json:"projectName,omitempty" jsonschema:"oneof_required=projectName,minLength=1,description=The name of the project to create and send the SBOMs to"`
+
+	ParentID string `json:"parentID,omitempty" jsonschema:"minLength=1,description=ID of parent project to create a new project under"`
+}
+
+// Enforces the requirement that parentID requires the presence of projectName
+// invopop/jsonschema doesn't appear to support dependentRequired through reflection
+func (x attachmentRequest) JSONSchemaExtend(schema *jsonschema.Schema) {
+	schema.DependentRequired = map[string][]string{
+		"parentID": {
+			"projectName",
+		},
+	}
 }
 
 // Internal state for both registration and attachment
@@ -57,6 +70,7 @@ type registrationConfig struct {
 type attachmentConfig struct {
 	ProjectID   string `json:"projectId"`
 	ProjectName string `json:"projectName"`
+	ParentID    string `json:"parentId"`
 }
 
 const description = "Send CycloneDX SBOMs to your Dependency-Track instance"
@@ -65,7 +79,7 @@ func New(l log.Logger) (sdk.FanOut, error) {
 	base, err := sdk.NewFanOut(
 		&sdk.NewParams{
 			ID:          "dependency-track",
-			Version:     "1.3",
+			Version:     "1.4",
 			Description: description,
 			Logger:      l,
 			InputSchema: &sdk.InputSchema{
@@ -134,10 +148,10 @@ func (i *DependencyTrack) Attach(ctx context.Context, req *sdk.AttachmentRequest
 		return nil, fmt.Errorf("invalid attachment configuration: %w", err)
 	}
 
-	i.Logger.Infow("msg", "attachment OK", "projectID", request.ProjectID, "projectName", request.ProjectName)
+	i.Logger.Infow("msg", "attachment OK", "projectID", request.ProjectID, "projectName", request.ProjectName, "parentID", request.ParentID)
 
 	// We want to store the project configuration
-	rawConfig, err := sdk.ToConfig(&attachmentConfig{ProjectID: request.ProjectID, ProjectName: request.ProjectName})
+	rawConfig, err := sdk.ToConfig(&attachmentConfig{ProjectID: request.ProjectID, ProjectName: request.ProjectName, ParentID: request.ParentID})
 	if err != nil {
 		return nil, fmt.Errorf("marshalling configuration: %w", err)
 	}
@@ -204,7 +218,8 @@ func doExecute(ctx context.Context, req *sdk.ExecutionRequest, sbom *sdk.Execute
 		req.RegistrationInfo.Credentials.Password,
 		bytes.NewReader(sbom.Content),
 		attachmentConfig.ProjectID,
-		projectName)
+		projectName,
+		attachmentConfig.ParentID)
 	if err != nil {
 		return fmt.Errorf("creating uploader: %w", err)
 	}
@@ -281,7 +296,7 @@ func validateAttachment(ctx context.Context, rc *registrationConfig, ac *attachm
 	}
 
 	// Instantiate an actual client to see if it would work with the current configuration
-	d, err := client.NewSBOMUploader(rc.Domain, credentials.Password, nil, ac.ProjectID, ac.ProjectName)
+	d, err := client.NewSBOMUploader(rc.Domain, credentials.Password, nil, ac.ProjectID, ac.ProjectName, ac.ParentID)
 	if err != nil {
 		return fmt.Errorf("creating uploader: %w", err)
 	}
@@ -313,6 +328,10 @@ func validateAttachmentConfiguration(rc *registrationConfig, ac *attachmentReque
 		return errors.New("project id or name must be provided")
 	}
 
+	if ac.ParentID != "" && ac.ProjectName == "" {
+		return errors.New("project name must be provided to work with parent id")
+	}
+
 	return nil
 }
 

app/controlplane/plugins/core/dependency-track/v1/extension_test.go

@@ -193,6 +193,15 @@ func TestValidateAttachmentInput(t *testing.T) {
 			input:  map[string]interface{}{"projectID": "project-id", "projectName": "project-name"},
 			errMsg: "valid against schemas at indexes 0 and 1",
 		},
+		{
+			name:  "valid request, project name and parent ID",
+			input: map[string]interface{}{"projectName": "project-name", "parentID": "parent-id"},
+		},
+		{
+			name:   "invalid with project ID and parent ID",
+			input:  map[string]interface{}{"projectID": "project-id", "parentID": "parent-id"},
+			errMsg: "property 'projectName' is required, if 'parentID' property exists",
+		},
 	}
 
 	integration, err := New(nil)
@@ -293,3 +302,36 @@ func TestValidateExecuteOpts(t *testing.T) {
 		})
 	}
 }
+
+func TestValidateAttachmentConfiguration(t *testing.T) {
+	testCases := []struct {
+		allowAutoCreate                  bool
+		projectID, projectName, parentID string
+		errMsg                           string
+	}{
+		{false, "project-id", "", "", ""},
+		{true, "", "project-name", "", ""},
+		{true, "", "project-name", "parent-id", ""},
+		{false, "", "project-name", "", "auto creation of projects is not supported in this integration"},
+		{false, "", "", "", "project id or name must be provided"},
+		{false, "project-id", "", "parent-id", "project name must be provided to work with parent id"},
+	}
+
+	for _, tc := range testCases {
+		rc := &registrationConfig{
+			Domain:          "http://dtrack.localhost",
+			AllowAutoCreate: tc.allowAutoCreate,
+		}
+		ac := &attachmentRequest{
+			ProjectID:   tc.projectID,
+			ProjectName: tc.projectName,
+			ParentID:    tc.parentID,
+		}
+		err := validateAttachmentConfiguration(rc, ac)
+		if tc.errMsg != "" {
+			assert.ErrorContains(t, err, tc.errMsg)
+		} else {
+			assert.Nil(t, err)
+		}
+	}
+}

docs/integrations.md

@@ -10,7 +10,7 @@ Below you can find the list of currently available integrations. If you can't fi
 
 | ID | Version | Description | Material Requirement |
 | --- | --- | --- | --- |
-| [dependency-track](https://github.com/chainloop-dev/chainloop/blob/main/app/controlplane/plugins/core/dependency-track/v1/README.md) | 1.3 | Send CycloneDX SBOMs to your Dependency-Track instance | SBOM_CYCLONEDX_JSON |
+| [dependency-track](https://github.com/chainloop-dev/chainloop/blob/main/app/controlplane/plugins/core/dependency-track/v1/README.md) | 1.4 | Send CycloneDX SBOMs to your Dependency-Track instance | SBOM_CYCLONEDX_JSON |
 | [discord-webhook](https://github.com/chainloop-dev/chainloop/blob/main/app/controlplane/plugins/core/discord-webhook/v1/README.md) | 1.1 | Send attestations to Discord |  |
 | [guac](https://github.com/chainloop-dev/chainloop/blob/main/app/controlplane/plugins/core/guac/v1/README.md) | 1.0 | Export Attestation and SBOMs metadata to a blob storage backend so guacsec/guac can consume it | SBOM_CYCLONEDX_JSON, SBOM_SPDX_JSON |
 | [slack-webhook](https://github.com/chainloop-dev/chainloop/blob/main/app/controlplane/plugins/core/slack-webhook/v1/README.md) | 1.0 | Send attestations to Slack |  |