refector to tooltips

Signed-off-by: Valentijn Scholten <valentijnscholten@gmail.com>

Author: valentijnscholten

src/main/java/org/dependencytrack/persistence/FindingsSearchQueryManager.java

@@ -27,18 +27,23 @@
 import org.dependencytrack.model.Component;
 import org.dependencytrack.model.Finding;
 import org.dependencytrack.model.GroupedFinding;
+import org.dependencytrack.model.Project;
 import org.dependencytrack.model.RepositoryMetaComponent;
 import org.dependencytrack.model.RepositoryType;
 import org.dependencytrack.model.Vulnerability;
 import org.dependencytrack.model.VulnerabilityAlias;
 
 import javax.jdo.PersistenceManager;
 import javax.jdo.Query;
+import org.dependencytrack.resources.v1.vo.AffectedProject;
+
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import java.util.UUID;
+import java.util.stream.Collectors;
 
 public class FindingsSearchQueryManager extends QueryManager implements IQueryManager {
 
@@ -157,10 +162,37 @@ public PaginatedResult getAllFindings(final Map<String, String> filters, final b
             }
             findings.add(finding);
         }
+        populateParentChains(findings);
         result.setObjects(findings);
         return result;
     }
 
+    /**
+     * Populates the parent chain for each finding's project so the UI can render tooltips
+     * (e.g. "Root > Parent > Project" for nested project hierarchies).
+     */
+    private void populateParentChains(List<Finding> findings) {
+        final Set<UUID> projectUuids = findings.stream()
+                .map(f -> (String) f.getComponent().get("project"))
+                .filter(s -> s != null && !s.isBlank())
+                .map(UUID::fromString)
+                .collect(Collectors.toSet());
+        if (projectUuids.isEmpty()) {
+            return;
+        }
+        final Map<UUID, Project> projectMap = getProjectsWithAncestorPaths(projectUuids);
+        for (final Finding finding : findings) {
+            final String projectUuidStr = (String) finding.getComponent().get("project");
+            if (projectUuidStr == null) {
+                continue;
+            }
+            final Project project = projectMap.get(UUID.fromString(projectUuidStr));
+            if (project != null) {
+                finding.getComponent().put("parent", AffectedProject.buildParentInfo(project.getParent()));
+            }
+        }
+    }
+
     /**
      * Returns a List of all Finding objects filtered by ACL and other optional filters. The resulting list is grouped by vulnerability.
      * @param filters      determines the filters to apply on the list of Finding objects

src/main/java/org/dependencytrack/persistence/PolicyQueryManager.java

@@ -419,6 +419,11 @@ public PaginatedResult getPolicyViolations(final Project project, boolean includ
             violation.getComponent().getResolvedLicense(); // force resolved license to ne included since its not the default
             violation.setAnalysis(getViolationAnalysis(violation.getComponent(), violation)); // Include the violation analysis by default
         }
+        populateAncestorPaths(result.getList(PolicyViolation.class).stream()
+                .map(PolicyViolation::getProject)
+                .filter(Objects::nonNull)
+                .distinct()
+                .toList());
         return result;
     }
 
@@ -444,6 +449,11 @@ public PaginatedResult getPolicyViolations(final Component component, boolean in
             violation.getComponent().getResolvedLicense(); // force resolved license to ne included since its not the default
             violation.setAnalysis(getViolationAnalysis(violation.getComponent(), violation)); // Include the violation analysis by default
         }
+        populateAncestorPaths(result.getList(PolicyViolation.class).stream()
+                .map(PolicyViolation::getProject)
+                .filter(Objects::nonNull)
+                .distinct()
+                .toList());
         return result;
     }
 
@@ -475,6 +485,11 @@ public PaginatedResult getPolicyViolations(boolean includeSuppressed, boolean sh
             violation.getComponent().getResolvedLicense(); // force resolved license to be included since it's not the default
             violation.setAnalysis(getViolationAnalysis(violation.getComponent(), violation)); // Include the violation analysis by default
         }
+        populateAncestorPaths(result.getList(PolicyViolation.class).stream()
+                .map(PolicyViolation::getProject)
+                .filter(Objects::nonNull)
+                .distinct()
+                .toList());
         return result;
     }
 

src/main/java/org/dependencytrack/persistence/ProjectQueryManager.java

@@ -1642,6 +1642,7 @@ public PaginatedResult getChildrenProjects(final UUID uuid, final boolean includ
         preprocessACLs(query, queryFilter, params, false);
         query.getFetchPlan().addGroup(Project.FetchGroup.ALL.name());
         result = execute(query, params);
+        populateAncestorPaths(result.getList(Project.class));
         if (includeMetrics) {
             // Populate each Project object in the paginated result with transitive related
             // data to minimize the number of round trips a client needs to make, process, and render.
@@ -1671,6 +1672,7 @@ public PaginatedResult getChildrenProjects(final Classifier classifier, final UU
         preprocessACLs(query, queryFilter, params, false);
         query.getFetchPlan().addGroup(Project.FetchGroup.ALL.name());
         result = execute(query, params);
+        populateAncestorPaths(result.getList(Project.class));
         if (includeMetrics) {
             // Populate each Project object in the paginated result with transitive related
             // data to minimize the number of round trips a client needs to make, process, and render.
@@ -1703,7 +1705,9 @@ public PaginatedResult getChildrenProjects(final Tag tag, final UUID uuid, final
         final Map<String, Object> params = filterBuilder.getParams();
 
         preprocessACLs(query, queryFilter, params, false);
+        query.getFetchPlan().addGroup(Project.FetchGroup.ALL.name());
         result = execute(query, params);
+        populateAncestorPaths(result.getList(Project.class));
         if (includeMetrics) {
             // Populate each Project object in the paginated result with transitive related
             // data to minimize the number of round trips a client needs to make, process, and render.
@@ -1819,6 +1823,24 @@ public boolean doesProjectExist(final String name, final String version) {
         }
     }
 
+    /**
+     * Fetches projects by their UUIDs and populates their ancestor paths.
+     * Returns a map of project UUID to project for efficient lookup.
+     *
+     * @param uuids project UUIDs to fetch
+     * @return map of project UUID to project with ancestor chains wired
+     */
+    public Map<UUID, Project> getProjectsWithAncestorPaths(Collection<UUID> uuids) {
+        if (uuids == null || uuids.isEmpty()) {
+            return Map.of();
+        }
+        final List<Project> projects = fetchProjectsByUuids(Set.copyOf(uuids));
+        populateAncestorPaths(projects);
+        return projects.stream()
+                .filter(p -> p.getUuid() != null)
+                .collect(Collectors.toMap(Project::getUuid, p -> p, (a, b) -> a));
+    }
+
     private static boolean isChildOf(Project project, UUID uuid) {
         boolean isChild = false;
         if (project.getParent() != null){

src/main/java/org/dependencytrack/persistence/QueryManager.java

@@ -447,6 +447,10 @@ public boolean doesProjectExist(final String name, final String version) {
         return getProjectQueryManager().doesProjectExist(name, version);
     }
 
+    public Map<UUID, Project> getProjectsWithAncestorPaths(final Collection<UUID> uuids) {
+        return getProjectQueryManager().getProjectsWithAncestorPaths(uuids);
+    }
+
     public Tag getTagByName(final String name) {
         return getTagQueryManager().getTagByName(name);
     }

src/main/java/org/dependencytrack/resources/v1/PolicyViolationResource.java

@@ -208,6 +208,12 @@ public Response getViolationsByComponent(@Parameter(description = "The UUID of t
      * <p>
      * This ensures that responses include not only the violations themselves, but also the associated
      * {@link org.dependencytrack.model.Policy}, which is required to tell the policy name and violation state.
+     * <p>
+     * <b>Parent path limitation:</b> Only the direct parent (one level) is included in the project. A full
+     * ancestor chain is difficult to support here because: (1) Higher JDO fetch depth triggers cycles
+     * (Project↔children, Component↔project) and causes "Input is too deeply nested" serialization errors;
+     * (2) This API returns raw JDO entities—a proper full chain would require a response VO with
+     * {@link org.dependencytrack.resources.v1.vo.ProjectParentInfo} (like {@code AffectedProject}), i.e. an API contract change.
      *
      * @param qm         The {@link QueryManager} to use
      * @param violations The {@link PolicyViolation}s to detach
@@ -216,7 +222,7 @@ public Response getViolationsByComponent(@Parameter(description = "The UUID of t
      */
     private Collection<PolicyViolation> detachViolations(final QueryManager qm, final Collection<PolicyViolation> violations) {
         final PersistenceManager pm = qm.getPersistenceManager();
-        pm.getFetchPlan().setMaxFetchDepth(2); // Ensure policy is included
+        pm.getFetchPlan().setMaxFetchDepth(2); // Policy + project + direct parent only; higher depth triggers cycles
         pm.getFetchPlan().setDetachmentOptions(FetchPlan.DETACH_LOAD_FIELDS);
         return qm.getPersistenceManager().detachCopyAll(violations);
     }

src/main/java/org/dependencytrack/resources/v1/TagResource.java

@@ -43,6 +43,7 @@
 import org.dependencytrack.resources.v1.openapi.PaginatedApi;
 import org.dependencytrack.resources.v1.problems.ProblemDetails;
 import org.dependencytrack.resources.v1.problems.TagOperationProblemDetails;
+import org.dependencytrack.resources.v1.vo.AffectedProject;
 import org.dependencytrack.resources.v1.vo.TagListResponseItem;
 import org.dependencytrack.resources.v1.vo.TaggedCollectionProjectListResponseItem;
 import org.dependencytrack.resources.v1.vo.TaggedNotificationRuleListResponseItem;
@@ -62,9 +63,12 @@
 import jakarta.ws.rs.core.MediaType;
 import jakarta.ws.rs.core.Response;
 import java.util.List;
+import java.util.Map;
 import java.util.Set;
 import java.util.UUID;
 
+import org.dependencytrack.model.Project;
+
 @Path("/v1/tag")
 @io.swagger.v3.oas.annotations.tags.Tag(name = "tag")
 @SecurityRequirements({
@@ -201,12 +205,24 @@ public Response getTaggedProjects(
         //   Will likely need a migration to cleanup existing tags for this.
 
         final List<TaggedProjectRow> taggedProjectListRows;
+        final Map<UUID, Project> projectMap;
         try (final var qm = new QueryManager(getAlpineRequest())) {
             taggedProjectListRows = qm.getTaggedProjects(tagName);
+            final var uuids = taggedProjectListRows.stream()
+                    .map(row -> UUID.fromString(row.uuid()))
+                    .toList();
+            projectMap = qm.getProjectsWithAncestorPaths(uuids);
         }
 
         final List<TaggedProjectListResponseItem> tags = taggedProjectListRows.stream()
-                .map(row -> new TaggedProjectListResponseItem(UUID.fromString(row.uuid()), row.name(), row.version()))
+                .map(row -> {
+                    final var project = projectMap.get(UUID.fromString(row.uuid()));
+                    final var parent = project != null
+                            ? AffectedProject.buildParentInfo(project.getParent())
+                            : null;
+                    return new TaggedProjectListResponseItem(
+                            UUID.fromString(row.uuid()), row.name(), row.version(), parent);
+                })
                 .toList();
         final long totalCount = taggedProjectListRows.isEmpty() ? 0 : taggedProjectListRows.getFirst().totalCount();
         return Response.ok(tags).header(TOTAL_COUNT_HEADER, totalCount).build();
@@ -312,12 +328,24 @@ public Response getTaggedCollectionProjects(
         //   Will likely need a migration to cleanup existing tags for this.
 
         final List<TagQueryManager.TaggedCollectionProjectRow> taggedCollectionProjectListRows;
+        final Map<UUID, Project> projectMap;
         try (final var qm = new QueryManager(getAlpineRequest())) {
             taggedCollectionProjectListRows = qm.getTaggedCollectionProjects(tagName);
+            final var uuids = taggedCollectionProjectListRows.stream()
+                    .map(row -> UUID.fromString(row.uuid()))
+                    .toList();
+            projectMap = qm.getProjectsWithAncestorPaths(uuids);
         }
 
         final List<TaggedCollectionProjectListResponseItem> tags = taggedCollectionProjectListRows.stream()
-                .map(row -> new TaggedCollectionProjectListResponseItem(UUID.fromString(row.uuid()), row.name(), row.version()))
+                .map(row -> {
+                    final var project = projectMap.get(UUID.fromString(row.uuid()));
+                    final var parent = project != null
+                            ? AffectedProject.buildParentInfo(project.getParent())
+                            : null;
+                    return new TaggedCollectionProjectListResponseItem(
+                            UUID.fromString(row.uuid()), row.name(), row.version(), parent);
+                })
                 .toList();
         final long totalCount = taggedCollectionProjectListRows.isEmpty() ? 0 : taggedCollectionProjectListRows.getFirst().totalCount();
         return Response.ok(tags).header(TOTAL_COUNT_HEADER, totalCount).build();

src/main/java/org/dependencytrack/resources/v1/vo/TaggedCollectionProjectListResponseItem.java

@@ -32,5 +32,6 @@
 public record TaggedCollectionProjectListResponseItem(
         @Schema(description = "UUID of the collection project", requiredMode = REQUIRED) UUID uuid,
         @Schema(description = "Name of the collection project", requiredMode = REQUIRED) String name,
-        @Schema(description = "Version of the collection project") String version) {
+        @Schema(description = "Version of the collection project") String version,
+        @Schema(description = "Parent project (nested chain for hierarchy display)") ProjectParentInfo parent) {
 }

src/main/java/org/dependencytrack/resources/v1/vo/TaggedProjectListResponseItem.java

@@ -32,5 +32,6 @@
 public record TaggedProjectListResponseItem(
         @Schema(description = "UUID of the project", requiredMode = REQUIRED) UUID uuid,
         @Schema(description = "Name of the project", requiredMode = REQUIRED) String name,
-        @Schema(description = "Version of the project") String version) {
+        @Schema(description = "Version of the project") String version,
+        @Schema(description = "Parent project (nested chain for hierarchy display)") ProjectParentInfo parent) {
 }

src/test/java/org/dependencytrack/persistence/ProjectQueryManagerTest.java

@@ -157,4 +157,43 @@ void testGetProjectPopulatesNestedParentChain() {
         Assertions.assertNull(fetched.getParent().getParent().getParent());
     }
 
+    @Test
+    void testGetProjectPopulatesDeepParentChain() {
+        // 4 levels: root -> level1 -> level2 -> leaf
+        final Project root = qm.createProject("root", null, "1.0", null, null, null, true, false);
+        final Project level1 = new Project();
+        level1.setName("level1");
+        level1.setVersion("1.0");
+        level1.setParent(root);
+        qm.persist(level1);
+        final Project level2 = new Project();
+        level2.setName("level2");
+        level2.setVersion("1.0");
+        level2.setParent(level1);
+        qm.persist(level2);
+        final Project leaf = new Project();
+        leaf.setName("leaf");
+        leaf.setVersion("1.0");
+        leaf.setParent(level2);
+        qm.persist(leaf);
+
+        final Project fetched = qm.getProject(leaf.getUuid().toString());
+        Assertions.assertNotNull(fetched);
+
+        // All ancestors must have name/version populated (validates fetch group fix)
+        Assertions.assertNotNull(fetched.getParent());
+        Assertions.assertEquals("level2", fetched.getParent().getName());
+        Assertions.assertEquals("1.0", fetched.getParent().getVersion());
+
+        Assertions.assertNotNull(fetched.getParent().getParent());
+        Assertions.assertEquals("level1", fetched.getParent().getParent().getName());
+        Assertions.assertEquals("1.0", fetched.getParent().getParent().getVersion());
+
+        Assertions.assertNotNull(fetched.getParent().getParent().getParent());
+        Assertions.assertEquals("root", fetched.getParent().getParent().getParent().getName());
+        Assertions.assertEquals("1.0", fetched.getParent().getParent().getParent().getVersion());
+
+        Assertions.assertNull(fetched.getParent().getParent().getParent().getParent());
+    }
+
 }