Merge pull request #996 from DependencyTrack/backport-pr-4234

Author: nscuro

apiserver/src/main/java/org/dependencytrack/model/PolicyViolation.java

@@ -49,9 +49,7 @@
 @PersistenceCapable
 @JsonInclude(JsonInclude.Include.NON_NULL)
 @JsonIgnoreProperties(ignoreUnknown = true)
-// TODO: Add @Unique composite constraint on the fields component, policyCondition, and type.
-//   The legacy PolicyEngine erroneously allows for duplicates on those fields, but CelPolicyEngine
-//   will never produce such duplicates. Until we remove the legacy engine, we can't add this constraint.
+@Index(members = {"component", "project", "policyCondition"}, unique = "true")
 public class PolicyViolation implements Serializable {
 
     public enum Type {
@@ -78,12 +76,12 @@ public enum Type {
     @Persistent(defaultFetchGroup = "true")
     @ForeignKey(name = "POLICYVIOLATION_COMPONENT_FK", updateAction = ForeignKeyAction.NONE, deleteAction = ForeignKeyAction.CASCADE, deferred = "true")
     @Column(name = "COMPONENT_ID", allowsNull = "false")
-    @Index(name = "POLICYVIOLATION_COMPONENT_IDX")
     private Component component;
 
     @Persistent(defaultFetchGroup = "true")
     @ForeignKey(name = "POLICYVIOLATION_POLICYCONDITION_FK", updateAction = ForeignKeyAction.NONE, deleteAction = ForeignKeyAction.CASCADE, deferred = "true")
     @Column(name = "POLICYCONDITION_ID", allowsNull = "false")
+    @Index(name = "POLICYVIOLATION_POLICYCONDITION_ID_IDX")
     private PolicyCondition policyCondition;
 
     @Persistent

apiserver/src/test/java/org/dependencytrack/resources/v1/PolicyViolationResourceTest.java

@@ -121,33 +121,49 @@ public void getViolationsByProjectTest() {
         component0.setVersion("1.0");
         component0 = qm.createComponent(component0, false);
 
-        var component1 = new Component();
-        component1.setProject(project);
-        component1.setName("Acme Component 1");
-        component1.setVersion("1.0");
-        component1 = qm.createComponent(component1, false);
-
         final Policy policy0 = qm.createPolicy("Blacklisted Version 0", Policy.Operator.ALL, Policy.ViolationState.FAIL);
         final PolicyCondition condition0 = qm.createPolicyCondition(policy0, PolicyCondition.Subject.VERSION, PolicyCondition.Operator.NUMERIC_EQUAL, "1.0");
 
         final Policy policy1 = qm.createPolicy("Blacklisted Version 1", Policy.Operator.ALL, Policy.ViolationState.FAIL);
         final PolicyCondition condition1 = qm.createPolicyCondition(policy1, PolicyCondition.Subject.VERSION, PolicyCondition.Operator.NUMERIC_EQUAL, "1.0");
 
-        ArrayList<PolicyViolation> filteredPolicyViolations = new ArrayList<>();
-        for (int i=0; i<10; i++) {
-            final boolean componentFilter = (i == 3);
-            final boolean conditionFilter = (i == 7);
+        final var filteredPolicyViolations = new ArrayList<PolicyViolation>();
+
+        var violationFiltered0 = new PolicyViolation();
+        violationFiltered0.setType(PolicyViolation.Type.OPERATIONAL);
+        violationFiltered0.setComponent(component0);
+        violationFiltered0.setPolicyCondition(condition1);
+        violationFiltered0.setTimestamp(new Date());
+        violationFiltered0 = qm.persist(violationFiltered0);
+        filteredPolicyViolations.add(violationFiltered0);
+
+        var componentForCondition0 = new Component();
+        componentForCondition0.setProject(project);
+        componentForCondition0.setName("Acme Component 1");
+        componentForCondition0.setVersion("1.0");
+        componentForCondition0 = qm.createComponent(componentForCondition0, false);
+
+        var violationFiltered1 = new PolicyViolation();
+        violationFiltered1.setType(PolicyViolation.Type.OPERATIONAL);
+        violationFiltered1.setComponent(componentForCondition0);
+        violationFiltered1.setPolicyCondition(condition0);
+        violationFiltered1.setTimestamp(new Date());
+        violationFiltered1 = qm.persist(violationFiltered1);
+        filteredPolicyViolations.add(violationFiltered1);
+
+        for (int i = 2; i < 6; i++) {
+            var component = new Component();
+            component.setProject(project);
+            component.setName("Acme Component " + i);
+            component.setVersion("1.0");
+            component = qm.createComponent(component, false);
 
             var violation = new PolicyViolation();
             violation.setType(PolicyViolation.Type.OPERATIONAL);
-            violation.setComponent(componentFilter ? component0 : component1);
-            violation.setPolicyCondition(conditionFilter ? condition0 : condition1);
+            violation.setComponent(component);
+            violation.setPolicyCondition(condition1);
             violation.setTimestamp(new Date());
-            violation = qm.persist(violation);
-
-            if (conditionFilter || componentFilter) {
-                filteredPolicyViolations.add(violation);
-            }
+            qm.persist(violation);
         }
 
         final Response response = jersey.target(V1_POLICY_VIOLATION)
@@ -409,9 +425,9 @@ public void getViolationsWithAclEnabledTest() {
 
         var componentD = new Component();
         componentD.setProject(projectA);
-        componentD.setName("Acme Component");
+        componentD.setName("Acme Component D");
         componentD.setVersion("1.0");
-        componentD = qm.createComponent(componentA, false);
+        componentD = qm.createComponent(componentD, false);
 
         final Policy policy = qm.createPolicy("Blacklisted Version", Policy.Operator.ALL, Policy.ViolationState.FAIL);
         final PolicyCondition condition = qm.createPolicyCondition(policy, PolicyCondition.Subject.VERSION, PolicyCondition.Operator.NUMERIC_EQUAL, "1.0");

migration/src/main/resources/migration/changelog-v5.7.0.xml

@@ -1293,4 +1293,37 @@
             );
         </sql>
     </changeSet>
+    
+    <changeSet id="v5.7.0-60" author="nscuro">
+        <!--
+            Delete any duplicate policy violations.
+            Note that this doesn't do any fancy reconciliation, it just keeps the latest.
+            Users upgrading from v4 should already not have duplicates anymore, as of v4.12.1.
+            https://github.com/DependencyTrack/dependency-track/pull/4234
+        -->
+        <sql>
+            WITH duplicate AS (
+              SELECT "ID"
+                   , ROW_NUMBER() OVER(
+                       PARTITION BY "COMPONENT_ID", "PROJECT_ID", "POLICYCONDITION_ID"
+                       ORDER BY "TIMESTAMP" DESC
+                     ) AS rn
+                FROM "POLICYVIOLATION"
+            )
+            DELETE FROM "POLICYVIOLATION"
+             USING duplicate
+             WHERE "POLICYVIOLATION"."ID" = duplicate."ID"
+               AND duplicate.rn > 1
+        </sql>
+
+        <!-- Create unique index to prevent new dupes from being created. -->
+        <createIndex tableName="POLICYVIOLATION" indexName="POLICYVIOLATION_IDENTITY_IDX" unique="true">
+            <column name="COMPONENT_ID"/>
+            <column name="PROJECT_ID"/>
+            <column name="POLICYCONDITION_ID"/>
+        </createIndex>
+
+        <!-- Drop redundant index that is covered by the new unique index. -->
+        <dropIndex tableName="POLICYVIOLATION" indexName="POLICYVIOLATION_COMPONENT_IDX"/>
+    </changeSet>
 </databaseChangeLog>