Add direct dependency flag to component for efficient direct/transitive dependency filtering

[sahibamittal]

Description

Add direct dependency flag to component for efficient direct/transitive dependency filtering.

Addressed Issue

Ports PR from Hyades Apiserver

#6183
DependencyTrack/hyades-apiserver#2168

Additional Details

Checklist

• I have read and understand the contributing guidelines
• This PR fixes a defect, and I have provided tests to verify that the fix is effective
• This PR implements an enhancement, and I have provided tests to verify that it works as intended
• This PR introduces changes to the database model, and I have updated the migration changelog accordingly
• This PR introduces new or alters existing behavior, and I have updated the documentation accordingly
• This PR is a substantial change (per the ADR criteria), and I have added an ADR under docs/adr/

[owasp-dt-bot]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 complexity · 1 duplication

Metric	Results
Complexity	0
Duplication	1

View in Codacy

🟢 Coverage 100.00% diff coverage · -0.08% coverage variation

Metric	Results
Coverage variation	✅ -0.08% coverage variation (-1.00%)
Diff coverage	✅ 100.00% diff coverage (70.00%)

View coverage diff in Codacy

Coverage variation details

	Coverable lines	Covered lines	Coverage
Common ancestor commit (073d435)	41636	35833	86.06%
Head commit (0310c52)	41646 (+10)	35807 (-26)	85.98% (-0.08%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details

	Coverable lines	Covered lines	Diff coverage
Pull request (#6206)	10	10	100.00%

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

_{NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.}

[Copilot]

Pull request overview

This PR adds a denormalized direct dependency flag to components so direct/transitive dependency filtering can use a boolean column instead of JSONB containment checks.

Changes:

• Adds COMPONENT.DIRECT persistence, migration, model accessors, and BOM-import population logic.
• Updates project component listing, v1 filtering, CEL policy mapping/proto support, and response schemas.
• Adjusts tests and JSON assertions for the new direct flag.

Reviewed changes

Copilot reviewed 21 out of 21 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
proto/src/main/proto/org/dependencytrack/policy/v1/policy.proto	Adds is_direct to policy component proto.
migration/src/main/resources/org/dependencytrack/migration/V202605291156__add_direct_column_to_component.sql	Adds the DIRECT column and index.
apiserver/src/main/java/org/dependencytrack/model/Component.java	Adds persisted direct field and accessors.
apiserver/src/main/java/org/dependencytrack/tasks/ImportBomActivity.java	Recomputes direct flags after dependency graph import.
apiserver/src/main/java/org/dependencytrack/persistence/jdbi/ComponentDao.java	Uses and maintains DIRECT in project component queries.
apiserver/src/main/java/org/dependencytrack/persistence/ComponentQueryManager.java	Switches legacy direct filtering to DIRECT.
apiserver/src/main/java/org/dependencytrack/resources/v2/ProjectsResource.java	Includes direct in v2 project component responses.
api/src/main/openapi/resources/projects/schemas/list-project-components-response-item.yaml	Documents direct in the v2 response schema.
apiserver/src/main/java/org/dependencytrack/policy/cel/persistence/CelPolicyFieldMappingRegistry.java	Exposes is_direct to CEL field selection.
apiserver/src/main/java/org/dependencytrack/policy/cel/persistence/CelPolicyDao.java	Reads direct dependency status from COMPONENT.DIRECT.
apiserver/src/main/java/org/dependencytrack/policy/cel/persistence/CelPolicyComponentRowMapper.java	Maps is_direct into CEL policy component protos.
apiserver/src/main/java/org/dependencytrack/model/mapping/PolicyProtoMapper.java	Maps model component direct status into policy proto.
apiserver/src/test/java/org/dependencytrack/resources/v2/ProjectsResourceTest.java	Updates v2 project component response expectations.
apiserver/src/test/java/org/dependencytrack/resources/v2/ComponentsResourceTest.java	Updates component creation response expectations.
apiserver/src/test/java/org/dependencytrack/resources/v1/VulnerabilityResourceTest.java	Updates nested component JSON expectations.
apiserver/src/test/java/org/dependencytrack/resources/v1/ComponentResourceTest.java	Updates component JSON expectations and setup.
apiserver/src/test/java/org/dependencytrack/policy/cel/persistence/CelPolicyDaoTest.java	Updates CEL field-loading JSON expectations.
apiserver/src/test/java/org/dependencytrack/policy/cel/compat/VersionDistanceCelPolicyEvaluatorTest.java	Updates direct-dependency setup for version-distance policies.
apiserver/src/test/java/org/dependencytrack/policy/cel/CelPolicyEngineTest.java	Updates CEL policy direct-dependency setup.
apiserver/src/test/java/org/dependencytrack/persistence/jdbi/ComponentDaoTest.java	Adds coverage for recomputing DIRECT.
apiserver/src/test/java/org/dependencytrack/persistence/ComponentQueryManangerPostgresTest.java	Updates legacy component-query tests to use DIRECT.

[nscuro]

Whether a component is a direct dependency could be determined here as well:

dependency-track/apiserver/src/main/java/org/dependencytrack/tasks/ImportBomActivity.java

Lines 657 to 701 in 85f86f8

	private void processDependencyGraph(
	final QueryManager qm,
	final Project project,
	final MultiValuedMap<String, String> dependencyGraph,
	final Map<ComponentIdentity, Component> componentsByIdentity,
	final Map<String, ComponentIdentity> identitiesByBomRef,
	final MultiValuedMap<ComponentIdentity, String> bomRefsByIdentity
	) {
	assertPersistent(project, "Project must be persistent");
	if (project.getBomRef() != null) {
	final Collection<String> directDependencyBomRefs = dependencyGraph.get(project.getBomRef());
	if (directDependencyBomRefs == null || directDependencyBomRefs.isEmpty()) {
	LOGGER.warn("""
	The dependency graph has %d entries, but the project (metadata.component node of the BOM) \
	is not one of them; Graph will be incomplete because it is not possible to determine its root\
	""".formatted(dependencyGraph.size()));
	}
	final String directDependenciesJson = resolveDependenciesJson(
	List.of(project.getBomRef()),
	sourceBomRef -> sourceBomRef.equals(project.getBomRef()) ? directDependencyBomRefs : null,
	identitiesByBomRef);
	if (!Objects.equals(directDependenciesJson, project.getDirectDependencies())) {
	project.setDirectDependencies(directDependenciesJson);
	qm.getPersistenceManager().flush();
	}
	} else {
	// Make sure we don't retain stale data from previous BOM uploads.
	if (project.getDirectDependencies() != null) {
	project.setDirectDependencies(null);
	qm.getPersistenceManager().flush();
	}
	}
	for (final Component component : componentsByIdentity.values()) {
	assertPersistent(component, "Component must be persistent");
	final String mergedDirectDependenciesJson = resolveMergedDirectDependenciesJson(
	component, dependencyGraph, identitiesByBomRef, bomRefsByIdentity);
	if (!Objects.equals(mergedDirectDependenciesJson, component.getDirectDependencies())) {
	component.setDirectDependencies(mergedDirectDependenciesJson);
	}
	}
	qm.getPersistenceManager().flush();
	}

[nscuro]

Can we disambiguate the name? e.g. call it directDependency / isDirectDependency.

[nscuro]

Let's also add the new field to the "all fields" test:

dependency-track/apiserver/src/test/java/org/dependencytrack/policy/cel/CelPolicyEngineTest.java

Lines 72 to 396 in 85f86f8

	/**
	* (Regression-)Test for ensuring that all data available in the policy expression context
	* can be accessed in the expression at runtime.
	* <p>
	* Data being available means:
	* <ul>
	* <li>Expression requirements were analyzed correctly</li>
	* <li>Data was retrieved from the database correctly</li>
	* <li>The mapping from DB data to CEL Protobuf models worked as expected</li>
	* </ul>
	*/
	@Test
	void testEvaluateProjectWithAllFields() throws Exception {
	final var project = new Project();
	project.setUuid(UUID.fromString("d7173786-60aa-4a4f-a950-c92fe6422307"));
	project.setGroup("projectGroup");
	project.setName("projectName");
	project.setVersion("projectVersion");
	project.setClassifier(Classifier.APPLICATION);
	project.setInactiveSince(new java.util.Date(777));
	project.setCpe("projectCpe");
	project.setPurl("projectPurl");
	project.setSwidTagId("projectSwidTagId");
	project.setLastBomImport(new java.util.Date());
	qm.persist(project);
	final var bom = new Bom();
	bom.setProject(project);
	bom.setGenerated(new java.util.Date(999));
	bom.setImported(new Date());
	qm.persist(bom);
	final var toolComponentLicense = new License();
	toolComponentLicense.setUuid(UUID.randomUUID());
	toolComponentLicense.setLicenseId("toolComponentLicenseId");
	final var toolComponent = new Component();
	toolComponent.setGroup("toolComponentGroup");
	toolComponent.setName("toolComponentName");
	toolComponent.setVersion("toolComponentVersion");
	toolComponent.setClassifier(Classifier.APPLICATION);
	toolComponent.setCpe("toolComponentCpe");
	toolComponent.setPurl("pkg:maven/toolComponentGroup/toolComponentName@toolComponentVersion"); // NB: Must be valid PURL, otherwise it's being JSON serialized as null
	toolComponent.setSwidTagId("toolComponentSwidTagId");
	toolComponent.setInternal(true); // NB: Currently ignored for tool components.
	toolComponent.setMd5("toolComponentMd5");
	toolComponent.setSha1("toolComponentSha1");
	toolComponent.setSha256("toolComponentSha256");
	toolComponent.setSha384("toolComponentSha384");
	toolComponent.setSha512("toolComponentSha512");
	toolComponent.setSha3_256("toolComponentSha3_256");
	toolComponent.setSha3_384("toolComponentSha3_384");
	toolComponent.setSha3_512("toolComponentSha3_512");
	toolComponent.setBlake2b_256("toolComponentBlake2b_256");
	toolComponent.setBlake2b_384("toolComponentBlake2b_384");
	toolComponent.setBlake2b_512("toolComponentBlake2b_512");
	toolComponent.setBlake3("toolComponentBlake3");
	// NB: License data is currently ignored for tool components.
	// Including it in the test for documentation purposes.
	toolComponent.setLicense("toolComponentLicense");
	toolComponent.setLicenseExpression("toolComponentLicenseExpression");
	toolComponent.setLicenseUrl("toolComponentLicenseUrl");
	toolComponent.setResolvedLicense(toolComponentLicense);
	final var projectMetadata = new ProjectMetadata();
	projectMetadata.setProject(project);
	projectMetadata.setTools(new Tools(List.of(toolComponent), null));
	qm.persist(projectMetadata);
	qm.createProjectProperty(project, "propertyGroup", "propertyName", "propertyValue", IConfigProperty.PropertyType.STRING, null);
	qm.bind(project, List.of(
	qm.createTag("projectTagA"),
	qm.createTag("projectTagB")
	));
	final var licenseGroup = new LicenseGroup();
	licenseGroup.setUuid(UUID.fromString("bbdb62f8-d854-4e43-a9ed-36481545c201"));
	licenseGroup.setName("licenseGroupName");
	qm.persist(licenseGroup);
	final var license = new License();
	license.setUuid(UUID.fromString("dc9876c2-0adc-422b-9f71-3ca78285f138"));
	license.setLicenseId("resolvedLicenseId");
	license.setName("resolvedLicenseName");
	license.setOsiApproved(true);
	license.setFsfLibre(true);
	license.setDeprecatedLicenseId(true);
	license.setCustomLicense(true);
	license.setLicenseGroups(List.of(licenseGroup));
	qm.persist(license);
	final var component = new Component();
	component.setProject(project);
	component.setUuid(UUID.fromString("7e5f6465-d2f2-424f-b1a4-68d186fa2b46"));
	component.setGroup("componentGroup");
	component.setName("componentName");
	component.setVersion("componentVersion");
	component.setClassifier(Classifier.LIBRARY);
	component.setCpe("componentCpe");
	component.setPurl("pkg:maven/componentGroup/componentName@componentVersion");
	component.setSwidTagId("componentSwidTagId");
	component.setInternal(true);
	component.setMd5("componentMd5");
	component.setSha1("componentSha1");
	component.setSha256("componentSha256");
	component.setSha384("componentSha384");
	component.setSha512("componentSha512");
	component.setSha3_256("componentSha3_256");
	component.setSha3_384("componentSha3_384");
	component.setSha3_512("componentSha3_512");
	component.setBlake2b_256("componentBlake2b_256");
	component.setBlake2b_384("componentBlake2b_384");
	component.setBlake2b_512("componentBlake2b_512");
	component.setBlake3("componentBlake3");
	component.setLicense("componentLicenseName");
	component.setLicenseExpression("componentLicenseExpression");
	component.setResolvedLicense(license);
	qm.persist(component);
	qm.createComponentProperty(
	component,
	"componentPropertyGroup",
	"componentPropertyName",
	"componentPropertyValue",
	IConfigProperty.PropertyType.STRING,
	null);
	useJdbiHandle(handle -> {
	new PackageMetadataDao(handle).upsertAll(List.of(
	new PackageMetadata(
	new PackageURL("pkg:maven/componentGroup/componentName"),
	"1.0.0",
	null,
	Instant.now(),
	null,
	null)));
	new PackageArtifactMetadataDao(handle).upsertAll(List.of(
	new PackageArtifactMetadata(
	new PackageURL("pkg:maven/componentGroup/componentName@componentVersion"),
	new PackageURL("pkg:maven/componentGroup/componentName"),
	null,
	null,
	null,
	null,
	new java.util.Date(222).toInstant(),
	null,
	null,
	Instant.now())));
	});
	final var vuln = new Vulnerability();
	vuln.setUuid(UUID.fromString("ffe9743f-b916-431e-8a68-9b3ac56db72c"));
	vuln.setVulnId("CVE-001");
	vuln.setSource(Vulnerability.Source.NVD);
	vuln.setCwes(List.of(666, 777));
	vuln.setCreated(new java.util.Date(666));
	vuln.setPublished(new java.util.Date(777));
	vuln.setUpdated(new java.util.Date(888));
	vuln.setSeverity(Severity.INFO);
	vuln.setCvssV2BaseScore(BigDecimal.valueOf(6.0));
	vuln.setCvssV2ImpactSubScore(BigDecimal.valueOf(6.4));
	vuln.setCvssV2ExploitabilitySubScore(BigDecimal.valueOf(6.8));
	vuln.setCvssV2Vector("(AV:N/AC:M/Au:S/C:P/I:P/A:P)");
	vuln.setCvssV3BaseScore(BigDecimal.valueOf(9.1));
	vuln.setCvssV3ImpactSubScore(BigDecimal.valueOf(5.3));
	vuln.setCvssV3ExploitabilitySubScore(BigDecimal.valueOf(3.1));
	vuln.setCvssV3Vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L");
	vuln.setOwaspRRLikelihoodScore(BigDecimal.valueOf(4.5));
	vuln.setOwaspRRTechnicalImpactScore(BigDecimal.valueOf(5.0));
	vuln.setOwaspRRBusinessImpactScore(BigDecimal.valueOf(3.75));
	vuln.setOwaspRRVector("(SL:5/M:5/O:2/S:9/ED:4/EE:2/A:7/ID:2/LC:2/LI:2/LAV:7/LAC:9/FD:3/RD:5/NC:0/PV:7)");
	qm.persist(vuln);
	qm.addVulnerability(vuln, component, "internal");
	useJdbiTransaction(handle -> new VulnerabilityAliasDao(handle)
	.syncAssertions(
	"TEST",
	new VulnerabilityKey("CVE-001", Vulnerability.Source.NVD),
	Set.of(
	new VulnerabilityKey("GHSA-001", Vulnerability.Source.GITHUB),
	new VulnerabilityKey("INT-001", Vulnerability.Source.INTERNAL),
	new VulnerabilityKey("OSV-001", Vulnerability.Source.OSV),
	new VulnerabilityKey("SNYK-001", Vulnerability.Source.SNYK),
	new VulnerabilityKey("SONATYPE-001", Vulnerability.Source.OSSINDEX),
	new VulnerabilityKey("VULNDB-001", Vulnerability.Source.VULNDB))));
	useJdbiHandle(handle -> handle.attach(EpssDao.class)
	.createOrUpdateAll(List.of(new Epss(
	"CVE-001", BigDecimal.valueOf(0.6), BigDecimal.valueOf(0.2)))));
	final Policy policy = qm.createPolicy("policy", Policy.Operator.ALL, Policy.ViolationState.INFO);
	qm.createPolicyCondition(policy, PolicyCondition.Subject.EXPRESSION, PolicyCondition.Operator.MATCHES, """
	component.uuid == "__COMPONENT_UUID__"
	&& component.group == "componentGroup"
	&& component.name == "componentName"
	&& component.version == "componentVersion"
	&& component.classifier == "LIBRARY"
	&& component.cpe == "componentCpe"
	&& component.purl == "pkg:maven/componentGroup/componentName@componentVersion"
	&& component.swid_tag_id == "componentSwidTagId"
	&& component.is_internal
	&& component.md5 == "componentmd5"
	&& component.sha1 == "componentsha1"
	&& component.sha256 == "componentsha256"
	&& component.sha384 == "componentsha384"
	&& component.sha512 == "componentsha512"
	&& component.sha3_256 == "componentsha3_256"
	&& component.sha3_384 == "componentsha3_384"
	&& component.sha3_512 == "componentsha3_512"
	&& component.blake2b_256 == "componentBlake2b_256"
	&& component.blake2b_384 == "componentBlake2b_384"
	&& component.blake2b_512 == "componentBlake2b_512"
	&& component.blake3 == "componentBlake3"
	&& component.license_name == "componentLicenseName"
	&& component.license_expression == "componentLicenseExpression"
	&& component.resolved_license.uuid == "__RESOLVED_LICENSE_UUID__"
	&& component.resolved_license.id == "resolvedLicenseId"
	&& component.resolved_license.name == "resolvedLicenseName"
	&& component.resolved_license.is_osi_approved
	&& component.resolved_license.is_fsf_libre
	&& component.resolved_license.is_deprecated_id
	&& component.resolved_license.is_custom
	&& component.resolved_license.groups.all(licenseGroup,
	licenseGroup.uuid == "__LICENSE_GROUP_UUID__"
	&& licenseGroup.name == "licenseGroupName"
	)
	&& component.published_at == timestamp("1970-01-01T00:00:00.222Z")
	&& component.properties.all(property,
	property.group == "componentPropertyGroup"
	&& property.name == "componentPropertyName"
	&& property.value == "componentPropertyValue"
	&& property.type == "STRING"
	)
	&& project.uuid == "__PROJECT_UUID__"
	&& project.group == "projectGroup"
	&& project.name == "projectName"
	&& project.version == "projectVersion"
	&& project.classifier == "APPLICATION"
	&& !project.is_active
	&& project.cpe == "projectCpe"
	&& project.purl == "projectPurl"
	&& project.swid_tag_id == "projectSwidTagId"
	&& has(project.last_bom_import)
	&& project.metadata.bom_generated == timestamp("1970-01-01T00:00:00.999Z")
	&& project.metadata.tools.components.all(tool,
	tool.group == "toolComponentGroup"
	&& tool.name == "toolComponentName"
	&& tool.version == "toolComponentVersion"
	&& tool.classifier == "APPLICATION"
	&& tool.cpe == "toolComponentCpe"
	&& tool.purl == "pkg:maven/toolComponentGroup/toolComponentName@toolComponentVersion"
	&& tool.swid_tag_id == "toolComponentSwidTagId"
	&& !tool.is_internal
	&& tool.md5 == "toolcomponentmd5"
	&& tool.sha1 == "toolcomponentsha1"
	&& tool.sha256 == "toolcomponentsha256"
	&& tool.sha384 == "toolcomponentsha384"
	&& tool.sha512 == "toolcomponentsha512"
	&& tool.sha3_256 == "toolcomponentsha3_256"
	&& tool.sha3_384 == "toolcomponentsha3_384"
	&& tool.sha3_512 == "toolcomponentsha3_512"
	&& tool.blake2b_256 == "toolComponentBlake2b_256"
	&& tool.blake2b_384 == "toolComponentBlake2b_384"
	&& tool.blake2b_512 == "toolComponentBlake2b_512"
	&& tool.blake3 == "toolComponentBlake3"
	&& !has(tool.license_name)
	&& !has(tool.license_expression)
	&& !has(tool.resolved_license)
	)
	&& "projecttaga" in project.tags
	&& project.properties.all(property,
	property.group == "propertyGroup"
	&& property.name == "propertyName"
	&& property.value == "propertyValue"
	&& property.type == "STRING"
	)
	&& vulns.all(vuln,
	vuln.uuid == "__VULN_UUID__"
	&& vuln.id == "CVE-001"
	&& vuln.source == "NVD"
	&& 666 in vuln.cwes
	&& vuln.aliases
	.map(alias, alias.source + ":" + alias.id)
	.all(alias, alias in [
	"NVD:CVE-001",
	"GITHUB:GHSA-001",
	"GSD:GSD-001",
	"INTERNAL:INT-001",
	"OSV:OSV-001",
	"SNYK:SNYK-001",
	"OSSINDEX:SONATYPE-001",
	"VULNDB:VULNDB-001"
	])
	&& vuln.created == timestamp("1970-01-01T00:00:00.666Z")
	&& vuln.published == timestamp("1970-01-01T00:00:00.777Z")
	&& vuln.updated == timestamp("1970-01-01T00:00:00.888Z")
	&& vuln.severity == "INFO"
	&& vuln.cvssv2_base_score == 6.0
	&& vuln.cvssv2_impact_subscore == 6.4
	&& vuln.cvssv2_exploitability_subscore == 6.8
	&& vuln.cvssv2_vector == "(AV:N/AC:M/Au:S/C:P/I:P/A:P)"
	&& vuln.cvssv3_base_score == 9.1
	&& vuln.cvssv3_impact_subscore == 5.3
	&& vuln.cvssv3_exploitability_subscore == 3.1
	&& vuln.cvssv3_vector == "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L"
	&& vuln.owasp_rr_likelihood_score == 4.5
	&& vuln.owasp_rr_technical_impact_score == 5.0
	&& vuln.owasp_rr_business_impact_score == 3.75
	&& vuln.owasp_rr_vector == "(SL:5/M:5/O:2/S:9/ED:4/EE:2/A:7/ID:2/LC:2/LI:2/LAV:7/LAC:9/FD:3/RD:5/NC:0/PV:7)"
	&& vuln.epss_score == 0.6
	&& vuln.epss_percentile == 0.2
	)
	"""
	.replace("__COMPONENT_UUID__", component.getUuid().toString())
	.replace("__PROJECT_UUID__", project.getUuid().toString())
	.replace("__RESOLVED_LICENSE_UUID__", license.getUuid().toString())
	.replace("__LICENSE_GROUP_UUID__", licenseGroup.getUuid().toString())
	.replace("__VULN_UUID__", vuln.getUuid().toString()), PolicyViolation.Type.OPERATIONAL);
	new CelPolicyEngine().evaluateProject(project.getUuid());
	assertThat(qm.getAllPolicyViolations(project)).hasSize(1);
	}

[nscuro]

Might want to think about backfilling the new column. Otherwise existing deployments will be in an awkward state where the new column is NULL, but the "is direct dependency" information is technically known based on the project's DIRECT_DEPENDENCIES column.

That would lead to the new column being unreliable until new BOMs are uploaded to all projects.

[sahibamittal]

Yes plan was to make it nullable to avoid heavy migration for existing components (number can be in millions for deployed components) and can be populated upon next bom upload/publish.