Add "last analysis" timestamp to project responses #4620

Closed
2 tasks done
stohrendorf opened this issue Feb 6, 2025 · 3 comments · Fixed by #4642
Labels
enhancement New feature or request good first issue Good for newcomers p2 Non-critical bugs, and features that help organizations to identify and reduce risk size/S Small effort
Comments

@stohrendorf
Contributor

stohrendorf commented Feb 6, 2025

Current Behavior

There is no information anywhere about when the last analysis cycle was done on a project.

Proposed Behavior

Add a field like "lastAnalysis" that contains the timestamp of the last vulnerability analysis of a project, similar to "lastBomImport". Apart from an optimization opportunity for automation leveraging DT, this could also help answer questions like "why is vulnerability X not associated with project Y" by comparing the vulnerability publication/update timestamp to the analysis timestamp within the UI.

NOTE: This is rather low priority for me, it's not inhibiting anything. It would just be nice to have.

@stohrendorf stohrendorf added the enhancement New feature or request label Feb 6, 2025
@nscuro nscuro added p2 Non-critical bugs, and features that help organizations to identify and reduce risk good first issue Good for newcomers size/S Small effort labels Feb 6, 2025
@stohrendorf
Contributor Author

I'm thinking about trying to implement this myself. I had a look at the code, and I think I know how to expand the DB model, but I don't know where to actually add saving the timestamp, or where to add it to the response. If you could point me to what to do, or show me a PR where something similar was done, I'd be thankful.

@nscuro
Member

nscuro commented Feb 8, 2025

I just refactored the relevant location. Updating the "last analyzed" timestamp for a project could happen here:

```java
private void analyzeProject(
        final QueryManager qm,
        final Project project,
        final VulnerabilityAnalysisLevel analysisLevel) {
    final ReentrantLock projectLock = getLockForProjectAndNamespace(project, getClass().getSimpleName());
    // Acquire the lock before entering the try/finally: a failed or interrupted tryLock must
    // return without reaching unlock(), which would otherwise throw IllegalMonitorStateException
    // because this thread does not hold the lock.
    try {
        final boolean lockAcquired = projectLock.tryLock(5, TimeUnit.MINUTES);
        if (!lockAcquired) {
            LOGGER.warn("Failed to acquire lock after 5min; Skipping analysis");
            return;
        }
    } catch (InterruptedException e) {
        LOGGER.warn("Interrupted while waiting for lock; Not performing analysis", e);
        Thread.currentThread().interrupt();
        return;
    }
    try {
        List<Component> components = fetchNextComponentBatch(qm, project, null);
        if (components.isEmpty()) {
            LOGGER.info("Project does not have any components; Nothing to analyze");
            return;
        }
        // Components are analyzed in batches; the loop ends when a batch comes back empty.
        while (!components.isEmpty()) {
            if (Thread.currentThread().isInterrupted()) {
                LOGGER.info("Interrupted before all components could be analyzed");
                break;
            }
            analyzeComponents(qm, components, analysisLevel);
            if (analysisLevel == VulnerabilityAnalysisLevel.PERIODIC_ANALYSIS) {
                try {
                    performPolicyEvaluation(project, components);
                } catch (RuntimeException e) {
                    LOGGER.warn("Policy evaluation against %d components failed".formatted(
                            components.size()), e);
                }
            }
            // Drop the cached batch so memory stays bounded, then fetch the next page by last id.
            qm.getPersistenceManager().evictAll(false, Component.class);
            components = fetchNextComponentBatch(qm, project, components.getLast().getId());
        }
    } finally {
        projectLock.unlock();
    }
}
```

Note that vulnerability analysis is only one type of analysis, so we need to be explicit about that when it comes to naming fields / columns.
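As an added illustration (not nscuro's code and not Dependency-Track's own model classes), a self-contained Java sketch of the two points above: stamp the project only when the batch loop ran to completion, and use that "lastVulnerabilityAnalysis" value to answer the "why is vulnerability X not associated with project Y" question from the issue description. `Project`, `Vulnerability`, `Coverage` and the batch representation are hypothetical minimal stand-ins.

```java
import java.time.Instant;
import java.util.List;

final class VulnerabilityAnalysisTimestamp {
    // Mirrors the batch loop above: stamp only when every batch was processed, so an
    // interrupted run keeps the previous value instead of claiming coverage it lacks.
    static void analyzeProject(Project project, List<List<String>> batches, Instant now) {
        for (List<String> batch : batches) {
            if (Thread.currentThread().isInterrupted()) {
                return;
            }
            // analyzeComponents(qm, batch, analysisLevel) would run here
        }
        project.lastVulnerabilityAnalysis = now;
    }

    // Answers "why is X not on Y?": compare the vuln's last change to the last analysis.
    static Coverage coverage(Project project, Vulnerability vuln) {
        if (project.lastVulnerabilityAnalysis == null) {
            return Coverage.NEVER_ANALYZED;
        }
        Instant lastChange = vuln.updated() != null ? vuln.updated() : vuln.published();
        return lastChange.isAfter(project.lastVulnerabilityAnalysis)
                ? Coverage.CHANGED_AFTER_LAST_ANALYSIS
                : Coverage.COVERED;
    }

    public static void main(String[] args) {
        Project project = new Project();
        // Constructed sample: published Feb 1, record updated Feb 7.
        Vulnerability vuln = new Vulnerability("EXAMPLE-0001",
                Instant.parse("2025-02-01T00:00:00Z"), Instant.parse("2025-02-07T00:00:00Z"));
        List<List<String>> batches = List.of(List.of("comp-a", "comp-b"), List.of("comp-c"));
        System.out.println("before any analysis: " + coverage(project, vuln));
        analyzeProject(project, batches, Instant.parse("2025-02-06T12:00:00Z"));
        System.out.println("analyzed Feb 6, vuln updated Feb 7: " + coverage(project, vuln));
        analyzeProject(project, batches, Instant.parse("2025-02-08T12:00:00Z"));
        System.out.println("re-analyzed Feb 8: " + coverage(project, vuln));
    }
}

// Hypothetical minimal stand-ins, not Dependency-Track's own model classes.
record Vulnerability(String id, Instant published, Instant updated) {}

final class Project {
    Instant lastVulnerabilityAnalysis; // null until one full analysis cycle has completed
}

enum Coverage { NEVER_ANALYZED, COVERED, CHANGED_AFTER_LAST_ANALYSIS }
```

Run with `java VulnerabilityAnalysisTimestamp.java`; the second print shows the case the issue is about, a vulnerability record changed after the project's most recent analysis.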

stohrendorf added a commit to stohrendorf/dependency-track that referenced this issue Feb 10, 2025
stohrendorf added a commit to stohrendorf/dependency-track that referenced this issue Feb 10, 2025
stohrendorf added a commit to stohrendorf/dependency-track that referenced this issue Feb 12, 2025
stohrendorf added a commit to stohrendorf/dependency-track that referenced this issue Mar 10, 2025
@nscuro nscuro added this to the 4.13 milestone Mar 10, 2025
stohrendorf added a commit to stohrendorf/dependency-track that referenced this issue Mar 11, 2025
stohrendorf added a commit to stohrendorf/dependency-track that referenced this issue Mar 11, 2025
nscuro added a commit that referenced this issue Mar 11, 2025
#4620 add "lastVulnerabilityAnalysis" to project
nscuro added a commit to nscuro/dependency-track-frontend that referenced this issue Apr 6, 2025
The timestamp field was added to the project model in DependencyTrack/dependency-track#4620.

Signed-off-by: nscuro <[email protected]>
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 11, 2025