Dependency Graph weirdness for root component when using processing v2

[malice00]

Current Behavior

After activating v2 processing, the root component in a dependency graph is inconsistently rendered either as the name and version of the project (as it was in 4.11.x) or as a PURL. I'm not quite sure when/why it chooses to do one or the other, but I'd prefer it to use the previous way as to keep in line with all projects that were created before 4.12.

Steps to Reproduce

1. Not sure, will do some more testing to try and figure out if this is random or reproducible

Expected Behavior

I expect the displayed name in the graph to be consistent between projects and prefer it to be the 'name version'-variant as it was before 4.12.

Dependency-Track Frontend Version

4.12.0

Browser

Mozilla Firefox

Browser Version

130.0.1

Operating System

macOS

Checklist

• I have read and understand the contributing guidelines
• I have checked the existing issues for whether this defect was already reported

[malice00]

So, further testing seems to point at the fact that the projects that show 'name version' have sub-components defined in the SBOM (so metadata > component > components), whereas the projects that show the PURL have only a root component...

Maybe this is actually an issue for the DT repo? I started posting it here because I had this behavior in the UI, but now I'm not so sure if this is the right place...

[nscuro]

Same cause as DependencyTrack/dependency-track#3978 (comment).

Processing V1 did not import metadata.component.purl into the project but V2 does. The code of the dependency graph prefers PURL over name+version:

frontend/src/views/portfolio/projects/ProjectDependencyGraph.vue

Lines 531 to 550 in 4ccfd8b

	createNodeLabel: function (identity) {
	// could be a project or a component
	if (identity.purlCoordinates) {
	return identity.purlCoordinates;
	} else if (identity.purl) {
	return identity.purl;
	} else {
	let label = '';
	if (identity.groupId) {
	label += identity.groupId + ' ';
	}
	if (identity.name) {
	label += identity.name;
	}
	if (identity.version) {
	label += ' ' + identity.version;
	}
	return label;
	}
	},

Given that projects are otherwise referred to by name and version throughout the application, I do agree that the dependency graph should follow that, and consistently use name and version for the root node.

[malice00]

@nscuro I hate to say it, but this fix is not working for me...

[nscuro]

How are you testing? Is it still showing the PURL for the project node?

It could be that the old version is still cached in your browser.

[malice00]

You are right, resetting my cache fixed it! Should've thought of that myself...

[nscuro]

You shouldn't have to do it. #1050 should void the need to clear caches manually.

[malice00]

Great update, but that wasn't in the other branch I tested yet, so... 😉

[nscuro]

Oh, yeah, I meant to say I took your experience as a reason to implement #1050. Since asking you to clear your cache made me realize how off that is. 😅