| 1 | +# 00007. Sbom dashboard. |
| 2 | + |
| 3 | +Date: 2025-04-27 |
| 4 | + |
| 5 | +## Status |
| 6 | + |
| 7 | +DRAFT |
| 8 | + |
| 9 | +## Context |
| 10 | +This ADR document is intended to define and implement the backend logic for the heard of SBOM dashboard in the UI. |
| 11 | + |
| 12 | +Its mockup design document is as follows. |
| 13 | + |
| 14 | +### This dashboard's header can be divided into three parts: |
| 15 | +- sbom state |
| 16 | + |
| 17 | + The information includes two components: the total sum of the Packages and the total sum of individual licenses (with Policy Violations removed). |
| 18 | +- Vulnerabilities state |
| 19 | + |
| 20 | + It also contains the total number of Vulnerabilities, as well as the count for each severity level. |
| 21 | +- License info |
| 22 | + |
| 23 | + It consists of two parts: |
| 24 | + - SBOM information (name, version, published date). |
| 25 | + - License grouping - aggregating all unique licenses and visualizing them in a pie chart. |
| 26 | + |
| 27 | +## Decision |
| 28 | +### Why is it divided into three endpoints? |
| 29 | +Because these three features each require substantial computation, combining them into a single endpoint would result in excessively long page response times and negatively impact the user experience. |
| 30 | + |
| 31 | +### Design an endpoint for each of these parts. |
| 32 | +- sbom state |
| 33 | + - **HTTP GET api/v2/sbom/{id}/sbom-status** |
| 34 | + - Reponse playload |
| 35 | + ```json |
| 36 | + { |
| 37 | + "total_packages": "0", |
| 38 | + "total_licenses": "0" |
| 39 | + } |
| 40 | + ``` |
| 41 | + - **total_packages** indicates the number of packages contained in the SBOM, which can be obtained from the sbom_package model. |
| 42 | + - **total_licenses** indicates the number of distinct license IDs contained in the SBOM, including only standard SPDX IDs. This value can be obtained by counting the spdx_licenses field in the license model. |
| 43 | +- Vulnerabilities state |
| 44 | + - **HTTP GET api/v2/sbom/{id}/vulnerabilities-status** |
| 45 | + - - Reponse playload |
| 46 | + ```json |
| 47 | + { |
| 48 | + "total_vulnerabilities": "0", |
| 49 | + "total_critical": "0", |
| 50 | + "total_high": "0", |
| 51 | + "total_medium": "0", |
| 52 | + "total_low": "0" |
| 53 | + } |
| 54 | + ``` |
| 55 | + - **total_vulnerabilities** represents the total number of vulnerabilities across all packages in the SBOM. You can calculate this by retrieving each package’s purl, fetching its PurlAdvisory via PurlDetails, then obtaining the PurlStatus from that advisory, and finally counting all vulnerabilities and grouping them by severity level. |
| 56 | + |
| 57 | + |
| 58 | +- license state |
| 59 | + - **HTTP GET api/v2/sbom/{id}/license-status* |
| 60 | + - Reponse playload |
| 61 | + ```json |
| 62 | + { |
| 63 | + "name": "Sbom-name", |
| 64 | + "version": "0", |
| 65 | + "published_date": "", |
| 66 | + "licenses": [ |
| 67 | + { "name:": "Apache-2.0", "count": "10"}, |
| 68 | + { "name:": "MIT", "count": "10"}, |
| 69 | + ... |
| 70 | + ] |
| 71 | + } |
| 72 | + ``` |
| 73 | + - **licenses** represents all license IDs appearing in this SBOM (custom licenses are collectively labeled as “other”), and counts their occurrences. |
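Review bot: the three JSON response payloads encode every count as a string ("total_packages": "0", "total_critical": "0", "count": "10"), and the license-status example uses the key "name:" (stray colon) for each license entry; these are the contract the UI will be built against, so make the counts JSON integers and fix the key to "name" before the ADR leaves DRAFT. Further points in the same file: line 10 reads "the heard of SBOM dashboard" (should be "header"); "Reponse playload" appears three times (lines 34, 45, 60), and line 45 carries a doubled list marker "- - Reponse playload"; line 59 opens bold with "**" but closes with a single "*". On substance, the Context section says total_licenses excludes licenses with Policy Violations, while line 42 defines it as a count of the spdx_licenses field with no mention of that exclusion; state which one is intended. Line 55 describes computing total_vulnerabilities by fetching PurlDetails, PurlAdvisory and PurlStatus per package, which is one round trip per package and is at odds with the stated reason for splitting the endpoints (long response times); consider a single aggregate query keyed on the SBOM's purls instead. Finally, all three endpoints take a caller-supplied {id} but the ADR says nothing about verifying the caller is authorized to read that SBOM; document where that check lives so the dashboard endpoints do not disclose another tenant's package, vulnerability and license data.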