
feat(UI/REST): Package Portlet #1999

Merged

Conversation

@akapti (Contributor) commented Jun 12, 2023


What is Package Portlet:

  • A Package portlet is a new feature in SW360.
  • Package portlet is the third hierarchy level in SW360 after Components and Releases.
  • This is a dedicated portlet in SW360 where Package information is stored.
  • Users can search for specific Packages and link them to Releases or Projects.

Task Completed:

  • CycloneDX BOM Importer at Project homepage & Project details page (supports JSON & XML format).
    • If VCS is available in SBOM then import by grouping VCS, and create Component, Release & Package.
    • If VCS is not available in SBOM then import without grouping and create only Package without linked Release.
    • Upload SBOM used for import as an attachment in Project.
  • Package portlet homepage UI (listing of all packages).
    • Show Linked Release information (like Release name with version and Release Clearing State).
    • Edit Package and Delete Package buttons (Deletion is possible if Package is not used in any Project).
    • Advanced Search feature.
  • Add new Package page from Package portlet homepage.
  • Package Edit page.
    • Linking / Unlinking Release to / from the Package.
    • Delete Package (if not used in any Project).
  • Package Details page.
    • Summary tab.
    • Using Projects Table in Package Summary tab.
    • Change Log tab.
  • Release Details page.
    • Linked Packages tab.
    • Buttons to Edit & Delete the Packages (Deletion is possible if Package is not used in any Project).
    • Header level Search and Filter for Linked Packages table.
  • Release Edit page.
    • Search & Add Linked Packages (only Orphan Packages can be searched & Linked to a Release).
    • Unlink existing Linked Packages.
  • Restrict deletion of Release if there are Linked Packages in it.
  • Project Details page.
    • Linked Packages tab.
    • Show Linked Release information in Linked Packages tab.
    • Button to Edit the Packages.
    • Header level Search and Filter for Linked Packages table.
    • Button to update missing linked Releases in License Clearing tab.
  • Project Edit page.
    • Search & Add Linked Packages.
    • Unlink existing Linked Packages.
    • Automatically remove a linked Release when its only linked Package is removed from the Project (when the Project is updated).
    • Automatically link a Release (if not already linked) when one of its linked Packages is linked to the Project (when the Project is updated).
  • Making Package portlet feature configurable. (via sw360.properties: package.portlet.enabled=true -> default is false)
  • Feature to upload the SBOM import status in JSON form as attachment in Project.
  • Feature to see the detailed view of SBOM import status from an ImportStatus.json attachment in Project.
  • Feature to Copy the information from the SBOM import modal pop-up.
  • Feature to Search for Packages in Search portlet.
  • No Moderation Requests for Packages; hence Package Edit / Update functionality is restricted to the Creator of the Package or a user with a minimum role of Clearing Admin. The user role should be configurable
    (via sw360.properties: package.portlet.write.access.usergroup=USER -> default role is USER).
  • CycloneDX SBOM Exporter at Project details page (supports JSON & XML format).
  • REST API:
    • POST endpoint to Create a single Package.
    • PATCH endpoint to Update a Package.
    • DELETE endpoint to delete a Package (Deletion is possible if Package is not used in any Project).
    • GET endpoint to Get a single Package with all details.
    • PATCH endpoint to link / unlink Package to / from Project.
    • POST endpoint to Import CycloneDX SBOM at Project level.
    • PATCH endpoint to link / unlink Package to / from Release.
    • GET endpoint to list all Packages with minimal details.
    • GET endpoint to list all Packages with all details.
    • GET endpoint to list all Packages by name & package manager type.

Known Issues:

  • The CycloneDX importer works well with GitHub VCS URLs only.
  • Non-GitHub VCS URLs may create inappropriate component grouping and names.

Package Managers in Scope:

  • Import will fail if any SBOM contains a Package Manager other than those listed below.
  • Very minimal code changes are needed in SW360 to support any other Package Manager than the ones listed below.
  • Package Manager types are picked from: https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst
  • ALPINE
  • ALPM
  • APK
  • BITBUCKET
  • CARGO
  • COCOAPODS
  • COMPOSER
  • CONAN
  • CONDA
  • CPAN
  • CRAN
  • DEB
  • DOCKER
  • DRUPAL
  • GEM
  • GENERIC
  • GITHUB
  • GITLAB
  • GOLANG
  • GRADLE
  • HACKAGE
  • HEX
  • HUGGINGFACE
  • MAVEN
  • MLFLOW
  • NPM
  • NUGET
  • OCI
  • PUB
  • PYPI
  • RPM
  • SWID
  • SWIFT
  • YARN
  • YOCTO
  • ....

Use Case:

  • A Package cannot be deleted if it's already linked to any Project.
  • A Release cannot be deleted if it contains linked Packages.
  • Only orphan packages can be linked to a Release from Release edit page.
  • Linking a Package to a Project should also link its Release to the Project (if the Release is not already linked).
  • Un-linking the only Package from the Project should also unlink its Release from the Project (if the Package is linked to a Release).
  • Whenever an SBOM is imported from the Project homepage, a new Project (if not already present) will be created with the name and version of the component present in the metadata tag of the SBOM being imported by the user.
  • Importing an SBOM from the Project details page will not validate the component present in the metadata tag of the SBOM and imports all its components based on the logic mentioned above.

Link to development branch:


Contributor:

UI & Backend: @akapti
REST API: @afsahsyeda


Issue: #1146 #1374

Suggest Reviewer

@smrutis1

How To Test?

Will share a detailed description on how to test the PR with all use cases.

Checklist

Must:

  • All related issues are referenced in commit messages and in PR
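The import rules listed in this description (purl-type allow-list, grouping by VCS reference, Project created from metadata.component when importing from the Project homepage, orphan Package when no VCS is present) modelled in Python as an added example. This is not SW360 code and says nothing about SW360's internal classes or REST payloads: the function names, the GitHub URL normalisation (taking owner/repo from the URL path) and the sample SBOMs are constructed for illustration, and the allow-list is the one given in this description, lower-cased to match the purl `type` field.

```python
# Added example: a model of the CycloneDX import rules from the PR description.
# Not SW360 code; function names, URL normalisation and sample data are constructed.
import json
import re
from urllib.parse import urlparse

# Package-manager types the PR lists as in scope (lower-cased purl "type").
# Per the PR, an SBOM containing any other type must fail the import.
SUPPORTED_PURL_TYPES = {
    "alpine", "alpm", "apk", "bitbucket", "cargo", "cocoapods", "composer",
    "conan", "conda", "cpan", "cran", "deb", "docker", "drupal", "gem",
    "generic", "github", "gitlab", "golang", "gradle", "hackage", "hex",
    "huggingface", "maven", "mlflow", "npm", "nuget", "oci", "pub", "pypi",
    "rpm", "swid", "swift", "yarn", "yocto",
}


class SbomImportError(ValueError):
    """Raised when the whole import must be rejected."""


def purl_type(purl):
    """Extract TYPE from 'pkg:TYPE/namespace/name@version'."""
    m = re.match(r"^pkg:([A-Za-z0-9.+-]+)/", purl or "")
    if not m:
        raise SbomImportError(f"malformed purl: {purl!r}")
    return m.group(1).lower()


def github_repo_key(vcs_url):
    """Normalise a GitHub VCS URL to 'owner/repo'; None for any other host (assumed rule)."""
    u = urlparse(vcs_url)
    if (u.hostname or "").lower() not in ("github.com", "www.github.com"):
        return None
    parts = [p for p in u.path.split("/") if p]
    if len(parts) < 2:
        return None
    repo = parts[1][:-4] if parts[1].endswith(".git") else parts[1]
    return f"{parts[0]}/{repo}"


def import_cyclonedx(sbom_json, create_project=False):
    """Apply the import rules and return what would be created."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise SbomImportError("not a CycloneDX BOM")
    components = bom.get("components", [])
    # Validate every purl before creating anything, so one unsupported
    # package manager rejects the whole SBOM instead of half-importing it.
    unsupported = sorted({purl_type(c.get("purl")) for c in components} - SUPPORTED_PURL_TYPES)
    if unsupported:
        raise SbomImportError(f"unsupported package manager type(s): {unsupported}")
    project = None
    if create_project:  # import started from the Project homepage
        meta = (bom.get("metadata") or {}).get("component") or {}
        if not meta.get("name"):
            raise SbomImportError("metadata.component.name is required to create a project")
        project = (meta["name"], meta.get("version", ""))
    releases, orphans = {}, []
    for c in components:
        vcs = next((r.get("url") for r in c.get("externalReferences", [])
                    if r.get("type") == "vcs"), None)
        if not vcs:
            orphans.append(c["purl"])  # Package only, no linked Release
            continue
        key = github_repo_key(vcs)
        # Known issue from the PR: only GitHub URLs are normalised; any other
        # VCS URL is used verbatim as the grouping key and may mis-group.
        comp_name = key.split("/")[1] if key else vcs
        releases.setdefault((comp_name, c.get("version", "")), []).append(c["purl"])
    return {"project": project, "releases": releases, "orphan_packages": orphans}


def import_error(sbom_json, **kwargs):
    """Return the rejection message, or None if the import is accepted."""
    try:
        import_cyclonedx(sbom_json, **kwargs)
    except SbomImportError as e:
        return str(e)
    return None


# Constructed sample: two npm packages from one GitHub repo, one PyPI package without VCS.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"name": "acme-app", "version": "2.0.0"}},
    "components": [
        {"name": "@acme/widget", "version": "1.2.0", "purl": "pkg:npm/%40acme/widget@1.2.0",
         "externalReferences": [{"type": "vcs", "url": "git+https://github.com/acme/widget.git"}]},
        {"name": "@acme/widget-cli", "version": "1.2.0", "purl": "pkg:npm/%40acme/widget-cli@1.2.0",
         "externalReferences": [{"type": "vcs", "url": "https://github.com/acme/widget/tree/main/packages/cli"}]},
        {"name": "acme-tool", "version": "0.1.0", "purl": "pkg:pypi/acme-tool@0.1.0"},
    ],
})
# Constructed sample with a purl type that is valid per purl-spec but not in the PR's list.
UNSUPPORTED_SBOM = json.dumps({"bomFormat": "CycloneDX",
                               "components": [{"name": "x", "version": "1", "purl": "pkg:qpkg/x@1"}]})

if __name__ == "__main__":
    result = import_cyclonedx(SAMPLE_SBOM, create_project=True)
    print("project:", result["project"])
    for (name, ver), purls in result["releases"].items():
        print(f"release {name} {ver}: {purls}")
    print("orphan packages:", result["orphan_packages"])
    print("rejected:", import_error(UNSUPPORTED_SBOM))
```

The allow-list check runs over the whole component list before anything is created, which is the behaviour the description implies ("Import will fail"); an importer that created Components and Packages while iterating and only then hit an unsupported type would leave a partially imported Project behind. The grouping key also shows why the known issue about non-GitHub URLs matters: two purls from the same GitLab repository but with differently written URLs would land in two Components.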

@heliocastro (Contributor) commented:

@akapti Is this Work in Progress or in review state?
Please don't forget to sign.

@heliocastro heliocastro added WIP work in progress in progress and removed in progress labels Jun 12, 2023
@akapti akapti force-pushed the feat/PackagePortlet-1374-1146 branch from f34db24 to e1fa4cc Compare June 12, 2023 09:14
@ag4ums (Contributor) commented Jun 12, 2023

@akapti, thanks for creating this PR.
I see that two different features are combined here in a single PR;
my suggestion is to split this into two separate PRs for easy readability and better code review,
maybe one for the CycloneDx SBOM Importer and the other for the Package Portlet.

@akapti akapti force-pushed the feat/PackagePortlet-1374-1146 branch 2 times, most recently from d73f31f to 7703c86 Compare June 13, 2023 14:11
@akapti akapti added needs general test This is general testing, meaning that there is no org specific issue to check for needs special test Opposed to general testing, this requires dedicated check at some party's deployment and removed WIP work in progress labels Jun 13, 2023
@akapti (Contributor, Author) commented Jun 13, 2023

Hi All,

  • I have marked the PR as ready for testing, as the feature is pretty stable and can be tested by anyone.
  • Meanwhile I will work on splitting the PR based on CycloneDX BOM importer / exporter and Package portlet.
  • If you find any bugs with the feature, please post a comment in the PR with error logs and screenshots.
  • I will update the How to Test description soon.

CC: @ag4ums @heliocastro @smrutis1 @afsahsyeda @KoukiHama @arunazhakesan

@akapti akapti force-pushed the feat/PackagePortlet-1374-1146 branch 14 times, most recently from 9d2709b to 0c4e466 Compare June 19, 2023 13:08
@ag4ums ag4ums requested a review from KoukiHama July 5, 2023 09:27
@KoukiHama (Member) commented Jul 5, 2023

aah... I totally missed that part. Currently component visibility is not being checked and all components are fetched irrespective of whether the component is visible or not.

We need to deal with these results, but I will review the latest one tomorrow as a code review and general test with some options in sw360 properties.

@KoukiHama (Member) commented Jul 6, 2023

I tried basic functions, it works fine.
But I added a new package page by myself from the admin menu.

How about making new Private_Pages_7_4_3_18_GA18.lar ?

[image: link to release]

[image: Make new package]

@tienlee (Contributor) left a review comment:

I have some comments, please take a look.

@akapti akapti force-pushed the feat/PackagePortlet-1374-1146 branch from 7826579 to 5e3c422 Compare July 19, 2023 09:17
@afsahsyeda afsahsyeda force-pushed the feat/PackagePortlet-1374-1146 branch 2 times, most recently from 3a24726 to 7ad3b1d Compare July 25, 2023 11:36
@akapti akapti force-pushed the feat/PackagePortlet-1374-1146 branch from 7ad3b1d to 4a94905 Compare July 26, 2023 05:52
Signed-off-by: akapti <abdul.kapti@siemens-healhtineers.com>

feat(REST): REST endpoints for Package portlet
Signed-off-by: afsahsyeda <afsah.syeda@siemens-healhtineers.com>
@akapti akapti force-pushed the feat/PackagePortlet-1374-1146 branch from 4a94905 to d356bc0 Compare July 26, 2023 05:58
@akapti (Contributor, Author) commented Jul 26, 2023

> I have some comments, please take a look.

@tienlee Incorporated review comments by @afsahsyeda, and I have resolved the merge conflicts.

@afsahsyeda (Contributor) commented:

Hi @smrutis1 ,

Your review comments have been incorporated. Please have a look

@KoukiHama KoukiHama added ready ready to merge and removed needs code review needs general test This is general testing, meaning that there is no org specific issue to check for needs special test Opposed to general testing, this requires dedicated check at some party's deployment labels Jul 26, 2023
@ag4ums ag4ums merged commit a6d0c7c into eclipse-sw360:main Jul 26, 2023
Linked issues this pull request may close: New Release Type attribute for Releases; Support for Consuming CycloneDX BOM