Highlight invalid and missing versions in Dependency List
Problem to solve
During SBOM ingestion, the backend ingests SBOM components even when they have invalid versions or no version at all. However, these components are excluded from scans.
- Components with invalid versions (i.e. that cannot be parsed by semver_dialects) are ignored by Continuous Vulnerability Scanning (CVS).
- Components without versions are excluded by both License Scanning and CVS.

Users might not be aware of this.
Proposal
In the Dependency List, highlight components that don't have a valid version, and say that these are excluded from scans.
We could add a new boolean column to the sbom_occurrences table
to identify ingested components whose version can't be parsed by semver_dialects.
In a later step we would change CVS to leverage that column and exclude these components from scans instead of trying to parse their versions.
Invalid versions should not be tracked in the sbom_component_versions table.
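Added sketch of the classification logic behind this proposal (example code, not GitLab's own): it marks each ingested occurrence as having a missing, invalid, or valid version, records which scans would skip it (as described in the problem statement above), and filters the candidate sets for CVS and License Scanning accordingly. The `parse_version` helper is a stand-in for semver_dialects that only accepts the plain `MAJOR.MINOR.PATCH[-pre][+build]` shape; the column name `version_unparsable`, the helper names and the sample occurrences are assumptions constructed for the example.

```ruby
# Stand-in for the semver_dialects parser (assumption: the real gem is not
# used here). Accepts plain semver, returns nil for anything else.
SEMVER_RE = /\A
  (?<major>0|[1-9]\d*)\.(?<minor>0|[1-9]\d*)\.(?<patch>0|[1-9]\d*)
  (?:-(?<pre>[0-9A-Za-z.-]+))?
  (?:\+(?<build>[0-9A-Za-z.-]+))?
\z/x

def parse_version(version)
  return nil if version.nil? || version.strip.empty?

  m = SEMVER_RE.match(version)
  return nil unless m

  { major: m[:major].to_i, minor: m[:minor].to_i, patch: m[:patch].to_i,
    pre: m[:pre], build: m[:build] }
end

# No version string at all (nil or blank).
def version_missing?(version)
  version.nil? || version.strip.empty?
end

# A version string is present but cannot be parsed. This is the value the
# proposed boolean column on sbom_occurrences (called version_unparsable
# here, an assumed name) would hold.
def version_invalid?(version)
  !version_missing?(version) && parse_version(version).nil?
end

# Classify one occurrence for the Dependency List: which status to show and
# which scans skip it. Missing versions are skipped by both scans; invalid
# versions are skipped by CVS only, matching the problem statement.
def classify(occurrence)
  v = occurrence[:version]
  if version_missing?(v)
    { status: :missing_version, excluded_from: [:license_scanning, :cvs] }
  elsif version_invalid?(v)
    { status: :invalid_version, excluded_from: [:cvs] }
  else
    { status: :ok, excluded_from: [] }
  end
end

# Occurrences CVS would actually scan once it relies on the flag instead of
# re-parsing versions itself.
def cvs_candidates(occurrences)
  occurrences.reject { |o| classify(o)[:excluded_from].include?(:cvs) }
end

# Occurrences License Scanning would process (invalid versions still count).
def license_scanning_candidates(occurrences)
  occurrences.reject { |o| classify(o)[:excluded_from].include?(:license_scanning) }
end

# Rows as the Dependency List could render them, with a note for skipped scans.
def dependency_list_rows(occurrences)
  occurrences.map do |o|
    c = classify(o)
    note = c[:excluded_from].empty? ? '' : "excluded from: #{c[:excluded_from].join(', ')}"
    { name: o[:name], version: o[:version] || '(none)', status: c[:status], note: note }
  end
end

# Constructed sample occurrences (not real ingestion data).
SAMPLE_OCCURRENCES = [
  { name: 'rails',    version: '7.0.4' },
  { name: 'nokogiri', version: 'latest' },
  { name: 'lodash',   version: nil },
  { name: 'example',  version: '1.2.3-beta.1+build.5' }
].freeze

if __FILE__ == $PROGRAM_NAME
  dependency_list_rows(SAMPLE_OCCURRENCES).each do |row|
    puts format('%-10s %-22s %-16s %s', row[:name], row[:version], row[:status], row[:note])
  end
end
```

Running the file prints one row per sample occurrence; `nokogiri` (`latest`) shows `invalid_version` with a CVS-only exclusion note, `lodash` shows `missing_version` excluded from both scans.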
This is related to Improve DB schema to better support CVS and the... (#438378).