refactor: remove ancestorPath, use nested parent structure only

- Remove ancestorPath and AncestorPathElement from Project model
- Replace with nested parent (parent.parent...) for hierarchy
- Add ProjectParentInfo for AffectedProject parent chain
- Update AffectedProject to use parent instead of ancestorPath
- Rename buildAncestorPathFromMap to buildParentChainFromMap
- Update tests to assert parent chain only

Signed-off-by: Valentijn Scholten <valentijnscholten@gmail.com>

Author: valentijnscholten

src/main/java/org/dependencytrack/model/Project.java

@@ -343,14 +343,6 @@ public enum FetchGroup {
     private transient ProjectMetrics metrics;
     private transient List<ProjectVersion> versions;
     private transient List<Component> dependencyGraph;
-    private transient List<AncestorPathElement> ancestorPath;
-
-    /**
-     * Represents an element in the ancestor path of a project.
-     * Used to display the full hierarchy path without requiring nested parent objects.
-     */
-    public record AncestorPathElement(UUID uuid, String name, String version) {
-    }
 
     public long getId() {
         return id;
@@ -636,14 +628,6 @@ public void setVersions(List<ProjectVersion> versions) {
         this.versions = versions;
     }
 
-    public List<AncestorPathElement> getAncestorPath() {
-        return ancestorPath;
-    }
-
-    public void setAncestorPath(List<AncestorPathElement> ancestorPath) {
-        this.ancestorPath = ancestorPath;
-    }
-
     @JsonIgnore
     public List<Team> getAccessTeams() {
         return accessTeams;

src/main/java/org/dependencytrack/persistence/QueryManager.java

@@ -1722,35 +1722,25 @@ protected void populateAncestorPaths(List<Project> projects) {
             depth++;
         }
 
-        // Build the ancestor path and wire the parent chain for each project
+        // Wire the parent chain for each project so serialization produces nested parent structure
         projects.forEach(project -> {
-            final List<Project.AncestorPathElement> path = buildAncestorPathFromMap(project, projectMap);
-            project.setAncestorPath(path);
-            wireParentChain(project, path, projectMap);
+            final List<Project> path = buildParentChainFromMap(project, projectMap);
+            wireParentChain(path);
         });
     }
 
     /**
      * Wires the parent chain on the Project entities so that serialization produces a nested
-     * parent structure (parent containing parent containing ...) rather than a flat list.
-     * Path is ordered from root to immediate parent.
+     * parent structure (parent containing parent containing ...). Path is ordered from root to immediate parent.
      */
-    protected static void wireParentChain(Project project, List<Project.AncestorPathElement> path,
-                                         Map<UUID, Project> projectMap) {
+    protected static void wireParentChain(List<Project> path) {
         if (path == null || path.size() < 2) {
             return;
         }
-        for (int i = path.size() - 1; i >= 1; i--) {
-            final Project ancestor = projectMap.get(path.get(i).uuid());
-            final Project ancestorParent = projectMap.get(path.get(i - 1).uuid());
-            if (ancestor != null && ancestorParent != null) {
-                ancestor.setParent(ancestorParent);
-            }
-        }
-        final Project root = projectMap.get(path.get(0).uuid());
-        if (root != null) {
-            root.setParent(null);
+        for (int i = 1; i < path.size(); i++) {
+            path.get(i).setParent(path.get(i - 1));
         }
+        path.get(0).setParent(null);
     }
 
     /**
@@ -1771,18 +1761,19 @@ protected List<Project> fetchProjectsByUuids(Set<UUID> uuids) {
     }
 
     /**
-     * Builds the ancestor path for a project using a pre-populated map of projects.
+     * Builds the parent chain for a project using a pre-populated map of projects.
      * The path is ordered from root to immediate parent (not including the project itself).
      */
-    protected static List<Project.AncestorPathElement> buildAncestorPathFromMap(Project project, Map<UUID, Project> projectMap) {
-        final List<Project.AncestorPathElement> path = new ArrayList<>();
+    protected static List<Project> buildParentChainFromMap(Project project, Map<UUID, Project> projectMap) {
+        final List<Project> path = new ArrayList<>();
         Project current = project.getParent();
         int depth = 0;
 
         while (current != null && depth < MAX_ANCESTOR_DEPTH) {
-            // Insert at the beginning to maintain root-to-parent order
-            path.addFirst(new Project.AncestorPathElement(current.getUuid(), current.getName(), current.getVersion()));
-            // Look up the parent in our map to continue traversal
+            final Project resolved = projectMap.get(current.getUuid());
+            if (resolved != null) {
+                path.addFirst(resolved);
+            }
             current = current.getParent() != null ? projectMap.get(current.getParent().getUuid()) : null;
             depth++;
         }

src/main/java/org/dependencytrack/persistence/VulnerabilityQueryManager.java

@@ -533,11 +533,11 @@ public List<AffectedProject> getAffectedProjects(Vulnerability vulnerability) {
             }
         }
 
-        // Populate ancestor paths for all affected projects
+        // Wire parent chains for all affected projects
         final List<Project> projects = new ArrayList<>(projectMap.values());
         populateAncestorPaths(projects);
 
-        // Create AffectedProject objects with ancestor paths
+        // Create AffectedProject objects with nested parent structure
         return projects.stream()
                 .map(project -> new AffectedProject(
                         project.getUuid(),
@@ -546,7 +546,7 @@ public List<AffectedProject> getAffectedProjects(Vulnerability vulnerability) {
                         project.getVersion(),
                         project.isActive(),
                         affectedComponentUuidsMap.get(project.getUuid()),
-                        project.getAncestorPath()))
+                        AffectedProject.buildParentInfo(project.getParent())))
                 .toList();
     }
 

src/main/java/org/dependencytrack/resources/v1/vo/AffectedProject.java

@@ -18,12 +18,12 @@
  */
 package org.dependencytrack.resources.v1.vo;
 
-import org.dependencytrack.model.Project.AncestorPathElement;
-
 import java.util.ArrayList;
 import java.util.List;
 import java.util.UUID;
 
+import org.dependencytrack.model.Project;
+
 /**
  * Describes a project that is affected by a specific vulnerability, including a list of UUIDs of the components
  * affected by the vulnerability within this project.
@@ -44,16 +44,17 @@ public class AffectedProject {
 
     private final List<UUID> affectedComponentUuids;
 
-    private final List<AncestorPathElement> ancestorPath;
+    private final ProjectParentInfo parent;
 
-    public AffectedProject(UUID uuid, boolean dependencyGraphAvailable, String name, String version, boolean active, List<UUID> affectedComponentUuids, List<AncestorPathElement> ancestorPath) {
+    public AffectedProject(UUID uuid, boolean dependencyGraphAvailable, String name, String version, boolean active,
+                          List<UUID> affectedComponentUuids, ProjectParentInfo parent) {
         this.uuid = uuid;
         this.dependencyGraphAvailable = dependencyGraphAvailable;
         this.name = name;
         this.version = version;
         this.active = active;
         this.affectedComponentUuids = affectedComponentUuids == null ? new ArrayList<>() : affectedComponentUuids;
-        this.ancestorPath = ancestorPath;
+        this.parent = parent;
     }
 
     public UUID getUuid() {
@@ -63,6 +64,7 @@ public UUID getUuid() {
     public boolean isDependencyGraphAvailable() {
         return dependencyGraphAvailable;
     }
+
     public String getName() {
         return name;
     }
@@ -79,7 +81,21 @@ public List<UUID> getAffectedComponentUuids() {
         return affectedComponentUuids;
     }
 
-    public List<AncestorPathElement> getAncestorPath() {
-        return ancestorPath;
+    public ProjectParentInfo getParent() {
+        return parent;
+    }
+
+    /**
+     * Builds a nested ProjectParentInfo from a Project's parent chain (after it has been wired).
+     */
+    public static ProjectParentInfo buildParentInfo(Project project) {
+        if (project == null) {
+            return null;
+        }
+        return new ProjectParentInfo(
+                project.getUuid(),
+                project.getName(),
+                project.getVersion(),
+                buildParentInfo(project.getParent()));
     }
 }

src/main/java/org/dependencytrack/resources/v1/vo/ProjectParentInfo.java

@@ -0,0 +1,28 @@
+/*
+ * This file is part of Dependency-Track.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
+ */
+package org.dependencytrack.resources.v1.vo;
+
+import java.util.UUID;
+
+/**
+ * Represents a project's parent in a nested structure (parent containing parent containing ...).
+ * Used for hierarchy display in API responses.
+ */
+public record ProjectParentInfo(UUID uuid, String name, String version, ProjectParentInfo parent) {
+}

src/test/java/org/dependencytrack/persistence/ProjectQueryManagerTest.java

@@ -133,7 +133,7 @@ public void testCloneProjectMetricUpdate() throws Exception {
     }
 
     @Test
-    void testGetProjectPopulatesAncestorPathAndNestedParentChain() {
+    void testGetProjectPopulatesNestedParentChain() {
         final Project grandparent = qm.createProject("grandparent", null, "1.0", null, null, null, true, false);
         final Project parent = new Project();
         parent.setName("parent");
@@ -149,15 +149,6 @@ void testGetProjectPopulatesAncestorPathAndNestedParentChain() {
         final Project fetched = qm.getProject(project.getUuid().toString());
         Assertions.assertNotNull(fetched);
 
-        // Ancestor path is populated (root to immediate parent)
-        final List<Project.AncestorPathElement> ancestorPath = fetched.getAncestorPath();
-        Assertions.assertNotNull(ancestorPath);
-        Assertions.assertEquals(2, ancestorPath.size());
-        Assertions.assertEquals("grandparent", ancestorPath.get(0).name());
-        Assertions.assertEquals("1.0", ancestorPath.get(0).version());
-        Assertions.assertEquals("parent", ancestorPath.get(1).name());
-        Assertions.assertEquals("1.0", ancestorPath.get(1).version());
-
         // Nested parent chain is wired
         Assertions.assertNotNull(fetched.getParent());
         Assertions.assertEquals("parent", fetched.getParent().getName());

src/test/java/org/dependencytrack/resources/v1/ProjectResourceTest.java

@@ -458,15 +458,6 @@ void getProjectByUuidWithNestedParentChainTest() {
 
         // Root has no parent (key omitted with NON_NULL or null)
         assertThat(grandparent.containsKey("parent")).isFalse();
-
-        // Assert ancestorPath is also populated (flat list for backwards compatibility)
-        JsonArray ancestorPath = json.getJsonArray("ancestorPath");
-        assertThat(ancestorPath).isNotNull();
-        assertThat(ancestorPath.size()).isEqualTo(2); // grandparent, parent (root to immediate)
-        assertThat(ancestorPath.getJsonObject(0).getString("name")).isEqualTo("acme-org");
-        assertThat(ancestorPath.getJsonObject(0).getString("version")).isEqualTo("1.0");
-        assertThat(ancestorPath.getJsonObject(1).getString("name")).isEqualTo("acme-app-parent");
-        assertThat(ancestorPath.getJsonObject(1).getString("version")).isEqualTo("1.0.0");
     }
 
     @Test