Hello,

I have a scenario where there are several projects (p1.uuid, p2.uuid) with the same vulnerability (vuln.uuid), where p1.uuid yields a filled analysis result and p2.uuid yields an empty result. The affected component in p1 is comp1.uuid, and for p2 comp2.uuid.

Now I realized that an analysis were also set in dtrack for p2, even though OPA would return an empty result for this project/vulnerability.

While debugging this, I noticed that dtapac is querying both
p1.uuid, comp2.uuid, vuln.uuid and
p2.uuid, comp2.uuid, vuln.uuid
from OPA, event tho the combination p1.uuid, comp2.uuid, vuln.uuid does not make sense since comp2.project is p2.

This yields an empty result for the second query, and a filled analysis for the first, whereupon dtapac submits a

PUT api/v1/analysis with p1.uuid, comp2.uuid, vuln.uuid

to dtrack. This api call verifies that p1.uuid exists, but sets the analysis on comp2.project instead of using the p1.uuid from the request, which is the correct behavior, although it can be argued it should probably reject the request when the given project uuid does not match component.project.

Anyway, this leads to the unwanted behavior of p2 having an Analysis set while OPA did not return a result for p2.