feat(csaf-visualizer): add ECharts dependency and CSAF 2.0 types

[carlosthe19916]

Summary

• Add echarts and echarts-for-react dependencies for interactive tree visualizations
• Create CSAF 2.0 TypeScript type definitions covering the complete document structure (document metadata, product tree, vulnerabilities, relationships, scores, remediations)
• Add utility functions: collectProducts() flattens recursive branch tree to product ID→name map, collectRelationshipProducts() resolves relationship references to product names
• Add unit tests (7 tests) for all utility functions including edge cases

Test plan

• npm run lint -w client passes
• npm run format -w client passes
• npm run build -w client succeeds
• Unit tests pass (7/7)

Implements TC-4598

🤖 Generated with Claude Code

Summary by Sourcery

Introduce CSAF 2.0 data model and utilities to support CSAF visualizer functionality.

New Features:

• Add CSAF 2.0 TypeScript type definitions for documents, product trees, vulnerabilities, scores, and related entities.
• Export CSAF visualizer types and helper utilities via a dedicated index module for reuse.
• Add utility functions to flatten product trees and resolve product relationships to names for visualization.

Enhancements:

• Introduce ECharts and React ECharts dependencies to enable interactive CSAF visualizations.

Tests:

• Add unit tests covering CSAF visualizer utility functions, including edge cases.

[sourcery-ai]

Reviewer's Guide

Adds ECharts client dependencies and introduces CSAF 2.0 TypeScript models plus tree/relationship helper utilities and tests to support CSAF visualizations.

Flow diagram for collectRelationshipProducts utility

flowchart TD
  A["Input relationships: Relationship[]"] --> B["Input productMap: Map(product_id, name)"]
  B --> C[Iterate relationships with map]
  C --> D[Lookup product_reference in productMap]
  C --> E[Lookup relates_to_product_reference in productMap]
  D --> F[Build result item with productReferenceName]
  E --> F[Build result item with relatesToProductReferenceName]
  F --> G[Output array of resolved relationship objects]

Loading

File-Level Changes

Change	Details	Files
Add charting dependencies required for CSAF visualizer UI components.	Declare echarts and echarts-for-react runtime dependencies in the client workspace package.json Lock dependency versions and transitive tree in package-lock.json	client/package.json package-lock.json
Introduce CSAF 2.0 TypeScript model layer for documents, products, vulnerabilities, and related entities.	Define top-level CsafDocument and document metadata types (publisher, tracking, notes, references) Model product tree structures, relationships, and product nodes with typed helpers Model vulnerabilities, statuses, remediations, scores (including CvssV3), and threats according to CSAF 2.0 structure	client/src/app/pages/csaf-visualizer/types.ts
Add reusable utilities for flattening CSAF product trees and resolving relationship references for visualization.	Implement collectProducts to traverse branch hierarchy and build a product_id to name map Implement collectProductNodes to collect all leaf Product nodes from a recursive branch tree Implement collectRelationshipProducts to map relationship references to resolved product names using a product map and return a visualization-friendly structure	client/src/app/pages/csaf-visualizer/utils.ts
Expose CSAF types and utilities via a local csaf-visualizer barrel module and cover them with tests.	Create index.ts barrel to export CSAF types and utility functions for use by visualizer components and other modules Add unit tests to validate collectProducts, collectProductNodes, and collectRelationshipProducts behavior including undefined/empty inputs and name resolution fallbacks	client/src/app/pages/csaf-visualizer/index.ts client/src/app/pages/csaf-visualizer/utils.test.ts

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• The recursive tree traversal logic in collectProducts and collectProductNodes is duplicated; consider extracting a shared internal walkBranches helper or parameterizing the collector function to reduce repetition and keep behavior changes in one place.
• Some CSAF fields that are modeled as required (e.g., product_tree.branches, vulnerabilities) may be optional or absent in real-world CSAF 2.0 documents; it might be safer to align the type definitions more closely with the spec and mark such fields optional where appropriate to avoid runtime parsing issues.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The recursive tree traversal logic in `collectProducts` and `collectProductNodes` is duplicated; consider extracting a shared internal `walkBranches` helper or parameterizing the collector function to reduce repetition and keep behavior changes in one place.
- Some CSAF fields that are modeled as required (e.g., `product_tree.branches`, `vulnerabilities`) may be optional or absent in real-world CSAF 2.0 documents; it might be safer to align the type definitions more closely with the spec and mark such fields optional where appropriate to avoid runtime parsing issues.

## Individual Comments

### Comment 1
<location path="client/src/app/pages/csaf-visualizer/types.ts" line_range="69-73" />
<code_context>
+}
+
+/** Product tree containing branch hierarchy and product relationships. */
+export interface ProductTree {
+  branches: Branch[];
+  relationships?: Relationship[];
+}
+
</code_context>
<issue_to_address>
**suggestion:** Align `ProductTree.branches` optionality with the helpers that accept `Branch[] | undefined`.

The helpers in `utils.ts` take `branches: Branch[] | undefined`, implying callers may legitimately pass `undefined` (e.g. `collectProducts(productTree.branches)` when `branches` is missing). To keep types self-consistent, either declare `branches?: Branch[];` on `ProductTree` if CSAF data can omit it, or narrow the helper signatures to `Branch[]` so incorrect usage is caught at compile time.

```suggestion
/** Product tree containing branch hierarchy and product relationships. */
export interface ProductTree {
  branches?: Branch[];
  relationships?: Relationship[];
}
```
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

suggestion: Align ProductTree.branches optionality with the helpers that accept Branch[] | undefined.

The helpers in utils.ts take branches: Branch[] | undefined, implying callers may legitimately pass undefined (e.g. collectProducts(productTree.branches) when branches is missing). To keep types self-consistent, either declare branches?: Branch[]; on ProductTree if CSAF data can omit it, or narrow the helper signatures to Branch[] so incorrect usage is caught at compile time.

Suggested change

	/** Product tree containing branch hierarchy and product relationships. */
	export interface ProductTree {
	branches: Branch[];
	relationships?: Relationship[];
	}
	/** Product tree containing branch hierarchy and product relationships. */
	export interface ProductTree {
	branches?: Branch[];
	relationships?: Relationship[];
	}

[codecov]

Codecov Report

❌ Patch coverage is 62.06897% with 11 lines in your changes missing coverage. Please review.
✅ Project coverage is 49.22%. Comparing base (5bf86c6) to head (1dc4f01).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
client/src/app/pages/csaf-visualizer/utils.ts	62.06%	11 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1061      +/-   ##
==========================================
+ Coverage   49.15%   49.22%   +0.06%     
==========================================
  Files         253      254       +1     
  Lines        5499     5528      +29     
  Branches     1660     1670      +10     
==========================================
+ Hits         2703     2721      +18     
- Misses       2521     2532      +11     
  Partials      275      275              

Flag	Coverage Δ
e2e	66.84% <ø> (ø)
unit	2.33% <62.06%> (+0.32%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.