From 07117ecb132f1d92f835baad5deb344c6bb182ca Mon Sep 17 00:00:00 2001
From: tdruez <tdruez@nexb.com>
Date: Thu, 10 Jul 2025 17:00:50 +0400
Subject: [PATCH 1/4] Enhance the dependency tree view in a more dynamic
 rendering

Signed-off-by: tdruez <tdruez@nexb.com>
---
 CHANGELOG.rst                                 |   3 +
 .../iamkate-tree-views/expand-collapse.svg    |   7 +
 scancodeio/static/iamkate-tree-views/tree.css |  75 +++++++
 .../static/iamkate-tree-views/tree.css.ABOUT  |  10 +
 scanpipe/models.py                            |   7 +
 .../scanpipe/includes/project_list_table.html |   5 +
 .../includes/project_summary_level.html       |   5 +
 .../scanpipe/project_dependency_tree.html     | 189 +++++++++++++-----
 .../scanpipe/tree/dependency_children.html    |  19 ++
 .../scanpipe/tree/dependency_node.html        |  23 +++
 scanpipe/tests/test_models.py                 |  35 ++--
 scanpipe/views.py                             |  33 ++-
 12 files changed, 340 insertions(+), 71 deletions(-)
 create mode 100644 scancodeio/static/iamkate-tree-views/expand-collapse.svg
 create mode 100644 scancodeio/static/iamkate-tree-views/tree.css
 create mode 100644 scancodeio/static/iamkate-tree-views/tree.css.ABOUT
 create mode 100644 scanpipe/templates/scanpipe/tree/dependency_children.html
 create mode 100644 scanpipe/templates/scanpipe/tree/dependency_node.html

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 50ea051c03..2aa8ad16e4 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -18,6 +18,9 @@ v35.2.0 (unreleased)
   ``policies.yml`` file.
   https://github.com/aboutcode-org/scancode.io/issues/1348
 
+- Enhance the dependency tree view in a more dynamic rendering.
+  Vulnerabilities and compliance alert are displayed along the dependency entries.
+
 v35.1.0 (2025-07-02)
 --------------------
 
diff --git a/scancodeio/static/iamkate-tree-views/expand-collapse.svg b/scancodeio/static/iamkate-tree-views/expand-collapse.svg
new file mode 100644
index 0000000000..a52ccd22f7
--- /dev/null
+++ b/scancodeio/static/iamkate-tree-views/expand-collapse.svg
@@ -0,0 +1,7 @@
+<?xml version="1.0"?>
+<svg xmlns="http://www.w3.org/2000/svg" width="40" height="20">
+  <g fill="#fff">
+    <path d="m5 9h4v-4h2v4h4v2h-4v4h-2v-4h-4z"/>
+    <path d="m25 9h10v2h-10z"/>
+  </g>
+</svg>
\ No newline at end of file
diff --git a/scancodeio/static/iamkate-tree-views/tree.css b/scancodeio/static/iamkate-tree-views/tree.css
new file mode 100644
index 0000000000..b140236154
--- /dev/null
+++ b/scancodeio/static/iamkate-tree-views/tree.css
@@ -0,0 +1,75 @@
+.tree{
+  --spacing : 1.5rem;
+  --radius  : 10px;
+}
+
+.tree li{
+  display      : block;
+  position     : relative;
+  padding-left : calc(2 * var(--spacing) - var(--radius) - 2px);
+}
+
+.tree ul{
+  margin-left  : calc(var(--radius) - var(--spacing));
+  padding-left : 0;
+}
+
+.tree ul li{
+  border-left : 2px solid #ddd;
+}
+
+.tree ul li:last-child{
+  border-color : transparent;
+}
+
+.tree ul li::before{
+  content      : '';
+  display      : block;
+  position     : absolute;
+  top          : calc(var(--spacing) / -2);
+  left         : -2px;
+  width        : calc(var(--spacing) + 2px);
+  height       : calc(var(--spacing) + 1px);
+  border       : solid #ddd;
+  border-width : 0 0 2px 2px;
+}
+
+.tree summary{
+  display : block;
+  cursor  : pointer;
+}
+
+.tree summary::marker,
+.tree summary::-webkit-details-marker{
+  display : none;
+}
+
+.tree summary:focus{
+  outline : none;
+}
+
+.tree summary:focus-visible{
+  outline : 1px dotted #000;
+}
+
+.tree li::after,
+.tree summary::before{
+  content       : '';
+  display       : block;
+  position      : absolute;
+  top           : calc(var(--spacing) / 2 - var(--radius));
+  left          : calc(var(--spacing) - var(--radius) - 1px);
+  width         : calc(2 * var(--radius));
+  height        : calc(2 * var(--radius));
+  border-radius : 50%;
+  background    : #ddd;
+}
+
+.tree summary::before{
+  z-index    : 1;
+  background : #696 url('expand-collapse.svg') 0 0;
+}
+
+.tree details[open] > summary::before{
+  background-position : calc(-2 * var(--radius)) 0;
+}
diff --git a/scancodeio/static/iamkate-tree-views/tree.css.ABOUT b/scancodeio/static/iamkate-tree-views/tree.css.ABOUT
new file mode 100644
index 0000000000..13316e5265
--- /dev/null
+++ b/scancodeio/static/iamkate-tree-views/tree.css.ABOUT
@@ -0,0 +1,10 @@
+about_resource: tree.css
+name: css-tree-views
+homepage_url: https://iamkate.com/code/tree-views/
+description: A tree view (collapsible list) can be created using only html and css, without
+  the need for JavaScript. Accessibility software will see the tree view as lists nested inside
+  disclosure widgets, and the standard keyboard interaction is supported automatically.
+license_expression: cc0-1.0
+licenses:
+  - key: cc0-1.0
+    name: cc0-1.0
diff --git a/scanpipe/models.py b/scanpipe/models.py
index 82c73e4f07..7bc6d12072 100644
--- a/scanpipe/models.py
+++ b/scanpipe/models.py
@@ -2568,6 +2568,13 @@ def from_db(cls, db, field_names, values):
 
         return new
 
+    @property
+    def has_compliance_issue(self):
+        """Return True if the compliance status is not OK or not set."""
+        if not self.compliance_alert or self.compliance_alert == self.Compliance.OK:
+            return False
+        return True
+
     @property
     def license_policy_index(self):
         return self.project.license_policy_index
diff --git a/scanpipe/templates/scanpipe/includes/project_list_table.html b/scanpipe/templates/scanpipe/includes/project_list_table.html
index c02e0a4668..1b4d0171a7 100644
--- a/scanpipe/templates/scanpipe/includes/project_list_table.html
+++ b/scanpipe/templates/scanpipe/includes/project_list_table.html
@@ -39,6 +39,11 @@
           <a href="{% url 'project_dependencies' project.slug %}">
             {{ project.discovereddependencies_count|intcomma }}
           </a>
+          <a href="{% url 'project_dependency_tree' project.slug %}">
+            <span class="icon">
+              <i class="fa-solid fa-sitemap fa-sm"></i>
+            </span>
+          </a>
         {% else %}
           <span>0</span>
         {% endif %}
diff --git a/scanpipe/templates/scanpipe/includes/project_summary_level.html b/scanpipe/templates/scanpipe/includes/project_summary_level.html
index bc75d3d543..e2f0e25451 100644
--- a/scanpipe/templates/scanpipe/includes/project_summary_level.html
+++ b/scanpipe/templates/scanpipe/includes/project_summary_level.html
@@ -44,6 +44,11 @@
               {{ project.vulnerable_dependency_count|intcomma }}
             </a>
           {% endif %}
+          <a href="{% url 'project_dependency_tree' project.slug %}" class="ml-2">
+            <span class="icon">
+              <i class="fa-solid fa-sitemap is-size-6"></i>
+            </span>
+          </a>
         {% else %}
           <span class="has-text-grey">0</span>
         {% endif %}
diff --git a/scanpipe/templates/scanpipe/project_dependency_tree.html b/scanpipe/templates/scanpipe/project_dependency_tree.html
index ff368c05e6..c81318e7c7 100644
--- a/scanpipe/templates/scanpipe/project_dependency_tree.html
+++ b/scanpipe/templates/scanpipe/project_dependency_tree.html
@@ -1,7 +1,25 @@
 {% extends "scanpipe/base.html" %}
+{% load static %}
 
 {% block title %}ScanCode.io: {{ project.name }} - Dependency tree{% endblock %}
 
+{% block extrahead %}
+<link rel="stylesheet" href="{% static 'iamkate-tree-views/tree.css' %}" crossorigin="anonymous">
+<style>
+  .tree {
+    line-height: 1.8rem;
+    --spacing : 2rem;
+  }
+  .tree summary {
+    display: inline-block;
+  }
+  .tree summary::before{
+    background-color: rgb(72, 199, 142);
+    background-image: url('{% static "iamkate-tree-views/expand-collapse.svg" %}');
+  }
+</style>
+{% endblock %}
+
 {% block content %}
   <div id="content-header" class="container is-max-widescreen mb-3">
     {% include 'scanpipe/includes/navbar_header.html' %}
@@ -13,64 +31,127 @@
   </div>
 
   <div class="container is-max-widescreen mb-3">
-    {% if recursion_error %}
-      <article class="message is-danger">
-        <div class="message-body">
-          The dependency tree cannot be rendered as it contains circular references.
-          {{ message|linebreaksbr }}
-        </div>
-      </article>
-    {% endif %}
-    <div id="tree"></div>
+    <section class="mx-5">
+      {% if recursion_error %}
+        <article class="message is-danger">
+          <div class="message-body">
+            The dependency tree cannot be rendered as it contains circular references.
+            {{ message|linebreaksbr }}
+          </div>
+        </article>
+      {% endif %}
+
+      <div class="mb-4">
+        <button id="collapseAll" class="button is-small">
+          <span>Collapse All</span>
+          <span class="icon is-small">
+            <i class="fas fa-minus"></i>
+          </span>
+        </button>
+        <button id="expendAll" class="button is-small">
+          <span>Expend All</span>
+          <span class="icon is-small">
+            <i class="fas fa-plus"></i>
+          </span>
+        </button>
+        <button id="showVulnerableOnlyButton" class="button is-small">
+          <span>Show Vulnerable only</span>
+          <span class="icon is-small">
+            <i class="fa-solid fa-bug"></i>
+          </span>
+        </button>
+        <button id="showComplianceAlertOnlyButton" class="button is-small">
+          <span>Show Compliance Alert only</span>
+          <span class="icon is-small ">
+            <i class="fa-solid fa-scale-balanced"></i>
+          </span>
+        </button>
+      </div>
+
+      <ul id="tree" class="tree">
+        <li>
+          <details open>
+            <summary class="has-text-weight-semibold">
+              {{ dependency_tree.name }}
+            </summary>
+            {% include 'scanpipe/tree/dependency_children.html' with children=dependency_tree.children %}
+          </details>
+        </li>
+      </ul>
+    </section>
   </div>
 {% endblock %}
 
 {% block scripts %}
-  <script src="https://d3js.org/d3.v7.min.js"></script>
-  <script src="https://cdn.jsdelivr.net/npm/@observablehq/plot@0.6"></script>
-  {{ dependency_tree|json_script:"dependency_tree" }}
-  {{ row_count|json_script:"row_count" }}
-  {{ max_depth|json_script:"max_depth" }}
-  <script>
-    const data = JSON.parse(document.getElementById("dependency_tree").textContent);
-    const hierarchyData = d3.hierarchy(data);
-    const columnWidth = 110;
-    const rowWidth = 25;
-    const columnCount = hierarchyData.height;
-    const rowCount = hierarchyData.links().length;
-    const width = columnWidth * (columnCount + 1);
-    const height = rowWidth * (rowCount + 1);
-
-    function indent() {
-      return (root) => {
-        root.eachBefore((node, i) => {
-          node.y = node.depth;
-          node.x = i;
-        });
-      };
+<script>
+  document.addEventListener('DOMContentLoaded', () => {
+    const treeContainer = document.getElementById('tree');
+    const collapseAllButton = document.getElementById('collapseAll');
+    const expendAllButton = document.getElementById('expendAll');
+
+    function collapseAllDetails() {
+      document.querySelectorAll('details').forEach(details => {
+        details.removeAttribute('open');
+      });
+      showAllListItems();
+    }
+
+    function expendAllDetails() {
+      document.querySelectorAll('details').forEach(details => {
+        details.setAttribute('open', ''); // Adding 'open' attribute to open the details
+      });
+      showAllListItems();
+    }
+
+    collapseAllButton.addEventListener('click', collapseAllDetails);
+    expendAllButton.addEventListener('click', expendAllDetails);
+
+    // Following function are use to limit the display to specific elements.
+
+    function expandAncestors(detailsElement) {
+      let parent = detailsElement.parentElement.closest('details');
+      while (parent) {
+        parent.setAttribute('open', '');
+        parent.parentElement.style.display = '';
+        parent = parent.parentElement.closest('details');
+      }
+    }
+
+    function showAllListItems() {
+      const listItems = treeContainer.querySelectorAll('li');
+      listItems.forEach(item => {
+          item.style.display = '';
+      });
+    }
+
+    function hideAllListItems() {
+      const listItems = treeContainer.querySelectorAll('li');
+      listItems.forEach(item => {
+          item.style.display = 'none';
+      });
+    }
+
+    function handleItems(attribute, value) {
+      collapseAllDetails();
+      hideAllListItems();
+
+      const items = document.querySelectorAll(`li[${attribute}="${value}"]`);
+      items.forEach(item => {
+          item.style.display = 'block';
+          expandAncestors(item);
+      });
+    }
+
+    function handleVulnerableItems() {
+      handleItems('data-is-vulnerable', 'true');
+    }
+
+    function handleComplianceAlertItems() {
+      handleItems('data-compliance-alert', 'true');
     }
 
-    // https://observablehq.com/plot/marks/tree
-    const plot = Plot.plot({
-      axis: null,
-      margin: 10,
-      marginLeft: 40,
-      marginRight: 160,
-      width: width,
-      height: height,
-      marks: [
-        Plot.tree(hierarchyData.leaves(), {
-          path: (node) => node.ancestors().reverse().map(({ data: { name } }) => name).join("|"),
-          delimiter: "|",
-          treeLayout: indent,
-          strokeWidth: 1,
-          curve: "step-before",
-          fontSize: 14,
-          textStroke: "none"
-        })
-      ]
-    });
-
-    document.getElementById("tree").appendChild(plot);
-  </script>
+    showVulnerableOnlyButton.addEventListener('click', handleVulnerableItems);
+    showComplianceAlertOnlyButton.addEventListener('click', handleComplianceAlertItems);
+  });
+</script>
 {% endblock %}
\ No newline at end of file
diff --git a/scanpipe/templates/scanpipe/tree/dependency_children.html b/scanpipe/templates/scanpipe/tree/dependency_children.html
new file mode 100644
index 0000000000..f7401a9a53
--- /dev/null
+++ b/scanpipe/templates/scanpipe/tree/dependency_children.html
@@ -0,0 +1,19 @@
+<ul>
+  {% for node in children %}
+    <li
+        {% if node.is_vulnerable %} data-is-vulnerable="true"{% endif %}
+        {% if node.has_compliance_issue %} data-compliance-alert="true"{% endif %}
+    >
+      {% if node.children %}
+        <details class="my-1" open>
+          <summary>
+            {% include 'scanpipe/tree/dependency_node.html' with node=node only %}
+          </summary>
+          {% include 'scanpipe/tree/dependency_children.html' with children=node.children only %}
+        </details>
+      {% else %}
+        {% include 'scanpipe/tree/dependency_node.html' with node=node only %}
+      {% endif %}
+    </li>
+  {% endfor %}
+</ul>
\ No newline at end of file
diff --git a/scanpipe/templates/scanpipe/tree/dependency_node.html b/scanpipe/templates/scanpipe/tree/dependency_node.html
new file mode 100644
index 0000000000..d13e9014e1
--- /dev/null
+++ b/scanpipe/templates/scanpipe/tree/dependency_node.html
@@ -0,0 +1,23 @@
+{% if node.name %}
+  {{ node.name }}
+{% else %}
+  Missing data
+{% endif %}
+
+<span class="ml-1">
+  {% if node.url %}
+    <a href="{{ node.url }}" target="_blank">
+      <i class="fa-solid fa-square-arrow-up-right fa-sm" title="View details"></i>
+    </a>
+  {% endif %}
+  {% if node.has_compliance_issue %}
+    <a href="{{ node.url }}#terms" target="_blank" class="{% if node.compliance_alert == 'error' %}has-text-danger{% else %}has-text-warning{% endif %}">
+      <i class="fa-solid fa-scale-balanced fa-sm" title="Compliance alert: {{ node.compliance_alert }}"></i>
+    </a>
+  {% endif %}
+  {% if node.is_vulnerable %}
+    <a href="{{ node.url }}#vulnerabilities" target="_blank">
+      <i class="fa-solid fa-bug fa-sm has-text-danger" title="Vulnerabilities"></i>
+    </a>
+  {% endif %}
+</span>
\ No newline at end of file
diff --git a/scanpipe/tests/test_models.py b/scanpipe/tests/test_models.py
index c589cccf53..67601d6014 100644
--- a/scanpipe/tests/test_models.py
+++ b/scanpipe/tests/test_models.py
@@ -2703,19 +2703,13 @@ def test_scanpipe_codebase_resource_queryset_elfs(self):
 
     def test_scanpipe_model_codebase_resource_compliance_alert_queryset_mixin(self):
         severities = CodebaseResource.Compliance
-        make_resource_file(self.project1, path="none")
-        make_resource_file(self.project1, path="ok", compliance_alert=severities.OK)
-        warning = make_resource_file(
-            self.project1, path="warning", compliance_alert=severities.WARNING
-        )
-        error = make_resource_file(
-            self.project1, path="error", compliance_alert=severities.ERROR
-        )
-        missing = make_resource_file(
-            self.project1, path="missing", compliance_alert=severities.MISSING
-        )
+        make_resource_file(self.project1)
+        make_resource_file(self.project1, compliance_alert=severities.OK)
+        warning = make_resource_file(self.project1, compliance_alert=severities.WARNING)
+        error = make_resource_file(self.project1, compliance_alert=severities.ERROR)
+        missing = make_resource_file(self.project1, compliance_alert=severities.MISSING)
 
-        qs = CodebaseResource.objects.order_by("path")
+        qs = CodebaseResource.objects.order_by("compliance_alert")
         self.assertQuerySetEqual(qs.compliance_issues(severities.ERROR), [error])
         self.assertQuerySetEqual(
             qs.compliance_issues(severities.WARNING), [error, warning]
@@ -2724,6 +2718,23 @@ def test_scanpipe_model_codebase_resource_compliance_alert_queryset_mixin(self):
             qs.compliance_issues(severities.MISSING), [error, missing, warning]
         )
 
+    def test_scanpipe_model_codebase_resource_has_compliance_issue(self):
+        severities = CodebaseResource.Compliance
+        none = make_resource_file(self.project1)
+        self.assertFalse(none.has_compliance_issue)
+
+        ok = make_resource_file(self.project1, compliance_alert=severities.OK)
+        self.assertFalse(ok.has_compliance_issue)
+
+        warning = make_resource_file(self.project1, compliance_alert=severities.WARNING)
+        self.assertTrue(warning.has_compliance_issue)
+
+        error = make_resource_file(self.project1, compliance_alert=severities.ERROR)
+        self.assertTrue(error.has_compliance_issue)
+
+        missing = make_resource_file(self.project1, compliance_alert=severities.MISSING)
+        self.assertTrue(missing.has_compliance_issue)
+
 
 class ScanPipeModelsTransactionTest(TransactionTestCase):
     """
diff --git a/scanpipe/views.py b/scanpipe/views.py
index d630628fbe..3fd07c6363 100644
--- a/scanpipe/views.py
+++ b/scanpipe/views.py
@@ -2175,6 +2175,7 @@ class DiscoveredPackageDetailsView(
                     "field_name": "other_license_expression_spdx",
                     "label": "Other license expression (SPDX)",
                 },
+                "compliance_alert",
                 "extracted_license_statement",
                 "copyright",
                 "holder",
@@ -2537,20 +2538,22 @@ class ProjectDependencyTreeView(ConditionalLoginRequired, generic.DetailView):
 
     def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)
-
         try:
-            dependency_tree = self.get_dependency_tree(project=self.object)
+            context["dependency_tree"] = self.get_dependency_tree(project=self.object)
         except RecursionError:
             context["recursion_error"] = True
-            return context
 
-        context["dependency_tree"] = dependency_tree
         return context
 
     def get_dependency_tree(self, project):
         root_packages = project.discoveredpackages.root_packages().order_by("name")
         project_children = [self.get_node(package) for package in root_packages]
 
+        # Dependencies with no assigned `for_packages`.
+        project_dependencies = project.discovereddependencies.project_dependencies()
+        for dependency in project_dependencies:
+            project_children.append({"name": dependency.package_url})
+
         project_tree = {
             "name": project.name,
             "children": project_children,
@@ -2559,11 +2562,31 @@ def get_dependency_tree(self, project):
         return project_tree
 
     def get_node(self, package):
-        node = {"name": str(package)}
+        node = {
+            "name": str(package),
+            "url": package.get_absolute_url(),
+            "compliance_alert": package.compliance_alert,
+            "has_compliance_issue": package.has_compliance_issue,
+            "is_vulnerable": package.is_vulnerable,
+        }
+
+        # Resolved dependencies
         children = [
             self.get_node(child_package)
             for child_package in package.children_packages.all()
         ]
+
+        # Un-resolved dependencies
+        unresolved_dependencies = package.declared_dependencies.unresolved()
+        for dependency in unresolved_dependencies:
+            children.append(
+                {
+                    "name": dependency.package_url,
+                    "is_vulnerable": dependency.is_vulnerable,
+                }
+            )
+
         if children:
             node["children"] = children
+
         return node

From 43592e9562a8af0d464bf6f4fb8da19abf7445c5 Mon Sep 17 00:00:00 2001
From: tdruez <tdruez@nexb.com>
Date: Thu, 10 Jul 2025 17:11:56 +0400
Subject: [PATCH 2/4] Fix and improve unit test #1742

Signed-off-by: tdruez <tdruez@nexb.com>
---
 CHANGELOG.rst                |  1 +
 scanpipe/tests/test_views.py | 36 +++++++++++++++++++++++++++++++-----
 2 files changed, 32 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 2aa8ad16e4..133158b4ca 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -20,6 +20,7 @@ v35.2.0 (unreleased)
 
 - Enhance the dependency tree view in a more dynamic rendering.
   Vulnerabilities and compliance alert are displayed along the dependency entries.
+  https://github.com/aboutcode-org/scancode.io/pull/1742
 
 v35.1.0 (2025-07-02)
 --------------------
diff --git a/scanpipe/tests/test_views.py b/scanpipe/tests/test_views.py
index 4c06995b16..8b55e7c383 100644
--- a/scanpipe/tests/test_views.py
+++ b/scanpipe/tests/test_views.py
@@ -1297,14 +1297,16 @@ def test_scanpipe_views_license_details_view(self):
         response = self.client.get(xss_url)
         self.assertEqual(response.status_code, 404)
 
-    def test_scanpipe_views_project_dependency_tree(self):
+    @mock.patch("scanpipe.models.DiscoveredPackage.get_absolute_url")
+    def test_scanpipe_views_project_dependency_tree(self, mock_get_url):
+        mock_get_url.return_value = "mocked-url"
         url = reverse("project_dependency_tree", args=[self.project1.slug])
         response = self.client.get(url)
         expected_tree = {"name": "Analysis", "children": []}
         self.assertEqual(expected_tree, response.context["dependency_tree"])
 
         project = Project.objects.create(name="project")
-        a = make_package(project, "pkg:type/a")
+        a = make_package(project, "pkg:type/a", compliance_alert="error")
         b = make_package(project, "pkg:type/b")
         c = make_package(project, "pkg:type/c")
         make_package(project, "pkg:type/z")
@@ -1319,15 +1321,39 @@ def test_scanpipe_views_project_dependency_tree(self):
             "children": [
                 {
                     "name": "pkg:type/a",
+                    "url": "mocked-url",
+                    "compliance_alert": "error",
+                    "has_compliance_issue": True,
+                    "is_vulnerable": False,
                     "children": [
-                        {"name": "pkg:type/b", "children": [{"name": "pkg:type/c"}]}
+                        {
+                            "name": "pkg:type/b",
+                            "url": "mocked-url",
+                            "compliance_alert": "",
+                            "has_compliance_issue": False,
+                            "is_vulnerable": False,
+                            "children": [
+                                {
+                                    "name": "pkg:type/c",
+                                    "url": "mocked-url",
+                                    "compliance_alert": "",
+                                    "has_compliance_issue": False,
+                                    "is_vulnerable": False,
+                                }
+                            ],
+                        }
                     ],
                 },
-                {"name": "pkg:type/z"},
+                {
+                    "name": "pkg:type/z",
+                    "url": "mocked-url",
+                    "compliance_alert": "",
+                    "has_compliance_issue": False,
+                    "is_vulnerable": False,
+                },
             ],
         }
         self.assertEqual(expected_tree, response.context["dependency_tree"])
-        self.assertContains(response, '<script id="dependency_tree"')
 
         # Adding a circular reference such as: Project -> A -> B -> C -> B -> C -> ...
         make_dependency(project, for_package=c, resolved_to_package=b)

From f303b100dd14aba30b081ae7a771a841a099f271 Mon Sep 17 00:00:00 2001
From: tdruez <tdruez@nexb.com>
Date: Thu, 10 Jul 2025 17:31:35 +0400
Subject: [PATCH 3/4] Refine the ProjectDependencyTreeView implementation #1742

Signed-off-by: tdruez <tdruez@nexb.com>
---
 scanpipe/tests/test_views.py |  2 ++
 scanpipe/views.py            | 34 ++++++++++++++++++----------------
 2 files changed, 20 insertions(+), 16 deletions(-)

diff --git a/scanpipe/tests/test_views.py b/scanpipe/tests/test_views.py
index 8b55e7c383..207d8453d9 100644
--- a/scanpipe/tests/test_views.py
+++ b/scanpipe/tests/test_views.py
@@ -1339,6 +1339,7 @@ def test_scanpipe_views_project_dependency_tree(self, mock_get_url):
                                     "compliance_alert": "",
                                     "has_compliance_issue": False,
                                     "is_vulnerable": False,
+                                    "children": [],
                                 }
                             ],
                         }
@@ -1350,6 +1351,7 @@ def test_scanpipe_views_project_dependency_tree(self, mock_get_url):
                     "compliance_alert": "",
                     "has_compliance_issue": False,
                     "is_vulnerable": False,
+                    "children": [],
                 },
             ],
         }
diff --git a/scanpipe/views.py b/scanpipe/views.py
index 3fd07c6363..8b0aaeeedb 100644
--- a/scanpipe/views.py
+++ b/scanpipe/views.py
@@ -2546,7 +2546,13 @@ def get_context_data(self, **kwargs):
         return context
 
     def get_dependency_tree(self, project):
-        root_packages = project.discoveredpackages.root_packages().order_by("name")
+        root_packages = (
+            project.discoveredpackages.root_packages()
+            .order_by("name")
+            .only_package_url_fields(
+                extra=["project_id", "compliance_alert", "affected_by_vulnerabilities"]
+            )
+        )
         project_children = [self.get_node(package) for package in root_packages]
 
         # Dependencies with no assigned `for_packages`.
@@ -2554,26 +2560,17 @@ def get_dependency_tree(self, project):
         for dependency in project_dependencies:
             project_children.append({"name": dependency.package_url})
 
-        project_tree = {
+        dependency_tree = {
             "name": project.name,
             "children": project_children,
         }
-
-        return project_tree
+        return dependency_tree
 
     def get_node(self, package):
-        node = {
-            "name": str(package),
-            "url": package.get_absolute_url(),
-            "compliance_alert": package.compliance_alert,
-            "has_compliance_issue": package.has_compliance_issue,
-            "is_vulnerable": package.is_vulnerable,
-        }
-
         # Resolved dependencies
         children = [
             self.get_node(child_package)
-            for child_package in package.children_packages.all()
+            for child_package in package.children_packages.all().order_by("name")
         ]
 
         # Un-resolved dependencies
@@ -2586,7 +2583,12 @@ def get_node(self, package):
                 }
             )
 
-        if children:
-            node["children"] = children
-
+        node = {
+            "name": str(package),
+            "url": package.get_absolute_url(),
+            "compliance_alert": package.compliance_alert,
+            "has_compliance_issue": package.has_compliance_issue,
+            "is_vulnerable": package.is_vulnerable,
+            "children": children,
+        }
         return node

From e1b7698524d2194d6db2f25e4125bf12a7026996 Mon Sep 17 00:00:00 2001
From: tdruez <tdruez@nexb.com>
Date: Thu, 10 Jul 2025 17:32:45 +0400
Subject: [PATCH 4/4] Add notice file #1742

Signed-off-by: tdruez <tdruez@nexb.com>
---
 .../static/iamkate-tree-views/tree.css.NOTICE | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 scancodeio/static/iamkate-tree-views/tree.css.NOTICE

diff --git a/scancodeio/static/iamkate-tree-views/tree.css.NOTICE b/scancodeio/static/iamkate-tree-views/tree.css.NOTICE
new file mode 100644
index 0000000000..319755b97f
--- /dev/null
+++ b/scancodeio/static/iamkate-tree-views/tree.css.NOTICE
@@ -0,0 +1,29 @@
+Free content on iamkate.com
+The web was still young when I first went online in 1998. It felt like a utopian dream of free culture and free knowledge. Anyone could contribute, and within weeks I had learnt html and created my first site, hosted in the 10mb of webspace my isp included as standard.
+
+I’ve watched as the dream has become a nightmare of surveillance and monetisation. Companies such as Google and Facebook offer their services for free to the public because their real products are their advertising networks powered by the personal data of their visitors.
+
+The only concern of these companies and their shareholders is to maximise their income from advertising, regardless of the costs to society. They use dubious schemes to avoid paying tax. They encourage addiction and risk the mental health of their visitors. They threaten democratic institutions.
+
+I have little influence over the wider web, but I can control my small part of it, creating a haven that remains true to the original dream. This page describes my approach to copyright, my promise to protect the privacy of my visitors, and my commitment to transparency.
+
+Copyright
+Copyright limits creativity and holds back progress by restricting our rights to build upon the works of others. Copyleft licences attempt to use copyright against itself, but “the master’s tools will never dismantle the master’s house”, as Audre Lorde remarked in a different context.
+
+All content on my site is released under the terms of the Creative Commons CC0 1.0 Universal Legal Code. This means I have waived all copyright and related rights to the extent possible under law, with the intention of dedicating the content to the public domain. You can use and adapt it without attribution.
+
+Privacy
+Every site is hosted on a server, which is usually operated by a third party due to the expertise needed to manage servers securely. Most sites are accessed indirectly through the servers of a content delivery network, which protects the original server from attacks that could disable the site.
+
+My site is hosted on Cloudflare Pages. Cloudflare is both the host and the content delivery network, avoiding the need to trust two separate third parties. Cloudflare have a strong commitment to privacy and data protection, and frequently write about developing systems to protect visitor privacy.
+
+Almost every site today includes code that tracks visitors for statistical and advertising purposes. Often the site owner includes code with the deliberate aim of tracking their visitors, but sometimes they just want to include a feature provided by a third party, and that provider includes their own tracking code.
+
+My site doesn’t include any tracking code, and doesn’t load any code from third parties. It doesn’t have a cookie banner because it doesn’t use cookies. Instead of an invasive analytics system, Cloudflare Web Analytics gives me the most important statistics without tracking individual visitors.
+
+Transparency
+You probably don’t know me, and shouldn’t have to trust me. Instead, you should be able to check security and privacy claims for yourself. Unfortunately most sites today use a process called code minification, which makes them faster but also makes it harder for other people to understand their code.
+
+The Mozilla Observatory report for my site confirms the presence of various security and privacy features, resulting in a perfect A+ rating. One of these features, the content security policy, prevents browsers from loading code and other resources from third parties.
+
+My site doesn’t need to use code minification in order to load quickly due to its simple design, efficient implementation, and absence of resources loaded from third parties. As a result, other software developers can easily understand how the layout, styling, and interactive features are created.