
bom-ref, Description, PURL (and maybe also other information) are not taken from BOM #2373

Open
stefanCCS opened this issue Jan 12, 2023 · 7 comments
Labels
cdx-1.4 (Related to CycloneDX specification v1.4), enhancement (New feature or request), p2 (Non-critical bugs, and features that help organizations to identify and reduce risk)

Comments

@stefanCCS

Current Behavior

I upload a BOM to Dependency-Track using the REST API like this (Windows curl):

curl "http://dockerhost02:8081/api/v1/bom" -H "Content-Type: multipart/form-data" -H "X-API-Key: MYAPIKeY" -F "autoCreate=true" -F "projectName=JustATestClassLibrary" -F "projectVersion=1.0.0"  -F "bom=@SBOM\bom-postprocessed.xml" --request POST

In general, the project is created, including a vulnerable library (intended), which is also found.

BUT neither the bom-ref and PURL nor the description is taken.
See here:
[screenshot]
[screenshot]

My CycloneDX-File looks like this:

<?xml version="1.0" encoding="utf-8"?>
<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
     xmlns="http://cyclonedx.org/schema/bom/1.4"
     version="1">
   <metadata>
      <tools>
         <tool>
            <vendor>CycloneDX</vendor>
            <name>CycloneDX module for .NET</name>
            <version>2.7.0.0</version>
         </tool>
      </tools>
      <component bom-ref="pkg:nuget/JustATestClassLibrary@1.0.0" type="library">
         <name>JustATestClassLibrary</name>
         <version>1.0.0</version>
         <purl>pkg:nuget/JustATestClassLibrary@1.0.0</purl>
        <description>JustATestClassLibrary Description</description>
      </component>
   </metadata>
   <components>
      <component type="library" bom-ref="pkg:nuget/Newtonsoft.Json@4.0.1">
         <publisher>James Newton-King</publisher>
         <name>Newtonsoft.Json</name>
         <version>4.0.1</version>
         <description>Json.NET is a popular high-performance JSON framework for .NET</description>
         <scope>required</scope>
         <hashes>
            <hash alg="SHA-512">C7A076A8455F603C1F216AE85AD4BAF7647C5592D0783BB7D1EF93ADCA03E795AEFB497245255BE15586E84258B268D97E2A8CFCC33732B454C193D0EB002027</hash>
         </hashes>
         <licenses>
            <license/>
         </licenses>
         <purl>pkg:nuget/Newtonsoft.Json@4.0.1</purl>
         <externalReferences>
            <reference type="website">
               <url>http://james.newtonking.com/projects/json-net.aspx</url>
            </reference>
         </externalReferences>
      </component>
   </components>
   <dependencies>
      <dependency ref="JustATestClassLibrary@1.0.0">
         <dependency ref="pkg:nuget/Newtonsoft.Json@4.0.1"/>
      </dependency>
      <dependency ref="pkg:nuget/Newtonsoft.Json@4.0.1"/>
   </dependencies>
</bom>

And even the bom-ref does not seem to be taken over.
If I download the BOM from this project/version I get:
[screenshot]

{
  "bomFormat" : "CycloneDX",
  "specVersion" : "1.4",
  "serialNumber" : "urn:uuid:66782919-4674-42d2-a13e-ef2f23d5c68f",
  "version" : 1,
  "metadata" : {
    "timestamp" : "2023-01-12T15:08:24Z",
    "tools" : [
      {
        "vendor" : "OWASP",
        "name" : "Dependency-Track",
        "version" : "4.7.0"
      }
    ],
    "component" : {
      "name" : "JustATestClassLibrary",
      "version" : "1.0.0",
      "type" : "library",
      "bom-ref" : "9bcfcc86-768a-406f-ba84-55ee28d9a983"
    }
  },
  "components" : [
    {
      "name" : "Newtonsoft.Json",
      "version" : "4.0.1",
      "description" : "Json.NET is a popular high-performance JSON framework for .NET",
      "hashes" : [
        {
          "alg" : "SHA-512",
          "content" : "c7a076a8455f603c1f216ae85ad4baf7647c5592d0783bb7d1ef93adca03e795aefb497245255be15586e84258b268d97e2a8cfcc33732b454c193d0eb002027"
        }
      ],
      "purl" : "pkg:nuget/Newtonsoft.Json@4.0.1",
      "externalReferences" : [
        {
          "type" : "website",
          "url" : "http://james.newtonking.com/projects/json-net.aspx"
        }
      ],
      "type" : "library",
      "bom-ref" : "71b170f5-40e4-48d3-ae3c-93ad455043bd"
    }
  ]
}

==> please clarify.

Steps to Reproduce

See above.

Expected Behavior

Data is taken over from the BOM.

Dependency-Track Version

4.7.0

Dependency-Track Distribution

Container Image

Database Server

N/A

Database Server Version

No response

Browser

Google Chrome
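The following is an added round-trip check, not code from Dependency-Track or from the issue author. It parses the XML BOM posted above and the JSON BOM that Dependency-Track 4.7.0 exported for the same project (both embedded here as abbreviated copies of the documents shown in the issue), reports which metadata.component fields did not survive the round trip, and, because the CycloneDX spec requires every dependency ref to resolve to a bom-ref, also lists dependency refs that match no component in the uploaded file. Function names are this example's own.

```python
"""Round-trip check: which metadata.component fields did Dependency-Track keep?

Added example (not Dependency-Track's code and not the issue author's).  Inputs
are abbreviated copies of the XML BOM uploaded in the issue and of the JSON BOM
that Dependency-Track exported for the resulting project.
"""
import json
import xml.etree.ElementTree as ET

CDX_NS = "http://cyclonedx.org/schema/bom/1.4"
FIELDS = ("name", "version", "purl", "description", "bom-ref")

# Abbreviated copy of the uploaded BOM from the issue (hashes, licenses and
# external references dropped; the dependency refs are copied verbatim).
ORIGINAL_XML = """<?xml version="1.0" encoding="utf-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <metadata>
    <component bom-ref="pkg:nuget/JustATestClassLibrary@1.0.0" type="library">
      <name>JustATestClassLibrary</name>
      <version>1.0.0</version>
      <purl>pkg:nuget/JustATestClassLibrary@1.0.0</purl>
      <description>JustATestClassLibrary Description</description>
    </component>
  </metadata>
  <components>
    <component type="library" bom-ref="pkg:nuget/Newtonsoft.Json@4.0.1">
      <name>Newtonsoft.Json</name>
      <version>4.0.1</version>
      <purl>pkg:nuget/Newtonsoft.Json@4.0.1</purl>
    </component>
  </components>
  <dependencies>
    <dependency ref="JustATestClassLibrary@1.0.0">
      <dependency ref="pkg:nuget/Newtonsoft.Json@4.0.1"/>
    </dependency>
    <dependency ref="pkg:nuget/Newtonsoft.Json@4.0.1"/>
  </dependencies>
</bom>
"""

# Abbreviated copy of the BOM Dependency-Track 4.7.0 exported for the project.
EXPORTED_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
  "metadata": {"component": {"name": "JustATestClassLibrary", "version": "1.0.0",
                             "type": "library",
                             "bom-ref": "9bcfcc86-768a-406f-ba84-55ee28d9a983"}},
  "components": [{"name": "Newtonsoft.Json", "version": "4.0.1", "type": "library",
                  "purl": "pkg:nuget/Newtonsoft.Json@4.0.1",
                  "bom-ref": "71b170f5-40e4-48d3-ae3c-93ad455043bd"}]
}"""


def _root(xml_text):
    # Parse bytes so an XML declaration with an encoding is accepted as-is.
    return ET.fromstring(xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text)


def metadata_component_xml(xml_text):
    """metadata.component fields of a CycloneDX 1.4 XML BOM as a dict."""
    comp = _root(xml_text).find(f"{{{CDX_NS}}}metadata/{{{CDX_NS}}}component")
    if comp is None:
        return {}
    out = {"bom-ref": comp.get("bom-ref")}
    for field in ("name", "version", "purl", "description"):
        out[field] = comp.findtext(f"{{{CDX_NS}}}{field}")
    return out


def metadata_component_json(json_text):
    """Same fields read from a CycloneDX 1.4 JSON BOM."""
    comp = json.loads(json_text).get("metadata", {}).get("component", {})
    return {f: comp.get(f) for f in FIELDS}


def lost_fields(original, exported):
    """Fields asserted in the original BOM that are missing or changed in the export."""
    return sorted(f for f in FIELDS
                  if original.get(f) is not None and exported.get(f) != original[f])


def dangling_dependency_refs(xml_text):
    """dependency/@ref values that match no bom-ref anywhere in the BOM."""
    root = _root(xml_text)
    bom_refs = {c.get("bom-ref") for c in root.iter(f"{{{CDX_NS}}}component")}
    refs = {d.get("ref") for d in root.iter(f"{{{CDX_NS}}}dependency")}
    return sorted(refs - bom_refs)


if __name__ == "__main__":
    orig = metadata_component_xml(ORIGINAL_XML)
    exp = metadata_component_json(EXPORTED_JSON)
    print("lost in round trip:", lost_fields(orig, exp))
    print("dangling dependency refs:", dangling_dependency_refs(ORIGINAL_XML))
```

Run against the two documents above, the check reports purl, description and bom-ref as lost from metadata.component, and flags the top-level dependency ref "JustATestClassLibrary@1.0.0", which does not match the component's bom-ref "pkg:nuget/JustATestClassLibrary@1.0.0" and so would not resolve even if Dependency-Track preserved bom-refs.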


@stefanCCS stefanCCS added the defect (Something isn't working) and in triage labels on Jan 12, 2023
@stevespringett
Member

Not currently supported.

@stevespringett stevespringett added the enhancement (New feature or request) and p2 (Non-critical bugs, and features that help organizations to identify and reduce risk) labels and removed the defect (Something isn't working) label on Jan 12, 2023
@stevespringett
Member

@nscuro we will need a way to add support for this if asserted in BOM or if the project metadata is edited, but we will also need a way to lock the fields so that they cannot be overwritten.

@stevespringett
Member

This will likely tie into support for bom.metadata.supplier, bom.metadata.manufacture, and bom.metadata.author as well. These things could also be asserted in a BOM and we should likely store them somewhere related to the project, but also lock them so that they cannot be modified. In addition, we may want to think about a global config option for these three fields that would apply to all projects (possibly restricted to internal projects), with the ability to overwrite them at the project level.

@stefanCCS
Author

@stevespringett: Many thanks for your explanations.

As I understand it, this is more a feature request than a bug, so please feel free to close this issue, keep it open, transfer it to a discussion, or whatever you would like to do with it.

@msymons
Member

msymons commented Jan 13, 2023

@stefanCCS: as you can see, the issue was converted from defect to enhancement. And assigned priority p2 (which you can take as a compliment 😄 )

@stevespringett, how about adding support for an additional project-level comment field? This should allow "Description" to be locked down AND allow for users to record notes.

@stevespringett
Member

Good idea @msymons

@msymons msymons added the cdx-1.4 (Related to CycloneDX specification v1.4) label on May 12, 2023
@Yaytay

Yaytay commented Jun 24, 2023

I'd like to see this feature supported too.

It would also be nice if the project name and version were taken from the SBOM rather than having to be specified on the POST.

In fact, it would be convenient for me if I could just POST the SBOM with a Content-Type of 'application/json' and have everything driven from the SBOM contents.
But that does sound like a different feature request.
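Until the server derives the project from the BOM, the client can. The following is an added example, not Dependency-Track client code: it reads projectName and projectVersion from the SBOM's metadata.component instead of passing them on the command line, refuses to upload a BOM that carries no metadata.component (there is then nothing to derive the project from), and builds the body for PUT /api/v1/bom, the documented JSON alternative to the multipart POST used earlier in the issue, in which the BOM travels base64-encoded in the "bom" field. The embedded BOM is a constructed minimal copy of the one in the issue; the host and API key are placeholders.

```python
"""Drive a Dependency-Track upload from the SBOM's own metadata.component.

Added example, not Dependency-Track's client code.  Project name and version
come from the BOM; nothing project-specific is passed on the command line.
"""
import base64
import json
import urllib.request
import xml.etree.ElementTree as ET

CDX_NS = "http://cyclonedx.org/schema/bom/1.4"

# Constructed minimal BOM; in practice this is the file read from disk.
SAMPLE_BOM = b"""<?xml version="1.0" encoding="utf-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <metadata>
    <component bom-ref="pkg:nuget/JustATestClassLibrary@1.0.0" type="library">
      <name>JustATestClassLibrary</name>
      <version>1.0.0</version>
    </component>
  </metadata>
  <components/>
</bom>
"""


def project_identity(bom_bytes):
    """Return (name, version) from metadata.component; fail loudly if absent."""
    comp = ET.fromstring(bom_bytes).find(f"{{{CDX_NS}}}metadata/{{{CDX_NS}}}component")
    if comp is None:
        raise ValueError("BOM has no metadata.component; cannot derive project name/version")
    name = comp.findtext(f"{{{CDX_NS}}}name")
    version = comp.findtext(f"{{{CDX_NS}}}version")
    if not name or not version:
        raise ValueError("metadata.component lacks name or version")
    return name, version


def upload_body(bom_bytes, auto_create=True):
    """JSON body for PUT /api/v1/bom, with the project identity taken from the BOM."""
    name, version = project_identity(bom_bytes)
    return {
        "projectName": name,
        "projectVersion": version,
        "autoCreate": auto_create,
        "bom": base64.b64encode(bom_bytes).decode("ascii"),
    }


def upload(base_url, api_key, bom_bytes):
    """Send the BOM and return the HTTP status (network call; not run offline)."""
    req = urllib.request.Request(
        f"{base_url}/api/v1/bom",
        data=json.dumps(upload_body(bom_bytes)).encode("utf-8"),
        method="PUT",
        headers={"Content-Type": "application/json", "X-API-Key": api_key},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    body = upload_body(SAMPLE_BOM)
    print("derived project:", body["projectName"], body["projectVersion"])
    # upload("http://dockerhost02:8081", "MYAPIKeY", open("bom.xml", "rb").read())
```

Because autoCreate is still set by the client, a BOM whose metadata.component carries a typo in name or version silently creates a new project; a stricter variant would look the project up first (GET /api/v1/project/lookup?name=...&version=...) and only then upload.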
