
Schema validation error when importing SBOMs that were exported by DT itself #3897

Closed · 2 tasks done
malice00 (Contributor) opened this issue Jun 30, 2024 · 6 comments
Labels: defect (Something isn't working) · p2 (Non-critical bugs, and features that help organizations to identify and reduce risk) · size/S (Small effort)
Milestone: 4.12

malice00 wrote:

Current Behavior

When exporting an SBOM for a project and then trying to import it again, DT gives an exception that the Schema validation failed.

Steps to Reproduce

  1. Select a project
  2. Go to the components tab
  3. Click 'Download BOM' -- both 'Inventory' and 'Inventory with Vulnerabilities' trigger the problem
  4. Click 'Upload BOM' and select the just saved JSON

Expected Behavior

The BOM should be imported without problems.

Dependency-Track Version

4.11.4

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

14.9

Browser

Mozilla Firefox


malice00 added the defect (Something isn't working) and in triage labels Jun 30, 2024

nscuro (Member) commented Jun 30, 2024

Can you share the error messages you're getting for the upload requests? The response body will list the things it found to be wrong.

Our tests of the export functionality do validate the generated BOMs, but of course it all comes down to the data being exported. Knowing what failed would help to reproduce and fix.

malice00 (Contributor, Author) commented

There is nothing in the logs (at least not the ones I have access to), but I was able to get the response by manually executing a POST. Hope this helps...

response_1719748385096.json

nscuro (Member) commented Jun 30, 2024

That does help, it all seems to be license related. Thanks for providing the sample!

nscuro added the p2 (Non-critical bugs, and features that help organizations to identify and reduce risk) and size/S (Small effort) labels and removed the pending more information label Jun 30, 2024
nscuro added this to the 4.12 milestone Jun 30, 2024

malice00 (Contributor, Author) commented

I figured it out! We have added some licenses and set those on components. The export does add these in the SBOM, but the import apparently only validates against the official licenses, which causes this exception!

nscuro (Member) commented Jun 30, 2024

Yeah, I think we need to populate the license.name field rather than license.id for custom licenses, since the CycloneDX schema strictly requires valid SPDX license IDs in the license.id field.

We already match license.name against custom licenses when importing BOMs, so everything should just continue to work if we make this small change.
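To make the schema point concrete: the CycloneDX JSON schema restricts `license.id` to the SPDX license identifier enum, and a license object carries either `id` or `name`, not both. The script below is an added example written for this thread, not Dependency-Track code and not part of the fix discussed above. It walks the components of a BOM, reports every `license.id` that is not an SPDX identifier, and produces a corrected copy in which such values are moved into `license.name`. The SPDX list is a small constructed subset (a real check would load the full list), and the sample BOM is constructed to resemble an export that carries one custom license.

```python
"""Find and repair non-SPDX license.id values in a CycloneDX JSON BOM.

Added example, not Dependency-Track or CycloneDX project code. SPDX_IDS is a
constructed subset of the SPDX license list, and SAMPLE_BOM is a constructed
stand-in for an exported BOM that contains a custom license.
"""
import copy
import json

# Assumption: a constructed subset of the SPDX license list, enough for the demo.
SPDX_IDS = {
    "MIT", "Apache-2.0", "BSD-3-Clause", "GPL-2.0-only",
    "GPL-3.0-or-later", "LGPL-2.1-only",
}

# Constructed sample BOM: one SPDX license, one custom license exported as an
# id (the case that fails schema validation), and one entry that already uses
# name plus a separate SPDX expression.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.3",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "acme-sdk", "version": "4.0.0",
         "licenses": [{"license": {"id": "ACME-Internal-1.0"}}]},
        {"type": "library", "name": "mixed", "version": "0.1",
         "licenses": [{"license": {"name": "Proprietary"}},
                      {"expression": "MIT OR Apache-2.0"}]},
    ],
}


def _license_objects(bom):
    """Yield (component name, license object) for every licenses[].license entry.

    Entries of the form {"expression": ...} carry no license object and are skipped.
    """
    for comp in bom.get("components", []):
        for choice in comp.get("licenses", []):
            lic = choice.get("license")
            if lic is not None:
                yield comp.get("name"), lic


def find_invalid_license_ids(bom):
    """Return [(component name, bad id)] for every license.id not in SPDX_IDS."""
    return [
        (comp_name, lic["id"])
        for comp_name, lic in _license_objects(bom)
        if lic.get("id") is not None and lic["id"] not in SPDX_IDS
    ]


def rewrite_custom_licenses(bom):
    """Return a deep copy of bom where each non-SPDX license.id is moved to license.name.

    The original object is left untouched. If the exporter already set a name
    alongside the bad id, the existing name wins and the id is simply dropped,
    because the schema allows only one of the two.
    """
    fixed = copy.deepcopy(bom)
    for _, lic in _license_objects(fixed):
        lic_id = lic.get("id")
        if lic_id is not None and lic_id not in SPDX_IDS:
            del lic["id"]
            lic.setdefault("name", lic_id)
    return fixed


if __name__ == "__main__":
    print("invalid license ids:", find_invalid_license_ids(SAMPLE_BOM))
    print(json.dumps(rewrite_custom_licenses(SAMPLE_BOM), indent=2))
```

Run it against a real export by replacing SAMPLE_BOM with `json.load(open("bom.json"))` and SPDX_IDS with the full identifier list; an empty result from `find_invalid_license_ids` means the license fields, at least, will pass the schema check on upload.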

github-actions bot (Contributor) commented Aug 8, 2024

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

github-actions bot locked as resolved and limited conversation to collaborators Aug 8, 2024