cyclonedx-dotnet

component pkg:nuget/Hangfire.PostgreSql@1.8.6 causes error in Dependency-Track

Open redaabdellah21 opened this issue 2 years ago • 2 comments

Here is the component info generated by CycloneDX for the component:

```json
{
  "type": "library",
  "bom-ref": "pkg:nuget/Hangfire.PostgreSql@1.8.6",
  "publisher": "Frank Hommers and others (Burhan Irmikci (barhun), Zachary Sims(zsims), kgamecarter, Stafford Williams (staff0rd), briangweber, Viktor Svyatokha (ahydrax), Christopher Dresel (Dresel), Vytautas Kasparavi\u010Dius (vytautask), Vincent Vrijburg, David Roth (davidroth).",
  "name": "Hangfire.PostgreSql",
  "version": "1.8.6",
  "description": "PostgreSql storage implementation for Hangfire (background job system for ASP.NET and aspnet core applications).",
  "scope": "required",
  "hashes": [
    {
      "alg": "SHA-512",
      "content": "5830F65FF7073A794CA1AEC26193CE6709FFD4340D6E2EDD77D3B4F1C8A96DD1799FCEDF101C4349C8D3016321ACE63DC2ED6ABA16559EDC0B937006C8DA0B02"
    }
  ],
  "licenses": [
    {
      "license": {
        "url": "https://aka.ms/deprecateLicenseUrl"
      }
    }
  ],
  "copyright": "Copyright \u00A9 2014-2021 Frank Hommers and others",
  "purl": "pkg:nuget/Hangfire.PostgreSql@1.8.6",
  "externalReferences": [
    {
      "url": "http://hmm.rs/Hangfire.PostgreSql",
      "type": "website"
    },
    {
      "url": "https://github.com/frankhommers/Hangfire.PostgreSql",
      "type": "vcs"
    }
  ]
},
```

The publisher field value is too long to be inserted in the database (we tried H2 and PostgreSQL). We were able to make things work by reducing its length, but maybe it should be handled by CycloneDX; it should take Dependency-Track's conditions into consideration so problems like this won't occur in the future.

redaabdellah21 Jul 06 '22 08:07

Is there an issue for this in the Dependency-Track issue tracker? I don't think we should be handling this limitation here. There is no length limit on that field in the spec.

coderpatros Jul 21 '22 22:07

Yes, I created an issue on the Dependency-Track GitHub repo, and it was referenced by another issue (#1665; he gave even more details). I checked my Docker logs and it said that the field had a length limit. It only worked when I shortened it. Maybe try to add this component to a BOM and upload it to DT to reproduce; I didn't take a screenshot of the error. I am with you on that, it should be handled on DT's side, or on your side by limiting the field to 255 characters.

redaabdellah21 Jul 22 '22 12:07
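
A pre-upload check for the condition discussed in this thread, as an added example that is not part of the issue and is not cyclonedx-dotnet or Dependency-Track code: it walks a parsed CycloneDX JSON BOM, including nested components, and reports every `publisher` longer than 255 characters, with an optional in-place truncation matching the workaround described above. The function names, the 255 default (taken from the comment above, not from the spec or a verified schema) and the sample BOM are assumptions.

```python
# Assumption: 255 is the limit suggested in the thread; it is not from the
# CycloneDX spec and is not verified against Dependency-Track's schema.
MAX_LEN = 255
CHECKED_FIELDS = ("publisher",)


def walk_components(components):
    """Yield each component, descending into nested 'components' arrays."""
    for comp in components or []:
        yield comp
        yield from walk_components(comp.get("components"))


def overlong(bom, max_len=MAX_LEN, fields=CHECKED_FIELDS):
    """Yield (component, field) for every string field longer than max_len."""
    for comp in walk_components(bom.get("components")):
        for field in fields:
            value = comp.get(field)
            if isinstance(value, str) and len(value) > max_len:
                yield comp, field


def find_overlong(bom, max_len=MAX_LEN):
    """Return (bom-ref or name, field, length) tuples for reporting."""
    return [(c.get("bom-ref") or c.get("name", "<unnamed>"), f, len(c[f]))
            for c, f in overlong(bom, max_len)]


def truncate_overlong(bom, max_len=MAX_LEN):
    """Shorten over-long fields in place; return how many were changed."""
    hits = list(overlong(bom, max_len))
    for comp, field in hits:
        comp[field] = comp[field][:max_len]
    return len(hits)


# Constructed sample BOM; component names and publishers are made up.
SAMPLE_BOM = {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"type": "library", "bom-ref": "pkg:nuget/Example.Long@1.0.0",
     "name": "Example.Long", "publisher": "A. Contributor, " * 20,
     "components": [{"type": "library", "name": "Example.Nested",
                     "publisher": "x" * 300}]},
    {"type": "library", "bom-ref": "pkg:nuget/Example.Short@2.0.0",
     "name": "Example.Short", "publisher": "Example Org"}]}

if __name__ == "__main__":
    for ref, field, length in find_overlong(SAMPLE_BOM):
        print(f"{ref}: {field} is {length} characters (limit {MAX_LEN})")
```

For a real BOM, pass the dict returned by `json.load()` on the generated file to `find_overlong()` before uploading.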

I don't think we should be handling this limitation here. There is no length limit on that field in the spec.

mtsfoni Dec 13 '23 16:12