
publisher field length in DB causes a problem

Open redaabdellah21 opened this issue 2 years ago • 2 comments

Current Behavior:

DT stopped reading the BOM because it couldn't put the publisher field value in the DB because of its length. As a consequence, DT stopped reading the BOM and detected only 8 out of 275 components. It was also unable to detect vulnerabilities for the 8 components detected.

Here is the component that caused the problem:

```json
{
  "type": "library",
  "bom-ref": "pkg:nuget/[email protected]",
  "publisher": "Frank Hommers and others (Burhan Irmikci (barhun), Zachary Sims(zsims), kgamecarter, Stafford Williams (staff0rd), briangweber, Viktor Svyatokha (ahydrax), Christopher Dresel (Dresel), Vytautas Kasparavi\u010Dius (vytautask), Vincent Vrijburg, David Roth (davidroth).",
  "name": "Hangfire.PostgreSql",
  "version": "1.8.6",
  "description": "PostgreSql storage implementation for Hangfire (background job system for ASP.NET and aspnet core applications).",
  "scope": "required",
  "hashes": [
    {
      "alg": "SHA-512",
      "content": "5830F65FF7073A794CA1AEC26193CE6709FFD4340D6E2EDD77D3B4F1C8A96DD1799FCEDF101C4349C8D3016321ACE63DC2ED6ABA16559EDC0B937006C8DA0B02"
    }
  ],
  "licenses": [
    {
      "license": {
        "url": "https://aka.ms/deprecateLicenseUrl"
      }
    }
  ],
  "copyright": "Copyright \u00A9 2014-2021 Frank Hommers and others",
  "purl": "pkg:nuget/[email protected]",
  "externalReferences": [
    {
      "url": "http://hmm.rs/Hangfire.PostgreSql",
      "type": "website"
    },
    {
      "url": "https://github.com/frankhommers/Hangfire.PostgreSql",
      "type": "vcs"
    }
  ]
}
```

Steps to Reproduce:

Produce and inject a BOM for an application that uses the following component: pkg:nuget/[email protected]

I was able to encounter this by reducing the publisher field value's length.

Expected Behavior:

DT should try to populate the max of the field, not stop reading the BOM.

Environment:

  • Dependency-Track Version: 4.5.0
  • Distribution: [ Docker | Executable WAR | Traditional WAR ] docker
  • BOM Format & Version: CycloneDX 1.3
  • Database Server: [ H2 | MSSQL | MySQL | PostgreSQL ] h2 & postgresql
  • Browser: edge

Additional Details:


redaabdellah21 avatar Jul 05 '22 15:07 redaabdellah21
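A pre-ingestion check for the failure described in this report, added here as an example and not code from Dependency-Track or the reporter: it walks a CycloneDX JSON BOM, flags component string fields longer than a configured limit, and optionally truncates them so the rest of the BOM still imports. The limit of 255 and the sample BOM are assumptions; the issue does not state the actual column length.

```python
import json
from typing import Dict, List, Tuple

# Assumed limit for string columns such as "publisher"; the issue does not state
# Dependency-Track's actual column length, so this value is a placeholder.
MAX_FIELD_LENGTH = 255

# CycloneDX component fields that end up as plain strings on the component row.
CHECKED_FIELDS = ("publisher", "name", "version", "description", "copyright")


def find_oversized_fields(bom: Dict, limit: int = MAX_FIELD_LENGTH) -> List[Tuple[str, str, int]]:
    """Return (bom-ref, field, length) for every component string field longer than limit."""
    findings = []
    for comp in bom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("name", "<no bom-ref>")
        for field in CHECKED_FIELDS:
            value = comp.get(field)
            if isinstance(value, str) and len(value) > limit:
                findings.append((ref, field, len(value)))
    return findings


def truncate_oversized_fields(bom: Dict, limit: int = MAX_FIELD_LENGTH) -> Dict:
    """Return a deep copy of the BOM with oversized string fields cut to limit characters,
    so the remaining components can still be ingested instead of the import stopping."""
    fixed = json.loads(json.dumps(bom))  # deep copy; the caller's BOM is left untouched
    for comp in fixed.get("components", []):
        for field in CHECKED_FIELDS:
            value = comp.get(field)
            if isinstance(value, str) and len(value) > limit:
                comp[field] = value[:limit]
    return fixed


# Constructed sample BOM (not from the issue): the first component carries a publisher
# string far longer than the assumed limit, like the many-contributor value reported above.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.3",
    "components": [
        {"type": "library", "bom-ref": "constructed-ref-1", "name": "Example.LongPublisher",
         "version": "1.0.0",
         "publisher": "Maintainer and others (" + ", ".join(f"contributor {i}" for i in range(1, 41)) + ")"},
        {"type": "library", "bom-ref": "constructed-ref-2", "name": "Example.Lib",
         "version": "1.0.0", "publisher": "Example Org"},
    ],
}

if __name__ == "__main__":
    for ref, field, length in find_oversized_fields(SAMPLE_BOM):
        print(f"{ref}: {field} is {length} chars, limit is {MAX_FIELD_LENGTH}")
```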

This issue duplicates #1665.

ecaisse avatar Jul 07 '22 11:07 ecaisse

Hi @nscuro, can you please check this issue if you have any time? I opened an issue on the CycloneDX dotnet GitHub page and a member said that they don't know of a field limit in the spec. I think this should be handled by DT maintainers, no?

https://github.com/CycloneDX/cyclonedx-dotnet/issues/564

redaabdellah21 avatar Aug 08 '22 11:08 redaabdellah21