DependencyTrack
Missing graph in 4.7.1
Current Behavior
I have an environment that contains multiple projects ( around 50) the project are built using SBOM import with maven plugin and they were showing a graph for each project.
After the upgrade to dependencytrack 4.7.1 I cannot see anymore graph , there is only the main graph node without any other node
Steps to Reproduce
- start with a 4.7.0 projects with graph
- upgrade from 4.7.0 to 4.7.1
- check graph tab in projects -> empty
Expected Behavior
Graph should be present
Dependency-Track Version
4.7.1
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
No response
Browser
Mozilla Firefox
Checklist
- [X] I have read and understand the contributing guidelines
- [X] I have checked the existing issues for whether this defect was already reported
@andresghelarducci, when you click on the component tab on the project page there will be a new icon (introduced in 4.7) to the right of the component name in component name column. This should give you a dependency graph that is filtered for the individual component. How does that work for you?
Also.. 793 components in a maven project? That sure is a lot :smile:
Hi,
I know about the graph button neae each component
unfortunately if I click on it the result is
But I understood the cause: it seems that dependency track when I update from 4.7.0. to 4.7.1 deleted graph information(while keeping components & vulnerabilities), infact now I forced the SBOM import of project and graph return visible again
In my case I have 50 projects so I lost a relevant info until I reimport them
Maybe not keeping graph information during an update shall be considered a bug?
I wonder how this happened, since no change in 4.7.1 should be related to this graph from what I see. there were changes towards 4.7.0, but those should be fine and not be lost from own experience, also you said you were on 4.7.0 before... Anyone else saw this?
@andresghelarducci check issue that I open, maybe this could be the cause. https://github.com/DependencyTrack/dependency-track/issues/2494
Hi , my situation is a bit different given that, for a project not having a graph, I called a SBOM import via API and the graph was successfully added.
Andres
As @rkg-mm said there were no related changes in the version you upgraded to. So I am a bit baffled as to how this could have happened.
Is this behavior consistent for all your projects or is it just this one?
Just an upgrade : today the problem happened again, all projects lost its graph and it appears again after on next build, I found the following errors . Can you check if this is a bug ?
Andres
2023-04-17 07:18:44,940 INFO [BomUploadProcessingTask] Processing CycloneDX BOM uploaded to project: c1b26cc9-da2e-4ed2-92bf-f8cf13f167c0
2023-04-17 07:18:46,621 INFO [BomUploadProcessingTask] Identified 7 new components
2023-04-17 07:18:46,621 INFO [BomUploadProcessingTask] Processing CycloneDX dependency graph for project: c1b26cc9-da2e-4ed2-92bf-f8cf13f167c0
2023-04-17 07:18:46,727 INFO [BomUploadProcessingTask] Processed 327 components and 0 services uploaded to project c1b26cc9-da2e-4ed2-92bf-f8cf13f167c0
2023-04-17 07:18:46,727 INFO [RepositoryMetaAnalyzerTask] Performing component repository metadata analysis against 327 components
2023-04-17 07:18:46,743 ERROR [LoggableUncaughtExceptionHandler] An unknown error occurred in an asynchronous event or notification thread
org.apache.lucene.store.AlreadyClosedException: Underlying file changed by an external force at 2023-04-14T16:03:35.010807589Z, (lock=NativeFSLock(path=/data/.dependency-track/index/servicecomponent/write.lock,impl=sun.nio.ch.FileLockImpl[0:9223372036854775807 exclusive valid],creationTime=2023-02-04T10:01:48.59299314Z))
at org.apache.lucene.store.NativeFSLockFactory$NativeFSLock.ensureValid(NativeFSLockFactory.java:191)
at org.apache.lucene.store.LockValidatingDirectoryWrapper.syncMetaData(LockValidatingDirectoryWrapper.java:61)
at org.apache.lucene.index.SegmentInfos.prepareCommit(SegmentInfos.java:802)
at org.apache.lucene.index.IndexWriter.startCommit(IndexWriter.java:5084)
at org.apache.lucene.index.IndexWriter.prepareCommitInternal(IndexWriter.java:3460)
at org.apache.lucene.index.IndexWriter.commitInternal(IndexWriter.java:3770)
at org.apache.lucene.index.IndexWriter.commit(IndexWriter.java:3728)
at org.dependencytrack.search.IndexManager.commit(IndexManager.java:249)
at org.dependencytrack.tasks.IndexTask.inform(IndexTask.java:65)
at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:101)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.base/java.lang.Thread.run(Unknown Source)
2023-04-17 07:18:50,847 INFO [BomUploadProcessingTask] Processing CycloneDX dependency graph for project: 1780711b-7663-435c-91d9-984cb834645a
2023-04-17 07:18:50,856 INFO [BomUploadProcessingTask] Processed 735 components and 0 services uploaded to project 1780711b-7663-435c-91d9-984cb834645a
2023-04-17 07:18:50,857 INFO [RepositoryMetaAnalyzerTask] Performing component repository metadata analysis against 735 components
2023-04-17 07:18:50,869 ERROR [LoggableUncaughtExceptionHandler] An unknown error occurred in an asynchronous event or notification thread
org.apache.lucene.store.AlreadyClosedException: Underlying file changed by an external force at 2023-04-14T16:03:35.010807589Z, (lock=NativeFSLock(path=/data/.dependency-track/index/servicecomponent/write.lock,impl=sun.nio.ch.FileLockImpl[0:9223372036854775807 exclusive valid],creationTime=2023-02-04T10:01:48.59299314Z))
at org.apache.lucene.store.NativeFSLockFactory$NativeFSLock.ensureValid(NativeFSLockFactory.java:191)
at org.apache.lucene.store.LockValidatingDirectoryWrapper.syncMetaData(LockValidatingDirectoryWrapper.java:61)
at org.apache.lucene.index.SegmentInfos.prepareCommit(SegmentInfos.java:802)
at org.apache.lucene.index.IndexWriter.startCommit(IndexWriter.java:5084)
at org.apache.lucene.index.IndexWriter.prepareCommitInternal(IndexWriter.java:3460)
at org.apache.lucene.index.IndexWriter.commitInternal(IndexWriter.java:3770)
at org.apache.lucene.index.IndexWriter.commit(IndexWriter.java:3728)
at org.dependencytrack.search.IndexManager.commit(IndexManager.java:249)
at org.dependencytrack.tasks.IndexTask.inform(IndexTask.java:65)
at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:101)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.base/java.lang.Thread.run(Unknown Source)
The problem occured during normal operation ( service was not restarted) and that were the only error messages present in logs today (except some missing synch with defectdojo) , if you want I can provide you the logs
@andresghelarducci Sharing your logs may help. If you're not comfortable with sharing them here, you can DM me in the OWASP Slack (invite here if you're not on it already). My username is nscur0.
I'm missing Dependency graphs too in 4.7.1. I don't see new project versions that were created today. I can't tell for sure if I've seen them ever since getting started with DT back in version 4.4.2. Though not remembering seeing them at all could mean they weren't ever there. As to why I noticed only now: a coworker specificaly asked about that feature.
As a background how our BOMs are imported:
- we first create a raw project via API
- assign it to a team via ACL API
- set the project's component type via API
- upload the BOM via API
I'm having the same issue with version 4.10.1...
Uploaded various sboms (from cyclonedx, syft, grype) and various projects (custom java, keycloak, etc.) and none of them show the dependency graph.
