
Documentation: how to do SBOM autoCreate with a child project

Open robertlagrant opened this issue 2 years ago • 2 comments

Current Behavior

It's possible to auto-create a project based on an SBOM upload API call using autoCreate=true. This is useful, as it means various projects across an org don't have to all maintain a DT project UUID, and can just push with a consistent name and it Just Works™.

However, if we would like to have a project that has children, so we can group different versions of the same project, we can no longer use this method, and there appears to be no simple combination of API calls that would allow it.

Currently, I think this is the only way it could work:

# Get all projects, filter them by name client-side, and get the UUID of the
# relevant parent project if it exists, else create it; then populate the
# child project's `parent` field with that UUID.
# (The API is served under /api/v1 and needs an X-Api-Key header; the project
# name and version below are placeholders.)
DT=https://dt.example.com
HDR=(-H "X-Api-Key: $DT_API_KEY" -H "Content-Type: application/json")

PARENT_UUID=$(curl -s "${HDR[@]}" "$DT/api/v1/project" \
  | jq -r '.[] | select(.name == "My First Project" and .version == null) | .uuid')

if [ -z "$PARENT_UUID" ]; then   # no parent yet: create it and keep its UUID
  PARENT_UUID=$(curl -s "${HDR[@]}" -X PUT "$DT/api/v1/project" \
    -d '{"name": "My First Project"}' | jq -r '.uuid')
fi

curl -s "${HDR[@]}" -X PUT "$DT/api/v1/project" \
  -d "{\"name\": \"My First Project\", \"version\": \"1.0.0\", \"parent\": {\"uuid\": \"$PARENT_UUID\"}}"

Proposed Behavior

Three examples of how it could work:

DT=https://dt.example.com
HDR=(-H "X-Api-Key: $DT_API_KEY" -H "Content-Type: application/json")

# 1. The project autoCreate option on BOM upload can also autocreate a parent
#    based on name if it doesn't exist; otherwise it adds a new child to the
#    existing project.
curl -s "${HDR[@]}" -X POST "$DT/api/v1/bom" \
  -d '{"projectName": "My First Project", "projectVersion": "1.0.0", "autoCreate": true, "autoCreateAsChild": true, "bom": "<base64 CycloneDX>"}'

# 2. When creating a project, have an option to autocreate a parent if it
#    doesn't exist, matching on name.
curl -s "${HDR[@]}" -X PUT "$DT/api/v1/project?autoCreateParent=true" \
  -d '{"name": "My First Project", "version": "1.0.0"}'

# 3. Add an option to project lookup that ignores version, so we can get a
#    parent project, create it if necessary, then attach a new child to it.
PARENT_UUID=$(curl -s "${HDR[@]}" "$DT/api/v1/project/lookup?name=My+First+Project" | jq -r '.uuid')

if [ -z "$PARENT_UUID" ]; then   # no parent yet: create it and keep its UUID
  PARENT_UUID=$(curl -s "${HDR[@]}" -X PUT "$DT/api/v1/project" \
    -d '{"name": "My First Project"}' | jq -r '.uuid')
fi

curl -s "${HDR[@]}" -X PUT "$DT/api/v1/project" \
  -d "{\"name\": \"My First Project\", \"version\": \"1.0.0\", \"parent\": {\"uuid\": \"$PARENT_UUID\"}}"


robertlagrant avatar Feb 24 '23 17:02 robertlagrant
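The find-or-create-parent workaround described in the post above, written out end to end as an added example in Python (this is not code from the issue or from the Dependency-Track project). It uses Dependency-Track's real endpoints: GET /api/v1/project to list projects, PUT /api/v1/project to create one (201 on success, 409 when that name and version already exist), GET /api/v1/project/lookup?name=&version= to resolve an existing project, and the X-Api-Key header. Assumed, and not confirmed by the issue: the DT_URL and API_KEY placeholders, the `{"parent": {"uuid": ...}}` body shape for attaching a child, and the FakeDependencyTrack class, which is a constructed in-memory stand-in for those endpoints so the flow can run offline; swap in urllib_transport to talk to a real server.

```python
"""Find or create a version-less parent project, then attach a versioned child.

Added example, not code from the issue or from the Dependency-Track project.
Real endpoints used: GET /api/v1/project (list), PUT /api/v1/project (create:
201 on success, 409 when name+version already exists) and
GET /api/v1/project/lookup?name=&version=, authenticated with X-Api-Key.
Assumptions: DT_URL/API_KEY are placeholders, the parent is sent as
{"parent": {"uuid": ...}}, and FakeDependencyTrack is a constructed in-memory
stand-in so the flow can run offline.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
import uuid

DT_URL = "https://dt.example.com"   # placeholder (assumed)
API_KEY = "change-me"               # placeholder (assumed)


def urllib_transport(method, path, body=None):
    """Transport for a real server: returns (HTTP status, decoded JSON or None)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(
        DT_URL + path, data=data, method=method,
        headers={"X-Api-Key": API_KEY, "Content-Type": "application/json",
                 "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        return err.code, None


def find_parent(name, http):
    """UUID of the version-less project called `name`, or None if absent.

    /project/lookup requires a version, so the version-less parent is found by
    listing and filtering client-side, the workaround the issue describes.
    The listing is paginated (pageNumber/pageSize query parameters); a
    production script should walk every page.
    """
    status, projects = http("GET", "/api/v1/project", None)
    if status != 200:
        raise RuntimeError(f"listing projects failed: HTTP {status}")
    for project in projects:
        if project.get("name") == name and not project.get("version"):
            return project["uuid"]
    return None


def create_project(name, version, http, parent_uuid=None):
    """PUT a project and return its UUID; on 409 (already exists) resolve the
    existing UUID through /project/lookup so re-runs are idempotent."""
    body = {"name": name}
    if version is not None:
        body["version"] = version
    if parent_uuid is not None:
        body["parent"] = {"uuid": parent_uuid}   # assumed body shape
    status, created = http("PUT", "/api/v1/project", body)
    if status == 201:
        return created["uuid"]
    if status == 409 and version is not None:
        query = urllib.parse.urlencode({"name": name, "version": version})
        status, existing = http("GET", "/api/v1/project/lookup?" + query, None)
        if status == 200:
            return existing["uuid"]
    raise RuntimeError(f"creating {name} {version!r} failed: HTTP {status}")


def ensure_child(name, version, http=urllib_transport):
    """The issue's workaround end to end: find or create the parent, then the child."""
    parent_uuid = find_parent(name, http)
    if parent_uuid is None:
        parent_uuid = create_project(name, None, http)
    child_uuid = create_project(name, version, http, parent_uuid=parent_uuid)
    return parent_uuid, child_uuid


class FakeDependencyTrack:
    """Constructed in-memory stand-in for the three endpoints above (offline use)."""

    def __init__(self):
        self.projects = []

    def __call__(self, method, path, body):
        url = urllib.parse.urlsplit(path)
        query = urllib.parse.parse_qs(url.query)
        if method == "GET" and url.path == "/api/v1/project":
            return 200, [dict(p) for p in self.projects]
        if method == "GET" and url.path == "/api/v1/project/lookup":
            name, version = query.get("name", [""])[0], query.get("version", [""])[0]
            for p in self.projects:
                if p["name"] == name and (p["version"] or "") == version:
                    return 200, dict(p)
            return 404, None
        if method == "PUT" and url.path == "/api/v1/project":
            if any(p["name"] == body["name"] and p["version"] == body.get("version")
                   for p in self.projects):
                return 409, None
            parent = body.get("parent")
            if parent and not any(p["uuid"] == parent["uuid"] for p in self.projects):
                return 404, None   # unknown parent UUID
            project = {"uuid": str(uuid.uuid4()), "name": body["name"],
                       "version": body.get("version"), "parent": parent}
            self.projects.append(project)
            return 201, dict(project)
        return 404, None
```

Calling `ensure_child("My First Project", "1.0.0")` against a real server does the three round trips the post sketches with curl; a second call with the same version is resolved through /project/lookup instead of failing on the 409.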

Just found 2545, which is a PR to partially fix this! Hopefully it goes through.

robertlagrant avatar Mar 16 '23 09:03 robertlagrant

Using autoCreate=true I would have expected the parent project to be created if not found; currently it fails with 404.

amergey avatar Mar 18 '24 13:03 amergey