
BomUploadProcessingTask - Error while processing bom (Dependency-Track 4.6.3)

Status: Open. javaface opened this issue (2 comments)

Current Behavior

After uploading an SBOM, Last BOM Import and Risk Score are not updated on the projects page. BOM files are approx. 3 to 5 MB in size.

(screenshot attached to the original issue)

Error in API server (backend) log:

    2023-11-30 21:02:02,960 ERROR [BomUploadProcessingTask] dt.trace_sampled: true, dt.trace_id: XXXXXX, dt.span_id: XXXXXX Error while processing bom
    javax.jdo.JDOUserException: One or more instances could not be deleted
        at org.datanucleus.api.jdo.JDOPersistenceManager.deletePersistentAll(JDOPersistenceManager.java:819)
        at org.datanucleus.api.jdo.JDOPersistenceManager.deletePersistentAll(JDOPersistenceManager.java:798)
        at alpine.persistence.AbstractAlpineQueryManager.delete(AbstractAlpineQueryManager.java:473)
        at org.dependencytrack.persistence.ComponentQueryManager.recursivelyDelete(ComponentQueryManager.java:422)
        at org.dependencytrack.persistence.ComponentQueryManager.reconcileComponents(ComponentQueryManager.java:517)
        at org.dependencytrack.persistence.QueryManager.reconcileComponents(QueryManager.java:771)
        at org.dependencytrack.tasks.BomUploadProcessingTask.inform(BomUploadProcessingTask.java:138)
        at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:101)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.base/java.lang.Thread.run(Unknown Source)
    Caused by: java.lang.NullPointerException: null
    2023-11-30 21:02:02,961 WARN [General] dt.trace_sampled: true, dt.trace_id: XXXXXX, dt.span_id: XXXXXX ExecutionContext closed with active transaction, so rolling back the active transaction
    2023-11-30 21:02:04,126 ERROR [LoggableUncaughtExceptionHandler] An unknown error occurred in an asynchronous event or notification thread
    javax.jdo.JDOObjectNotFoundException: Object with id "org.dependencytrack.model.Component:0" not found !
        at org.datanucleus.api.jdo.JDOAdapter.getJDOExceptionForNucleusException(JDOAdapter.java:634)
        at org.datanucleus.api.jdo.JDOPersistenceManager.getObjectById(JDOPersistenceManager.java:1726)
        at alpine.persistence.AbstractAlpineQueryManager.getObjectById(AbstractAlpineQueryManager.java:535)
        at org.dependencytrack.tasks.repositories.RepositoryMetaAnalyzerTask.inform(RepositoryMetaAnalyzerTask.java:51)
        at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:101)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.base/java.lang.Thread.run(Unknown Source)

Steps to Reproduce

1. Create the BOM file:

       cyclonedx-npm --output-format=XML --output-file sbom.xml --ignore-npm-errors --no-validate package.json

2. Upload the BOM file:

       curl -v "XXXXXX" \
         -H "Content-Type: multipart/form-data" \
         -H "X-Api-Key: $1" \
         -F "project=XXXXXX" \
         -F "bom=@$WORKSPACE/$APP_DIR/sbom/sbom.xml"

3. Upload is successful.

         % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                        Dload  Upload   Total   Spent    Left  Speed
         0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
       *   Trying XX.XXX.XX.XX:443...
       * Connected to XXXXXX.com (XX.XXX.XX.XX) port 443 (#0)
       * ALPN: offers h2,http/1.1
       } [5 bytes data]
       * TLSv1.3 (OUT), TLS handshake, Client hello (1):
       } [512 bytes data]
       *  CAfile: /etc/ssl/certs/XXXXXX.crt
       *  CApath: /etc/ssl/certs
       { [5 bytes data]
       * TLSv1.3 (IN), TLS handshake, Server hello (2):
       { [122 bytes data]
       * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
       { [19 bytes data]
       * TLSv1.3 (IN), TLS handshake, Certificate (11):
       { [3994 bytes data]
       * TLSv1.3 (IN), TLS handshake, CERT verify (15):
       { [264 bytes data]
       * TLSv1.3 (IN), TLS handshake, Finished (20):
       { [36 bytes data]
       * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
       } [1 bytes data]
       * TLSv1.3 (OUT), TLS handshake, Finished (20):
       } [36 bytes data]
       * SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
       * ALPN: server accepted h2
       * Server certificate:
       *  subject: XXXXXX
       *  start date: Dec 12 00:00:00 2022 GMT
       *  expire date: Dec 11 23:59:59 2023 GMT
       *  subjectAltName: host "XXXXXX"
       *  issuer: XXXXXX
       *  SSL certificate verify ok.
       } [5 bytes data]
       * using HTTP/2
       * h2h3 [:method: POST]
       * h2h3 [:path: /api/v1/bom]
       * h2h3 [:scheme: https]
       * h2h3 [:authority: XXXXXX]
       * h2h3 [user-agent: curl/7.88.1]
       * h2h3 [accept: */*]
       * h2h3 [x-api-key: ****]
       * h2h3 [content-length: 5375155]
       * h2h3 [content-type: multipart/form-data; boundary=------------------------2a451afa4abaadb6]
       * Using Stream ID: 1 (easy handle 0x55dd6a8eac90)
       } [5 bytes data]
       > POST /api/v1/bom HTTP/2
       > Host: XXXXXX.com
       > user-agent: curl/7.88.1
       > accept: */*
       > x-api-key: ****
       > content-length: 5375155
       > content-type: multipart/form-data; boundary=------------------------2a451afa4abaadb6
       >
       } [5 bytes data]
       * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
       { [297 bytes data]
       * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
       { [297 bytes data]
       * old SSL session ID is stale, removing
       { [5 bytes data]
        19 5249k    0     0   19 1039k      0  1496k  0:00:03 --:--:--  0:00:03 1496k
        59 5249k    0     0   59 3135k      0  1850k  0:00:02  0:00:01  0:00:01 1850k
       * We are completely uploaded and fine
       { [5 bytes data]
       100 5249k    0     0  100 5249k      0  1942k  0:00:02  0:00:02 --:--:-- 1941k
       < HTTP/2 200
       < date: Mon, 04 Dec 2023 18:48:52 GMT
       < content-type: application/json
       < x-powered-by: Dependency-Track v4.6.3
       < cache-control: private, max-age=0, must-revalidate, no-cache
       < access-control-allow-origin: *
       < access-control-allow-methods: GET, POST, PUT, DELETE, OPTIONS
       < access-control-allow-headers: Origin, Content-Type, Authorization, X-Requested-With, Content-Length, Accept, Origin, X-Api-Key, X-Total-Count, *
       < access-control-expose-headers: Origin, Content-Type, Authorization, X-Requested-With, Content-Length, Accept, Origin, X-Api-Key, X-Total-Count
       < access-control-allow-credentials: true
       < access-control-max-age: 3600
       < content-length: 48
       < set-cookie: XXXXXX; path=/; HttpOnly; Secure; SameSite=None
       <
       { [48 bytes data]
       100 5249k  100    48  100 5249k     17  1918k  0:00:02  0:00:02 --:--:-- 1918k
       * Connection #0 to host XXXXXX left intact
       {"token":"XXXXXX"}

Expected Behavior

Project details in Dependency-Track update and no errors in log.

Dependency-Track Version

4.7.x

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

javaface, Dec 05 '23
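The upload in step 3 above returns HTTP 200 and a token, but in Dependency-Track the BOM is processed asynchronously after that response: a 200 only means the file was accepted into the queue, and a failure inside BomUploadProcessingTask (like the stack trace in this issue) is never reported back to the uploader. A CI pipeline that stops at the 200 will therefore keep reporting green while the project's inventory and risk score silently stop updating. The script below is an added example, not code from the issue or from the Dependency-Track project; it assumes the documented v4 REST endpoints `POST /api/v1/bom` (multipart, `project` and `bom` fields, as in the curl command above), `GET /api/v1/bom/token/{token}` (returns `{"processing": true|false}` and says nothing about success) and `GET /api/v1/project/{uuid}` (whose `lastBomImport` is an epoch-millisecond timestamp). It uploads, polls the token until processing stops, and then requires `lastBomImport` to have advanced; the transport is injectable so the logic can run against scripted responses. The hostnames, key and project UUID in the usage are placeholders.

```python
"""Upload a CycloneDX BOM to Dependency-Track and verify it was really processed.

Added example, not part of the issue or the project. Assumes the Dependency-Track
v4 REST API: POST /api/v1/bom, GET /api/v1/bom/token/{token},
GET /api/v1/project/{uuid}. The `http` callable is injectable so the verification
logic can be exercised offline with scripted responses.
"""
import json
import time
import uuid
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Transport signature: (method, url, headers, body) -> (status, response body)
HttpFn = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


class BomNotProcessed(RuntimeError):
    """The upload was accepted (HTTP 200 + token) but the project never reflected it."""


def urllib_http(method: str, url: str, headers: Dict[str, str],
                body: Optional[bytes] = None) -> Tuple[int, bytes]:
    """Real transport: one HTTPS request via the standard library (verifies TLS by default)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.status, resp.read()


def multipart_body(fields: Dict[str, str], file_field: str, filename: str,
                   data: bytes) -> Tuple[str, bytes]:
    """Build the multipart/form-data body that curl's -F flags would send."""
    boundary = "----dt-" + uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts.append(
            f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'.encode()
        )
    parts.append(
        f'--{boundary}\r\nContent-Disposition: form-data; name="{file_field}"; '
        f'filename="{filename}"\r\nContent-Type: application/octet-stream\r\n\r\n'.encode()
        + data + b"\r\n"
    )
    parts.append(f"--{boundary}--\r\n".encode())
    return boundary, b"".join(parts)


def upload_and_verify(base_url: str, api_key: str, project_uuid: str, bom_bytes: bytes,
                      http: HttpFn = urllib_http, max_polls: int = 150,
                      poll_interval: float = 2.0, sleep=time.sleep) -> dict:
    """Upload a BOM, wait for processing to stop, then prove the project changed."""
    hdrs = {"X-Api-Key": api_key, "Accept": "application/json"}
    project_url = f"{base_url}/api/v1/project/{project_uuid}"

    # 1. Record the project's lastBomImport before we touch it (absent on a fresh project).
    status, body = http("GET", project_url, hdrs, None)
    if status != 200:
        raise BomNotProcessed(f"cannot read project {project_uuid}: HTTP {status}")
    before = json.loads(body).get("lastBomImport")

    # 2. Upload. A 200 here only means "queued"; the token is what we must follow up on.
    boundary, payload = multipart_body({"project": project_uuid}, "bom", "sbom.xml", bom_bytes)
    status, body = http("POST", f"{base_url}/api/v1/bom",
                        {**hdrs, "Content-Type": f"multipart/form-data; boundary={boundary}"}, payload)
    if status != 200:
        raise BomNotProcessed(f"upload rejected: HTTP {status} {body[:200]!r}")
    token = json.loads(body)["token"]

    # 3. Poll until the server says nothing is processing for this token any more.
    #    That is true both after success and after the task died with an exception.
    for polls in range(1, max_polls + 1):
        status, body = http("GET", f"{base_url}/api/v1/bom/token/{token}", hdrs, None)
        if status == 200 and json.loads(body).get("processing") is False:
            break
        sleep(poll_interval)
    else:
        raise BomNotProcessed(f"token {token} still processing after {max_polls} polls")

    # 4. The only reliable success signal: lastBomImport moved forward.
    status, body = http("GET", project_url, hdrs, None)
    after = json.loads(body).get("lastBomImport") if status == 200 else None
    if after is None or (before is not None and after <= before):
        raise BomNotProcessed(
            f"processing finished but lastBomImport did not advance ({before} -> {after}); "
            "check the API server log for BomUploadProcessingTask errors")
    return {"token": token, "polls": polls,
            "lastBomImport_before": before, "lastBomImport_after": after}


if __name__ == "__main__":
    # Usage: DT_API_KEY=... python dt_upload.py https://dt.example.com <project-uuid> sbom.xml
    import os
    import sys
    base, project, bom_path = sys.argv[1:4]
    with open(bom_path, "rb") as fh:
        print(upload_and_verify(base, os.environ["DT_API_KEY"], project, fh.read()))
```

Run from the same pipeline step that today runs the curl command and let `BomNotProcessed` fail the job; with that in place the symptom reported here (stale Last BOM Import after a 200) surfaces at upload time instead of being noticed later on the projects page.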

I am optimistic that https://github.com/DependencyTrack/dependency-track/pull/3357 will resolve this, but without a reproducer I have no way to verify. The instructions are helpful, but I am unable to reproduce this issue with the NPM projects I have at hand.

Can you share a BOM that triggers the issue?

nscuro, Jan 10 '24

As a workaround I changed my BOM upload script to create a fresh Dependency-Track project (new project id) with the same name value. So I'm technically creating a new project with each upload vs. updating an existing project. I'm thinking this is not good?

javaface, Feb 16 '24