
Proper feedback on BOM upload

Open savek-cc opened this issue 1 year ago • 4 comments

Current Behavior

When uploading a BOM via the v1/bom endpoint, the user is given a "#/definitions/BomUploadResponse" containing a token as response. This token can then be used in order to query the current processing status via the v1/bom/token/{uuid} endpoint. It only gives a boolean result though - either the BOM is currently being processed - or it isn't.

When uploading a BOM, a lot of stuff can go wrong though - leading to either no project being created - or even incomplete projects within DependencyTrack without any feedback to the user about any of those error states. The only possibility to see that (and what) something went wrong is to look at the server logs - which aren't accessible to the user. See issues for examples: https://github.com/DependencyTrack/dependency-track/issues/3371 https://github.com/DependencyTrack/dependency-track/issues/3324 https://github.com/DependencyTrack/dependency-track/issues/3274 https://github.com/DependencyTrack/dependency-track/issues/3081 https://github.com/DependencyTrack/dependency-track/issues/2821 ... and more.

Proposed Behavior

The v1/bom/token/{uuid} endpoint shall include information about any errors encountered during the processing of a BOM. This includes stuff like "wrong format" - but also any exception that happened during processing.


savek-cc avatar Jan 15 '24 09:01 savek-cc
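One way a client can live with the boolean-only token endpoint described in the issue, shown here as an added example that is not code from the Dependency-Track project: poll until `processing` turns false, then confirm the project actually exists, since the flag alone cannot distinguish success from a silent failure. The paths `/api/v1/bom/token/{uuid}` and `/api/v1/project/lookup` and the `X-Api-Key` header are assumed from Dependency-Track's REST API; the `fetch` callable and the fake server responses are constructed for this example.

```python
import json
import time
from urllib import request
from urllib.parse import quote


def make_fetch(base_url, api_key):
    """Return fetch(path) -> (status, json_body) against a real DT instance.
    Assumes DT's X-Api-Key header authentication."""
    def fetch(path):
        req = request.Request(base_url + path, headers={"X-Api-Key": api_key})
        with request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    return fetch


def wait_for_bom(token, fetch, attempts=10, delay=0.0):
    """Poll the token endpoint until 'processing' is false.
    Returns True when processing has stopped, False on timeout.
    A False flag says nothing about success; see confirm_project()."""
    for _ in range(attempts):
        status, body = fetch(f"/api/v1/bom/token/{token}")
        if status == 200 and isinstance(body, dict) and body.get("processing") is False:
            return True
        time.sleep(delay)
    return False


def confirm_project(name, version, fetch):
    """Check that the project the BOM was uploaded for really exists.
    'missing' is the silent-failure case the issue complains about."""
    path = f"/api/v1/project/lookup?name={quote(name)}&version={quote(version)}"
    status, body = fetch(path)
    return "ok" if status == 200 and body else "missing"


def bom_upload_outcome(token, name, version, fetch):
    """Combine both checks: 'timeout', 'missing' or 'ok'."""
    if not wait_for_bom(token, fetch):
        return "timeout"
    return confirm_project(name, version, fetch)


# Constructed fake transports standing in for a DT server (no network needed).
def fake_silent_failure(path):
    # Processing ended, but no project was ever created.
    return (200, {"processing": False}) if "/bom/token/" in path else (404, None)


def fake_success(path):
    if "/bom/token/" in path:
        return 200, {"processing": False}
    return 200, {"name": "app", "version": "1.0", "uuid": "constructed-uuid"}
```

Against a live instance, pass `make_fetch("https://dt.example.invalid/", API_KEY)` in place of the fakes.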

Related:

  • v4.11 will validate BOMs synchronously (#3218), which will catch format issues while the client is still present
  • In hyades this functionality was implemented using a concept of workflow steps, the status of which can be requested via REST API, and additionally carry failure details (https://github.com/DependencyTrack/hyades/issues/664)
    • It is a precondition to enable HA deployments, but given this issue it may make sense to backport it to DT v4.x

nscuro avatar Jan 15 '24 12:01 nscuro

That looks a lot like what we're currently trying to integrate...

savek-cc avatar Jan 15 '24 12:01 savek-cc

Looking forward to https://github.com/DependencyTrack/dependency-track/issues/3218 as this will help me understand formatting issues of SBOMs 🚀

cmboling avatar Jan 19 '24 17:01 cmboling

@cmboling for SBOM formatting issues maybe check/validate your SBOM using https://cyclonedx.github.io/cyclonedx-web-tool/

savek-cc avatar Jan 19 '24 18:01 savek-cc