
SBOM not imported if it was generated by new syft v0.101.0

Open securityguru opened this issue 1 year ago • 3 comments

Current Behavior

A file generated by syft v0.60.1 can be uploaded and successfully processed by DT. A file generated by the latest syft can be uploaded, but DT ignores it.

Steps to Reproduce

  1. Install syft v0.101.0, generate an SBOM for any docker image, and upload it to DT. The last BOM import for the project will stay intact.
  2. Install syft v0.60.1, generate an SBOM for the same image, and upload it to DT. The last BOM will be updated.

Expected Behavior

Both syft versions generate a correct CycloneDX BOM. Both files should be processed.

Dependency-Track Version

4.7.x

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

Checklist

securityguru avatar Jan 19 '24 11:01 securityguru

Can you provide an example that fails to process?

stevespringett avatar Jan 20 '24 03:01 stevespringett

And can you try to reproduce in 4.10.1?

valentijnscholten avatar Jan 20 '24 08:01 valentijnscholten

It might be that newer Syft versions generate BOMs using the CycloneDX v1.5 schema per default. Support for CycloneDX v1.5 was introduced in Dependency-Track v4.9.

nscuro avatar Jan 24 '24 18:01 nscuro
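A pre-upload check for the mismatch described in the comment above: it reads the CycloneDX schema version a BOM declares (JSON `specVersion` or the XML namespace) and compares it with the newest version the target Dependency-Track release accepts. This is an added example, not Dependency-Track or syft code; the sample BOMs and the "1.4" ceiling used for a pre-4.9 server are constructed assumptions.

```python
import json
import re
import xml.etree.ElementTree as ET

# CycloneDX XML carries the schema version in the root namespace,
# e.g. http://cyclonedx.org/schema/bom/1.5; JSON carries "specVersion".
_XML_NS_RE = re.compile(r"^\{http://cyclonedx\.org/schema/bom/(\d+\.\d+)\}bom$")


def bom_spec_version(payload: bytes) -> str:
    """Return the CycloneDX schema version declared by a JSON or XML BOM."""
    text = payload.lstrip()
    if text.startswith(b"{"):
        doc = json.loads(text)
        if doc.get("bomFormat") != "CycloneDX" or "specVersion" not in doc:
            raise ValueError("not a CycloneDX JSON BOM")
        return str(doc["specVersion"])
    root = ET.fromstring(text)
    match = _XML_NS_RE.match(root.tag)
    if not match:
        raise ValueError("not a CycloneDX XML BOM")
    return match.group(1)


def _vtuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def is_accepted(spec_version: str, max_supported: str) -> bool:
    """True if the BOM's schema version is no newer than the server's ceiling."""
    return _vtuple(spec_version) <= _vtuple(max_supported)


# Constructed sample BOMs (not real syft output), one per serialisation.
JSON_BOM_15 = b'{"bomFormat":"CycloneDX","specVersion":"1.5","version":1,"components":[]}'
XML_BOM_14 = (b'<?xml version="1.0"?>'
              b'<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1"></bom>')

if __name__ == "__main__":
    # Assumption: a server that accepts schemas up to 1.4 (Dependency-Track before 4.9).
    ceiling = "1.4"
    for name, blob in (("json-1.5", JSON_BOM_15), ("xml-1.4", XML_BOM_14)):
        version = bom_spec_version(blob)
        print(f"{name}: specVersion={version} accepted={is_accepted(version, ceiling)}")
```

A BOM that fails this check would be silently dropped by an older server, so fail the pipeline here rather than after upload.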