
Uploading same SBOM to a different project in Dependency Track fails

Open alternaivan opened this issue 1 year ago • 2 comments

Current Behavior

Hello,

This is the setup we are currently using.

We have an application SBOM that we're trying to upload to two different projects on Dependency-Track with the same version, e.g. SNAPSHOT. Publishing the SBOM of application:SNAPSHOT works as expected on PROJECT1:SNAPSHOT, but when we try to upload the same application:SNAPSHOT to PROJECT2:SNAPSHOT, the upload doesn't fail, but the application that gets updated is the one in the PROJECT1:SNAPSHOT directory.

We are using curl to upload the same SBOM to two different projects with the same version.

Regards, Marjan

Steps to Reproduce

  1. Generate an application SBOM with version SNAPSHOT
  2. Create project1 with version SNAPSHOT on Dependency-Track
  3. Create project2 with version SNAPSHOT on Dependency-Track
  4. Upload the application SBOM to project1:SNAPSHOT
  5. Check the changes
  6. Upload the application SBOM to project2:SNAPSHOT
  7. Check the changes

Expected Behavior

Both project1 and project2 should contain application:SNAPSHOT.

Dependency-Track Version

4.10.1

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Mozilla Firefox

alternaivan avatar Jan 22 '24 12:01 alternaivan

Can you share the curl commands you're using? This is a very basic use case of DT and I am not able to reproduce the defect you're describing. I suspect there's something off with how the BOMs are being uploaded.

nscuro avatar Feb 04 '24 16:02 nscuro

Hi @nscuro,

Thanks for the reply! Sorry for not posting the curl I've been using. Here is the example:

```shell
# Multipart upload of one BOM; the target project is selected by projectName/projectVersion,
# auto-created under the root-project:SNAPSHOT parent if it does not exist yet.
curl -v -X "POST" "${DT_API_URL}/api/v1/bom" \
    -H "Content-Type: multipart/form-data" \
    -H "X-Api-Key: ${DT_API_KEY}" \
    -F "autoCreate=true" \
    -F "projectName=test-project-name" \
    -F "projectVersion=SNAPSHOT" \
    -F "parentName=root-project" \
    -F "parentVersion=SNAPSHOT" \
    -F "bom=@${file_path}"
```

I hope this helps. Let me know if you need more information.

Regards, Marjan

alternaivan avatar Feb 05 '24 07:02 alternaivan
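To separate an upload-side mistake from a server-side bug, the script below (an added example, not code from the Dependency-Track project or from either participant in this thread) sends the same BOM bytes to several projects, waits for each processing token, and then reads back each project's component list through the REST API, so a mix-up between projects shows up immediately. It assumes the Dependency-Track 4.x endpoints named in its docstring; the `transport` hook, the `root-project` parent, the `SAMPLE_BOM` content and the file name `bom.json` are assumptions of the example, not anything from the issue.

```python
"""Upload one CycloneDX SBOM to several Dependency-Track projects and check,
per project, which components ended up there.

Added example (not the Dependency-Track project's code nor the issue author's).
Assumed API surface, as documented for Dependency-Track 4.x:
  POST /api/v1/bom (multipart: autoCreate, projectName, projectVersion,
                     parentName, parentVersion, bom)       -> {"token": "..."}
  GET  /api/v1/bom/token/{token}                           -> {"processing": bool}
  GET  /api/v1/project/lookup?name=&version=               -> project with "uuid"
  GET  /api/v1/component/project/{uuid}                    -> list of components
The `transport` hook is an assumption of this example so the flow can run offline.
"""
import json
import os
import sys
import time
import urllib.error
import urllib.parse
import urllib.request
import uuid

# Constructed minimal CycloneDX BOM whose metadata component is application:SNAPSHOT,
# mirroring the issue. The upload target is chosen by projectName/projectVersion,
# not by this metadata, so the same bytes can be sent to several projects.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {"component": {"type": "application", "name": "application", "version": "SNAPSHOT"}},
    "components": [{"type": "library", "name": "example-lib", "version": "1.0.0"}],
}).encode()


def encode_multipart(fields, file_field, filename, file_bytes, boundary=None):
    """Build a multipart/form-data body by hand (what curl -F does for you)."""
    boundary = boundary or uuid.uuid4().hex
    lines = []
    for name, value in fields.items():
        lines += [f"--{boundary}", f'Content-Disposition: form-data; name="{name}"', "", str(value)]
    lines += [f"--{boundary}",
              f'Content-Disposition: form-data; name="{file_field}"; filename="{filename}"',
              "Content-Type: application/json", ""]
    body = "\r\n".join(lines).encode() + b"\r\n" + file_bytes + f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", body


class DTClient:
    def __init__(self, base_url, api_key, transport=None):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key
        # transport(method, url, headers, body) -> (status, raw_bytes); injectable for tests
        self.transport = transport or self._urllib_transport

    @staticmethod
    def _urllib_transport(method, url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        try:
            with urllib.request.urlopen(req, timeout=60) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()

    def _call(self, method, path, body=None, content_type=None):
        headers = {"X-Api-Key": self.api_key, "Accept": "application/json"}
        if content_type:
            headers["Content-Type"] = content_type
        status, raw = self.transport(method, self.base_url + path, headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {raw[:200]!r}")
        return json.loads(raw) if raw else None

    def upload_bom(self, name, version, bom_bytes, parent=None):
        """POST the BOM and return the processing token; `parent` is (name, version) or None."""
        fields = {"autoCreate": "true", "projectName": name, "projectVersion": version}
        if parent:
            fields["parentName"], fields["parentVersion"] = parent
        ctype, body = encode_multipart(fields, "bom", "bom.json", bom_bytes)
        return self._call("POST", "/api/v1/bom", body, ctype)["token"]

    def wait_for_token(self, token, timeout=120, poll=2):
        """Block until the server reports the BOM as processed; False on timeout."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            if not self._call("GET", f"/api/v1/bom/token/{token}")["processing"]:
                return True
            time.sleep(poll)
        return False

    def lookup_project(self, name, version):
        query = urllib.parse.urlencode({"name": name, "version": version})
        return self._call("GET", f"/api/v1/project/lookup?{query}")

    def component_names(self, project_uuid):
        # Assumption: one page suffices; walk pageNumber/pageSize for very large projects.
        comps = self._call("GET", f"/api/v1/component/project/{project_uuid}?pageSize=1000") or []
        return sorted(f"{c['name']}:{c.get('version', '')}" for c in comps)


def upload_to_all(client, bom_bytes, targets, parent=None):
    """Upload the same BOM bytes to every (name, version) target and return
    {"name:version": [component names]} so a mix-up between projects is visible."""
    report = {}
    for name, version in targets:
        token = client.upload_bom(name, version, bom_bytes, parent)
        if not client.wait_for_token(token):
            raise TimeoutError(f"BOM for {name}:{version} still processing")
        project = client.lookup_project(name, version)
        report[f"{name}:{version}"] = client.component_names(project["uuid"])
    return report


if __name__ == "__main__":
    # Usage: DT_API_URL=https://dt.example DT_API_KEY=... python dt_multi_upload.py bom.json project1 project2
    client = DTClient(os.environ["DT_API_URL"], os.environ["DT_API_KEY"])
    with open(sys.argv[1], "rb") as fh:
        bom = fh.read()
    targets = [(name, "SNAPSHOT") for name in sys.argv[2:]]
    for proj, comps in upload_to_all(client, bom, targets, parent=("root-project", "SNAPSHOT")).items():
        print(proj, len(comps), "components:", ", ".join(comps[:5]))
```

The API key used here needs more than the upload permission: under the Dependency-Track 4.x permission model, `BOM_UPLOAD` (plus `PROJECT_CREATION_UPLOAD` when `autoCreate=true`) covers the POST, and reading the project and its components back requires `VIEW_PORTFOLIO`. If the report shows both targets with identical component lists but one of them was expected to be empty, the server side is at fault; if only the first target ever receives components, compare the `projectName`/`projectVersion` actually sent in each request before filing it as a bug.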