
SBOM import does not perform License Resolution like it is done when updates are done via the API

Open flemminglau opened this issue 1 year ago • 1 comment

Current Behavior

When uploading an SBOM containing an SPDX-compliant license ID in the name field, like:

license: [
  name: "GPL-3.0-or-later"
]

DT does not recognize and resolve the license. It remains an unrecognized text value.

If I instead perform an update of the license via the API and submit an identical value as the "licenseid:" in the call, DT will resolve the license and treat it as a known SPDX ID license value capable of triggering Policy Violations.

Steps to Reproduce

Upload an SBOM file containing a license section for one of the components like:

license: [
  name: "GPL-3.0-or-later"
]

Go to the UI and see that the value "GPL-3.0-or-later" is shown in white indicating that it is not recognized.

Perform an API call updating the same component record in DT setting the value to what it already was.

Check the UI and see that DT now recognized the license as being one of the known SPDX licenses.

Expected Behavior

DT should recognize known SPDX license IDs provided in the name: field of the SBOM component.license[]. Preferably it should even be able to match a set of common synonyms (like "GPLv3+").

Dependency-Track Version

4.9.x

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

flemminglau avatar Feb 02 '24 16:02 flemminglau

I probably have the same issue right now:

jq '.components[] | select(.name=="wheel")' < sbom
{
  "bom-ref": "pkg:pypi/wheel@0.42.0?file_path=usr%2Flocal%2Flib%2Fpython3.10%2Fsite-packages%2Fwheel-0.42.0.dist-info%2FMETADATA",
  "type": "library",
  "name": "wheel",
  "version": "0.42.0",
  "licenses": [
    {
      "license": {
        "name": "MIT License"
      }
    }
  ],
  "purl": "pkg:pypi/wheel@0.42.0",
  "properties": [
    {
      "name": "aquasecurity:trivy:FilePath",
      "value": "usr/local/lib/python3.10/site-packages/wheel-0.42.0.dist-info/METADATA"
    },
    {
      "name": "aquasecurity:trivy:LayerDiffID",
      "value": "sha256:958f0e58cf396e432f859cdc02efe1b08fa059cd660b38f425b89213c7e06608"
    },
    {
      "name": "aquasecurity:trivy:PkgType",
      "value": "python-pkg"
    }
  ]
}

The component gets imported with no license information at all.

DT v4.10.1 + postgres 16

black-snow avatar Feb 09 '24 20:02 black-snow
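As an added illustration of the resolution this issue asks for (example code, not Dependency-Track's own implementation): a small Python pass over a CycloneDX JSON document that maps free-text license names, such as the "GPL-3.0-or-later" and "MIT License" values quoted above, to SPDX IDs and flags the ones that would stay opaque text. The SPDX subset, the synonym table and the sample SBOM are constructed for the example.

```python
import json
import re

# Subset of SPDX license IDs, constructed for this example (the full list is
# published at https://spdx.org/licenses/); keyed lowercase for case-insensitive lookup.
SPDX_IDS = ["MIT", "Apache-2.0", "GPL-3.0-only", "GPL-3.0-or-later", "BSD-3-Clause"]
SPDX_BY_KEY = {lid.lower(): lid for lid in SPDX_IDS}

# Common non-SPDX spellings seen in SBOM "name" fields, mapped to SPDX IDs (constructed).
SYNONYMS = {
    "gplv3+": "GPL-3.0-or-later",
    "gplv3": "GPL-3.0-only",
    "mit license": "MIT",
    "apache license 2.0": "Apache-2.0",
}

def resolve_spdx_id(name):
    """Map a free-text license name to an SPDX ID, or return None if unrecognized."""
    key = re.sub(r"\s+", " ", name).strip().lower()
    if key in SPDX_BY_KEY:          # an exact SPDX ID placed in the name field
        return SPDX_BY_KEY[key]
    if key in SYNONYMS:             # a known informal spelling
        return SYNONYMS[key]
    if key.endswith("+") and key[:-1] + "-or-later" in SPDX_BY_KEY:
        return SPDX_BY_KEY[key[:-1] + "-or-later"]   # deprecated "GPL-3.0+" form
    return None

def audit_sbom_licenses(sbom_json):
    """Return {component name: [(license text, SPDX ID or None), ...]}; None marks a
    license that would remain an unrecognized text value and could not trigger an
    SPDX-based policy rule."""
    report = {}
    for comp in json.loads(sbom_json).get("components", []):
        entries = []
        for item in comp.get("licenses", []):
            lic = item.get("license", {})
            if "id" in lic:                     # already an SPDX ID, nothing to resolve
                entries.append((lic["id"], lic["id"]))
            elif "name" in lic:
                entries.append((lic["name"], resolve_spdx_id(lic["name"])))
        report[comp["name"]] = entries
    return report

# Constructed CycloneDX fragment modelled on the components discussed in this issue.
SAMPLE_SBOM = json.dumps({"components": [
    {"name": "wheel", "version": "0.42.0", "licenses": [{"license": {"name": "MIT License"}}]},
    {"name": "libfoo", "version": "1.0", "licenses": [{"license": {"name": "GPL-3.0-or-later"}}]},
    {"name": "libbar", "version": "2.1", "licenses": [{"license": {"name": "GPLv3+"}}]},
    {"name": "libbaz", "version": "0.1", "licenses": [{"license": {"name": "Vendor EULA"}}]},
]})
```

Running `audit_sbom_licenses(SAMPLE_SBOM)` resolves the first three components and leaves "Vendor EULA" as None, which is the case a policy check should surface rather than silently skip.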

Hi! I have created a PR addressing this issue: https://github.com/DependencyTrack/dependency-track/pull/3555

aravindparappil46 avatar Mar 16 '24 05:03 aravindparappil46

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

github-actions[bot] avatar Apr 16 '24 10:04 github-actions[bot]