Use cpe and/or purl from cyclonedx metadata.component to set project cpe and/or purl.
Current Behavior
When importing an SBOM that defines a CPE and/or PURL for the metadata.component, these fields are not populated for the project created. Other properties of the metadata.component have been fixed in the past, see e.g. https://github.com/DependencyTrack/dependency-track/pull/3179
Steps to Reproduce
- Import an SBOM with a metadata.component.cpe entry
- Review the project information - it's missing the data for the CPE field.
Expected Behavior
Imported project also populates CPE and PURL fields if present in the metadata.component.cpe/purl
Dependency-Track Version
4.10.0
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
No response
Browser
Google Chrome
Checklist
- [X] I have read and understand the contributing guidelines
- [X] I have checked the existing issues for whether this defect was already reported
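As an added check (not part of the issue or of the Dependency-Track code base), this Python snippet extracts the metadata.component fields a correct import should copy onto the project and reports which of them an imported project record is missing; the SBOM and the project record are constructed samples.

```python
import json

# Constructed CycloneDX 1.4 SBOM (not taken from the issue) whose
# metadata.component carries both a CPE and a PURL for the application.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {
    "component": {
      "type": "application",
      "name": "example-app",
      "version": "1.2.3",
      "cpe": "cpe:2.3:a:example:example-app:1.2.3:*:*:*:*:*:*:*",
      "purl": "pkg:maven/com.example/example-app@1.2.3"
    }
  },
  "components": []
}
"""

# metadata.component fields that should end up on the Dependency-Track project.
PROJECT_FIELDS = ("name", "version", "cpe", "purl")


def expected_project_fields(sbom_text):
    """Return the project fields a correct import should set from metadata.component.

    Missing keys (no metadata, no component, no cpe/purl) yield None instead of
    raising, because all of them are optional in CycloneDX.
    """
    sbom = json.loads(sbom_text)
    component = (sbom.get("metadata") or {}).get("component") or {}
    return {field: component.get(field) for field in PROJECT_FIELDS}


def find_unpopulated(sbom_text, project):
    """Compare an imported project record (e.g. the project JSON returned by the
    Dependency-Track REST API) with the SBOM; return the fields the import dropped."""
    expected = expected_project_fields(sbom_text)
    return sorted(field for field, value in expected.items()
                  if value is not None and project.get(field) != value)


# Constructed project record resembling what the issue reports for 4.10.0:
# name and version were applied, cpe and purl were never set.
PROJECT_BEFORE_FIX = {"name": "example-app", "version": "1.2.3"}

if __name__ == "__main__":
    print(find_unpopulated(SBOM_JSON, PROJECT_BEFORE_FIX))  # ['cpe', 'purl']
```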
Already addressed in BomUploadProcessingTaskV2, which ships with DT v4.11:
https://github.com/DependencyTrack/dependency-track/blob/3efdd24570f16fc6bfb168795e66227cb8fece78/src/main/java/org/dependencytrack/tasks/BomUploadProcessingTaskV2.java#L339-L355
But not in the legacy BomUploadProcessingTask:
https://github.com/DependencyTrack/dependency-track/blob/3efdd24570f16fc6bfb168795e66227cb8fece78/src/main/java/org/dependencytrack/tasks/BomUploadProcessingTask.java#L115-L155
Legacy BomUploadProcessingTask was dropped for v4.12. No further change necessary.