dependency-track icon indicating copy to clipboard operation
dependency-track copied to clipboard
verified publisher icon DependencyTrack

Schema validation error when importing SBOMs that were exported by DT itself

Open malice00 opened this issue 1 year ago • 5 comments

Current Behavior

When exporting an SBOM for a project and then trying to import it again, DT gives an exception that the Schema validation failed.

Steps to Reproduce

  1. Select a project
  2. Go to the components tab
  3. Click 'Download BOM' -- both 'Inventory' and 'Inventory with Vulnerabilities' trigger the problem
  4. Click 'Upload BOM' and select the just saved JSON

Expected Behavior

The BOM should be imported without problems.

Dependency-Track Version

4.11.4

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

14.9

Browser

Mozilla Firefox

Checklist

malice00 avatar Jun 30 '24 09:06 malice00

Can you share the error messages you're getting for the upload requests? The response body will list the things it found to be wrong.

Our tests of the export functionality do validate the generated BOMs, but of course it all comes down to the data being exported. Knowing what failed would help to reproduce and fix.

nscuro avatar Jun 30 '24 10:06 nscuro

There is nothing in the logs (at least not the ones I have access to), but I was able to get the response by manually executing a POST. Hope this helps...

response_1719748385096.json

malice00 avatar Jun 30 '24 11:06 malice00

That does help, it all seems to be license related. Thanks for providing the sample!

nscuro avatar Jun 30 '24 11:06 nscuro

I figured it out! We have added some licenses and set those on components. The export does add these in the SBOM, but the import apparently only validates against the official licenses, which causes this exception!

malice00 avatar Jun 30 '24 12:06 malice00

Yeah I think we need to populate the license.name field rather than license.id for custom licenses. Since the CycloneDX schema strictly requires valid SPDX license IDs in the license.id field.

We already match license.name against custom licenses when importing BOMs, so everything should just continue to work if we make this small change.

nscuro avatar Jun 30 '24 12:06 nscuro

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

github-actions[bot] avatar Aug 08 '24 10:08 github-actions[bot]