
Invalid SWID tag when downloading BOM from DependencyTrack

Open. savek-cc opened this issue 1 year ago • 1 comment

Current Behavior

Generate an SBOM of a docker image using syft:

```shell
syft packages mcr.microsoft.com/oss/kubernetes-csi/csi-resizer:v.1.1.0 -o cyclonedx-json > test.json
```

This will result in an SBOM with the following component part:

syft.sbom.json

```json
{
  "type": "operating-system",
  "name": "debian",
  "version": "9",
  "description": "Distroless",
  "swid": {
    "tagId": "debian",
    "name": "debian",
    "version": "9"
  },
  ...
}
```

When importing this SBOM into DependencyTrack, all is fine. When then exporting the list of components as BOM, this section gets reduced to

6c94b437-6286-4b0e-b665-fafaa2927fb3-inventory.cdx.json

```json
{
  "type" : "operating-system",
  "bom-ref" : "f517364f-b269-489f-8c8b-369b9638f2c1",
  "name" : "debian",
  "version" : "9",
  "description" : "Distroless",
  "swid" : {
    "tagId" : "debian"
  },
  ...
}
```

Note the missing "name" and "version" in the SWID entry. This also violates the CycloneDX specification, as checked using https://cyclonedx.github.io/cyclonedx-web-tool/validate, which reports:

```
Validation failed: Required properties ["name"] were not present
#/properties/components/items/$ref/properties/swid/$ref/required
On instance: #/components/1/swid: { "tagId" : "debian" }
```

Steps to Reproduce

Expected Behavior

DependencyTrack should not remove required information from SWID tags and not create invalid CycloneDX SBOMs.

Dependency-Track Version

4.11.4

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

Checklist

savek-cc Jul 01 '24 13:07
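A small check for the round-trip loss described above, added here as an example and not part of the issue or of Dependency-Track's own code: it validates every `swid` object in a CycloneDX JSON document against the two properties the schema requires (`tagId` and `name`) and reports which `swid` keys were present in the imported BOM but are gone from the exported one. The two component dicts are constructed from the snippets in the issue; in a real BOM the debian component may sit at a different index than 0.

```python
# Constructed sample data: the syft-generated component as imported into Dependency-Track...
SYFT_BOM = {"components": [{
    "type": "operating-system", "name": "debian", "version": "9",
    "description": "Distroless",
    "swid": {"tagId": "debian", "name": "debian", "version": "9"},
}]}
# ...and the same component as Dependency-Track re-exports it (swid name/version gone).
DT_EXPORT = {"components": [{
    "type": "operating-system", "bom-ref": "f517364f-b269-489f-8c8b-369b9638f2c1",
    "name": "debian", "version": "9", "description": "Distroless",
    "swid": {"tagId": "debian"},
}]}

SWID_REQUIRED = ("tagId", "name")  # required properties in the CycloneDX swid schema


def _key(c):
    """Identity used to match a component across import/export: (type, name, version)."""
    return (c.get("type"), c.get("name"), c.get("version"))


def swid_schema_errors(bom):
    """One message per component whose swid object lacks a schema-required property."""
    errors = []
    for i, c in enumerate(bom.get("components", [])):
        swid = c.get("swid")
        if swid is None:
            continue  # swid is optional on a component; only validate it when present
        missing = [k for k in SWID_REQUIRED if k not in swid]
        if missing:
            errors.append(f"#/components/{i}/swid: missing required {missing}")
    return errors


def swid_roundtrip_loss(original, exported):
    """Map component identity -> swid keys present before import but absent after export."""
    exported_by_key = {_key(c): c for c in exported.get("components", [])}
    lost = {}
    for c in original.get("components", []):
        before = set(c.get("swid") or {})
        after = set(exported_by_key.get(_key(c), {}).get("swid") or {})
        dropped = sorted(before - after)
        if dropped:
            lost[_key(c)] = dropped
    return lost


if __name__ == "__main__":
    print(swid_schema_errors(DT_EXPORT))       # flags the exported debian swid
    print(swid_roundtrip_loss(SYFT_BOM, DT_EXPORT))  # lists the dropped keys
```

To run it against real files, load the syft output and the Dependency-Track export with `json.load` and pass the two dicts in place of the constructed samples.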

Hmmm... DT has historically only stored the SWID Tag ID, but not the name.

It does seem like name has been a required property since forever, so not sure why DT doesn't retain it. We'll need to start storing the tag name in order to fix this.

nscuro Jul 02 '24 10:07

I had to add the name manually. It is a workaround! Do you plan to fix it? According to the specification, the name is mandatory.

rsareth Feb 27 '25 16:02