DT resets some (but not all) of my updated components
Current Behavior
Some of the components in our projects don't have their license set, so we set those manually to fulfil our company's policies. However, after running another import, the licenses in some of our components get reset, whereas others are not. We are not sure if this happens to other fields as well, since we only set the license. We do see that if it happens, it always happens to the same components!
We can also say this happens with licenses from the 'official' SPDX list (so no manual licenses, but I can't say this might not also be affected by this issue) --> in our case it's a couple of MITs and Apache-2.0s.
Steps to Reproduce
I hope the problem is actually reproducible and not happening (partially) randomly:
- Upload this SBOM
- Edit the licenses for (in our case):
  - is-invalid-path 0.1.0
  - is-valid-path 0.1.1
  - requireg 0.2.2
  - valid-url 1.0.9
- We wait for DT to actually show these changes in the policies (we need to wait till the next day, can this be somehow forced?)
- Check that the licenses are still there
- Upload the SBOM again
- Check that the licenses are not set anymore (this runs during the night, so we are not sure if this is instant or not -- haven't been able to test this 'live')
Expected Behavior
Our components keep the changes that are made and our policies are therefore not violated.
Dependency-Track Version
4.11.4
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
14.9
Browser
Mozilla Firefox
Checklist
- [X] I have read and understand the contributing guidelines
- [X] I have checked the existing issues for whether this defect was already reported
We face a similar issue in our case, as I described on the closed (duplicate) issue #3950.
Some more testing shows that it happens to all components. Checking our update logs, I feel this might have started happening after the update to 4.11.x...
I thought I noticed a difference after updating to 4.11.6 (spoiler: nothing changed), so I did some more digging into this. I found some very weird things -- maybe they are 'correct' and known by the devs, but I just found them strange and confusing...
In the project I used for testing, I generate an SBOM (with @cyclonedx/cdxgen for Gradle -- not sure if that matters, but I thought I mention it to be safe) which contains a block like this:
```json
"licenses" : [
  {
    "expression" : "Android Software Development Kit License"
  }
]
```
When I change this license in DT to our own mapping for this license, the expression gets deleted and in the exported SBOM it is transformed to this:
```json
"licenses" : [
  {
    "license" : {
      "name" : "Android Software Development Kit License"
    }
  }
]
```
Now, a new import of the original SBOM adds the expression, and in the UI the license is still actually there (aka both the license and expression fields are filled). When I export the SBOM again however, only the expression is now exported, therefore an import on another DT instance doesn't get the license set...
Now, I found that all components that have an expression in their SBOM that were updated in DT remain correct after a new import. Components that had NO license information or the license block (ID / name) are reset to what is in the SBOM.
I would like to mention that I only tested the changing of license information, since this is the only thing that we would like to change in our components.
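To make the observation above checkable, here is an added example (not code from this issue or from Dependency-Track) that works directly on CycloneDX JSON exports: it classifies each component's `licenses` entries as `expression`, `id` or `name` (the three forms shown in this thread), lists the components whose licenses are not carried as an expression (the ones the comment above reports being reset on re-import), and diffs two exports taken before and after a re-upload so you can see which components lost their manually set license. The two SBOM fragments are constructed sample data, the component `sdk-tools` is a made-up name, and the "at risk" rule is the heuristic from this thread, not documented DT behaviour.

```python
"""Classify CycloneDX JSON license entries and diff two SBOM exports.

Added example, not Dependency-Track code.  A CycloneDX 'licenses' entry is
either {"expression": "..."} or {"license": {"id": "..."}} /
{"license": {"name": "..."}}; this script only relies on that shape.
"""


def license_entries(component):
    """Return (form, value) pairs for one component's 'licenses' array."""
    out = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            out.append(("expression", entry["expression"]))
        elif "license" in entry:
            lic = entry["license"]
            if "id" in lic:
                out.append(("id", lic["id"]))
            elif "name" in lic:
                out.append(("name", lic["name"]))
    return out


def component_key(component):
    """name@version, the way the issue lists affected components."""
    return f"{component.get('name')}@{component.get('version', '')}"


def summarize_licenses(sbom):
    """Map every component to its classified license entries."""
    return {component_key(c): license_entries(c) for c in sbom.get("components", [])}


def at_risk(sbom):
    """Components whose license is NOT carried as an expression.

    Heuristic taken from this thread: expression-bearing components kept
    manual edits across a re-import, everything else was reset to the SBOM.
    """
    return sorted(
        key for key, entries in summarize_licenses(sbom).items()
        if not any(form == "expression" for form, _ in entries)
    )


def diff_licenses(before, after):
    """Components whose license entries differ between two exports."""
    b, a = summarize_licenses(before), summarize_licenses(after)
    return {
        key: (b.get(key, []), a.get(key, []))
        for key in sorted(set(b) | set(a))
        if b.get(key, []) != a.get(key, [])
    }


# Constructed sample: export after manually setting is-valid-path to MIT ...
EXPORT_BEFORE = {
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "is-valid-path", "version": "0.1.1",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "requireg", "version": "0.2.2"},               # no license info
        {"name": "sdk-tools", "version": "1.0.0",               # made-up name
         "licenses": [{"expression": "Android Software Development Kit License"}]},
    ],
}

# ... and the export after re-uploading the original SBOM: the manual MIT is gone.
EXPORT_AFTER = {
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "is-valid-path", "version": "0.1.1", "licenses": []},
        {"name": "requireg", "version": "0.2.2"},
        {"name": "sdk-tools", "version": "1.0.0",
         "licenses": [{"expression": "Android Software Development Kit License"}]},
    ],
}


if __name__ == "__main__":
    print("at risk of reset:", at_risk(EXPORT_BEFORE))
    for key, (old, new) in diff_licenses(EXPORT_BEFORE, EXPORT_AFTER).items():
        print(f"{key}: {old} -> {new}")
```

Run it against two real exports by loading them with `json.load` and passing the dicts to `diff_licenses`; an empty diff after a re-upload means the licenses survived, which is the check step in the reproduction list above.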
Experiencing the same issue. Notes added remain correct, but if you specify a different license then the next evaluation overwrites this information.
I'm also struggling with this issue, every consecutive BOM upload overrides the license data. If this behavior is somehow intended by the devs I think this might be resolved by adding a parameter/switch to the API endpoint: /v1/bom (PUT and POST), let's say: OverrideLicenseData (boolean) that would default to FALSE (which is expected behavior by me and the author of this issue) and if needed someone can set it to TRUE, and have a "clean" BOM upload each time.
I think I am also experiencing a similar/identical behaviour. (v4.9.1)
In my case I have an SBOM containing no license for one module. So I amend the data via the API to license.name holding for instance "(BSD-2-clause AND BSD-3-clause AND BSD-4-clause AND GPL-2 AND GPL-2+ AND GPL-3+ AND LGPL AND LGPL-2+ AND LGPL-2.1+ AND LGPL-3+ AND MIT)".
I can do an upload via the UI of the original SBOM and the license.name does not change.
However if I run the Jenkins plugin the above is interpreted and I end up with only license.id = "MIT".
For another module I have license.name="(Artistic-2.0 AND GPL-2+ AND ISC AND Paul-Vixie's-license)" until I run the Jenkins plugin uploading no new license information, but as a result I get license.name="(Artistic-2.0".
It seems quite random and not very useful.