
Affected project in mail-notification doesn't show name

Open malice00 opened this issue 1 year ago • 3 comments

Current Behavior

When DT sends a mail about vulnerable dependencies or new vulnerabilities, all references to this project use the purl of the root component instead of the actual project name. This is especially frustrating when this component is not unique -- in our react native apps, the gradle configuration is generated and does not contain a version, so every upload uses the 'same' component even if in DT they are configured as different projects. The annoying thing is that the list of other affected projects actually do show the project name!

Steps to Reproduce

  1. Create a project
  2. Set up a mail notification
  3. Upload an SBOM
  4. Wait for the mail

Expected Behavior

We expect the mail to contain the actual name configured in DT to show in both the subject and the mail body.

Dependency-Track Version

4.11.5

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

14.9

Browser

Mozilla Firefox

malice00 avatar Jul 15 '24 11:07 malice00

Update: it seems this does not happen to all projects... It seems like it happens on projects where a new BOM is uploaded -- older projects seem to work correctly. Might be a regression in 4.11.4/5? The older projects were created with at least 4.11.3, not sure if we were already on 4.11.4 though...

malice00 avatar Jul 16 '24 18:07 malice00

Found it! It's caused by the BOM Processing V2! When I turn it off, the mails correctly contain the actual name of the project again. All projects imported with V2 on however, are still broken -- I guess something is saved differently in the database? Unfortunately I currently have no direct access to the db to verify.

malice00 avatar Jul 16 '24 18:07 malice00

@malice00, thanks for reporting the problem and then digging deeper to identify the culprit.

I have assigned this to the 4.12 milestone because it is important that such defects be addressed before BOM Processing V2 makes the switch from being "Experimental".

As an FYI, #3880 was another notification issue that only occurred when BOM Processing V2 was enabled... a defect now fixed in v4.11.5

msymons avatar Jul 17 '24 12:07 msymons

The issue seems to be that BOM Processing V2 populates the purl field of a project during BOM import, based on metadata.component.purl in the BOM. Which is something that should have been done since forever, but the legacy BOM processing implementation didn't do it.

Now, with that in mind, looking at the toString implementation of the Project class:

https://github.com/DependencyTrack/dependency-track/blob/caaeb53ddf62af2dea6c7e2096ee54e291c14c30/src/main/java/org/dependencytrack/model/Project.java#L573-L588

... shows that it will be shown as its PURL, if purl is set. Which in your case it is.

Following this trail, the affected projects in the email template end up calling the above toString implementation:

https://github.com/DependencyTrack/dependency-track/blob/caaeb53ddf62af2dea6c7e2096ee54e291c14c30/src/main/resources/templates/notification/publisher/email.peb#L23

So, this is not really a bug, since it would have happened (I assume intentionally) before, if your projects had the purl field populated.

That said, this should be an easy fix. And I agree, showing a PURL here makes no sense.

nscuro avatar Aug 31 '24 21:08 nscuro
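To make the mechanism described above concrete, here is a small added illustration; it is not Dependency-Track's own code and the `Project` stand-in, its `toString` body and the two labelling helpers are assumptions modelled on the comment, not the real class linked above. It shows why two projects that share a generated, versionless purl become indistinguishable in a notification rendered through `toString`, and why labelling by the configured project name keeps them apart (which matters for triage: a vulnerability alert that cannot be mapped to one project is easy to misroute or ignore).

```java
// Added example, not code from the Dependency-Track repository.
// The Project stand-in and its toString body are assumptions based on the
// thread: a populated purl is rendered instead of the project name.
import java.util.Objects;

public class ProjectLabelExample {

    /** Minimal stand-in for the real Project model (assumed shape). */
    static final class Project {
        final String name;
        final String version;
        final String purl; // BOM Processing V2 fills this from metadata.component.purl

        Project(String name, String version, String purl) {
            this.name = name;
            this.version = version;
            this.purl = purl;
        }

        /** Mirrors the behaviour described in the thread: purl wins when set. */
        @Override
        public String toString() {
            if (purl != null) {
                return purl;
            }
            return version != null ? name + " : " + version : name;
        }
    }

    /** What a template sees when it renders the project object directly. */
    static String labelViaToString(Project p) {
        return p.toString();
    }

    /** Defensive alternative: always label by the name configured in DT. */
    static String labelByName(Project p) {
        Objects.requireNonNull(p.name, "project name must be set");
        return p.version != null ? p.name + " : " + p.version : p.name;
    }

    public static void main(String[] args) {
        // Constructed sample data: two apps whose generated build config yields
        // the same versionless purl, plus one project imported without a purl.
        Project appA = new Project("Mobile App A", "2.3.0", "pkg:maven/com.example/app");
        Project appB = new Project("Mobile App B", "1.0.0", "pkg:maven/com.example/app");
        Project legacy = new Project("Legacy Service", "4.1", null);

        for (Project p : new Project[] {appA, appB, legacy}) {
            System.out.println("toString -> " + labelViaToString(p)
                    + " | byName -> " + labelByName(p));
        }
    }
}
```

Running it shows `labelViaToString` producing the identical purl string for both mobile apps while `labelByName` yields two distinct labels; the legacy project, with no purl, reads the same either way, which matches the observation that older imports were unaffected.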

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

github-actions[bot] avatar Oct 01 '24 10:10 github-actions[bot]