Fail to upload SBOM after 4.12.0 upgrade
Current Behavior
When uploading an SBOM to one of our projects the SBOM will fail to upload with the below logs. Nothing is reported to the UI.
```
2024-10-16 16:36:53,276 [] INFO [org.dependencytrack.tasks.BomUploadProcessingTask] Consuming uploaded BOM [bomSerialNumber=3aee0b40-098c-4c70-bbbb-93bb7d684259, bomFormat=CycloneDX, bomUploadToken=4aeb18b3-f86e-4e85-8bad-e89e6973e32a, projectName=Testing, bomSpecVersion=1.4, projectUuid=0c114618-e0c8-4bec-81c3-e66088bfabcb, projectVersion=null, bomVersion=1]
2024-10-16 16:36:53,302 [] INFO [org.dependencytrack.tasks.BomUploadProcessingTask] Consumed 2137 components (2137 before de-duplication), 0 services (0 before de-duplication), and 385 dependency graph entries [bomSerialNumber=3aee0b40-098c-4c70-bbbb-93bb7d684259, bomFormat=CycloneDX, bomUploadToken=4aeb18b3-f86e-4e85-8bad-e89e6973e32a, projectName=Testing, bomSpecVersion=1.4, projectUuid=0c114618-e0c8-4bec-81c3-e66088bfabcb, projectVersion=null, bomVersion=1]
2024-10-16 16:36:53,308 [] INFO [org.dependencytrack.tasks.BomUploadProcessingTask] Processing 2137 components [bomSerialNumber=3aee0b40-098c-4c70-bbbb-93bb7d684259, bomFormat=CycloneDX, bomUploadToken=4aeb18b3-f86e-4e85-8bad-e89e6973e32a, projectName=Testing, bomSpecVersion=1.4, projectUuid=0c114618-e0c8-4bec-81c3-e66088bfabcb, projectVersion=null, bomVersion=1]
2024-10-16 16:36:54,876 [] ERROR [org.dependencytrack.tasks.BomUploadProcessingTask] Failed to process BOM [bomUploadToken=4aeb18b3-f86e-4e85-8bad-e89e6973e32a, projectName=Testing, projectUuid=0c114618-e0c8-4bec-81c3-e66088bfabcb, projectVersion=null]
javax.jdo.JDOUserException: Cannot read fields from a deleted object
    at org.datanucleus.api.jdo.state.PersistentDeleted.transitionReadField(PersistentDeleted.java:91)
    at org.datanucleus.state.StateManagerImpl.transitionReadField(StateManagerImpl.java:1114)
    at org.datanucleus.state.StateManagerImpl.isLoaded(StateManagerImpl.java:4139)
    at org.dependencytrack.model.ComponentProperty.dnGetgroupName(ComponentProperty.java)
    at org.dependencytrack.model.ComponentProperty.getGroupName(ComponentProperty.java:134)
    at org.dependencytrack.model.ComponentProperty$Identity.<init>(ComponentProperty.java:55)
    at org.dependencytrack.persistence.ComponentQueryManager.lambda$synchronizeComponentProperties$1(ComponentQueryManager.java:875)
    at java.base/java.util.stream.ReferencePipeline$2$1.accept(Unknown Source)
    at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(Unknown Source)
    at java.base/java.util.stream.AbstractPipeline.copyInto(Unknown Source)
    at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(Unknown Source)
    at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(Unknown Source)
    at java.base/java.util.stream.AbstractPipeline.evaluate(Unknown Source)
    at java.base/java.util.stream.ReferencePipeline.collect(Unknown Source)
    at org.dependencytrack.persistence.ComponentQueryManager.synchronizeComponentProperties(ComponentQueryManager.java:883)
    at org.dependencytrack.persistence.QueryManager.synchronizeComponentProperties(QueryManager.java:633)
    at org.dependencytrack.tasks.BomUploadProcessingTask.processComponents(BomUploadProcessingTask.java:440)
    at org.dependencytrack.tasks.BomUploadProcessingTask.lambda$processBom$0(BomUploadProcessingTask.java:282)
    at alpine.persistence.AbstractAlpineQueryManager.lambda$runInTransaction$6(AbstractAlpineQueryManager.java:564)
    at alpine.persistence.Transaction.call(Transaction.java:139)
    at alpine.persistence.AbstractAlpineQueryManager.callInTransaction(AbstractAlpineQueryManager.java:542)
    at alpine.persistence.AbstractAlpineQueryManager.runInTransaction(AbstractAlpineQueryManager.java:563)
    at alpine.persistence.AbstractAlpineQueryManager.runInTransaction(AbstractAlpineQueryManager.java:575)
    at org.dependencytrack.tasks.BomUploadProcessingTask.processBom(BomUploadProcessingTask.java:277)
    at org.dependencytrack.tasks.BomUploadProcessingTask.processEvent(BomUploadProcessingTask.java:176)
    at org.dependencytrack.tasks.BomUploadProcessingTask.inform(BomUploadProcessingTask.java:151)
    at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:110)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.base/java.lang.Thread.run(Unknown Source)
```
Steps to Reproduce
- Create new project
- Upload SBOM
- Upload newer version of SBOM (with minimal changes, just internal component version updates)
- Notice that the SBOM fails to upload in logs
Expected Behavior
The SBOM gets uploaded without errors.
Dependency-Track Version
4.12.0
Dependency-Track Distribution
Container Image
Database Server
Microsoft SQL Server
Database Server Version
No response
Browser
Google Chrome
Checklist
- [x] I have read and understand the contributing guidelines
- [x] I have checked the existing issues for whether this defect was already reported
Is this reproducible when creating a new project and (potentially repeatedly) uploading the BOM to it? Based on the code I'm unsure what could be causing this. Except perhaps concurrent BOM uploads to the same project, but I don't see that happening in the log snippet you shared.
If it is reproducible in a new project, are you able to share the BOM?
@nscuro I am able to reproduce it with a new project within the same Dependency Track instance. Using the same SBOMs I am not able to reproduce in a new instance of Dependency Track.
There are no concurrent uploads. After the upload (step 2), I wait until I see the Bom processing complete log message before trying step 3.
There are a lot of internal components (out of the 2100+); I'll see if I can strip those out and continue to reproduce.
I'm still working on removing the sensitive information and getting approval to upload it, but I was able to get the SBOM uploaded after removing all properties from every component.
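To make the workaround in the last comment repeatable while triaging, here is an added helper (not Dependency-Track code and not the reporter's tooling) that removes `properties` from every component of a CycloneDX JSON SBOM, including nested components, and reports how many entries it dropped so the stripped file can be re-uploaded to confirm the properties are the trigger. It assumes the SBOM is in CycloneDX JSON form; the sample BOM inside is constructed.

```python
import copy
import json

# Constructed sample CycloneDX 1.4 JSON SBOM (not the reporter's BOM): two
# top-level components, one of which nests another, with component properties.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {
            "type": "library", "name": "example-lib", "version": "1.0.0",
            "properties": [{"name": "internal:team", "value": "platform"}],
            "components": [
                {
                    "type": "library", "name": "nested-lib", "version": "2.0.0",
                    "properties": [{"name": "internal:owner", "value": "alice"}],
                }
            ],
        },
        {"type": "library", "name": "plain-lib", "version": "3.1.4"},
    ],
}


def strip_component_properties(bom):
    """Return (copy of bom with every component's 'properties' removed, stats).
    Walks nested 'components' arrays recursively; metadata.component is left
    untouched. stats counts components visited and property entries removed.
    """
    bom = copy.deepcopy(bom)  # never mutate the caller's BOM
    stats = {"components": 0, "properties_removed": 0}

    def walk(components):
        for comp in components:
            stats["components"] += 1
            props = comp.pop("properties", None)
            stats["properties_removed"] += len(props or [])
            walk(comp.get("components", []))  # CycloneDX allows nesting

    walk(bom.get("components", []))
    return bom, stats


def strip_file(src_path, dst_path):
    """Strip component properties from a CycloneDX JSON file on disk."""
    with open(src_path, encoding="utf-8") as f:
        stripped, stats = strip_component_properties(json.load(f))
    with open(dst_path, "w", encoding="utf-8") as f:
        json.dump(stripped, f, indent=2)
    return stats
```

Run `strip_file("bom.json", "bom-noprops.json")` and upload the output to the same project; if that succeeds where the original fails, the property entries are what the failing `synchronizeComponentProperties` step trips over.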