External References are removed when uploading SBOM (from both UI and/or API)
Current Behavior
External References are removed from the project when an SBOM is uploaded to that project. The external references are removed no matter whether one uploads the SBOM through the UI or with the API.
When uploading the SBOM by calling the API, I am calling the /v1/bom endpoint with PUT, so I am surprised that it edits the properties of the project itself.
Steps to Reproduce
- Create a project in Dependency Track
- Add external references by calling the API endpoint with `PATCH /v1/project/{uuid}`. Add the external references in the payload, e.g.
```json
"externalReferences": [
  {
    "type": "vcs",
    "url": "<source code url>",
    "comment": "<This is the link to the source code>"
  }
]
```
- Verify the external references by visiting project -> view details -> external references
- Upload SBOM (UI) project -> components -> Upload BOM
- Confirm that external references are removed by visiting again project -> view details -> external references
Expected Behavior
The external references persist when SBOM is uploaded.
Dependency-Track Version
4.12.6
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
No response
Browser
Mozilla Firefox
Checklist
- [x] I have read and understand the contributing guidelines
- [x] I have checked the existing issues for whether this defect was already reported
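As an added example (not code from this issue or from the Dependency-Track project), the reproduction steps above turned into a script: set the fields with PATCH, upload a BOM with PUT, re-read the project and report which of the watched fields changed. It also watches `swidTagId`, which a later comment in this thread reports as being overridden too. The `/api` prefix, the `X-Api-Key` header and the `{"project": ..., "bom": <base64>}` body of `PUT /v1/bom` are assumptions about the REST API, not taken from the issue; `FakeDependencyTrack` is a constructed stand-in that mimics the described behaviour so the check runs offline, and the sample references and BOM are likewise constructed.

```python
"""Checks which project fields survive a BOM upload in Dependency-Track.

Assumptions (not from the issue): the API lives under /api, authenticates with
an X-Api-Key header, and PUT /api/v1/bom takes {"project": uuid, "bom": base64}.
"""
import base64
import json
from typing import Any, Dict, List

try:
    import requests  # only needed by the real client
except ImportError:  # the offline demo below still runs without it
    requests = None

# Constructed sample data; no real project, URL or BOM is referenced.
SAMPLE_REFS = [
    {"type": "vcs", "url": "https://git.example.invalid/team/app", "comment": "source code"},
]
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [{"type": "library", "name": "left-pad", "version": "1.3.0"}],
}).encode()

# Project fields the thread reports as being overwritten by an upload.
WATCHED_FIELDS = ("externalReferences", "swidTagId")


class DependencyTrackClient:
    """Thin client over the REST API (assumed paths, needs `requests`)."""

    def __init__(self, base_url: str, api_key: str):
        self.base_url = base_url.rstrip("/")
        self.session = requests.Session()
        self.session.headers["X-Api-Key"] = api_key

    def get_project(self, uuid: str) -> Dict[str, Any]:
        r = self.session.get(f"{self.base_url}/api/v1/project/{uuid}")
        r.raise_for_status()
        return r.json()

    def patch_project(self, uuid: str, fields: Dict[str, Any]) -> None:
        r = self.session.patch(f"{self.base_url}/api/v1/project/{uuid}", json=fields)
        r.raise_for_status()

    def upload_bom(self, uuid: str, bom: bytes) -> None:
        body = {"project": uuid, "bom": base64.b64encode(bom).decode()}
        r = self.session.put(f"{self.base_url}/api/v1/bom", json=body)
        r.raise_for_status()


class FakeDependencyTrack:
    """Constructed offline stand-in: an upload replaces the watched fields
    with whatever the BOM carries, which for this BOM is nothing."""

    def __init__(self):
        self.projects: Dict[str, Dict[str, Any]] = {}

    def get_project(self, uuid: str) -> Dict[str, Any]:
        return json.loads(json.dumps(self.projects[uuid]))  # defensive copy

    def patch_project(self, uuid: str, fields: Dict[str, Any]) -> None:
        self.projects.setdefault(uuid, {"uuid": uuid}).update(fields)

    def upload_bom(self, uuid: str, bom: bytes) -> None:
        proj = self.projects[uuid]
        proj["externalReferences"] = []
        proj.pop("swidTagId", None)


def fields_lost_on_upload(client, uuid: str, fields: Dict[str, Any], bom: bytes) -> List[str]:
    """PATCH `fields`, upload `bom`, re-read the project and return the names of
    watched fields whose value after the upload differs from the value before."""
    client.patch_project(uuid, fields)
    before = client.get_project(uuid)
    client.upload_bom(uuid, bom)
    after = client.get_project(uuid)
    return [f for f in WATCHED_FIELDS if f in fields and before.get(f) != after.get(f)]


def reapply_fields(client, uuid: str, fields: Dict[str, Any]) -> Dict[str, Any]:
    """The workaround some commenters use: re-PATCH the fields after each upload."""
    client.patch_project(uuid, fields)
    return client.get_project(uuid)


if __name__ == "__main__":
    fake = FakeDependencyTrack()
    wanted = {"externalReferences": SAMPLE_REFS, "swidTagId": "swid-demo"}
    print("lost on upload:", fields_lost_on_upload(fake, "p1", wanted, SAMPLE_BOM))
    print("after re-apply:", reapply_fields(fake, "p1", wanted)[ "externalReferences"])
```

To run it against a real instance, replace `FakeDependencyTrack()` with `DependencyTrackClient("https://dt.example.invalid", api_key)` and pass a real project UUID; an empty list from `fields_lost_on_upload` means the fields survived the upload on that version.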
I tried to follow and understand the code, but I can't see any error (but please don't rely on me, I'm not that familiar with the code yet). This is a moonshot, but does a restart of DT suddenly make the references show up? If that's the case, setting the ALPINE_DATANUCLEUS_CACHE_LEVEL2_TYPE=none env var will resolve your issue. That would be a temporary resolution, since this will become the default with 4.13.
@stohrendorf we run DT in Kubernetes. I restarted the frontend and backend workloads but the external references did not show up.
Then this is a valid bug, but it's beyond my area of expertise within this project. It needs to be triaged by the maintainers.
It seems external references are not persisted at all. So this is not really a bug, but rather a missing feature, although I understand how this can be seen as a bug from the outside.
What does it mean that they are not persisted at all? Does that mean that any change to the project will remove the external references?
Basically yes, but they're not saved at all, they're lost as soon as you put them into DT. Currently, not all CycloneDX features are supported, and references are part of the unsupported features.
Maybe this helps: References can't be created when using the UI and adding components manually without using an SBOM.
@stohrendorf I run a sync job which updates external references for every project in DT using the DT API. As long as I don't upload a new SBOM the external reference stays. I can update the project's details, for example, and the reference stays as well. So the external references must be saved somewhere.
I’m experiencing the same issue during our CI/CD pipelines. Every time we import an SBOM for the same project, the externalRefs field gets reset. This is problematic for us because we rely on this field to store the SCM link of the project.
Ideally, externalRefs should be preserved if it's already set, or there should be an option to prevent it from being overwritten during SBOM re-imports. Hoping @stohrendorf's fix will do it!
The fix implemented simply overwrites all existing references. Preserving existing references would open a can of worms (and effectively lead to a mixed SBOM state from different imported SBOMs, which is at least confusing).
What a shame, thx! Back to the drawing board I go then!
Ran into the same issue with my CI/CD pipeline. Importing SBOMs overrides external references. Still think this is a bug :(
I want to add a reference to the git project (URL) when my pipeline creates the project. Is there a better place to put that information for the project?
Same issue for swidTagId? That seems to be overridden as well when importing an SBOM.