-
-
Notifications
You must be signed in to change notification settings - Fork 518
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
BOM upload fails without feedback due to field max length #1665
Comments
Any updates on this one? - also the PURL field/column is affected:
|
No progress until now. If you're using the |
Similar problem if the metadata.component.name field is long.
Here is an SBOM that triggers the problem:
The D-T API returns a 500 when I attempt an upload using github.com/DependencyTrack/client-go. A 40x might be better. The D-T UI didn't complain at all. |
We just ran into this issue with a node purl including repository names in the purl-string. Is there an actual upper bound for the length of a purl? Crashing and only handling an incomplete SBOM on SBOM import doesn't seem like the best strategy. (There is no way for a product to notice that the BOM import was incomplete because the failing insert-into-db isn't handled gracefully - but just truncates the handled BOM) |
jup, just crashed into this issue. PURL is too long... |
We have a Customer required RPM that is installed on our RHEL 8 hosts with a very long name (81 characters). The generated PURL in the SBOM is more than 255 characters (276 characters), so ingestion into Dependency Track breaks for all of our systems. We would be happy with truncating the PURL at 255 characters on ingest or allowing the longer fields. We also have now enabled an alert for BOM consumption and failures so that we have visibility into the fact that the ingest fails. |
A BOM file that contains a component with a "publisher" field with more than 255 character fails due to the constraints of the field. However, there is no feedback or way to know that the BOM upload failed other than figuring it out from the log file.
Current Behavior:
When uploading a broken BOM file (see bom-broken.xml in bom-broken.zip), no components will be loaded, and there is no way to see that the BOM processing failed outside the log file. See "Additional Details" section for the stacktrace.
I manually created the BOM file to only include the broken component, however, this is how https://github.com/CycloneDX/cyclonedx-dotnet would generate the component for Hangfire.PostgreSql@1.9.6.
Steps to Reproduce:
-- Or use the bom-broken.xml in bom-broken.zip
To test that the issue is with the publisher field, simply truncate the field in the XML file and reupload it to Dependency Track. The component should appear correctly in the Components tab.
Expected Behavior:
I expect one of 2 behaviors:
I think option 1 is better than option 2. The restriction makes it a problem for using automation as there is no way to predict if a component will break Dependency Track. Since the specification does not contain restrictions on field lengths, Dependency Track should not enforce arbitrary ones.
Environment:
Additional Details:
DT stacktrace
The text was updated successfully, but these errors were encountered: