Support Import of CycloneDX 1.5 BOMs #2850

Closed · 2 tasks done
msymons opened this issue Jun 23, 2023 · 6 comments · Fixed by #3071

Labels: blocked · cdx-1.5 (Related to CycloneDX specification v1.5) · enhancement (New feature or request) · p1 (Critical bugs that prevent DT from being used, or features that must be implemented ASAP)
Milestone: 4.9
Comments

msymons (Member) commented Jun 23, 2023

Current Behavior

Dependency-Track v4.8.2 supports the import of BOMs that are CycloneDX 1.4 or below.

CycloneDX 1.5 will be released before the end of June 2023. We will start to see tooling producing 1.5 BOMs shortly thereafter. An attempt to import any such BOM to DT would throw an error.

Proposed Behavior

Dependency-Track must be updated so that CycloneDX v1.5 BOMs can be imported without error.

The implementation of support for new functionality offered by 1.5 (commercial licensing and much more besides) is expected to be covered by other issues. This enhancement is to ensure that existing CycloneDX functionality is preserved: no errors, and dependency graphs (etc.) still work.

msymons added the enhancement, cdx-1.5 and p1 labels Jun 23, 2023

msymons (Member, Author) commented Jun 27, 2023

Now that the first CycloneDX v1.5 BOMs are being produced (not bad... 24 hours after release of the specification), here is the exception:

ERROR [BomUploadProcessingTask] Error while processing bom
org.cyclonedx.exception.ParseException: Unable to parse BOM from byte array
at org.cyclonedx.parsers.JsonParser.parse(JsonParser.java:70)
at org.dependencytrack.tasks.BomUploadProcessingTask.inform(BomUploadProcessingTask.java:93)
at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:101)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.base/java.lang.Thread.run(Unknown Source)
Caused by: com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot deserialize value of type java.util.ArrayList<org.cyclonedx.model.Tool> from Object value (token JsonToken.START_OBJECT)
at [Source: (byte[])"{"bomFormat":"CycloneDX","specVersion":"1.5","tools":{"components":[{"group":"https://github.com/CycloneDX","name":"cdxgen","version":"9.0.1","purl":"pkg:npm/%40cyclonedx/cdxgen@9.0.1","type":"application","bom-ref":"pkg:npm/%40cyclonedx/cdxgen@9.0.1"}]}, column: 180] (through reference chain: org.cyclonedx.model.Bom["metadata"]->org.cyclonedx.model.Metadata["tools"])
at com.fasterxml.jackson.databind.exc.MismatchedInputException.from(MismatchedInputException.java:59)
at com.fasterxml.jackson.databind.DeserializationContext.reportInputMismatch(DeserializationContext.java:1741)
at com.fasterxml.jackson.databind.DeserializationContext.handleUnexpectedToken(DeserializationContext.java:1515)
at com.fasterxml.jackson.databind.DeserializationContext.handleUnexpectedToken(DeserializationContext.java:1462)
at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.handleNonArray(CollectionDeserializer.java:392)
at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:252)
at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:28)
at com.fasterxml.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:129)
at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:314)
at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:177)
at com.fasterxml.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:129)
at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:314)
at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:177)
at com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:323)
at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4674)
at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3690)
at org.cyclonedx.parsers.JsonParser.parse(JsonParser.java:68)
... 5 common frames omitted

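Added example, not code from the Dependency-Track project, cdxgen or any comment in this thread: the trace above fails because a 1.4-era cyclonedx-core-java maps `metadata.tools` onto `ArrayList<Tool>`, while the cdxgen 9.x BOM carries the CycloneDX 1.5 form of that field, an object holding a `components` list (and optionally `services`). The Python below detects which shape a JSON BOM uses and, as a pre-upload workaround for a server that only parses 1.4, rewrites the 1.5 object back into the 1.4 array (a tool component's `group` becomes `vendor`; `name`, `version`, `hashes` and `externalReferences` carry over; tool services are dropped because 1.4 has no equivalent). The sample BOM is constructed from the fragment in the trace and is not captured data; the function names and the downgrade approach are this example's own. It only handles the tools shape, so a BOM that uses other 1.5-only constructs may still be rejected by a 1.4 parser.

```python
"""Pre-upload shape check and downgrade for CycloneDX JSON BOMs.

Added example (not Dependency-Track or cdxgen code). CycloneDX 1.4 models
metadata.tools as an array of Tool objects ({"vendor","name","version",...});
CycloneDX 1.5 additionally allows an object {"components": [...],
"services": [...]} in that position, which a 1.4-era parser cannot map onto
ArrayList<Tool> (the MismatchedInputException seen in the thread).
"""
import json

# Constructed sample modelled on the fragment quoted in the stack trace
# (a cdxgen 9.0.1 BOM declaring spec 1.5); values are illustrative only.
SAMPLE_BOM_15 = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "tools": {
            "components": [{
                "group": "https://github.com/CycloneDX",
                "name": "cdxgen",
                "version": "9.0.1",
                "purl": "pkg:npm/%40cyclonedx/cdxgen@9.0.1",
                "type": "application",
                "bom-ref": "pkg:npm/%40cyclonedx/cdxgen@9.0.1",
            }]
        }
    },
    "components": [{"type": "library", "name": "left-pad", "version": "1.3.0"}],
})


def tools_shape(bom: dict) -> str:
    """Return 'array' (1.4 style), 'object' (1.5 style) or 'absent'."""
    tools = bom.get("metadata", {}).get("tools")
    if tools is None:
        return "absent"
    if isinstance(tools, list):
        return "array"
    if isinstance(tools, dict):
        return "object"
    raise ValueError(f"unexpected metadata.tools type: {type(tools).__name__}")


def needs_downgrade_for_14_parser(bom: dict) -> bool:
    """True when a parser that only knows CycloneDX <= 1.4 would reject the BOM
    for the reason shown in the thread: spec 1.5 declared, or tools as an object."""
    return bom.get("specVersion") == "1.5" or tools_shape(bom) == "object"


def downgrade_tools_to_14(bom: dict) -> dict:
    """Rewrite metadata.tools from the 1.5 object form to the 1.4 array form.

    Tool components become 1.4 Tool entries (group -> vendor; name, version,
    hashes and externalReferences carry over). Tool services have no 1.4
    counterpart and are dropped. Only the tools shape is handled; any other
    1.5-only construct elsewhere in the BOM is left as it is.
    """
    out = json.loads(json.dumps(bom))  # deep copy; never mutate the caller's BOM
    tools = out.get("metadata", {}).get("tools")
    if isinstance(tools, dict):
        legacy = []
        for comp in tools.get("components", []):
            tool = {}
            if "group" in comp:
                tool["vendor"] = comp["group"]
            for key in ("name", "version", "hashes", "externalReferences"):
                if key in comp:
                    tool[key] = comp[key]
            legacy.append(tool)
        out["metadata"]["tools"] = legacy
    out["specVersion"] = "1.4"
    out["$schema"] = "http://cyclonedx.org/schema/bom-1.4.schema.json"
    return out


def check_and_downgrade(raw: str) -> tuple:
    """Parse a JSON BOM; return (tools shape found, whether a 1.4-only parser
    would reject it, BOM to upload: downgraded copy if needed, else original)."""
    bom = json.loads(raw)
    shape = tools_shape(bom)
    flagged = needs_downgrade_for_14_parser(bom)
    return shape, flagged, (downgrade_tools_to_14(bom) if flagged else bom)


if __name__ == "__main__":
    shape, flagged, fixed = check_and_downgrade(SAMPLE_BOM_15)
    print(f"metadata.tools shape: {shape}; needs downgrade: {flagged}")
    print(json.dumps(fixed["metadata"]["tools"], indent=2))
```

Run it against a real 1.5 BOM by replacing `SAMPLE_BOM_15` with the file contents; the printed `tools` array is what a 1.4 parser expects. The rewrite loses the `purl`, `type` and `bom-ref` of the generating tool, which is the price of the downgrade, and it is only a stopgap until the server side is updated.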
nscuro (Member) commented Jun 27, 2023

Note: We have a dependency on cyclonedx-core-java which was not updated for spec v1.5 yet.

nscuro added the blocked label Jun 27, 2023

ChrisMcKee commented

For anyone hitting this using cdxgen, 8.6.0 is the last version to use 1.4.

thaarbach commented

For anyone hitting this using the latest cdxgen, specify the CycloneDX version with:

    cdxgen -r -o bom.json --spec-version 1.4

BetOffice commented

How do I solve this if I am using the server version? How can I specify the spec-version from the URL? Is it even possible?

nscuro mentioned this issue Sep 14, 2023
nscuro added this to the 4.9 milestone Oct 3, 2023
nscuro added a commit to nscuro/dependency-track that referenced this issue Oct 3, 2023
Closes DependencyTrack#2850

Signed-off-by: nscuro <nscuro@protonmail.com>
github-actions bot (Contributor) commented Nov 2, 2023

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

github-actions bot locked as resolved and limited conversation to collaborators Nov 2, 2023

5 participants