I'm currently trying to make the dependency graph feature work. The BOM I want to analyse will be a little complex, but I apparently cannot make the dependency graph work even with a really simple container image BOM.
I'm using syft in its latest version (0.98 when I created the issue) to generate container image BOMs (CycloneDX 1.4; I've tried with every version from 1.2 to 1.5).
Dependency-Track (4.10) correctly detects the components, and the BOM does include a dependencies field, but it seems to be ignored.
E.g. with alpine:3.19.0, import logs:
2023-12-17 10:09:39,019 INFO [BomUploadProcessingTask] Processing CycloneDX BOM uploaded to project: 32711511-3db2-414d-b576-7d25b6e9a5e5
2023-12-17 10:09:39,467 INFO [BomUploadProcessingTask] Identified 16 new components
2023-12-17 10:09:39,467 INFO [BomUploadProcessingTask] Processing CycloneDX dependency graph for project: 32711511-3db2-414d-b576-7d25b6e9a5e5
2023-12-17 10:09:39,475 INFO [BomUploadProcessingTask] Processed 16 components and 0 services uploaded to project 32711511-3db2-414d-b576-7d25b6e9a5e5
2023-12-17 10:09:39,488 INFO [RepositoryMetaAnalyzerTask] Performing component repository metadata analysis against 16 components
2023-12-17 10:09:39,505 INFO [InternalAnalysisTask] Starting internal analysis task
2023-12-17 10:09:39,505 INFO [InternalAnalysisTask] Analyzing 15 component(s)
2023-12-17 10:09:39,523 INFO [RepositoryMetaAnalyzerTask] Completed component repository metadata analysis against 16 components
2023-12-17 10:09:39,523 INFO [PolicyEngine] Evaluating 16 component(s) against applicable policies
2023-12-17 10:09:39,547 INFO [PolicyEngine] Policy analysis complete
2023-12-17 10:09:39,548 INFO [ProjectMetricsUpdateTask] Executing metrics update for project 32711511-3db2-414d-b576-7d25b6e9a5e5
2023-12-17 10:09:53,406 INFO [InternalAnalysisTask] Internal analysis complete
2023-12-17 10:09:53,407 WARN [OssIndexAnalysisTask] An API username or token has not been specified for use with OSS Index. Using anonymous access
2023-12-17 10:09:53,407 INFO [OssIndexAnalysisTask] Starting Sonatype OSS Index analysis task
2023-12-17 10:09:54,054 INFO [OssIndexAnalysisTask] Analyzing 15 component(s)
2023-12-17 10:09:54,054 INFO [OssIndexAnalysisTask] Sonatype OSS Index analysis complete
2023-12-17 10:09:54,063 INFO [PolicyEngine] Evaluating 16 component(s) against applicable policies
2023-12-17 10:09:54,087 INFO [PolicyEngine] Policy analysis complete
2023-12-17 10:09:54,087 INFO [ProjectMetricsUpdateTask] Executing metrics update for project 32711511-3db2-414d-b576-7d25b6e9a5e5
2023-12-17 10:15:07,177 INFO [BomUploadProcessingTask] Processing CycloneDX BOM uploaded to project: 32711511-3db2-414d-b576-7d25b6e9a5e5
2023-12-17 10:15:07,279 INFO [BomUploadProcessingTask] Identified 0 new components
2023-12-17 10:15:07,279 INFO [BomUploadProcessingTask] Processing CycloneDX dependency graph for project: 32711511-3db2-414d-b576-7d25b6e9a5e5
2023-12-17 10:15:07,291 INFO [BomUploadProcessingTask] Processed 16 components and 0 services uploaded to project 32711511-3db2-414d-b576-7d25b6e9a5e5
2023-12-17 10:15:07,292 INFO [RepositoryMetaAnalyzerTask] Performing component repository metadata analysis against 16 components
2023-12-17 10:15:07,294 INFO [InternalAnalysisTask] Starting internal analysis task
2023-12-17 10:15:07,303 INFO [InternalAnalysisTask] Analyzing 15 component(s)
2023-12-17 10:15:07,305 INFO [RepositoryMetaAnalyzerTask] Completed component repository metadata analysis against 16 components
2023-12-17 10:15:07,306 INFO [PolicyEngine] Evaluating 16 component(s) against applicable policies
2023-12-17 10:15:07,346 INFO [PolicyEngine] Policy analysis complete
2023-12-17 10:15:07,346 INFO [ProjectMetricsUpdateTask] Executing metrics update for project 32711511-3db2-414d-b576-7d25b6e9a5e5
2023-12-17 10:15:20,748 INFO [InternalAnalysisTask] Internal analysis complete
2023-12-17 10:15:20,749 WARN [OssIndexAnalysisTask] An API username or token has not been specified for use with OSS Index. Using anonymous access
2023-12-17 10:15:20,749 INFO [OssIndexAnalysisTask] Starting Sonatype OSS Index analysis task
2023-12-17 10:15:20,751 INFO [OssIndexAnalysisTask] Sonatype OSS Index analysis complete
2023-12-17 10:15:20,752 INFO [PolicyEngine] Evaluating 16 component(s) against applicable policies
2023-12-17 10:15:20,770 INFO [PolicyEngine] Policy analysis complete
2023-12-17 10:15:20,771 INFO [ProjectMetricsUpdateTask] Executing metrics update for project 32711511-3db2-414d-b576-7d25b6e9a5e5
The dependency graph in alpine.json is missing a root node. There should be an entry in dependencies referring to metadata.component ("bom-ref": "0569ac1ef202d3b3"), but there is none. Without a root node, Dependency-Track cannot correctly interpret the graph. Refer to https://cyclonedx.org/use-cases/#dependency-graph for an example of a complete graph.
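The condition described in that comment can be checked mechanically before a BOM is uploaded. The following is an added example, not code from syft or Dependency-Track: the sample BOM, its pkg-* bom-refs and the add_root_entry repair are constructed for illustration (only the root bom-ref is the one quoted above), and the check flags a missing root entry, dangling references, and components the root cannot reach.

```python
import copy
# Constructed, minimal CycloneDX 1.4 BOM shaped like syft's container output: dependencies
# link packages to each other, but no entry refers to metadata.component's bom-ref.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"type": "container", "name": "alpine:3.19.0", "bom-ref": "0569ac1ef202d3b3"}},
    "components": [{"type": "library", "name": n, "bom-ref": f"pkg-{n}"} for n in ("musl", "busybox", "alpine-baselayout")],
    "dependencies": [{"ref": "pkg-busybox", "dependsOn": ["pkg-musl"]},
                     {"ref": "pkg-alpine-baselayout", "dependsOn": ["pkg-busybox"]}],
}

def reachable(bom, start):
    """bom-refs reachable from start by following dependsOn edges (iterative DFS)."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", []) if "ref" in d}
    seen, stack = set(), [start]
    while stack:
        ref = stack.pop()
        if ref not in seen:
            seen.add(ref)
            stack.extend(edges.get(ref, []))
    return seen

def graph_findings(bom):
    """Problems that stop a consumer walking the graph down from metadata.component."""
    root = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    if not root:
        return ["metadata.component has no bom-ref, so the graph has no possible root"]
    known = {c["bom-ref"] for c in bom.get("components", []) if "bom-ref" in c} | {root}
    deps, findings = bom.get("dependencies", []), []
    if not any(d.get("ref") == root for d in deps):
        findings.append(f"no dependencies entry for root {root}")
    for d in deps:  # every ref / dependsOn value must name a component in this BOM
        for r in [d.get("ref"), *d.get("dependsOn", [])]:
            if r not in known:
                findings.append(f"dangling reference {r}")
    unreachable = known - reachable(bom, root)
    if unreachable:
        findings.append(f"{len(unreachable)} component(s) unreachable from root")
    return findings

def add_root_entry(bom):
    """Hypothetical repair (not syft's or Dependency-Track's): return a copy whose root
    depends on every component nothing else depends on, so the graph hangs off it."""
    fixed = copy.deepcopy(bom)
    root = fixed["metadata"]["component"]["bom-ref"]
    deps = fixed.setdefault("dependencies", [])
    depended_on = {r for d in deps for r in d.get("dependsOn", [])}
    deps.insert(0, {"ref": root, "dependsOn": [c["bom-ref"] for c in fixed["components"] if c["bom-ref"] not in depended_on]})
    return fixed
```

Run graph_findings on a real syft BOM loaded with json.load; an empty list means the graph has a root and every reference resolves, which is what Dependency-Track's dependency graph tab needs.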
Steps to Reproduce
alpine:3.19.0: alpine.json BOM. I attached the output file that I've indented: alpine.json
Expected Behavior
I expect the dependency graph to show in the Dependency Graph tab of the project I import the BOM to.
Dependency-Track Version: 4.10.0
Dependency-Track Distribution: Container Image
Database Server: N/A
Database Server Version: No response
Browser: N/A