
Dependency graph does not show when importing syft BOMs #3314

Closed
2 tasks done
tesence opened this issue Dec 17, 2023 · 3 comments

Comments


tesence commented Dec 17, 2023

Current Behavior

Hello,

I'm currently trying to make the dependency graph feature work. The BOM I want to analyse will be a little complex, but I apparently cannot make the dependency graph work even with a really simple container image BOM.

I'm using syft in its latest version (0.98 when I created the issue) to generate container image BOMs (CycloneDX 1.4; I've tried with every version from 1.2 to 1.5).

Dependency Track (4.10) correctly detects the components, and the BOM does include a dependencies field, but it seems to be ignored.

E.g. with alpine:3.19.0

import logs:

2023-12-17 10:09:39,019 INFO [BomUploadProcessingTask] Processing CycloneDX BOM uploaded to project: 32711511-3db2-414d-b576-7d25b6e9a5e5
2023-12-17 10:09:39,467 INFO [BomUploadProcessingTask] Identified 16 new components
2023-12-17 10:09:39,467 INFO [BomUploadProcessingTask] Processing CycloneDX dependency graph for project: 32711511-3db2-414d-b576-7d25b6e9a5e5
2023-12-17 10:09:39,475 INFO [BomUploadProcessingTask] Processed 16 components and 0 services uploaded to project 32711511-3db2-414d-b576-7d25b6e9a5e5
2023-12-17 10:09:39,488 INFO [RepositoryMetaAnalyzerTask] Performing component repository metadata analysis against 16 components
2023-12-17 10:09:39,505 INFO [InternalAnalysisTask] Starting internal analysis task
2023-12-17 10:09:39,505 INFO [InternalAnalysisTask] Analyzing 15 component(s)
2023-12-17 10:09:39,523 INFO [RepositoryMetaAnalyzerTask] Completed component repository metadata analysis against 16 components
2023-12-17 10:09:39,523 INFO [PolicyEngine] Evaluating 16 component(s) against applicable policies
2023-12-17 10:09:39,547 INFO [PolicyEngine] Policy analysis complete
2023-12-17 10:09:39,548 INFO [ProjectMetricsUpdateTask] Executing metrics update for project 32711511-3db2-414d-b576-7d25b6e9a5e5
2023-12-17 10:09:53,406 INFO [InternalAnalysisTask] Internal analysis complete
2023-12-17 10:09:53,407 WARN [OssIndexAnalysisTask] An API username or token has not been specified for use with OSS Index. Using anonymous access
2023-12-17 10:09:53,407 INFO [OssIndexAnalysisTask] Starting Sonatype OSS Index analysis task
2023-12-17 10:09:54,054 INFO [OssIndexAnalysisTask] Analyzing 15 component(s)
2023-12-17 10:09:54,054 INFO [OssIndexAnalysisTask] Sonatype OSS Index analysis complete
2023-12-17 10:09:54,063 INFO [PolicyEngine] Evaluating 16 component(s) against applicable policies
2023-12-17 10:09:54,087 INFO [PolicyEngine] Policy analysis complete
2023-12-17 10:09:54,087 INFO [ProjectMetricsUpdateTask] Executing metrics update for project 32711511-3db2-414d-b576-7d25b6e9a5e5
2023-12-17 10:15:07,177 INFO [BomUploadProcessingTask] Processing CycloneDX BOM uploaded to project: 32711511-3db2-414d-b576-7d25b6e9a5e5
2023-12-17 10:15:07,279 INFO [BomUploadProcessingTask] Identified 0 new components
2023-12-17 10:15:07,279 INFO [BomUploadProcessingTask] Processing CycloneDX dependency graph for project: 32711511-3db2-414d-b576-7d25b6e9a5e5
2023-12-17 10:15:07,291 INFO [BomUploadProcessingTask] Processed 16 components and 0 services uploaded to project 32711511-3db2-414d-b576-7d25b6e9a5e5
2023-12-17 10:15:07,292 INFO [RepositoryMetaAnalyzerTask] Performing component repository metadata analysis against 16 components
2023-12-17 10:15:07,294 INFO [InternalAnalysisTask] Starting internal analysis task
2023-12-17 10:15:07,303 INFO [InternalAnalysisTask] Analyzing 15 component(s)
2023-12-17 10:15:07,305 INFO [RepositoryMetaAnalyzerTask] Completed component repository metadata analysis against 16 components
2023-12-17 10:15:07,306 INFO [PolicyEngine] Evaluating 16 component(s) against applicable policies
2023-12-17 10:15:07,346 INFO [PolicyEngine] Policy analysis complete
2023-12-17 10:15:07,346 INFO [ProjectMetricsUpdateTask] Executing metrics update for project 32711511-3db2-414d-b576-7d25b6e9a5e5
2023-12-17 10:15:20,748 INFO [InternalAnalysisTask] Internal analysis complete
2023-12-17 10:15:20,749 WARN [OssIndexAnalysisTask] An API username or token has not been specified for use with OSS Index. Using anonymous access
2023-12-17 10:15:20,749 INFO [OssIndexAnalysisTask] Starting Sonatype OSS Index analysis task
2023-12-17 10:15:20,751 INFO [OssIndexAnalysisTask] Sonatype OSS Index analysis complete
2023-12-17 10:15:20,752 INFO [PolicyEngine] Evaluating 16 component(s) against applicable policies
2023-12-17 10:15:20,770 INFO [PolicyEngine] Policy analysis complete
2023-12-17 10:15:20,771 INFO [ProjectMetricsUpdateTask] Executing metrics update for project 32711511-3db2-414d-b576-7d25b6e9a5e5

Steps to Reproduce

  1. Run syft for the image alpine:3.19.0:
syft -o cyclonedx-json@1.4=alpine.json alpine:3.19.0
  2. Create a project in Dependency Track and import the alpine.json BOM.

I attached the output file that I've indented: alpine.json

Expected Behavior

I expect the dependency graph to show in the Dependency Graph tab of the project I import the BOM to.

Dependency-Track Version

4.10.0

Dependency-Track Distribution

Container Image

Database Server

N/A

Database Server Version

No response

Browser

N/A

Checklist

@tesence tesence added defect Something isn't working in triage labels Dec 17, 2023
@tesence tesence changed the title Dependency graph does not show when importe syft BOMs Dependency graph does not show when importing syft BOMs Dec 17, 2023
@nscuro
Member

nscuro commented Dec 17, 2023

The dependency graph in alpine.json is missing a root node. There should be an entry in dependencies referring to metadata.component ("bom-ref": "0569ac1ef202d3b3"), but there is none. Without a root node, Dependency-Track cannot correctly interpret the graph. Refer to https://cyclonedx.org/use-cases/#dependency-graph for an example of a complete graph.

@nscuro nscuro added not an issue and removed defect Something isn't working in triage labels Dec 17, 2023
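The check nscuro describes is easy to run locally before uploading a BOM. The script below is an added example, not code from Dependency-Track or syft: it loads a CycloneDX JSON document, verifies that `dependencies` contains an entry whose `ref` is the `bom-ref` of `metadata.component`, flags any `dependsOn` target that does not resolve to a known `bom-ref`, and offers a helper that adds the missing root entry by pointing it at every component nothing else depends on. The sample BOMs are constructed for the example; only the root `bom-ref` `0569ac1ef202d3b3` is taken from the comment above, and the component refs `pkg-a`/`pkg-b` are made up.

```python
"""Check a CycloneDX JSON BOM for a dependency-graph root node.

Added example (not Dependency-Track or syft code). The BOMs below are
constructed for illustration; 'pkg-a' and 'pkg-b' are made-up bom-refs.
"""
import copy
import json


def known_refs(bom: dict) -> set:
    """All bom-ref values the graph may legitimately point at."""
    refs = set()
    root = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    if root:
        refs.add(root)
    for section in ("components", "services"):
        for entry in bom.get(section, []):
            if entry.get("bom-ref"):
                refs.add(entry["bom-ref"])
    return refs


def dependency_graph_problems(bom: dict) -> list:
    """Return human-readable problems with the BOM's dependency graph (empty if OK)."""
    problems = []
    root = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    if not root:
        problems.append("metadata.component has no bom-ref, so the graph has no root")
        return problems
    deps = bom.get("dependencies", [])
    if root not in {d.get("ref") for d in deps}:
        problems.append(f"dependencies has no entry for root {root!r}")
    valid = known_refs(bom)
    for entry in deps:
        for target in entry.get("dependsOn", []):
            if target not in valid:
                problems.append(f"{entry.get('ref')!r} dependsOn unknown ref {target!r}")
    return problems


def add_root_dependency(bom: dict) -> dict:
    """Return a copy of bom whose root entry dependsOn every component not
    already depended on by another entry (the top level of the graph)."""
    fixed = copy.deepcopy(bom)
    root = fixed["metadata"]["component"]["bom-ref"]
    deps = fixed.setdefault("dependencies", [])
    if any(d.get("ref") == root for d in deps):
        return fixed
    depended_on = {t for d in deps for t in d.get("dependsOn", [])}
    top_level = sorted(
        c["bom-ref"] for c in fixed.get("components", [])
        if c.get("bom-ref") and c["bom-ref"] not in depended_on
    )
    deps.append({"ref": root, "dependsOn": top_level})
    return fixed


# Constructed BOM shaped like the one in the issue: components and edges are
# present, but no entry refers to metadata.component's bom-ref.
MISSING_ROOT_BOM = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {"type": "container", "name": "alpine",
                             "bom-ref": "0569ac1ef202d3b3"}},
  "components": [
    {"type": "library", "name": "pkg-a", "bom-ref": "pkg-a"},
    {"type": "library", "name": "pkg-b", "bom-ref": "pkg-b"}
  ],
  "dependencies": [
    {"ref": "pkg-a", "dependsOn": ["pkg-b"]},
    {"ref": "pkg-b", "dependsOn": []}
  ]
}
""")


if __name__ == "__main__":
    for problem in dependency_graph_problems(MISSING_ROOT_BOM):
        print("problem:", problem)
    repaired = add_root_dependency(MISSING_ROOT_BOM)
    print("after repair:", dependency_graph_problems(repaired) or "no problems")
    print(json.dumps(repaired["dependencies"], indent=2))
```

Run it against a real file with `json.load(open("alpine.json"))` in place of the constructed BOM. The repair helper only guesses that components nobody depends on are direct children of the root, which is the usual shape for a container image; if the generator knows the real top-level set, prefer its output over this heuristic.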
@tesence
Author

tesence commented Dec 17, 2023

Ah, too bad. Thanks for the help, closing the issue now.

@tesence tesence closed this as completed Dec 17, 2023
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 17, 2024