
Fix: Detect and avoid infinite recursion during second upload of SBOM with nested duplicate #2746

Closed
wants to merge 1 commit into from

Conversation

syalioune
Contributor

Description

When an SBOM contains a component with a nested duplicate (componentA contains itself as a child), the second SBOM upload causes an infinite recursion.

Addressed Issue

See #1905 for details

Additional Details

N/A

Checklist

  • [x] I have read and understand the contributing guidelines
  • [x] This PR fixes a defect, and I have provided tests to verify that the fix is effective
  • [ ] This PR implements an enhancement, and I have provided tests to verify that it works as intended
  • [ ] This PR introduces changes to the database model, and I have added corresponding update logic
  • [ ] This PR introduces new or alters existing behavior, and I have updated the documentation accordingly

… with nested duplicate

See DependencyTrack#1905 for details

Signed-off-by: syalioune <sy_alioune@yahoo.fr>
@valentijnscholten
Contributor

It sounds like a nice find, but I was curious to see the cause of the problem. And I don't understand how it could cause an infinite recursion. When convert is called on the child cdx component, it should stop processing there because the child doesn't have any children so cycloneDxComponent.getComponents() for the child component would be null or empty?
(Probably not, but I'm not seeing it :-))

I am also wondering what will happen, with the fix in place, if there is ComponentA having ComponentB as child which has ComponentA as child. So the "recursive" dependency is one level deeper.

@syalioune
Contributor Author

> It sounds like a nice find, but I was curious to see the cause of the problem. And I don't understand how it could cause an infinite recursion. When convert is called on the child cdx component, it should stop processing there because the child doesn't have any children so cycloneDxComponent.getComponents() for the child component would be null or empty?
> (Probably not, but I'm not seeing it :-))

Please check my comment here: #1905 (comment), where the scenario is described. The important thing is that the recursion problem is not in the ModelConverter.convert method but in BomUploadProcessingTask.processComponent.

> I am also wondering what will happen, with the fix in place, if there is ComponentA having ComponentB as child which has ComponentA as child. So the "recursive" dependency is one level deeper.

In that case we're doomed 😄 . More seriously, the fix should be updated to maintain ancestors component identities instead of just the nearest parent identity.
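As an added illustration of the point made above (this is not code from this PR or from Dependency-Track), the walk below tracks the full ancestor path instead of only the nearest parent, so both the self-referencing component and the one-level-deeper A -> B -> A cycle terminate. The `Component` class and its `identity` field are assumed stand-ins for the real model and for whatever key the real code uses to recognise the same component.

```java
import java.util.*;

// Added example, not Dependency-Track code: cycle-safe recursive processing of
// nested SBOM components. A nearest-parent check alone would still loop on A -> B -> A.
public final class NestedComponentWalker {

    // Assumed minimal model: an identity string plus nested children.
    static final class Component {
        final String identity;
        final List<Component> children = new ArrayList<>();
        Component(String identity) { this.identity = identity; }
    }

    /** Returns the identities processed, in order; components already on the
     *  current ancestor path are skipped instead of recursed into. */
    static List<String> process(Component root) {
        List<String> processed = new ArrayList<>();
        walk(root, new LinkedHashSet<>(), processed);
        return processed;
    }

    private static void walk(Component c, Set<String> ancestors, List<String> processed) {
        if (!ancestors.add(c.identity)) {
            // Already an ancestor of itself: stop here rather than recurse forever.
            return;
        }
        processed.add(c.identity);
        for (Component child : c.children) {
            walk(child, ancestors, processed);
        }
        // Leaving this branch: the same component may legitimately appear elsewhere in the tree.
        ancestors.remove(c.identity);
    }

    public static void main(String[] args) {
        // Constructed case 1: component A lists itself as a child (the scenario from this PR).
        Component a = new Component("pkg:maven/example/a@1.0");
        a.children.add(a);
        System.out.println(process(a));

        // Constructed case 2: the reviewer's one-level-deeper cycle A -> B -> A.
        Component a2 = new Component("pkg:maven/example/a@1.0");
        Component b = new Component("pkg:maven/example/b@2.0");
        a2.children.add(b);
        b.children.add(a2);
        System.out.println(process(a2));
    }
}
```

In both constructed cases every component is processed exactly once and the walk returns, which is the behaviour the ancestor-set approach described above is meant to guarantee.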

@valentijnscholten
Contributor

Just use Neo4J ;-)

@melba-lopez melba-lopez added the defect Something isn't working label Jul 28, 2023
@nscuro
Member

nscuro commented Jan 7, 2024

This PR is superseded by #3357.

Still, thanks a lot @syalioune for proposing a fix!

@nscuro nscuro closed this Jan 7, 2024
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 7, 2024