Validate uploaded BOMs against CycloneDX schema #3522
Merged
Description
Adds validation of uploaded BOMs against the CycloneDX schema.
Automatically detects the format and spec version of the uploaded BOM, and picks a matching schema to validate against.
Validation is enabled by default, for both BOMs and VEXs.
Users who find their uploads being rejected unexpectedly can pass the environment variable
BOM_VALIDATION_ENABLED=false
to disable validation. Because Dependency-Track did not validate BOMs before, it is possible that users are currently uploading invalid files without knowing.
Addressed Issue
Closes #3218
Additional Details
To communicate errors during BOM validation back to clients, responses are returned in RFC 9457 format.
Example:
Frontend PR: DependencyTrack/frontend#762
Checklist
- This PR fixes a defect, and I have provided tests to verify that the fix is effective
- This PR introduces changes to the database model, and I have added corresponding update logic
- This PR introduces new or alters existing behavior, and I have updated the documentation accordingly
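The behaviour the description outlines (detect the BOM's format and spec version, reject anything that does not fit, report failures as an RFC 9457 problem document, honour an opt-out switch) is sketched below as an added, stand-alone example; it is not Dependency-Track's own code, uses only the Python standard library, stands in a minimal structural check for the real JSON-Schema/XSD validation, and the problem `type` URI is a placeholder.

```python
import json
import xml.etree.ElementTree as ET

# Added illustration, not the project's implementation. The spec versions and the
# CycloneDX XML namespace prefix are real; the problem "type" URI is a placeholder.
SUPPORTED_VERSIONS = {"1.2", "1.3", "1.4", "1.5"}
XML_NS_PREFIX = "http://cyclonedx.org/schema/bom/"
PROBLEM_TYPE = "https://example.invalid/problems/invalid-bom"  # placeholder


def detect_format_and_version(payload: bytes):
    """Return (format, specVersion, parsed document); raise ValueError if undetectable."""
    text = payload.lstrip()
    if text.startswith(b"{"):
        doc = json.loads(text)
        if doc.get("bomFormat") != "CycloneDX":
            raise ValueError("JSON document is not a CycloneDX BOM (bomFormat missing or wrong)")
        version = doc.get("specVersion")
        if version not in SUPPORTED_VERSIONS:
            raise ValueError(f"Unsupported or missing specVersion: {version!r}")
        return "json", version, doc
    if text.startswith(b"<"):
        root = ET.fromstring(text)
        # ElementTree reports the namespace in Clark notation: "{<namespace>}bom",
        # and CycloneDX encodes the spec version as the last path segment of the namespace.
        if not (root.tag.startswith("{" + XML_NS_PREFIX) and root.tag.endswith("}bom")):
            raise ValueError("XML root element is not a CycloneDX <bom>")
        version = root.tag[len(XML_NS_PREFIX) + 1 : root.tag.index("}")]
        if version not in SUPPORTED_VERSIONS:
            raise ValueError(f"Unsupported CycloneDX XML namespace version: {version!r}")
        return "xml", version, root
    raise ValueError("Payload is neither a JSON object nor an XML document")


def validate_bom(payload: bytes, enabled: bool = True):
    """Return None when the upload is acceptable, else an RFC 9457 problem-details dict."""
    if not enabled:  # equivalent of BOM_VALIDATION_ENABLED=false: accept without checking
        return None
    try:
        fmt, version, doc = detect_format_and_version(payload)
        # Minimal structural check standing in for full schema validation.
        if fmt == "json" and not isinstance(doc.get("components", []), list):
            raise ValueError("'components' must be an array")
    except (ValueError, ET.ParseError) as exc:  # json.JSONDecodeError is a ValueError
        return {"type": PROBLEM_TYPE, "status": 400,
                "title": "The uploaded BOM is invalid", "detail": str(exc)}
    return None
```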