CycloneDX / cyclonedx-cli

CycloneDX CLI tool for SBOM analysis, merging, diffs and format conversions.
https://cyclonedx.org/
Apache License 2.0

Dependency-Graph in Dependency-Track not working after MERGE - Docker image - Kali Linux #230

Open almitte opened 2 years ago

almitte commented 2 years ago

Hello,

After merging SBOMs with the CLI, the Dependency-Graph in Dtrack for that SBOM is only showing the first hierarchy level (the primary components of the merged SBOMs), but not any of the components that make up these components. The Dependency-Graphs are working for each individual SBOM just fine. The "component" metadata is set in each individual SBOM, and the bom-refs of these first-hierarchy-level components are also showing up in "Dependencies" in the final SBOM.

Here is the code I have used:

```
docker run -v /home/kalimitteuser/Downloads:/work cyclonedx/cyclonedx-cli merge \
  --input-files /work/2.json /work/1.json /work/3.json --version 1.139.16 \
  --name application --hierarchical --output-file /work/sbom_all.json
```

It results in this output:

```
Processing input file /work/2.json
Contains 168 components
Processing input file /work/1.json
Contains 292 components
Processing input file /work/3.json
Contains 156 components
Writing output file...
Total 3 components
```

I think the problem is with the last line "Total 3 components". Can I insert an option like "--hierarchical all" or something like that? Maybe this is even a Dtrack problem, as there are around 350 components inside that SBOM?

Thanks in advance.

andreas-hilti commented 1 year ago

@almitte It is a DependencyTrack issue, see: https://github.com/DependencyTrack/dependency-track/issues/2411 DependencyTrack does not recursively handle components in components. A fix was merged, and DependencyTrack version 4.8 (once it is released) should handle it correctly.

sebastienDelcoigne commented 1 year ago

@almitte: did you get a chance to test version 4.8 of DT to check if it fixes your issue?

john-funk commented 1 year ago

I am still seeing the described behavior in 4.8.2.

roadSurfer commented 1 year ago

I tested DT 4.8.0 using the foobar BOM included in issue 2411 and they worked as expected. I then upgraded to 4.8.2 API/4.8.1 UI and checked on the project, things still looked OK. I deleted the project, created a new one and re-uploaded the BOM again, it still worked.

@Jay-Funk, I suggest attaching your sample BOM, as there is a small chance the merge went wrong somehow. Without being able to inspect the BOM, no one can say for sure. People may also need the command(s) you ran to perform the merge. If you are absolutely certain the BOMs are fine (or it is determined here that they are), and the foobar BOM included in 2411 works for you, please open a Dependency-Track issue providing your failing BOMs and referencing 2411. Maybe there is an edge case my patch doesn't cover, or there has been a regression I am simply not seeing.

Edit: This comment in DT issue 1385 shows how to validate the BOM with CycloneDX. The foobar BOM validates correctly.
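One way to inspect a merged BOM along the lines suggested above, as an added example that is not code from this issue, from cyclonedx-cli or from Dependency-Track: it walks nested `components` recursively (so the count covers what the CLI's "Total 3 components" line leaves out), then checks the `dependencies` graph for `dependsOn` refs that point to no component and for components the graph never reaches from the root. The BOM is a constructed sample with those two defects planted in it.

```python
import json

# Constructed sample (not from the issue): two SBOMs merged hierarchically under a
# root "application". svc-1 nests lib-a and lib-b but its dependencies list only
# lib-a; svc-2 depends on a bom-ref that no component carries.
SAMPLE_BOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {"type": "application", "name": "application", "bom-ref": "app"}},
  "components": [
    {"type": "application", "name": "svc-1", "bom-ref": "svc-1", "components": [
      {"type": "library", "name": "lib-a", "bom-ref": "lib-a"},
      {"type": "library", "name": "lib-b", "bom-ref": "lib-b"}]},
    {"type": "application", "name": "svc-2", "bom-ref": "svc-2", "components": [
      {"type": "library", "name": "lib-c", "bom-ref": "lib-c"}]}],
  "dependencies": [
    {"ref": "app", "dependsOn": ["svc-1", "svc-2"]},
    {"ref": "svc-1", "dependsOn": ["lib-a"]},
    {"ref": "svc-2", "dependsOn": ["lib-c", "lib-missing"]}]
}""")

def iter_components(components, depth=0):
    """Yield (component, depth) for every component, descending into nested 'components'."""
    for comp in components or []:
        yield comp, depth
        yield from iter_components(comp.get("components"), depth + 1)

def reachable_from(graph, start):
    """Set of bom-refs reachable from `start` by following dependsOn edges."""
    seen, todo = set(), [start]
    while todo:
        node = todo.pop()
        if node not in seen:
            seen.add(node)
            todo.extend(graph.get(node, ()))
    return seen

def audit_dependency_graph(bom):
    """Count components at every nesting level and check the dependency graph against them."""
    comps = list(iter_components(bom.get("components")))
    refs = {c["bom-ref"] for c, _ in comps if "bom-ref" in c}
    root = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    targets = {ref for deps in graph.values() for ref in deps}
    return {
        "top_level": sum(1 for _, depth in comps if depth == 0),  # what "Total N components" counts
        "total": len(comps),                                      # what a graph viewer should reach
        "dangling": sorted(targets - refs - {root}),              # dependsOn refs with no component
        "unreached": sorted(refs - reachable_from(graph, root)),  # components the graph never reaches
    }
```

Run it over a real merged file with `audit_dependency_graph(json.load(open(path)))`; a non-empty `dangling` or `unreached` list points at the merge output rather than at the viewer.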

roadSurfer commented 1 year ago

@almitte - if this is still failing for you, then please consider opening a Dependency-Track issue (or adding your BOM to Jay's).