DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

sbom merged with cyclonedx-cli does not get imported #1385

Open lazyw0lf opened 2 years ago

lazyw0lf commented 2 years ago

Current Behavior:

After merging several bom.xml into a sbom.xml with cyclonedx-cli, Dependency Track seems to not process it. I get no errors when uploading it and nothing really happens. If instead I upload separately the bom.xml that I merged they get processed.

Steps to Reproduce:

Merge the bom.xml files into one:

```
docker run -v /home/all_bom_files:/tmp cyclonedx/cyclonedx-cli merge --input-format xml --input-files /tmp/bom_1.xml /tmp/bom_2.xml --output-file /tmp/bom_merged.xml
```

Upload the file into the Dependency Track project.

Expected Behavior:

Components and dependencies to be recognized.

Environment:

Additional Details:

None

stevespringett commented 2 years ago

Can you provide the merged file please?

lazyw0lf commented 2 years ago

Hi, thanks for answering, unfortunately I would have to redact parts of the merged file and it is quite long. I can share with you the xml structure that it has.

stevespringett commented 2 years ago

Please validate the merged file against the JSON or XML schema for the version of CycloneDX it is. You can use the CLI for this, but I'm looking to ensure the resulting file is a valid CycloneDX BOM.

You may want to take a look at the DT log. Any errors on BOM import should be logged.

If it's valid, then the next thing I'll want to look at is where in the BOM it's failing. For this, I'll need the BOM to reproduce. If that's not possible, then I'd recommend setting up a DT development environment and setting some breakpoints in BomResource and BomUploadProcessingTask and trace the execution to determine where it's failing.

lazyw0lf commented 2 years ago

I did the validation/analyze with CycloneDX CLI and this is the result:

```
# docker run -v /home/all_bom_files:/tmp cyclonedx/cyclonedx-cli analyze --input-file /tmp/bom_merged.xml
Analysis results:
BOM Version: 1

# docker run -v /home/all_bom_files:/tmp cyclonedx/cyclonedx-cli validate --input-file /tmp/bom_merged.xml
Validating XML BOM...
BOM validated successfully.
```

I will try checking the logs or if nothing shows up I will try to set up a dev env for testing.

Thanks

nil4 commented 2 years ago

You may be running into https://github.com/DependencyTrack/dependency-track/issues/1214, due to recent cyclonedx-cli versions writing merged output with a UTF-8 BOM (byte-order-mark), which DT v4.3.6 rejects as invalid on upload.

Due to this mismatch, validating the file with cyclonedx-cli may not flag the issue, but the upload will not be accepted.
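The mismatch described in the comment above (a tolerant validator accepts the file, while the upload side sees the leading byte-order-mark bytes) can be checked and fixed locally before uploading. The following is an added example, not code from the issue or from the Dependency-Track or cyclonedx-cli projects: it inspects a merged BOM as raw bytes, strips a UTF-8 BOM if present, and confirms the result still parses as a CycloneDX document. The sample BOM bytes are constructed for the example, and the CycloneDX 1.3 namespace used in it is an assumption; nothing here claims how DT or the CLI parse the file internally.

```python
import xml.etree.ElementTree as ET

UTF8_BOM = b"\xef\xbb\xbf"

# Assumed namespace for the constructed sample; adjust to the BOM version in use.
CDX_NS = "{http://cyclonedx.org/schema/bom/1.3}"

# Constructed sample: a minimal CycloneDX XML BOM prefixed with a UTF-8 BOM,
# mimicking a merge tool that writes the mark (example data, not a real file).
SAMPLE_BOM_WITH_MARK = UTF8_BOM + b"""<?xml version="1.0" encoding="utf-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
  <components>
    <component type="library">
      <name>example-lib</name>
      <version>1.2.3</version>
    </component>
    <component type="library">
      <name>other-lib</name>
      <version>4.5.6</version>
    </component>
  </components>
</bom>
"""


def has_utf8_bom(data: bytes) -> bool:
    """Byte-level check: does the file start with EF BB BF?"""
    return data.startswith(UTF8_BOM)


def strip_utf8_bom(data: bytes) -> bytes:
    """Return the document without a leading UTF-8 BOM (unchanged if absent)."""
    return data[len(UTF8_BOM):] if has_utf8_bom(data) else data


def parses_as_cyclonedx(data: bytes) -> bool:
    """Lenient parse, as a schema validator might do: expat skips a UTF-8 BOM,
    so this returns True for both the marked and the stripped bytes."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return False
    return root.tag == f"{CDX_NS}bom"


def count_components(data: bytes) -> int:
    """Number of <component> elements, to confirm nothing was lost by stripping."""
    root = ET.fromstring(data)
    return len(root.findall(f".//{CDX_NS}component"))


def prepare_for_upload(data: bytes) -> tuple[bytes, dict]:
    """Normalize a merged BOM and report what was found and changed."""
    report = {
        "had_bom": has_utf8_bom(data),
        "parsed_before": parses_as_cyclonedx(data),
    }
    cleaned = strip_utf8_bom(data)
    report["parsed_after"] = parses_as_cyclonedx(cleaned)
    report["components"] = count_components(cleaned) if report["parsed_after"] else 0
    return cleaned, report


if __name__ == "__main__":
    # Typical use: read the merged file as bytes, normalize, write it back.
    # with open("bom_merged.xml", "rb") as fh: data = fh.read()
    cleaned_bytes, info = prepare_for_upload(SAMPLE_BOM_WITH_MARK)
    print(info)
    # with open("bom_merged.xml", "wb") as fh: fh.write(cleaned_bytes)
```

Run against the real merged file by replacing the constructed sample with the file's bytes (the commented lines in the `__main__` block show where). A report with `had_bom: True` and `parsed_before: True` is exactly the situation the comment describes: the document is valid XML to a parser that skips the mark, yet the first three bytes are not `<?xml`.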