DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Licenses not visible after SBOM upload #2226

Open vasba opened 1 year ago

vasba commented 1 year ago

Current Behavior

If the attached SBOM is loaded into Dependency Track the licenses are not visible.

bom.txt

Steps to Reproduce

1. Load the file
2. Check the project and no licenses are shown

Expected Behavior

The licenses should be visible in the project for each component.

Dependency-Track Version

4.6.2

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Mozilla Firefox

syalioune commented 1 year ago

Was able to reproduce it. It really is an issue with cyclonedx-core-java LicenceDeserializer (and maybe DT) which does not handle well nodes like

{
  "licenses": [
    {
      "license": {
        "id": "GPL-2.0"
      }
    },
    {
      "expression": "GPL-2.0"
    }
  ]
}

licenses[*].license.id is ignored when encountering licenses[*].expression, whereas Dependency Track only manages licenses[*].license.id.

The cyclonedx-core-java license deserializer should surely be fixed. I'm not sure about Dependency Track handling license expressions.

stevespringett commented 1 year ago

I'm not sure about Dependency Track handling license expressions.

Yes, ideally it should. One of the early tickets that nobody has had a chance to work on yet. #170

syalioune commented 1 year ago

OK, I'll try to work on it (deserializer part and DT handling of license expressions)

vasba commented 1 year ago

Hi!

Great that you found this issue. I will try again when this is fixed.

Thanks!

JoshuaAtEriks commented 1 year ago

Encountered the same issue while uploading an SBOM generated by Aqua Trivy. The license info in the SBOM JSON is of the format below:

"licenses": [
  {
    "expression": "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0"
  }
]
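A pre-upload check for the two license shapes discussed in this thread (syalioune's mixed license.id + expression node, and the expression-only entries from Trivy above), as an added example that is not code from the issue, Dependency-Track or cyclonedx-core-java. It reads every entry of a component's licenses array instead of stopping at the first expression, and lists the components that carry only SPDX expressions, which a consumer that reads just license.id would show without licenses. The BOM fragment is constructed, not the attached bom.txt.

```python
import json

# Constructed sample BOM fragment (not the issue's attached bom.txt):
# "a" mixes a license.id entry with an expression entry (syalioune's shape),
# "b" is expression-only (the Trivy shape reported above), "c" has id only,
# "d" declares no licenses at all.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "a", "version": "1.0", "licenses": [
            {"license": {"id": "GPL-2.0"}},
            {"expression": "GPL-2.0"}]},
        {"name": "b", "version": "2.0", "licenses": [
            {"expression": "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0"}]},
        {"name": "c", "version": "3.0", "licenses": [
            {"license": {"id": "MIT"}}]},
        {"name": "d", "version": "4.0"},
    ],
})


def component_licenses(component):
    """Return (ids, expressions) for one component, visiting every entry of
    the licenses array rather than stopping at the first expression."""
    ids, expressions = [], []
    for entry in component.get("licenses", []):
        lic = entry.get("license")
        if isinstance(lic, dict):
            # CycloneDX allows either an SPDX id or a free-form name here.
            ids.append(lic.get("id") or lic.get("name"))
        if "expression" in entry:
            expressions.append(entry["expression"])
    return ids, expressions


def expression_only_components(bom_json):
    """Names of components whose license data is solely SPDX expressions;
    a consumer that only reads license.id would show them without licenses."""
    bom = json.loads(bom_json)
    flagged = []
    for comp in bom.get("components", []):
        ids, expressions = component_licenses(comp)
        if expressions and not ids:
            flagged.append(comp["name"])
    return flagged


if __name__ == "__main__":
    for comp in json.loads(SAMPLE_BOM)["components"]:
        print(comp["name"], component_licenses(comp))
    print("expression-only:", expression_only_components(SAMPLE_BOM))
```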

strowi commented 1 year ago

Looking forward to a fix, would love to use trivy for SBOM generation.

LesSyner commented 1 year ago

@syalioune Do you have any news about fixing this issue? I've tried a few tools for SBOM generation along with license info and have found trivy to be the best tool for my needs. Sadly, due to this bug I cannot use trivy-generated SBOM files in dependency-track for license management :(

LesSyner commented 1 year ago

I've verified things on the trivy side and have found issues there regarding the invalidity of generated SBOM files according to the CycloneDX JSON schema. Here is the issue I've created for trivy: https://github.com/aquasecurity/trivy/issues/4900 It looks like the issue is in trivy. I've tried SBOM files generated by other tools like syft. They are valid according to the schema, and when imported into Dependency-Track they show licenses properly.