DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Add API to lookup project by its name and version #262

Closed wlfshmn closed 5 years ago

wlfshmn commented 5 years ago

Current Behavior:

Invoking the plugin from a pipeline as follows:

script {
    // Read the Maven coordinates so the project name/version track pom.xml (added comment)
    pom = readMavenPom file: 'pom.xml'
    // Missing opening quote before ${pom.artifactId} in the original paste has been restored
    dependencyTrackPublisher artifact: 'target/bom.xml', artifactType: 'bom', projectName: "${pom.artifactId}", projectVersion: "${pom.version}", synchronous: true
}

Results in a correct upload of a BOM to Dependency-Track, but the synchronous polling fails as it expects a projectUuid and has none, as the invocation didn't supply one.

Setting synchronous to false allows the step to complete, but without the benefits of synchronous mode.

Build logs show the following:

08:34:07 [DependencyTrack] Publishing artifact to Dependency-Track
08:34:07 [DependencyTrack] The artifact was successfully published
08:34:17 [DependencyTrack] Polling Dependency-Track for BoM processing status
08:34:27 [DependencyTrack] Polling Dependency-Track for BoM processing status
08:34:27 [DependencyTrack] Processing findings
08:34:27 [DependencyTrack] An error occurred while retrieving findings - HTTP response code: 500 Request failed.

Dependency-Track server logs contain the following:

javax.servlet.ServletException: java.lang.IllegalArgumentException: Invalid UUID string: null
        at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:432)
        at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:370)
        at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:389)
        at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:342)
        at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:229)
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:867)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1623)
        at alpine.filters.ContentSecurityPolicyFilter.doFilter(ContentSecurityPolicyFilter.java:223)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
        at alpine.filters.ClickjackingFilter.doFilter(ClickjackingFilter.java:91)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
        at alpine.filters.WhitelistUrlFilter.doFilter(WhitelistUrlFilter.java:113)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1602)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:540)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
        at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1588)
        at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1345)
        at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:480)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1557)
        at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1247)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
        at org.eclipse.jetty.server.Server.handle(Server.java:502)
        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:364)
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)
        at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
        at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
        at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683)
        at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.IllegalArgumentException: Invalid UUID string: null
        at java.util.UUID.fromString(UUID.java:194)
        at alpine.persistence.AbstractAlpineQueryManager.getObjectByUuid(AbstractAlpineQueryManager.java:526)
        at org.dependencytrack.resources.v1.FindingResource.getFindingsByProject(FindingResource.java:68)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:76)
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:148)
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:191)
        at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:200)
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:103)
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:493)
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:415)
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:104)
        at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:277)
        at org.glassfish.jersey.internal.Errors$1.call(Errors.java:272)

Steps to Reproduce (if defect):

See above

Expected Behavior:

Ideally, findings should be retrievable with name/version as well as uuid. Alternatively, the plugin should check for a missing uuid and log this functional limitation.


stevespringett commented 5 years ago

@wlfshmn An API to resolve a project via its name and version doesn't exist. So currently, the use-case you're looking to achieve isn't supported.

I'll add a resolution API to the next feature release and add that functionality to the Jenkins plugin once available.

msymons commented 5 years ago

@stevespringett, I ran into the same issue last week. No problem... we can wait for the next feature release.

However, I am thinking... with a "resolve" API available, could one perhaps use this to have pipeline multibranch jobs automatically delete the matching project in Dependency-Track when the branch is deleted in the Jenkins job? Maybe using curl? Or perhaps by an extension to Dependency-Track plugin functionality?

stevespringett commented 5 years ago

The API for looking up a project by its name and version is complete. The defect reported in this ticket is specific to the Jenkins plugin, not Dependency-Track itself. The changes to the Jenkins plugin are being tracked in jenkinsci/dependency-track-plugin/pull/5
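The client-side check the issue asks for (fail before sending a missing UUID to the findings endpoint, and resolve a project by name/version once a lookup API exists) is shown below as an added example. It is not code from Dependency-Track or the Jenkins plugin; it is a small Python REST client sketch, written in Python rather than the project's Java so it can run stand-alone. The endpoint paths (/api/v1/project/lookup, /api/v1/finding/project/{uuid}, /api/v1/project/{uuid}), the X-Api-Key header, the sample project and its UUID are assumptions for the example; the issue itself names none of them.

```python
"""Resolve a Dependency-Track project to a UUID before calling UUID-keyed endpoints.

Added example, not the plugin's or the server's own code. The server stack trace
in the issue shows UUID.fromString(null) failing with HTTP 500 when the plugin
passes no projectUuid; the functions here make that a clear client-side error.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
import uuid
from typing import Callable, Dict, Optional, Tuple

# Endpoint paths assumed from Dependency-Track's REST API (not stated in the issue).
LOOKUP_PATH = "/api/v1/project/lookup"
FINDINGS_PATH = "/api/v1/finding/project/{uuid}"
PROJECT_PATH = "/api/v1/project/{uuid}"  # DELETE here would serve the branch-cleanup idea

LookupFn = Callable[[str, str], Optional[str]]


class ProjectResolutionError(Exception):
    """Raised when no usable project UUID can be determined on the client."""


def is_valid_uuid(value: Optional[str]) -> bool:
    """True only for a well-formed UUID string; None and the literal 'null' are rejected."""
    if not isinstance(value, str):
        return False
    try:
        uuid.UUID(value)
    except ValueError:
        return False
    return True


def resolve_project_uuid(project_uuid: Optional[str], project_name: Optional[str],
                         project_version: Optional[str], lookup: LookupFn) -> str:
    """Return the UUID to use for status/findings calls.

    Order of preference: an explicit well-formed projectUuid, then a name+version
    lookup. Anything else fails here instead of producing the server-side 500.
    """
    if project_uuid is not None:
        if not is_valid_uuid(project_uuid):
            raise ProjectResolutionError(f"projectUuid is not a valid UUID: {project_uuid!r}")
        return str(uuid.UUID(project_uuid))  # normalised to lowercase canonical form
    if not project_name or not project_version:
        raise ProjectResolutionError(
            "synchronous mode needs projectUuid, or both projectName and projectVersion")
    found = lookup(project_name, project_version)
    if not is_valid_uuid(found):
        raise ProjectResolutionError(
            f"no project found for name={project_name!r} version={project_version!r}")
    return found


def lookup_url(base_url: str, name: str, version: str) -> str:
    """Build the name/version lookup URL with the query properly encoded."""
    query = urllib.parse.urlencode({"name": name, "version": version})
    return base_url.rstrip("/") + LOOKUP_PATH + "?" + query


def findings_url(base_url: str, project_uuid: str) -> str:
    """Build the findings URL; refuses to interpolate anything that is not a UUID."""
    if not is_valid_uuid(project_uuid):
        raise ProjectResolutionError("refusing to request findings without a valid UUID")
    return base_url.rstrip("/") + FINDINGS_PATH.format(uuid=project_uuid)


def http_lookup(base_url: str, api_key: str) -> LookupFn:
    """Lookup against a real server (assumed X-Api-Key header); not exercised offline."""
    def lookup(name: str, version: str) -> Optional[str]:
        req = urllib.request.Request(lookup_url(base_url, name, version),
                                     headers={"X-Api-Key": api_key})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return json.load(resp).get("uuid")
        except urllib.error.HTTPError as exc:
            if exc.code == 404:  # no such project: let the caller decide
                return None
            raise
    return lookup


def inventory_lookup(inventory: Dict[Tuple[str, str], str]) -> LookupFn:
    """Offline stand-in for the lookup API, backed by a constructed table."""
    def lookup(name: str, version: str) -> Optional[str]:
        return inventory.get((name, version))
    return lookup


# Constructed sample data for the example; the project and UUID are made up.
SAMPLE_INVENTORY = {("my-app", "1.2.3"): "6d3c1f6a-0b8e-4f0a-9c37-8a1b2c3d4e5f"}

if __name__ == "__main__":
    offline = inventory_lookup(SAMPLE_INVENTORY)
    pid = resolve_project_uuid(None, "my-app", "1.2.3", offline)
    print(findings_url("http://dtrack.example", pid))
```

Swapping inventory_lookup for http_lookup(base_url, api_key) turns the same resolution step into a real call; the point of keeping the validation in findings_url as well is that a bad UUID is caught whichever path produced it.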
