DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

NULL not allowed for column "NAME" #2799

Open esnible opened 1 year ago

esnible commented 1 year ago

Current Behavior

If I upload a CycloneDX SBOM with an invalid name (and/or?) purl, DependencyTrack is unable to analyze the rest of the SBOM.

For example, I had an SBOM that included the component:

    {
      "type": "library",
      "bom-ref": "pkg:cran/",
      "name": "",
      "version": "",
      "licenses": [
        {
          "license": {
            "name": "NOASSERTION"
          }
        }
      ],
      "purl": "pkg:cran/"
    },

The UI couldn't see it at all, and the API could see 12698 components but 0 vulnerabilities.

Removing this component allowed 1435 vulnerabilities to be identified.

The logs show:

2023-06-01 10:35:17,253 WARN [ModelConverter] Unable to parse PackageURL: pkg:cran/
2023-06-01 10:35:39,877 WARN [Persist] Insert of object "org.dependencytrack.model.Component@7dd0659b" using statement "INSERT INTO COMPONENT (AUTHOR,BLAKE2B_256,BLAKE2B_384,BLAKE2B_512,BLAKE3,CLASSIFIER,COPYRIGHT,CPE,DESCRIPTION,DIRECT_DEPENDENCIES,EXTENSION,EXTERNAL_REFERENCES,FILENAME,"GROUP",INTERNAL,LAST_RISKSCORE,LICENSE,LICENSE_URL,MD5,"NAME",TEXT,PARENT_COMPONENT_ID,PROJECT_ID,PUBLISHER,PURL,PURLCOORDINATES,LICENSE_ID,SHA1,SHA_256,SHA_384,SHA3_256,SHA3_384,SHA3_512,SHA_512,SWIDTAGID,UUID,VERSION) VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)" failed : NULL not allowed for column "NAME"; SQL statement:
...
    at org.datanucleus.api.jdo.JDOAdapter.getJDOExceptionForNucleusException(JDOAdapter.java:605)
    at org.datanucleus.api.jdo.JDOPersistenceManager.jdoMakePersistent(JDOPersistenceManager.java:702)
    at org.datanucleus.api.jdo.JDOPersistenceManager.makePersistent(JDOPersistenceManager.java:722)
    at alpine.persistence.AbstractAlpineQueryManager.persist(AbstractAlpineQueryManager.java:427)
    at org.dependencytrack.persistence.ComponentQueryManager.createComponent(ComponentQueryManager.java:306)

Steps to Reproduce

  1. Add
    {
      "type": "library",
      "bom-ref": "pkg:cran/",
      "name": "",
      "version": "",
      "licenses": [
        {
          "license": {
            "name": "NOASSERTION"
          }
        }
      ],
      "purl": "pkg:cran/"
    },

... to any SBOM with >0 vulnerabilities.

Expected Behavior

I'd like to see DependencyTrack complain about the invalid Component metadata but I am not sure where it should surface that complaint in the UI.

I'd like SBOM processing to continue when such a component is part of the SBOM.

Dependency-Track Version

4.8.2

Dependency-Track Distribution

Container Image

Database Server

N/A

Database Server Version

No response

Browser

Google Chrome


stefansundin commented 9 months ago

I came across this problem too. While waiting for it to be fixed, I managed to work around it for now by filtering the SBOM with this jq command:

jq '.components |= map(select(.name != ""))' sbom.json > sbom-filtered.json
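A pre-flight filter that does the same job as the jq one-liner above but goes a step further, as an added example for this issue (it is not code from the Dependency-Track project or from either commenter). Besides dropping components with an empty or missing name, it drops components whose purl has no name segment (the `pkg:cran/` shape from the report, which is what `ModelConverter` warned about), and it removes `dependencies` entries and `dependsOn` references that point at the dropped bom-refs, so the graph that reaches Dependency-Track has no dangling references. The purl check is a simplified regex of the `pkg:type/[namespace/]name[@version][?qualifiers][#subpath]` shape, not the full purl spec, and the sample SBOM is constructed here from the component shown in the report; nested `components` inside a component are not recursed. Both are assumptions of the example.

```python
"""Pre-flight filter for a CycloneDX JSON SBOM before uploading it to Dependency-Track.

Added example for this issue, not code from the Dependency-Track project.
Drops every component whose "name" is empty or missing, or whose "purl" has no
name segment (the "pkg:cran/" shape from the report), and also removes
"dependencies" entries and "dependsOn" references pointing at the dropped
bom-refs so the remaining dependency graph has no dangling references.
Nested "components" inside a component are not recursed (assumption).
"""
import json
import re
import sys

# Assumed shape for the check: "pkg:" + type + "/" + optional namespace
# segments + a non-empty name, optionally followed by @version, ?qualifiers or
# #subpath. Stricter than the jq one-liner, looser than the full purl spec
# (no qualifier-key validation, no percent-decoding).
_PURL_RE = re.compile(r"^pkg:[A-Za-z0-9.+-]+/(?:[^@?#/]+/)*[^@?#/]+(?:[@?#].*)?$")


def purl_is_wellformed(purl: str) -> bool:
    """True when the purl has a type and a non-empty name segment."""
    return bool(_PURL_RE.match(purl))


def component_problems(component: dict) -> list:
    """List the metadata defects that would make this component unpersistable."""
    problems = []
    if not component.get("name"):
        problems.append("empty name")
    purl = component.get("purl")
    if purl is not None and not purl_is_wellformed(purl):
        problems.append(f"unparseable purl {purl!r}")
    return problems


def filter_sbom(sbom: dict):
    """Return (filtered copy of sbom, list of (bom-ref, problems) for dropped components)."""
    kept, dropped = [], []
    for component in sbom.get("components", []):
        problems = component_problems(component)
        if problems:
            dropped.append((component.get("bom-ref"), problems))
        else:
            kept.append(component)
    dropped_refs = {ref for ref, _ in dropped if ref is not None}

    filtered = dict(sbom)
    filtered["components"] = kept
    if "dependencies" in sbom:
        dependencies = []
        for dep in sbom["dependencies"]:
            if dep.get("ref") in dropped_refs:
                continue  # the node itself is gone
            pruned = dict(dep)
            pruned["dependsOn"] = [r for r in dep.get("dependsOn", []) if r not in dropped_refs]
            dependencies.append(pruned)
        filtered["dependencies"] = dependencies
    return filtered, dropped


# Constructed sample: one valid component plus the exact component from the report.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "bom-ref": "pkg:npm/demo-app@1.0.0",
                               "name": "demo-app", "version": "1.0.0"}},
    "components": [
        {"type": "library", "bom-ref": "pkg:npm/lodash@4.17.21", "name": "lodash",
         "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "bom-ref": "pkg:cran/", "name": "", "version": "",
         "licenses": [{"license": {"name": "NOASSERTION"}}], "purl": "pkg:cran/"},
    ],
    "dependencies": [
        {"ref": "pkg:npm/demo-app@1.0.0", "dependsOn": ["pkg:npm/lodash@4.17.21", "pkg:cran/"]},
        {"ref": "pkg:npm/lodash@4.17.21", "dependsOn": []},
        {"ref": "pkg:cran/", "dependsOn": []},
    ],
}


def main(argv):
    # Usage: python filter_sbom.py sbom.json sbom-filtered.json  (no args: run on the sample)
    if len(argv) == 3:
        with open(argv[1], encoding="utf-8") as fh:
            sbom = json.load(fh)
    else:
        sbom = SAMPLE_SBOM
    filtered, dropped = filter_sbom(sbom)
    for ref, problems in dropped:
        print(f"dropped component bom-ref={ref!r}: {', '.join(problems)}", file=sys.stderr)
    if len(argv) == 3:
        with open(argv[2], "w", encoding="utf-8") as fh:
            json.dump(filtered, fh, indent=2)
    else:
        print(json.dumps(filtered, indent=2))


if __name__ == "__main__":
    main(sys.argv)
```

The report of dropped components goes to stderr so the filtered SBOM on stdout stays valid JSON; in a CI pipeline you would fail the build (or at least alert) on a non-empty report rather than silently shipping a smaller SBOM, since a generator emitting `pkg:cran/` usually means a package was not identified at all.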