When querying /v1/component/hash/{hash} with Portfolio Access Control enabled, the request fails with an Uncaught internal server error if the requesting team lacks the ACCESS_MANAGEMENT permission. The trace below shows the cause: ComponentQueryManager.preprocessACLs calls put on an immutable Map (ImmutableCollections$AbstractImmutableMap.put throws UnsupportedOperationException), so the ACL filter cannot be added to the query parameters for a team that is subject to ACLs. Teams with ACCESS_MANAGEMENT are not affected because the ACL step is skipped for them.
2023-08-14 15:15:20,880 ERROR [GlobalExceptionHandler] Uncaught internal server error
java.lang.UnsupportedOperationException: null
at java.base/java.util.ImmutableCollections.uoe(Unknown Source)
at java.base/java.util.ImmutableCollections$AbstractImmutableMap.put(Unknown Source)
at org.dependencytrack.persistence.ComponentQueryManager.preprocessACLs(ComponentQueryManager.java:539)
at org.dependencytrack.persistence.ComponentQueryManager.getComponentByHash(ComponentQueryManager.java:191)
at org.dependencytrack.persistence.QueryManager.getComponentByHash(QueryManager.java:500)
at org.dependencytrack.resources.v1.ComponentResource.getComponentByHash(ComponentResource.java:220)
at jdk.internal.reflect.GeneratedMethodAccessor856.invoke(Unknown Source)
...
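The following is an added illustration of the failure mode in the trace, not Dependency-Track's own code: an ACL preprocessing step that appends a team filter to a caller-supplied parameter map throws if that map is immutable (Map.of() or Collections.emptyMap()), and the hardened variant copies the parameters into a fresh HashMap before adding to them. All names (preprocessAclsInPlace, preprocessAcls, Query, the filter syntax, the teamId parameter) are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration, not Dependency-Track code. Names are hypothetical.
public class AclParamsExample {

    // Minimal holder for a filter string plus its named parameters.
    static final class Query {
        final String filter;
        final Map<String, Object> params;
        Query(String filter, Map<String, Object> params) {
            this.filter = filter;
            this.params = params;
        }
    }

    // Buggy shape: the ACL filter is added to the caller's map in place.
    // If the caller passed Map.of(...) or Collections.emptyMap(), put() throws
    // UnsupportedOperationException; Map.of() throws it with a null message,
    // which is what "UnsupportedOperationException: null" in the trace looks like.
    static String preprocessAclsInPlace(String filter, Map<String, Object> params,
                                        boolean aclEnabled, boolean hasAccessManagement,
                                        long teamId) {
        if (!aclEnabled || hasAccessManagement) {
            return filter; // ACCESS_MANAGEMENT bypasses ACLs, nothing to add
        }
        params.put("teamId", teamId); // throws for immutable maps
        return "(" + filter + ") && project.accessTeams.contains(:teamId)";
    }

    // Hardened shape: never mutate what the caller handed over; build a mutable copy,
    // add the ACL parameter to the copy and return both filter and parameters together.
    static Query preprocessAcls(String filter, Map<String, Object> params,
                                boolean aclEnabled, boolean hasAccessManagement,
                                long teamId) {
        Map<String, Object> mutable = new HashMap<>();
        if (params != null) {
            mutable.putAll(params);
        }
        if (!aclEnabled || hasAccessManagement) {
            return new Query(filter, mutable);
        }
        mutable.put("teamId", teamId);
        return new Query("(" + filter + ") && project.accessTeams.contains(:teamId)", mutable);
    }

    public static void main(String[] args) {
        // Constructed input: a caller that builds its parameters with Map.of(), as a
        // lookup-by-hash endpoint plausibly would for a single named parameter.
        Map<String, Object> immutable = Map.of("hash", "deadbeef");

        try {
            preprocessAclsInPlace("sha1 == :hash", immutable, true, false, 42L);
            System.out.println("unexpected: in-place variant did not throw");
        } catch (UnsupportedOperationException e) {
            System.out.println("in-place variant failed: " + e); // reproduces the reported failure
        }

        Query q = preprocessAcls("sha1 == :hash", immutable, true, false, 42L);
        System.out.println(q.filter); // (sha1 == :hash) && project.accessTeams.contains(:teamId)
        System.out.println(q.params); // {hash=deadbeef, teamId=42} (HashMap order may vary)

        // With ACCESS_MANAGEMENT the filter is returned untouched by both variants.
        Query admin = preprocessAcls("sha1 == :hash", immutable, true, true, 42L);
        System.out.println(admin.filter); // sha1 == :hash
    }
}
```

The practical check for a fix is the second call in main: the ACL-restricted path must succeed for a team without ACCESS_MANAGEMENT even when the incoming parameter map is immutable, and the admin path must still return the filter unchanged.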
Steps to Reproduce
1. Enable Portfolio Access Control.
2. Use the API key of a team that does not have the ACCESS_MANAGEMENT permission.
3. Call GET /v1/component/hash/{hash} with that key.
4. The request fails with an Uncaught internal server error and the stack trace above is logged.
Expected Behavior
Fetching components by hash should not fail when Portfolio Access Control is enabled.
Current Behavior
Originally reported via Slack: https://owasp.slack.com/archives/C6R3R32H4/p1692026242844699
When querying /v1/component/hash/{hash}, an Uncaught internal server error is thrown if the ACCESS_MANAGEMENT permission is missing for the team and Portfolio Access Control is enabled.
Dependency-Track Version
4.8.2
Dependency-Track Distribution
Container Image, Executable WAR
Database Server
N/A
Database Server Version
No response
Browser
N/A
Checklist