DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Upload SBOM via API Not working #3443

Open visagansanthanam-unisys opened 7 months ago

visagansanthanam-unisys commented 7 months ago

Current Behavior

Running the API call to submit an SBOM file (XML/JSON) into a project fails with the following error:

2024-02-06 14:21:07,168 ERROR [GlobalExceptionHandler] Uncaught internal server error
javax.jdo.JDODataStoreException: Insert of object "org.dependencytrack.model.Project@2dfdfdbf" using statement "INSERT INTO "PROJECT" ("ACTIVE","AUTHOR","CLASSIFIER","CPE","DESCRIPTION","DIRECT_DEPENDENCIES","EXTERNAL_REFERENCES","GROUP","LAST_BOM_IMPORTED","LAST_BOM_IMPORTED_FORMAT","LAST_RISKSCORE","MANUFACTURER","NAME","PARENT_PROJECT_ID","PUBLISHER","PURL","SUPPLIER","SWIDTAGID","UUID","VERSION") VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)" failed : ERROR: null value in column "NAME" violates not-null constraint
  Detail: Failing row contains (170, t, null, null, null, null, null, null, null, null, null, null, 55, null, null, null, f335a2b6-cbb7-4864-867a-b51d1f54f406, 1.1.3, null, null, null).
      at org.datanucleus.api.jdo.JDOAdapter.getJDOExceptionForNucleusException(JDOAdapter.java:605)
      at org.datanucleus.api.jdo.JDOPersistenceManager.jdoMakePersistent(JDOPersistenceManager.java:702)
      at org.datanucleus.api.jdo.JDOPersistenceManager.makePersistent(JDOPersistenceManager.java:722)
      at alpine.persistence.AbstractAlpineQueryManager.persist(AbstractAlpineQueryManager.java:427)
      at org.dependencytrack.persistence.ProjectQueryManager.createProject(ProjectQueryManager.java:472)
      at org.dependencytrack.persistence.QueryManager.createProject(QueryManager.java:427)
      at org.dependencytrack.resources.v1.BomResource.uploadBom(BomResource.java:311)
      at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(Unknown Source)
      at java.base/java.lang.reflect.Method.invoke(Unknown Source)
      at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52)
      at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:146)
      at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:189)
      at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:176)
      at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:93)
      at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:478)
      at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:400)
      at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:81)
      at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:256)
      at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)
      at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)
      at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
      at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
      at org.glassfish.jersey.internal.Errors.process(Errors.java:244)
      at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:265)
      at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:235)
      at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:684)
      at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:394)
      at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:346)
      at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:358)
      at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:311)
      at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:205)
      at org.eclipse.jetty.servlet.ServletHolder$NotAsync.service(ServletHolder.java:1419)
      at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:764)
      at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1665)
      at alpine.server.filters.ContentSecurityPolicyFilter.doFilter(ContentSecurityPolicyFilter.java:225)
      at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
      at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
      at alpine.server.filters.ClickjackingFilter.doFilter(ClickjackingFilter.java:93)
      at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
      at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
      at alpine.server.filters.WhitelistUrlFilter.doFilter(WhitelistUrlFilter.java:166)
      at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:210)
      at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
      at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:527)
      at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:131)
      at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:598)
      at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
      at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:223)
      at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1570)
      at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221)
      at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1384)
      at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:176)
      at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:484)
      at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1543)
      at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:174)
      at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1306)
      at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129)
      at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
      at org.eclipse.jetty.server.Server.handle(Server.java:563)
      at org.eclipse.jetty.server.HttpChannel$RequestDispatchable.dispatch(HttpChannel.java:1598)
      at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:753)
      at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:501)
      at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:287)
      at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314)
      at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
      at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
      at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:421)
      at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:390)
      at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:277)
      at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.run(AdaptiveExecutionStrategy.java:199)
      at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:411)
      at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:969)
      at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1194)
      at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1149)
      at java.base/java.lang.Thread.run(Unknown Source)
Caused by: org.postgresql.util.PSQLException: ERROR: null value in column "NAME" violates not-null constraint
  Detail: Failing row contains (170, t, null, null, null, null, null, null, null, null, null, null, 55, null, null, null, f335a2b6-cbb7-4864-867a-b51d1f54f406, 1.1.3, null, null, null).

Steps to Reproduce

1. Run the following API call to submit an SBOM:

curl -X "POST" 'https://depcheck-1.com/api/v1/bom' \
        -H 'X-API-Key: xxxx' \
        -H 'Content-Type: multipart/form-data' \
        -F 'projectame=APITest' \
        -F 'projectVersion=1.1.3' \
        -F 'parentName=APITest' \
        -F 'autoCreate=true' \
        -F "bom=@bom1.xml"

SBOM file attached: bom1.zip

Expected Behavior

SBOM Should be successfully uploaded to the project

Dependency-Track Version

4.10.1

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

nscuro commented 7 months ago

The BOM contains a component where the name is either empty, or not present at all. Component names are a mandatory field according to the specification, so the BOM is not valid.

Once https://github.com/DependencyTrack/dependency-track/issues/3218 is implemented, BOMs such as this one will be rejected immediately upon upload.
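Added example, not from this thread or the Dependency-Track project: a pre-upload check in Python that walks a CycloneDX JSON or XML BOM (nested components included) and reports every component whose mandatory name is missing or blank, so an invalid BOM can be caught on the client before it reaches /api/v1/bom. The sample BOMs are constructed; the 1.5 namespace is an assumption and any 1.x namespace is handled the same way.

```python
# Added pre-upload check (not Dependency-Track code): report CycloneDX components
# whose required <name> is missing or blank, the condition nscuro describes above.
import json
import xml.etree.ElementTree as ET

def _walk_json(components, path, missing):
    for i, comp in enumerate(components or []):
        here = f"{path}[{i}]"
        if not isinstance(comp.get("name"), str) or not comp["name"].strip():
            missing.append(here)
        _walk_json(comp.get("components"), here + ".components", missing)  # nested components

def _walk_xml(container, ns, path, missing):
    for i, comp in enumerate(container.findall(f"{ns}component")):
        here = f"{path}[{i}]"
        name = comp.find(f"{ns}name")
        if name is None or not (name.text or "").strip():
            missing.append(here)
        nested = comp.find(f"{ns}components")
        if nested is not None:
            _walk_xml(nested, ns, here + ".components", missing)

def find_unnamed_components(bom_bytes: bytes) -> list:
    """Return path-like locations of components with no usable name; [] means the BOM is fine."""
    missing = []
    data = bom_bytes.lstrip()
    if data.startswith(b"{"):  # CycloneDX JSON
        _walk_json(json.loads(data).get("components"), "components", missing)
    else:  # CycloneDX XML; root tag reads "{http://cyclonedx.org/schema/bom/1.x}bom"
        root = ET.fromstring(data)
        ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
        comps = root.find(f"{ns}components")
        if comps is not None:
            _walk_xml(comps, ns, "components", missing)
    return missing

# Constructed sample BOMs: the first component is valid, the second has no usable name.
SAMPLE_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "name": "jackson-databind", "version": "2.15.2"},
        {"type": "library", "version": "1.0.0"},
    ],
}).encode()
SAMPLE_XML = b"""<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1">
  <components>
    <component type="library"><name>log4j-core</name><version>2.20.0</version></component>
    <component type="library"><name>  </name><version>3.1</version></component>
  </components>
</bom>"""
```

Run `find_unnamed_components(open("bom1.xml", "rb").read())` before the curl call; a non-empty list names the offending components and the upload should be held back until they are fixed.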

visagansanthanam-unisys commented 7 months ago

@nscuro But I can upload the same SBOM file into DTrack via the web UI without any issues.