Open Aster-Lin opened 9 months ago
@Aster-Lin Can you provide example SBOMs and screenshots / API responses you're getting for them?
I am not super clear what exactly the defect is yet, but if ordering of nodes in the BOM affects how the SBOM is being parsed, that could be a bug in the CycloneDX parser.
At least for XML, the order of elements is asserted in the schema. So once https://github.com/DependencyTrack/dependency-track/issues/3218 is implemented, BOMs with invalid order will be rejected.
Hi @nscuro, I'm using CycloneDX 1.4's JSON format. These are two samples with the same content but different order. correct_sbom.txt v_first_sbom.txt
I'm not sure if it's because of the JSON format. Please have a look, thank you.
Current Behavior
When the SBOM (Software Bill of Materials) is not ordered according to the sequence of components > dependencies > vulnerabilities, the dependency graph may not be displayed.
Steps to Reproduce
If vulnerabilities are placed first, neither the components nor the dependency graph can be displayed. If the order is components > vulnerabilities > dependencies, only the dependency graph is unavailable.
Expected Behavior
We should remind users of the importance of SBOM file order. Otherwise, the order should not affect the display.
Dependency-Track Version
4.10.1
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
No response
Browser
Google Chrome
Checklist
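As an added example (not code from the Dependency-Track project or from either commenter): a small Python helper that reorders a CycloneDX 1.4 JSON BOM into the components > dependencies > vulnerabilities sequence the report describes, confirms the reordered file is the same document under JSON semantics, and checks that every ref in dependencies and vulnerabilities resolves to a component bom-ref. The header key list and the sample BOM are assumptions constructed for the demonstration.

```python
import json

# Assumed top-level key order a strict consumer would expect: header fields first,
# then the components > dependencies > vulnerabilities sequence from the report.
PREFERRED_ORDER = ["bomFormat", "specVersion", "serialNumber", "version", "metadata",
                   "components", "services", "dependencies", "vulnerabilities"]

# Constructed sample BOM with vulnerabilities placed before components (the
# "v_first" case). The vulnerability id is a placeholder, not a real advisory.
V_FIRST = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
  "vulnerabilities": [{"id": "EXAMPLE-0001", "affects": [{"ref": "pkg:a@1"}]}],
  "components": [{"type": "library", "name": "a", "version": "1", "bom-ref": "pkg:a@1"},
                 {"type": "library", "name": "b", "version": "2", "bom-ref": "pkg:b@2"}],
  "dependencies": [{"ref": "pkg:a@1", "dependsOn": ["pkg:b@2"]}, {"ref": "pkg:b@2"}]
}""")


def reorder_bom(bom: dict) -> dict:
    """Copy of bom whose top-level keys follow PREFERRED_ORDER; keys not in the
    list keep their relative position at the end. Only key order changes."""
    ordered = {k: bom[k] for k in PREFERRED_ORDER if k in bom}
    ordered.update({k: v for k, v in bom.items() if k not in ordered})
    return ordered


def same_content(a: dict, b: dict) -> bool:
    """True when two BOMs are equal under JSON object semantics: member order is
    not significant (RFC 8259), so a consumer should treat these as the same BOM."""
    return json.dumps(a, sort_keys=True) == json.dumps(b, sort_keys=True)


def dangling_refs(bom: dict) -> list:
    """Refs in dependencies/vulnerabilities that name no component bom-ref.
    A missing graph caused by these is a content problem, not an ordering one."""
    known = {c.get("bom-ref") for c in bom.get("components", [])}
    known.add(bom.get("metadata", {}).get("component", {}).get("bom-ref"))
    seen = []
    for dep in bom.get("dependencies", []):
        seen += [dep.get("ref")] + list(dep.get("dependsOn", []))
    for vuln in bom.get("vulnerabilities", []):
        seen += [a.get("ref") for a in vuln.get("affects", [])]
    return sorted({r for r in seen if r not in known})


if __name__ == "__main__":
    fixed = reorder_bom(V_FIRST)
    print(list(fixed), same_content(V_FIRST, fixed), dangling_refs(fixed))
```

Running the reordered BOM through `dangling_refs` before upload separates "the graph is missing because of key order" from "the graph is missing because a ref points nowhere".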