Status: Closed (closed by jo-so 6 months ago)
Similar issue for BOM uploads: cf BomResource file
To go even further, there are some missing validations on both BOM and VEX uploads. PUT and POST on /v1/bom without a payload will respond with a 500 Internal Server Error. PUT and POST on /v1/vex will also respond with a 500 Internal Server Error without a payload.
I know wanting to upload a file without providing a payload sounds strange, but the app should still handle this edge case better.
There is also a difference in validation between POST and PUT, with the PUT methods having more validation. As they are pretty similar, shouldn't the validations be more similar as well?
Current Behavior
The swagger.json says the content field for `/vex` is `body`, but the code in VexResource.java:175 accesses `vex`. There is a `!= null` check missing, which causes the request to crash with a 500:

Steps to Reproduce
curl -H "X-Api-Key: $DT_API_KEY" -F "projectName=$dt_project" -F "projectVersion=$dt_version" -F 'bom=@-' "$dt_host_url/api/v1/vex"

Expected Behavior
The API should return `400 Bad Request` and tell `field with name 'vex' missing`. And the swagger.json should give the field name `vex`.
Dependency-Track Version: 4.9.x
Dependency-Track Distribution: Container Image
Database Server: PostgreSQL
Database Server Version: No response
Browser: Other
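The shape of the fix both the issue body (the missing null check on the `vex` part) and the follow-up comment (POST and PUT validating differently) are asking for, as an added example written for this thread. This is a hypothetical JAX-RS/Jersey resource, not Dependency-Track's VexResource, and the class, method and message names are assumptions; it validates the multipart fields before touching them, returns 400 naming the missing field, and routes POST and PUT through one shared check so the two verbs cannot drift apart.

```java
import java.util.List;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.glassfish.jersey.media.multipart.FormDataBodyPart;
import org.glassfish.jersey.media.multipart.FormDataParam;

// Hypothetical resource written for this thread; it is not
// Dependency-Track's VexResource and the names are assumptions.
@Path("/v1/vex")
public class VexUploadExample {

    @POST
    @Consumes(MediaType.MULTIPART_FORM_DATA)
    public Response uploadPost(@FormDataParam("projectName") String projectName,
                               @FormDataParam("projectVersion") String projectVersion,
                               @FormDataParam("vex") List<FormDataBodyPart> vexParts) {
        return handleUpload(projectName, projectVersion, vexParts);
    }

    @PUT
    @Consumes(MediaType.MULTIPART_FORM_DATA)
    public Response uploadPut(@FormDataParam("projectName") String projectName,
                              @FormDataParam("projectVersion") String projectVersion,
                              @FormDataParam("vex") List<FormDataBodyPart> vexParts) {
        // Same validation as POST, so the two verbs reject bad input identically.
        return handleUpload(projectName, projectVersion, vexParts);
    }

    private static Response handleUpload(String projectName, String projectVersion,
                                         List<FormDataBodyPart> vexParts) {
        // When the multipart body carries no part named 'vex' (for example the
        // issue's curl, which sends 'bom' instead), Jersey injects null here
        // (or an empty list, depending on the client encoder). Without this
        // guard, vexParts.get(0) throws a NullPointerException that the
        // container reports as 500 Internal Server Error.
        if (vexParts == null || vexParts.isEmpty()) {
            return badRequest("field with name 'vex' missing");
        }
        if (isBlank(projectName) || isBlank(projectVersion)) {
            return badRequest("projectName and projectVersion are required");
        }
        // A present but empty part is also client error, not a server fault.
        final byte[] vex = vexParts.get(0).getValueAs(byte[].class);
        if (vex == null || vex.length == 0) {
            return badRequest("field 'vex' is empty");
        }
        // The document is present and non-empty; parsing and processing
        // would follow here.
        return Response.ok().build();
    }

    private static boolean isBlank(String s) {
        return s == null || s.trim().isEmpty();
    }

    private static Response badRequest(String message) {
        return Response.status(Response.Status.BAD_REQUEST)
                .type(MediaType.TEXT_PLAIN)
                .entity(message)
                .build();
    }
}
```

Against a handler of this shape, the curl from the issue (which uploads the file under `bom`, not `vex`) gets a 400 with the body `field with name 'vex' missing` instead of a 500, and a PUT with the same form gets the same answer, since both verbs share `handleUpload`.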