DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Support Import of CycloneDX 1.6 BOMs #3584

Closed msymons closed 1 month ago

msymons commented 3 months ago

Current Behavior

Dependency-Track v4.9 implemented support for the import of BOMs that are CycloneDX 1.5 or below. See #2850

CycloneDX 1.6 will be released before the end of March 2024, or in the first week of April. We will start to see tooling producing 1.6 BOMs shortly thereafter (most certainly from the cdxgen project). An attempt to import any such BOM to DT v4.10.1 would throw an error.

Proposed Behavior

Dependency-Track must be updated so that CycloneDX v1.6 BOMs can be imported without error.

The implementation of support for new functionality offered by 1.6 (CBOM, etc.) is expected to be covered by other issues. This enhancement is to ensure that existing CycloneDX functionality is preserved... no errors, and dependency graphs (etc.) still work.

Note: We have a dependency on cyclonedx-core-java and so implementation of this enhancement is blocked until core-java is updated to support spec v1.6.


nscuro commented 3 months ago

Note that as of v4.11, uploads of BOMs with unsupported spec versions will no longer fail silently in the background. Instead, they will fail schema validation and users will get immediate feedback about it.
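The two comments above describe the failure mode at the boundary: a BOM whose declared spec version is newer than what the target Dependency-Track release supports is rejected (silently in older releases, at schema validation from 4.11). The following is an added example, not code from this issue or from the Dependency-Track project, of a pre-upload check that reads the spec version a JSON or XML CycloneDX BOM declares and compares it against the highest version the target instance accepts. The default ceiling of "1.5" is an assumption taken from the thread (4.9 through 4.11 import 1.5 or below); the sample BOMs are constructed for the example.

```python
"""Pre-upload check for the CycloneDX spec version declared by a BOM.

Added example, not Dependency-Track code. It answers one question before a
BOM is sent to a Dependency-Track instance: does the BOM declare a spec
version the target release is known to import?
"""
import json
import re
import xml.etree.ElementTree as ET

# Highest spec version the target Dependency-Track accepts. "1.5" reflects
# the thread's statement that 4.9 through 4.11 import 1.5 or below; adjust
# this for your deployment (assumed default, not read from the server).
DEFAULT_MAX_SUPPORTED = "1.5"

# CycloneDX XML BOMs carry the spec version in the root element's namespace.
_XML_BOM_TAG = re.compile(r"^\{http://cyclonedx\.org/schema/bom/(\d+\.\d+)\}bom$")
_VERSION = re.compile(r"^\d+\.\d+$")


def detect_spec_version(bom: bytes) -> str:
    """Return the spec version ("1.6", ...) declared by a JSON or XML CycloneDX BOM.

    Raises ValueError when the document is not a recognisable CycloneDX BOM,
    so callers cannot mistake an unrelated file for a supported BOM.
    """
    text = bom.lstrip()
    if text.startswith(b"{"):
        doc = json.loads(text)
        if not isinstance(doc, dict) or doc.get("bomFormat") != "CycloneDX":
            raise ValueError("JSON document does not declare bomFormat=CycloneDX")
        version = doc.get("specVersion")
        if not isinstance(version, str) or not _VERSION.match(version):
            raise ValueError(f"missing or malformed specVersion: {version!r}")
        return version
    if text.startswith(b"<"):
        # The stdlib parser is not hardened against entity-expansion attacks;
        # parse BOMs from untrusted producers with defusedxml instead.
        root = ET.fromstring(text)
        match = _XML_BOM_TAG.match(root.tag)
        if not match:
            raise ValueError(f"root element is not a CycloneDX <bom>: {root.tag}")
        return match.group(1)
    raise ValueError("document is neither JSON nor XML")


def _as_tuple(version: str) -> tuple:
    # "1.10" must sort after "1.9", so compare numerically, not as strings.
    return tuple(int(part) for part in version.split("."))


def check_bom(bom: bytes, max_supported: str = DEFAULT_MAX_SUPPORTED) -> dict:
    """Report the declared spec version and whether the target DT accepts it."""
    version = detect_spec_version(bom)
    return {
        "specVersion": version,
        "supported": _as_tuple(version) <= _as_tuple(max_supported),
    }


# Constructed sample BOMs (minimal, for the example only).
SAMPLE_JSON_16 = b"""{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "version": 1,
  "components": [{"type": "library", "name": "example-lib", "version": "1.0.0"}]
}"""
SAMPLE_XML_15 = b"""<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1">
  <components/>
</bom>"""


if __name__ == "__main__":
    for label, sample in (("json-1.6", SAMPLE_JSON_16), ("xml-1.5", SAMPLE_XML_15)):
        result = check_bom(sample)
        verdict = "ok to upload" if result["supported"] else "would fail validation"
        print(f"{label}: specVersion {result['specVersion']}: {verdict}")
```

Run this against a BOM before calling the upload endpoint and raise the ceiling to "1.6" once the target instance has been upgraded to a release that imports 1.6; the check only reads the declared version and does not validate the BOM against the schema, which the server still does.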

nscuro commented 1 month ago

Assigning to 4.12 as I am expecting the Java library to be published during the 4.12 release cycle.

msymons commented 1 month ago

The block is removed due to the release of cyclonedx-core-java v9.0.0.

nscuro commented 1 month ago

Had some code lying around from my initial tests with this library version. So went ahead and committed that. Raised PR #3710.

github-actions[bot] commented 2 weeks ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.