DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Use cpe and/or purl from cyclonedx metadata.component to set project cpe and/or purl. #3643

Open savek-cc opened 3 months ago

savek-cc commented 3 months ago

Current Behavior

When importing an SBOM that defines a CPE and/or PURL for the metadata.component, these fields are not populated for the project created. Other properties of the metadata.component have been fixed in the past, see e.g. https://github.com/DependencyTrack/dependency-track/pull/3179

Steps to Reproduce

  1. Import an SBOM with a metadata.component.cpe entry
  2. Review the project information - it's missing the data for the CPE field.

Expected Behavior

Imported project also populates CPE and PURL fields if present in the metadata.component.cpe/purl

Dependency-Track Version

4.10.0

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

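The check described in this report, as an added example that is not part of the issue or of Dependency-Track's own code: it reads the `metadata.component` of a CycloneDX SBOM, keeps the CPE and PURL only when they are well-formed, and then lists which of those identifiers a stored project record lacks. The SBOM and the project dictionary are constructed here to stand in for an uploaded BOM and for the project object a user would retrieve afterwards; the regular expressions are this example's own approximations of the CPE 2.3 and PURL grammars, not the project's validators.

```python
"""Check whether a project record carries the CPE/PURL its SBOM's metadata.component supplies."""
import json
import re
from typing import Dict, List, Optional

# Constructed sample SBOM (not taken from the issue). metadata.component
# carries both a CPE and a PURL, which the project should inherit.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "component": {
            "type": "application",
            "name": "example-app",
            "version": "1.2.3",
            "cpe": "cpe:2.3:a:example:example-app:1.2.3:*:*:*:*:*:*:*",
            "purl": "pkg:maven/com.example/example-app@1.2.3",
        }
    },
    "components": [],
})

# Loose shape checks (this example's own, not Dependency-Track's):
# a CPE 2.3 string is "cpe:2.3:" plus a part field and ten more colon-separated fields;
# a PURL is "pkg:" plus a type, a slash and at least one more character.
CPE23_RE = re.compile(r"^cpe:2\.3:[aho*-](?::[^:]*){10}$")
PURL_RE = re.compile(r"^pkg:[A-Za-z.+-][A-Za-z0-9.+-]*/.+$")


def _valid(value: Optional[str], pattern: re.Pattern) -> Optional[str]:
    """Return the value if it is a non-empty string matching the pattern, else None."""
    if isinstance(value, str) and pattern.match(value):
        return value
    return None


def project_identifiers(bom_json: str) -> Dict[str, Optional[str]]:
    """Extract the project-level fields from metadata.component.

    Missing or malformed cpe/purl values come back as None instead of
    raising, so a BOM without metadata.component is handled gracefully.
    """
    bom = json.loads(bom_json)
    component = (bom.get("metadata") or {}).get("component") or {}
    return {
        "name": component.get("name"),
        "version": component.get("version"),
        "cpe": _valid(component.get("cpe"), CPE23_RE),
        "purl": _valid(component.get("purl"), PURL_RE),
    }


def missing_identifiers(bom_json: str, project: Dict[str, Optional[str]]) -> List[str]:
    """List identifier fields the SBOM supplies but the stored project record lacks.

    `project` is the dictionary form of the project as retrieved after the
    upload (constructed in the usage below); an empty list means the import
    behaved as the issue's "Expected Behavior" describes.
    """
    expected = project_identifiers(bom_json)
    return [field for field in ("cpe", "purl") if expected[field] and not project.get(field)]


if __name__ == "__main__":
    # Constructed project record mirroring the reported behaviour: name and
    # version were populated from metadata.component, cpe and purl were not.
    stored_project = {"name": "example-app", "version": "1.2.3", "cpe": None, "purl": None}
    print("SBOM identifiers:", project_identifiers(SAMPLE_BOM))
    print("Missing on project:", missing_identifiers(SAMPLE_BOM, stored_project))
```

Running the module against a record where only name and version were copied reports `['cpe', 'purl']`; once both fields are propagated the list is empty, which makes the function a compact regression check for the behaviour the issue asks for.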

nscuro commented 3 months ago

Already addressed in BomUploadProcessingTaskV2 which ships with DT v4.11:

https://github.com/DependencyTrack/dependency-track/blob/3efdd24570f16fc6bfb168795e66227cb8fece78/src/main/java/org/dependencytrack/tasks/BomUploadProcessingTaskV2.java#L339-L355

But not in the legacy BomUploadProcessingTask:

https://github.com/DependencyTrack/dependency-track/blob/3efdd24570f16fc6bfb168795e66227cb8fece78/src/main/java/org/dependencytrack/tasks/BomUploadProcessingTask.java#L115-L155