DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Setting BOM_VALIDATION_ENABLED environment variable to false not disabling BOM validation #3740

Status: Closed (mattdunn-eh closed this 4 months ago)

mattdunn-eh commented 4 months ago

Current Behavior

https://github.com/DependencyTrack/dependency-track/pull/3522 refers to the ability to disable BOM validation by setting the environment variable BOM_VALIDATION_ENABLED=false. This has been set (correctly, we think), but BOM validation is still applied (we receive a BOM validation failure for a BOM containing validation issues).

Steps to Reproduce

  1. Set BOM_VALIDATION_ENABLED=false in the containerised environment for the Dependency-Track server
  2. Post a BOM that will fail validation to /api/v1/bom:

     ```bash
     # ${{ inputs.* }} are GitHub Actions workflow inputs; the response body and
     # HTTP status code are captured together as "<body>HTTPSTATUS:<code>"
     HTTP_RESPONSE=$(curl -w "HTTPSTATUS:%{http_code}" -s \
       -X "POST" "${{ inputs.dtServerName }}/api/v1/bom" \
       -H 'Content-Type: multipart/form-data' \
       -H "X-Api-Key: ${{ inputs.apiKey }}" \
       -F "autoCreate=true" \
       -F "projectName=${{ inputs.projectName }}" \
       -F "projectVersion=${{ inputs.projectVersion }}" \
       -F "parentName=${{ inputs.parentName }}" \
       -F "parentVersion=${{ inputs.parentVersion }}" \
       -F "bom=@${{ inputs.bomTarget }}"
     )
     ```

  3. HTTP_RESPONSE includes a BOM validation error

Expected Behavior

Post to /api/v1/bom succeeds when provided invalid BOM with BOM_VALIDATION_ENABLED=false

Dependency-Track Version

4.11.1

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

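The upload from the reproduction steps above, reworked as an added example (not code from the issue or from the Dependency-Track project) so that the `HTTPSTATUS:` suffix curl appends is split off and the upload result is classified. It assumes the server answers a rejected BOM with a 4xx status; the sample responses at the bottom are constructed, not captured from a real server.

```bash
#!/usr/bin/env bash
# Added example: parse "<body>HTTPSTATUS:<code>" strings produced by
# `curl -w "HTTPSTATUS:%{http_code}"` and classify a BOM upload.
set -eu

# Print the three-digit HTTP status code from a "<body>HTTPSTATUS:<code>" string.
http_status() {
  printf '%s' "$1" | sed -n 's/.*HTTPSTATUS:\([0-9]\{3\}\)$/\1/p'
}

# Print the body part (everything before the HTTPSTATUS marker).
http_body() {
  printf '%s' "$1" | sed 's/HTTPSTATUS:[0-9]\{3\}$//'
}

# Classify an upload: "accepted" (2xx), "rejected" (4xx, e.g. BOM validation
# failure) or "error" (5xx, or 000 when curl could not reach the server).
classify_upload() {
  local code
  code=$(http_status "$1")
  case "$code" in
    2??) echo accepted ;;
    4??) echo rejected ;;
    *)   echo error ;;
  esac
}

# Upload a BOM the same way the reproduction step does, then report the result.
# Arguments: server base URL, API key, project name, project version, BOM path.
# (Hypothetical wrapper; requires network access and a running server.)
upload_bom() {
  local response
  response=$(curl -s -w "HTTPSTATUS:%{http_code}" -X POST "$1/api/v1/bom" \
    -H "X-Api-Key: $2" -F "autoCreate=true" \
    -F "projectName=$3" -F "projectVersion=$4" -F "bom=@$5")
  echo "status: $(http_status "$response") -> $(classify_upload "$response")"
  echo "body: $(http_body "$response")"
}

# Constructed samples (not real server output) for trying the parser offline.
SAMPLE_REJECTED='{"status":400,"title":"BOM validation failed"}HTTPSTATUS:400'
SAMPLE_ACCEPTED='{"token":"00000000-0000-0000-0000-000000000000"}HTTPSTATUS:200'
SAMPLE_UNREACHABLE='HTTPSTATUS:000'
```

If the toggle described in the reply below the post is still on, the rejected case is what step 3 observes; once validation is disabled in the admin panel the same BOM yields the accepted case.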

nscuro commented 4 months ago

Disabling via environment variable did not make it into the 4.11 release. Instead, there is a toggle in the admin panel. Refer to the changelog for v4.11:

> Validation may be turned off in the administration panel under Configuration -> BOM Formats.

The upgrade notes also explicitly state:

> Validation of uploaded BOMs and VEXs is enabled per default, but can be disabled in the administration panel under Configuration -> BOM Formats -> BOM Validation

github-actions[bot] commented 3 months ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.