DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

err 400 when upload SBOM file through /v1/bom #3757

Closed jxdv closed 1 month ago

jxdv commented 1 month ago

Current Behavior

Uploading an SBOM file through the REST API has stopped working and it is returning: `{"status":400,"title":"The uploaded BOM is invalid","detail":"Unable to determine schema version from JSON"}`.

We've verified through multiple sources that the SBOM file is valid. Trying to upload it directly through the UI gives the exact same error (pic).


What is really interesting, though, is that when the JSON properties serialNumber, version, $schema, bomFormat, and specVersion are moved to the top of the SBOM file, everything works smoothly (files available in the Steps to Reproduce section).

The SBOM file is generated using cyclonedx-python and we've never encountered such an issue.

Steps to Reproduce

  1. Upload sbom_original.json using the REST API / UI
  2. Get error: Unable to determine schema version from JSON

OR

  1. Upload sbom_properties_moved.json using the REST API / UI
  2. SBOM file is successfully uploaded and we see components, services, dependency graph etc.

Attachments: sbom_properties_moved.json, sbom_original.json

Expected Behavior

The SBOM file is uploaded without us having to move the JSON properties to the top of the file.

Dependency-Track Version

4.11.0

Dependency-Track Distribution

Container Image

Database Server

N/A

Database Server Version

No response

Browser

N/A

Checklist
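The symptom above is that schema-version detection depended on where the identifying keys sat in the file. The script below is an added example, not Dependency-Track or cyclonedx-python code: it contrasts an order-sensitive detector (a 256-byte prefix window, which is an assumed model of an early-exit reader, not the server's actual logic) with a full-parse detector that also cross-checks `specVersion` against `$schema`, and it implements the reporter's workaround of rewriting the BOM with the identifying keys first. The sample BOM is constructed and mirrors the layout of sbom_original.json as described in the issue.

```python
"""Pre-upload checks for a CycloneDX JSON BOM (added example, not project code).

Assumptions: the 256-byte prefix window models an order-sensitive reader;
the sample BOM is constructed for this example.
"""
import json
import re

# Top-level keys the reporter moved to the top of the file, in that order.
IDENTIFYING_KEYS = ("serialNumber", "version", "$schema", "bomFormat", "specVersion")

# Constructed sample in the problematic layout: identifying keys at the END.
SBOM_ORIGINAL = json.dumps({
    "metadata": {"component": {"type": "application", "name": "demo-app", "version": "1.0.0"}},
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0"},
        {"type": "library", "name": "urllib3", "version": "2.2.1"},
    ],
    "dependencies": [],
    "serialNumber": "urn:uuid:00000000-0000-0000-0000-000000000000",
    "version": 1,
    "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
})


def spec_version_in_prefix(bom_text: str, peek_bytes: int = 256):
    """Order-sensitive detection: look for specVersion only in the first
    peek_bytes characters, the way a reader that gives up early would.
    Returns the version string, or None when the key is not in the window."""
    m = re.search(r'"specVersion"\s*:\s*"([^"]+)"', bom_text[:peek_bytes])
    return m.group(1) if m else None


def detect_spec_version(bom_text: str) -> str:
    """Order-insensitive detection: parse the whole document, then validate
    the identifying fields and check that $schema agrees with specVersion."""
    bom = json.loads(bom_text)
    if not isinstance(bom, dict):
        raise ValueError("BOM root must be a JSON object")
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("bomFormat must be 'CycloneDX'")
    spec = bom.get("specVersion")
    if not isinstance(spec, str) or not re.fullmatch(r"\d+\.\d+", spec):
        raise ValueError("specVersion missing or malformed")
    schema = bom.get("$schema")
    if isinstance(schema, str):
        m = re.search(r"bom-(\d+\.\d+)\.schema\.json$", schema)
        if m and m.group(1) != spec:
            raise ValueError(f"$schema says {m.group(1)} but specVersion is {spec}")
    return spec


def move_identifying_keys_first(bom_text: str) -> str:
    """The reporter's workaround: re-serialise with the identifying keys first.
    Content is unchanged; only the top-level key order differs."""
    bom = json.loads(bom_text)
    ordered = {k: bom[k] for k in IDENTIFYING_KEYS if k in bom}
    ordered.update((k, v) for k, v in bom.items() if k not in ordered)
    return json.dumps(ordered, indent=2)


if __name__ == "__main__":
    print("full parse:", detect_spec_version(SBOM_ORIGINAL))
    print("prefix, original layout:", spec_version_in_prefix(SBOM_ORIGINAL))
    print("prefix, keys moved first:",
          spec_version_in_prefix(move_identifying_keys_first(SBOM_ORIGINAL)))
```

Running it shows the full parse finding `1.5` for both layouts, while the prefix detector returns `None` for the original layout and `1.5` once the keys are moved first. The full-parse validator is the one worth keeping in a CI step before upload: it rejects a BOM whose `specVersion` is missing or disagrees with `$schema`, which a prefix scan would silently accept or miss.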

jxdv commented 1 month ago

Ah, I see that this was fixed in a newer version. Closing.

github-actions[bot] commented 1 week ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.