DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Add a warning or an error when the bom version is not supported #3815

Closed Maxouwell closed 4 weeks ago

Maxouwell commented 4 weeks ago

Current Behavior

If the BOM version sent is not supported, the project is updated with 0 components and a CycloneDX version "CycloneDx null"

I had the problem when the CycloneDX Maven plugin switched to CycloneDX 1.5, on Dtrack 4.8.2

Proposed Behavior

Reject the BOM or add an error/warning in the logs


nscuro commented 4 weeks ago

This is fixed in v4.11 (https://github.com/DependencyTrack/dependency-track/pull/3522, https://github.com/DependencyTrack/frontend/pull/762). BOMs are now validated upon upload. If the CycloneDX version is not yet supported, the upload will fail.
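Added example, not code from the issue or from Dependency-Track itself: a client-side pre-check that reads the CycloneDX spec version a BOM declares (the `specVersion` field in JSON, the `http://cyclonedx.org/schema/bom/<version>` namespace in XML) and refuses to build the upload request when the version is not in the set the target server accepts. This gives a clear failure on servers older than v4.11, where the server would otherwise record "CycloneDx null" with zero components as reported above. The `SUPPORTED_SPEC_VERSIONS` set and the sample BOMs are constructed for illustration (1.5 is left out to mirror the report against 4.8.2); the payload mirrors the `project`/`bom` fields of the `PUT /api/v1/bom` endpoint, which you should confirm against the API docs of the version you run.

```python
"""Pre-upload CycloneDX spec-version check for a Dependency-Track client.

Refuses to send a BOM whose declared CycloneDX version the server does not
support, instead of letting an old server silently store zero components.
"""
import base64
import json
import re
import xml.etree.ElementTree as ET

# ASSUMPTION: versions accepted by the target server. Illustrative only;
# 1.5 is excluded to mirror the issue (4.8.2 not accepting CycloneDX 1.5).
SUPPORTED_SPEC_VERSIONS = frozenset({"1.2", "1.3", "1.4"})

# XML BOMs carry the version in the root element's namespace.
_XMLNS_RE = re.compile(r"^\{http://cyclonedx\.org/schema/bom/(\d+\.\d+)\}bom$")


class UnsupportedBomVersion(ValueError):
    """The BOM declares a CycloneDX version the server will not accept."""


def detect_spec_version(bom_bytes: bytes) -> str:
    """Return the CycloneDX spec version declared by a JSON or XML BOM."""
    stripped = bom_bytes.lstrip()
    if stripped.startswith(b"{"):
        doc = json.loads(stripped)
        if doc.get("bomFormat") != "CycloneDX":
            raise ValueError("not a CycloneDX JSON BOM (bomFormat missing or wrong)")
        version = doc.get("specVersion")
        if not isinstance(version, str):
            raise ValueError("JSON BOM has no specVersion")
        return version
    if stripped.startswith(b"<"):
        root = ET.fromstring(stripped)
        match = _XMLNS_RE.match(root.tag)
        if not match:
            raise ValueError(f"XML root {root.tag!r} is not a CycloneDX bom element")
        return match.group(1)
    raise ValueError("BOM is neither JSON nor XML")


def check_supported(bom_bytes: bytes, supported=SUPPORTED_SPEC_VERSIONS) -> str:
    """Return the spec version, or raise UnsupportedBomVersion if the server lacks it."""
    version = detect_spec_version(bom_bytes)
    if version not in supported:
        raise UnsupportedBomVersion(
            f"CycloneDX {version} is not supported by the target server "
            f"(supported: {', '.join(sorted(supported))})"
        )
    return version


def is_supported(bom_bytes: bytes, supported=SUPPORTED_SPEC_VERSIONS) -> bool:
    """Boolean form of check_supported; parse errors also count as unsupported."""
    try:
        check_supported(bom_bytes, supported)
        return True
    except ValueError:  # UnsupportedBomVersion is a ValueError subclass
        return False


def build_upload_payload(bom_bytes: bytes, project_uuid: str,
                         supported=SUPPORTED_SPEC_VERSIONS) -> dict:
    """JSON body for PUT /api/v1/bom (base64-encoded BOM), built only after the check passes."""
    check_supported(bom_bytes, supported)
    return {"project": project_uuid, "bom": base64.b64encode(bom_bytes).decode("ascii")}


# Constructed sample BOMs (not taken from the issue): minimal, zero components.
BOM_JSON_14 = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4",
                          "version": 1, "components": []}).encode()
BOM_JSON_15 = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
                          "version": 1, "components": []}).encode()
BOM_XML_15 = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
              b'<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1">'
              b'<components/></bom>')

if __name__ == "__main__":
    for name, bom in (("json 1.4", BOM_JSON_14), ("json 1.5", BOM_JSON_15), ("xml 1.5", BOM_XML_15)):
        try:
            print(name, "-> ok, version", check_supported(bom))
        except UnsupportedBomVersion as exc:
            print(name, "-> refused:", exc)
```

The check is deliberately done on the declared version rather than on a full schema validation: the version alone is enough to decide whether the server can ingest the document, and it fails before any bytes are sent. On v4.11 and later the server performs the same rejection itself; the client-side check just turns a vague upload failure into a message that names the offending version.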