BOM Validation against the CycloneDX schema was a feature introduced in v4.11.0 and can be enabled or disabled by an administrator.
It is "all or nothing". Either every BOM upload gets validated or nothing gets validated.
It was known before v4.11.0 release that this could cause problems if users' tooling was producing invalid BOMs.
However, real-world experience has shown that more tools are generating invalid BOMs than might have been hoped for. Thus, we need to improve functionality:
Cautious roll-out: User X does not trust their tools (or Dependency-Track) and wants to try BOM Validation on a small subset of projects
User Y really values BOM Validation but has problems with a small subset of projects and wants to to exclude these from Validation.
User X and User Y do not want to continually have to tweak configuration at an admin level
Proposed Behavior
Implement the ability to filter Validation based on tag. Configuration based on tag means that the administrator can set things up once and then users with lower privileges can easily control behavior at the project level.
Once BOM Validation is enabled then select whether to run in one of two modes (suggest using a radio button here)
Include: specify a tag to only apply BOM Validation to projects with this tag.
Exclude: specify a tag that will be used to exclude projects with the tag from BOM validation
If the admin does not provide any tag then behavior should be as in v4.11.0 (everything gets validated)
If the admin switches from "Include" mode to "Exclude" mode (or vice versa) then the system should still remember the tag that was used in the option that is now inactive.... they might want to switch back again later.
I suggest that the default should be "Exclude" This would allow the admin to configure it with a tag and have BOMs upload before the tag is added to any project and behavior would still be "everything gets validated".
Current Behavior
BOM Validation against the CycloneDX schema was a feature introduced in v4.11.0 and can be enabled or disabled by an administrator.
It is "all or nothing". Either every BOM upload gets validated or nothing gets validated.
It was known before v4.11.0 release that this could cause problems if users' tooling was producing invalid BOMs.
However, real-world experience has shown that more tools are generating invalid BOMs than might have been hoped for. Thus, we need to improve functionality:
Proposed Behavior
Implement the ability to filter Validation based on tag. Configuration based on tag means that the administrator can set things up once and then users with lower privileges can easily control behavior at the project level.
Once BOM Validation is enabled then select whether to run in one of two modes (suggest using a radio button here)
If the admin does not provide any tag then behavior should be as in v4.11.0 (everything gets validated)
If the admin switches from "Include" mode to "Exclude" mode (or vice versa) then the system should still remember the tag that was used in the option that is now inactive.... they might want to switch back again later.
I suggest that the default should be "Exclude" This would allow the admin to configure it with a tag and have BOMs upload before the tag is added to any project and behavior would still be "everything gets validated".
Checklist