Open malice00 opened 2 days ago
nscuro
commented
2 days ago Can you share the error messages you're getting for the upload requests? The response body will list the things it found to be wrong.
Our tests of the export functionality do validate the generated BOMs, but of course it all comes down to the data being exported. Knowing what failed would help to reproduce and fix.
malice00
commented
2 days ago There is nothing in the logs (at least not the ones I have access to), but I was able to get the response by manually executing a POST. Hope this helps...
nscuro
commented
2 days ago That does help, it all seems to be license related. Thanks for providing the sample!
malice00
commented
2 days ago I figured it out! We have added some licenses and set those on components. The export does add these in the SBOM, but the import apparently only validates against the official licenses, which causes this exception!
nscuro
commented
2 days ago Yeah I think we need to populate the license.name field rather than license.id for custom licenses. Since the CycloneDX schema strictly requires valid SPDX license IDs in the license.id field.
We already match license.name against custom licenses when importing BOMs, so everything should just continue to work if we make this small change.
Current Behavior
When exporting an SBOM for a project and then trying to import it again, DT gives an exception that the Schema validation failed.
Steps to Reproduce
Expected Behavior
The BOM should be imported without problems.
Dependency-Track Version
4.11.4
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
14.9
Browser
Mozilla Firefox
Checklist