"...project/{name}/{version}" API Fails to Retrieve Badge When Project Name Includes "/" #3898

Open we684123 opened 4 months ago

Current Behavior

When integrating DependencyTrack with GitLab CI, I encounter an issue with retrieving the vulnerability badge via API when the project name contains a slash ("/"). This problem does not occur when using UUID for the project.

I use the following curl command to post a BOM:

curl -X "POST" "${DEPENDENCY_TRACK_URL}" \
     -H 'Content-Type: multipart/form-data' \
     -H "X-Api-Key: ${DEPENDENCY_TRACK_API_KEY}" \
     -F "projectName=${CI_PROJECT_NAMESPACE}/${CI_PROJECT_NAME}" \
     -F "projectVersion=${CI_COMMIT_REF_NAME}" \
     -F "autoCreate=true" \
     -F "bom=@bom.json"

Where: ${CI_PROJECT_NAMESPACE} is the GitLab group path (e.g., "it/iot"). ${CI_PROJECT_NAME} is the GitLab project name (e.g., "any-test"). ${CI_COMMIT_REF_NAME} is the branch name (e.g., "develop").

After posting the BOM, the DependencyTrack project name appears as "it/iot/any-test" with version "develop".

The badge retrieval API URL: https://{DEPENDENCY_TRACK_URL}/api/v1/badge/vulns/project/it/iot/any-test/develop responds with a 404 error, indicating that it cannot handle project names with slashes.

However, using the UUID version of the URL works as expected: https://{DEPENDENCY_TRACK_URL}/api/v1/badge/vulns/project/91c63ff0-0ff2-493b-8d9f-4abb5c6caf14

Error Logs

The following errors are logged when attempting to retrieve the badge:

2024-07-01 02:20:04,559 ERROR [WriterInterceptorExecutor] MessageBodyWriter not found for media type=image/svg+xml, type=class java.util.ArrayList, genericType=class java.util.ArrayList.
2024-07-01 02:20:04,561 ERROR [ServerRuntime$Responder] Error occurred when processing a response created from an already mapped exception.

Steps to Reproduce

put ${DEPENDENCY_TRACK_URL}、${DEPENDENCY_TRACK_API_KEY} , then use any BOM to post

  curl -X "POST" "${DEPENDENCY_TRACK_URL}" \
    -H 'Content-Type: multipart/form-data' \
    -H "X-Api-Key: ${DEPENDENCY_TRACK_API_KEY}" \
    -F "projectName=it/iot/any-test" \
    -F "projectVersion=develop" \
    -F "autoCreate=true" \
    -F "bom=@bom.json"

try get this url https://{DEPENDENCY_TRACK_URL}/api/v1/badge/vulns/project/it/iot/any-test/develop
fail, 404

Expected Behavior

ues https://{DEPENDENCY_TRACK_URL}/api/v1/badge/vulns/project/it/iot/any-test/develop can return badge

Dependency-Track Version

4.11.3

Dependency-Track Distribution

Container Image, Executable WAR

Database Server

N/A

Database Server Version

No response

Browser

Mozilla Firefox

Checklist

[X] I have read and understand the contributing guidelines
[X] I have checked the existing issues for whether this defect was already reported

Does it help if you urlencode the name?

Does it help if you urlencode the name?

@valentijnscholten ！ Very helpful~ Now is work , thank you (*^∀ﾟ)ъ

URL: https://{DEPENDENCY_TRACK_URL}/api/v1/badge/vulns/project/it%2Fiot%2Fany-test/develop

2024-07-02 09_03_17-Mozilla Firefox

I'm not planning to close the issue yet. I attempted to update the integration badges documentation to inform others about the workaround involving URL encoding. However, I was unable to locate the necessary documentation in the official repositories. Therefore, I'll have to await a response from the official team to proceed with this documentation update.

@we684123 The documentation lives here: https://github.com/DependencyTrack/dependency-track/tree/master/docs

Instructions to work with it are here: https://github.com/DependencyTrack/dependency-track/blob/master/DEVELOPING.md#documentation

DependencyTrack / dependency-track