Invalid SWID tag when downloading BOM from DependencyTrack

[savek-cc]

Current Behavior

Generate an SBOM of a docker image using syft: syft packages mcr.microsoft.com/oss/kubernetes-csi/csi-resizer:v.1.1.0 -o cyclonedx-json > test.json This will result in an SBOM with the following component part: syft.sbom.json { "type": "operating-system", "name": "debian", "version": "9", "description": "Distroless", "swid": { "tagId": "debian", "name": "debian", "version": "9" }, ... } When importing this SBOM into DependencyTrack, all is fine. When then exporting the list of components as BOM, this section gets reduced to 6c94b437-6286-4b0e-b665-fafaa2927fb3-inventory.cdx.json { "type" : "operating-system", "bom-ref" : "f517364f-b269-489f-8c8b-369b9638f2c1", "name" : "debian", "version" : "9", "description" : "Distroless", "swid" : { "tagId" : "debian" }, ... } Note the missing "name" and "version" in the SWID entry. This is also violating the CycloneDX specification as checked using https://cyclonedx.github.io/cyclonedx-web-tool/validate which reports: Validation failed: Required properties ["name"] were not present #/properties/components/items/$ref/properties/swid/$ref/required On instance: #/components/1/swid: { "tagId" : "debian" }

Steps to Reproduce

1.

Expected Behavior

DependencyTrack should not remove required information from SWID tags and not create invalid CycloneDX SBOMs.

Dependency-Track Version

4.11.4

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

Checklist

• [X] I have read and understand the contributing guidelines
• [X] I have checked the existing issues for whether this defect was already reported

[nscuro]

Hmmm... DT has historically only stored the SWID Tag ID, but not the name.

It does seem like name has been a required property since forever, so not sure why DT doesn't retain it. We'll need to start storing the tag name in order to fix this.