Open savek-cc opened 4 days ago
Hmmm... DT has historically only stored the SWID Tag ID, but not the name.
It does seem like name has been a required property since forever, so not sure why DT doesn't retain it. We'll need to start storing the tag name in order to fix this.
Current Behavior
Generate an SBOM of a docker image using syft:
```
syft packages mcr.microsoft.com/oss/kubernetes-csi/csi-resizer:v.1.1.0 -o cyclonedx-json > test.json
```

This will result in an SBOM with the following component part (`syft.sbom.json`):

```json
{
  "type": "operating-system",
  "name": "debian",
  "version": "9",
  "description": "Distroless",
  "swid": {
    "tagId": "debian",
    "name": "debian",
    "version": "9"
  },
  ...
}
```

When importing this SBOM into DependencyTrack, all is fine. When then exporting the list of components as BOM, this section gets reduced to (`6c94b437-6286-4b0e-b665-fafaa2927fb3-inventory.cdx.json`):

```json
{
  "type": "operating-system",
  "bom-ref": "f517364f-b269-489f-8c8b-369b9638f2c1",
  "name": "debian",
  "version": "9",
  "description": "Distroless",
  "swid": {
    "tagId": "debian"
  },
  ...
}
```

Note the missing "name" and "version" in the SWID entry. This is also violating the CycloneDX specification as checked using https://cyclonedx.github.io/cyclonedx-web-tool/validate which reports:

```
Validation failed: Required properties ["name"] were not present
#/properties/components/items/$ref/properties/swid/$ref/required
On instance: #/components/1/swid: { "tagId" : "debian" }
```
Steps to Reproduce
1.
Expected Behavior
DependencyTrack should not remove required information from SWID tags and not create invalid CycloneDX SBOMs.
Dependency-Track Version
4.11.4
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
No response
Browser
Google Chrome
Checklist
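The report above boils down to one check a consumer of exported BOMs can run themselves: every `swid` object in a CycloneDX JSON document must carry both `tagId` and `name` (the schema lists both as required), and an export that drops `name` fails validation. The script below is an added example, not Dependency-Track's or syft's code. It walks all components (including nested ones), reports SWID entries missing a required property, and, as a workaround until the exporter retains the name, restores the dropped fields from the original upload by matching on `tagId`. Both sample BOMs are constructed from the snippets in the report; the `bom-ref` value is a placeholder.

```python
"""Find CycloneDX swid objects that lack required properties and restore
dropped fields from the original SBOM. Added example, not project code."""
import json

# Constructed sample: the component as syft emitted it (swid complete).
ORIGINAL_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "operating-system", "name": "debian", "version": "9",
         "description": "Distroless",
         "swid": {"tagId": "debian", "name": "debian", "version": "9"}},
    ],
}

# Constructed sample: the same component as exported, swid reduced to tagId.
EXPORTED_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "operating-system", "bom-ref": "placeholder-bom-ref",
         "name": "debian", "version": "9", "description": "Distroless",
         "swid": {"tagId": "debian"}},
    ],
}

# Properties the CycloneDX schema marks as required on a swid object.
SWID_REQUIRED = ("tagId", "name")


def iter_components(bom):
    """Yield every component, descending into nested "components" lists."""
    stack = list(bom.get("components", []))
    while stack:
        comp = stack.pop()
        yield comp
        stack.extend(comp.get("components", []))


def find_invalid_swid(bom):
    """Return [(component name, [missing keys])] for each swid object that
    lacks a required property; an empty list means the BOM passes this check."""
    problems = []
    for comp in iter_components(bom):
        swid = comp.get("swid")
        if swid is None:
            continue
        missing = [key for key in SWID_REQUIRED if key not in swid]
        if missing:
            problems.append((comp.get("name"), missing))
    return problems


def restore_swid(exported, original):
    """Copy swid fields from `original` into a deep copy of `exported` wherever
    the tagId matches; existing fields in the export are never overwritten."""
    by_tag = {c["swid"]["tagId"]: c["swid"]
              for c in iter_components(original)
              if isinstance(c.get("swid"), dict) and "tagId" in c["swid"]}
    repaired = json.loads(json.dumps(exported))  # deep copy, input untouched
    for comp in iter_components(repaired):
        swid = comp.get("swid")
        if swid and swid.get("tagId") in by_tag:
            for key, value in by_tag[swid["tagId"]].items():
                swid.setdefault(key, value)
    return repaired


if __name__ == "__main__":
    print("problems in export:", find_invalid_swid(EXPORTED_BOM))
    fixed = restore_swid(EXPORTED_BOM, ORIGINAL_BOM)
    print("after restore:", find_invalid_swid(fixed))
    print(json.dumps(fixed["components"][0]["swid"]))
```

Running the check against the exported BOM flags the `debian` component for its missing `name`; after merging from the original upload the same check passes. The merge keys on `tagId` only, so it is safe to run repeatedly and leaves components without a SWID entry alone.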