DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

DT resets some (but not all) of my updated components #3923

Open malice00 opened 2 days ago

malice00 commented 2 days ago

Current Behavior

Some of the components in our projects don't have their license set, so we set those manually to fulfill our company's policies. However, after running another import, the licenses in some of our components get reset, whereas others do not. We are not sure if this happens to other fields as well, since we only set the license. We do see that if it happens, it always happens to the same components! We can also say this happens with licenses from the 'official' SPDX list (so no manual licenses, but I can't say this might not also be affected by this issue) --> in our case it's a couple of MITs and Apache-2.0s.

Steps to Reproduce

I hope the problem is actually reproducible and not happening (partially) at random:

  1. Upload this SBOM
  2. Edit the licenses for (in our case):
    • is-invalid-path 0.1.0
    • is-valid-path 0.1.1
    • requireg 0.2.2
    • valid-url 1.0.9
  3. We wait for DT to actually show these changes in the policies (we need to wait till the next day, can this be somehow forced?)
  4. Check that the licenses are still there
  5. Upload the SBOM again
  6. Check that the licenses are not set anymore (this runs during the night, so we are not sure if this is instantly or not -- haven't been able to test this 'live')

Expected Behavior

Our components keep the changes that are made and our policies are therefore not violated.

Dependency-Track Version

4.11.4

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

14.9

Browser

Mozilla Firefox

Checklist
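To tell which components lose their license across a re-import (steps 4 and 6 above) without checking them by hand, the following added example snapshots a project's components before and after the upload and diffs the license field. It is not the reporter's or Dependency-Track's own code; it assumes the REST endpoint GET /api/v1/component/project/{uuid} paged with pageNumber/pageSize and authenticated with the X-Api-Key header, and the sample snapshots are constructed.

```python
import json
import urllib.request

# Assumed endpoint and header; base_url and api_key are placeholders for your instance.
def fetch_components(base_url, api_key, project_uuid, page_size=100):
    """Page through GET /api/v1/component/project/{uuid} and return every component."""
    components, page = [], 1
    while True:
        url = (f"{base_url}/api/v1/component/project/{project_uuid}"
               f"?pageNumber={page}&pageSize={page_size}")
        req = urllib.request.Request(url, headers={"X-Api-Key": api_key})
        with urllib.request.urlopen(req) as resp:
            batch = json.load(resp)
        if not batch:
            return components
        components.extend(batch)
        page += 1

def license_of(component):
    """Resolved SPDX id if set, else the free-text license string, else None."""
    resolved = component.get("resolvedLicense") or {}
    return resolved.get("licenseId") or component.get("license") or None

def find_reset_licenses(before, after):
    """Sorted (name, version, old_license) for components licensed in `before` but unlicensed in `after`."""
    after_index = {(c["name"], c["version"]): license_of(c) for c in after}
    reset = []
    for c in before:
        key = (c["name"], c["version"])
        old = license_of(c)
        if old and key in after_index and after_index[key] is None:
            reset.append((key[0], key[1], old))
    return sorted(reset)

# Constructed snapshots shaped like the API response; the license values are
# made up for the demo, not taken from the reporter's project.
BEFORE = [
    {"name": "is-invalid-path", "version": "0.1.0", "resolvedLicense": {"licenseId": "MIT"}},
    {"name": "is-valid-path", "version": "0.1.1", "resolvedLicense": {"licenseId": "MIT"}},
    {"name": "requireg", "version": "0.2.2", "resolvedLicense": {"licenseId": "MIT"}},
    {"name": "valid-url", "version": "1.0.9", "resolvedLicense": {"licenseId": "Apache-2.0"}},
]
AFTER = [  # same project after re-uploading the SBOM; three components lost their license
    {"name": "is-invalid-path", "version": "0.1.0"},
    {"name": "is-valid-path", "version": "0.1.1"},
    {"name": "requireg", "version": "0.2.2", "resolvedLicense": {"licenseId": "MIT"}},
    {"name": "valid-url", "version": "1.0.9"},
]
```

Run `fetch_components` once before and once after the upload, then pass the two lists to `find_reset_licenses`; the returned tuples are the components to report in the issue.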