Current Behavior
Some of the components in our projects don't have their license set, so we set those manually to fulfill our company's policies. However, after running another import, the licenses in some of our components get reset, whereas others are not. We are not sure if this happens to other fields as well, since we only set the license. We do see that if it happens, it always happens to the same components!
We can also say this happens with licenses from the 'official' SPDX list (so no manual licenses, but I can't say this might not also be affected by this issue) --> in our case it's a couple of MITs and Apache-2.0s.
![Screenshot 2024-07-05 at 13-01-13 Dependency-Track - is](https://github.com/DependencyTrack/dependency-track/assets/12972577/09eaba3c-3361-47d7-a171-256da7269dea)
Steps to Reproduce
I hope the problem is actually reproducible and not happening (partially) at random:
1. We wait for DT to actually show these changes in the policies (we need to wait till the next day; can this somehow be forced?)
2. Check that the licenses are still there
3. Upload the SBOM again
4. Check that the licenses are not set anymore (this runs during the night, so we are not sure if this is instant or not -- we haven't been able to test this 'live')
Expected Behavior
Our components keep the changes that are made, and our policies are therefore not violated.
Dependency-Track Version
4.11.4
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
14.9
Browser
Mozilla Firefox
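An added check, not part of this issue or of the Dependency-Track code base: a small Python script that snapshots each component's effective license through the REST API before and immediately after re-uploading the SBOM, so a reset can be observed right away instead of waiting for the nightly policy evaluation. It assumes the endpoint `GET /api/v1/component/project/{uuid}` authenticated with an `X-Api-Key` header, `pageNumber`/`pageSize` paging, and component JSON carrying a free-text `license` and/or a `resolvedLicense.licenseId`; the sample data at the bottom is constructed so the script runs offline.

```python
"""Snapshot and diff component licenses in a Dependency-Track project.

Added example, not code from the issue or from Dependency-Track. Assumed API:
GET {DT_URL}/api/v1/component/project/{uuid}?pageNumber=N&pageSize=M with an
X-Api-Key header, returning a JSON list of components that carry `purl`,
`name`, `version`, `license` (free text) and/or `resolvedLicense.licenseId`.
"""
import json
import os
import sys
import urllib.request
from typing import Dict, List, Optional


def fetch_components(base_url: str, api_key: str, project_uuid: str,
                     page_size: int = 100) -> List[dict]:
    """Page through every component of a project (assumed endpoint and paging params)."""
    components: List[dict] = []
    page = 1
    while True:
        url = (f"{base_url.rstrip('/')}/api/v1/component/project/{project_uuid}"
               f"?pageNumber={page}&pageSize={page_size}")
        req = urllib.request.Request(url, headers={"X-Api-Key": api_key})
        with urllib.request.urlopen(req, timeout=30) as resp:
            batch = json.load(resp)
        if not batch:
            return components
        components.extend(batch)
        page += 1


def effective_license(component: dict) -> Optional[str]:
    """The license a policy would evaluate: resolved SPDX id first, else free text."""
    resolved = component.get("resolvedLicense") or {}
    return resolved.get("licenseId") or component.get("license") or None


def snapshot(components: List[dict]) -> Dict[str, Optional[str]]:
    """Key each component by purl (fallback name@version) -> effective license."""
    snap: Dict[str, Optional[str]] = {}
    for c in components:
        key = c.get("purl") or f"{c.get('name')}@{c.get('version')}"
        snap[key] = effective_license(c)
    return snap


def diff_snapshots(before: Dict[str, Optional[str]],
                   after: Dict[str, Optional[str]]) -> dict:
    """Components whose license was wiped, changed, or which vanished after re-upload."""
    lost, changed, missing = [], [], []
    for key, lic in before.items():
        if key not in after:
            missing.append(key)
        elif lic and not after[key]:
            lost.append(key)              # had a license, now has none: the reported symptom
        elif after[key] != lic:
            changed.append((key, lic, after[key]))
    return {"lost": sorted(lost), "changed": sorted(changed), "missing": sorted(missing)}


def compare_files(before_path: str, after_path: str) -> dict:
    """Diff two snapshot JSON files written by `snapshot()`."""
    with open(before_path) as f_before, open(after_path) as f_after:
        return diff_snapshots(json.load(f_before), json.load(f_after))


# Constructed sample data (not real API output) so the demonstration runs offline.
SAMPLE_BEFORE = [
    {"purl": "pkg:npm/left-pad@1.3.0", "name": "left-pad", "version": "1.3.0",
     "resolvedLicense": {"licenseId": "MIT", "name": "MIT License"}},
    {"purl": "pkg:maven/org.example/lib@2.0", "name": "lib", "version": "2.0",
     "resolvedLicense": {"licenseId": "Apache-2.0"}},
    {"purl": "pkg:npm/other@0.1.0", "name": "other", "version": "0.1.0",
     "license": "Proprietary-Internal"},
    {"purl": "pkg:npm/stable@4.0.0", "name": "stable", "version": "4.0.0",
     "resolvedLicense": {"licenseId": "BSD-3-Clause"}},
]
SAMPLE_AFTER = [
    {"purl": "pkg:npm/left-pad@1.3.0", "name": "left-pad", "version": "1.3.0"},  # reset
    {"purl": "pkg:maven/org.example/lib@2.0", "name": "lib", "version": "2.0",
     "resolvedLicense": {"licenseId": "Apache-2.0"}},                            # kept
    {"purl": "pkg:npm/other@0.1.0", "name": "other", "version": "0.1.0",
     "license": "MIT"},                                                          # changed
    # "stable" is absent from the re-uploaded BOM
]

if __name__ == "__main__":
    if len(sys.argv) == 2 and sys.argv[1] == "live":
        # Live mode: DT_URL, DT_API_KEY and DT_PROJECT (project uuid) must be set.
        # Run once, re-upload the SBOM, run again, then compare the two files.
        comps = fetch_components(os.environ["DT_URL"], os.environ["DT_API_KEY"],
                                 os.environ["DT_PROJECT"])
        print(json.dumps(snapshot(comps), indent=2))
    elif len(sys.argv) == 3:
        print(json.dumps(compare_files(sys.argv[1], sys.argv[2]), indent=2))
    else:
        print(json.dumps(diff_snapshots(snapshot(SAMPLE_BEFORE), snapshot(SAMPLE_AFTER)), indent=2))
```

Usage against a live instance: `python dt_license_diff.py live > before.json`, re-upload the SBOM, `python dt_license_diff.py live > after.json`, then `python dt_license_diff.py before.json after.json`. Components listed under `lost` are the ones whose manually set or SPDX-resolved license disappeared on import; since policy evaluation runs on a schedule, this diff shows the reset as soon as the BOM has been processed rather than the next day.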