Closed philippn closed 2 months ago
The reason is in https://github.com/DependencyTrack/dependency-track/blob/ccacd1da754ab74cc94ea79bc8e39e1c74a54f50/src/main/java/org/dependencytrack/parser/cyclonedx/CycloneDxValidator.java#L184: the for loop should probably break once the first hit was found.
I could provide a pull-request, I'm not sure how this sign-off stuff works though.
Thanks in advance for looking into it!
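The namespace-based detection that the comment above points at, as an added Python illustration; it is not the project's Java code and does not reproduce CycloneDxValidator. It returns on the first CycloneDX namespace it meets, so the extra declarations a merged BOM carries cannot disturb the result; the sample BOM and the extension namespace on it are constructed.

```python
import io
import re
import xml.etree.ElementTree as ET

# CycloneDX BOM namespaces end in the schema version, e.g. .../schema/bom/1.5
CYCLONEDX_NS = re.compile(r"^http://cyclonedx\.org/schema/bom/(\d+\.\d+)$")

def collect_namespaces(xml_text: str) -> list[tuple[str, str]]:
    """Every (prefix, uri) namespace declaration, in document order."""
    source = io.BytesIO(xml_text.encode("utf-8"))
    return [ns for _, ns in ET.iterparse(source, events=("start-ns",))]

def detect_schema_version(xml_text: str) -> str:
    """Return the schema version of the first CycloneDX namespace declared.

    Returning on the first hit is the point: a merged BOM declares extra
    namespaces (xsi, extensions) that must not disturb the detection.
    """
    for _prefix, uri in collect_namespaces(xml_text):
        match = CYCLONEDX_NS.match(uri)
        if match:
            return match.group(1)  # first hit wins; no further scanning
    raise ValueError("Unable to determine schema version from XML namespaces")

# Constructed sample: a merged BOM whose root declares several namespaces,
# with the CycloneDX one deliberately not the first declaration.
MERGED_BOM = """<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns="http://cyclonedx.org/schema/bom/1.5"
     xmlns:v="http://cyclonedx.org/schema/ext/vulnerability/1.0"
     version="1">
  <components>
    <component type="library"><name>example-lib</name></component>
  </components>
</bom>"""

# Constructed sample that declares no CycloneDX namespace at all.
NOT_A_BOM = '<doc xmlns="urn:example:other">no bom here</doc>'

if __name__ == "__main__":
    print(collect_namespaces(MERGED_BOM))
    print(detect_schema_version(MERGED_BOM))
```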
Good catch @philippn!
> I could provide a pull-request, I'm not sure how this sign-off stuff works though.

That would be great, and I'd like you to get the appropriate credit for finding and fixing this! The DCO sign-off is just a git flag, really. There is a good guide here: https://cert-manager.io/docs/contributing/sign-off/
Just pay attention that the username and email of your commit matches their counterparts on GitHub, see https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/setting-your-commit-email-address
Thanks for your feedback. I have created a PR, including a test case. Hope that helps!
Current Behavior
Hi there,
First of all, thanks for this great tool.
We are using it with merged SBOMs (the merging is done using the CycloneDX CLI). There we noticed that the BOMs couldn't be imported. The error you get is: "Unable to determine schema version from XML namespaces:"
Steps to Reproduce
Expected Behavior
The import works
Dependency-Track Version
4.11.5
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
No response
Browser
Google Chrome
Checklist