DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Vulnerability analysis cannot be performed, if the component contains “purchaser” property in SBOM file #4144

Closed buke-narlitepe-itk closed 2 weeks ago

buke-narlitepe-itk commented 1 month ago

Current Behavior

When we upload an SBOM file in CycloneDX (version 1.5) format to the tool, we do not get any results. Instead, we receive a parse error from your API. When we examine further: if any component contains the following section, the API throws an error:

  "purchaser": {
    "organization": {
      "contact": [
        {
          "name": ""
        }
      ]
    }
  }

When we remove the above part from the component section, the analysis completes as expected. Additionally, there is another component in the SBOM file that already has vulnerabilities. Due to this error, its analysis is also skipped.


Proposed Behavior

If there is an error or omission in the SBOM file that could disrupt the analysis, it would be better if the error message were more descriptive. At least the analysis results of the other component could be given, and the error of the faulty component could be returned as a response in a more descriptive way. We would also like to know why such an error occurred.


nscuro commented 1 month ago

we receive a parse error from your API.

Can you share the exact error you're getting?

nscuro commented 1 month ago

It's a parsing bug in the CycloneDX library: https://github.com/CycloneDX/cyclonedx-core-java/issues/507

buke-narlitepe-itk commented 4 weeks ago

we receive a parse error from your API.

Can you share the exact error you're getting?

Thanks for the reply. The error I get is as follows:

2024-10-08 09:22:30,920 ERROR [BomUploadProcessingTask] Error while processing bom
2024-10-08 11:22:30 org.cyclonedx.exception.ParseException: Unable to parse BOM from byte array
2024-10-08 11:22:30 at org.cyclonedx.parsers.JsonParser.parse(JsonParser.java:72)
2024-10-08 11:22:30 at org.dependencytrack.tasks.BomUploadProcessingTask.inform(BomUploadProcessingTask.java:111)
2024-10-08 11:22:30 at org.dependencytrack.tasks.BomUploadProcessingTaskV2.inform(BomUploadProcessingTaskV2.java:151)
2024-10-08 11:22:30 at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:110)
2024-10-08 11:22:30 at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
2024-10-08 11:22:30 at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
2024-10-08 11:22:30 at java.base/java.lang.Thread.run(Unknown Source)
2024-10-08 11:22:30 Caused by: com.fasterxml.jackson.databind.JsonMappingException: Cannot invoke "com.fasterxml.jackson.databind.JsonNode.asText()" because the return value of "com.fasterxml.jackson.databind.JsonNode.get(String)" is null (through reference chain: org.cyclonedx.model.Bom["components"]->java.util.ArrayList[1]->org.cyclonedx.model.Component["licenses"]->org.cyclonedx.model.License["licensing"]->org.cyclonedx.model.Licensing["purchaser"])
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.JsonMappingException.wrapWithPath(JsonMappingException.java:402)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.JsonMappingException.wrapWithPath(JsonMappingException.java:361)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.wrapAndThrow(BeanDeserializerBase.java:1937)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:312)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:177)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:129)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:310)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:177)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:342)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.ObjectMapper._readValue(ObjectMapper.java:4881)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3035)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.ObjectMapper.treeToValue(ObjectMapper.java:3499)
2024-10-08 11:22:30 at org.cyclonedx.util.deserializer.LicenseDeserializer.processLicenseNode(LicenseDeserializer.java:77)
2024-10-08 11:22:30 at org.cyclonedx.util.deserializer.LicenseDeserializer.deserialize(LicenseDeserializer.java:64)
2024-10-08 11:22:30 at org.cyclonedx.util.deserializer.LicenseDeserializer.deserialize(LicenseDeserializer.java:34)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:129)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:310)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:177)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer._deserializeFromArray(CollectionDeserializer.java:361)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:246)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:30)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:129)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:310)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:177)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:342)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4905)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3909)
2024-10-08 11:22:30 at org.cyclonedx.parsers.JsonParser.parse(JsonParser.java:70)
2024-10-08 11:22:30 ... 6 common frames omitted
2024-10-08 11:22:30 Caused by: java.lang.NullPointerException: Cannot invoke "com.fasterxml.jackson.databind.JsonNode.asText()" because the return value of "com.fasterxml.jackson.databind.JsonNode.get(String)" is null
2024-10-08 11:22:30 at org.cyclonedx.util.deserializer.OrganizationalChoiceDeserializer.deserializeOrganization(OrganizationalChoiceDeserializer.java:54)
2024-10-08 11:22:30 at org.cyclonedx.util.deserializer.OrganizationalChoiceDeserializer.deserialize(OrganizationalChoiceDeserializer.java:45)
2024-10-08 11:22:30 at org.cyclonedx.util.deserializer.OrganizationalChoiceDeserializer.deserialize(OrganizationalChoiceDeserializer.java:32)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:129)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:310)
2024-10-08 11:22:30 ... 30 common frames omitted
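A pre-upload check for the failure described in the report and pinned down by the reference chain in the stack trace above (components -> licenses -> licensing -> purchaser, where the organization node carries contacts but no "name"): it flags every such party before the BOM reaches the API, and can strip them the way the reporter did by hand so the remaining components still get analysed. This is an added example, not code from Dependency-Track or cyclonedx-core-java; the BOM is constructed, and the check also covers the sibling licensor and licensee parties, which share the organization/individual shape in the CycloneDX 1.5 schema (assumed to behave the same; the issue only documents purchaser).

```python
import copy

# Constructed sample, shaped like the BOM in the issue: component 1 carries a
# licensing.purchaser whose organization has only a contact list and no "name".
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "clean-lib", "version": "1.0.0"},
        {
            "type": "library", "name": "licensed-lib", "version": "2.3.4",
            "licenses": [{"license": {
                "id": "MIT",
                "licensing": {"purchaser": {"organization": {"contact": [{"name": ""}]}}},
            }}],
        },
    ],
}

# Licensing parties sharing the organization/individual shape in CycloneDX 1.5. The
# issue only documents "purchaser"; licensor/licensee are assumed to parse the same way.
PARTIES = ("licensor", "licensee", "purchaser")

def _nameless_parties(bom, parties):
    """Yield (licensing node, party key, path) where the party's organization has no string 'name'."""
    for ci, comp in enumerate(bom.get("components", [])):
        for li, entry in enumerate(comp.get("licenses", [])):
            licensing = entry.get("license", {}).get("licensing")  # absent for "expression" entries
            if not isinstance(licensing, dict):
                continue
            for party in parties:
                node = licensing.get(party)
                org = node.get("organization") if isinstance(node, dict) else None
                if isinstance(org, dict) and not isinstance(org.get("name"), str):
                    yield licensing, party, f"components[{ci}].licenses[{li}].license.licensing.{party}"

def find_nameless_parties(bom, parties=PARTIES):
    """Paths of every party that would trip the parser; an empty list means the BOM is safe to upload."""
    return [path for _, _, path in _nameless_parties(bom, parties)]

def strip_nameless_parties(bom, parties=PARTIES):
    """Return (cleaned deep copy, removed paths): the reporter's workaround, applied without editing the original."""
    cleaned = copy.deepcopy(bom)
    removed = []
    for licensing, party, path in list(_nameless_parties(cleaned, parties)):
        del licensing[party]
        removed.append(path)
    return cleaned, removed
```

Run `find_nameless_parties` against a BOM loaded with `json.load` as a CI gate; keep the removed paths from `strip_nameless_parties` in the upload log so the dropped licensing data is not silently lost.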

buke-narlitepe-itk commented 4 weeks ago

It's a parsing bug in the CycloneDX library: CycloneDX/cyclonedx-core-java#507

So that means this bug is now resolved with the hotfix PR? https://github.com/CycloneDX/cyclonedx-core-java/pull/508