DependencyTrack / frontend

Frontend UI for Dependency-Track
https://dependencytrack.org/
Apache License 2.0
93 stars 140 forks

Update Frontend SBOM to Support CycloneDX 1.5 or 1.6 #911

Open msymons opened 1 month ago

msymons commented 1 month ago

Current Behavior

The latest release of DT Frontend is v4.11.3, and the BOM is published as a release asset and is also available from DT itself via /.well-known/sbom.

The BOM is generated using CycloneDX Webpack Plugin v2.0.2, which only supports CDX 1.3.

Proposed Behavior

Checklist

nscuro commented 1 month ago

There is a Dependabot PR to bump the plugin version, but the build is failing: https://github.com/DependencyTrack/frontend/pull/912

Needs investigation. Perhaps we can't go directly to the latest plugin version due to other dependencies we need to upgrade first...