pmckeown / dependency-track-maven-plugin

Maven plugin that integrates with a Dependency Track server to submit dependency manifests and optionally fail execution when vulnerable dependencies are found.
Apache License 2.0

Failure integrating with Dependency Track: 405 Not Allowed #372

Closed hohwille closed 1 year ago

hohwille commented 1 year ago

As a user of dependency-track-maven-plugin I would expect it to just work (with the current/latest version of dependency-track). However, according to my observation it does not:

[ERROR] Failure integrating with Dependency Track: 405 Not Allowed

I already reported this problem in #237 but more as a side note so maybe it did not get enough attention. Now with the latest version of the plugin (1.5.0), I still get this error and would therefore consider the plugin as useless unless this issue is fixed.

hohwille commented 1 year ago

I just analyzed the logs of my dependency-track and found this one:

dependency-track-dtrack-frontend-1   | 2023/06/01 11:29:17 [error] 35#35: *162 client intended to send too large body: 1883794 bytes, client: 172.19.0.1, server: _, request: "PUT /api/v1/bom HTTP/1.1", host: "localhost:8080"

Are you in close contact with the makers of dependency-track? Is that a bug in dependency-track itself or are you just using the API in a wrong way in your maven plugin? Is there a way to tweak the configuration of the underlying HTTP server of dependency-track to increase the body size limit?

hohwille commented 1 year ago

https://github.com/DependencyTrack/dependency-track/issues/916

hohwille commented 1 year ago

OK, documentation of dependency-track itself is rather poor. I found the problem. I was uploading the BOMs to the frontend, but they have to be uploaded to the backend. Documentation is just giving me minimal information to get started and as a new user (due to Single-Origin-Policy) I do not expect that there are multiple URLs and ports involved, and after browsing dependency-track in the web browser on 8080...

You already outlined this perfectly in your README:

IMPORTANT Dependency Track includes a front-end and an api-server component on different ports (defaulting to 8080 and 8081 respectively). You must ensure that you target the api server component (8081) and not the front-end component URL in the dependencyTrackBaseUrl property.

So I just close this issue as nothing seems to be wrong with this plugin then.
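As an added example (not code from the plugin's README or from this thread), a plugin configuration that targets the api-server component rather than the front-end; the Maven coordinates `io.github.pmckeown:dependency-track-maven-plugin` and the `dependencyTrack.apiKey` property name are assumptions:

```xml
<plugin>
  <groupId>io.github.pmckeown</groupId>
  <artifactId>dependency-track-maven-plugin</artifactId>
  <version>1.5.0</version>
  <configuration>
    <!-- Wrong: http://localhost:8080 is the front-end (nginx). It does not accept
         PUT /api/v1/bom and answers "405 Not Allowed" while logging
         "client intended to send too large body", as seen in this issue. -->
    <!-- Right: the api-server component, which listens on 8081 by default. -->
    <dependencyTrackBaseUrl>http://localhost:8081</dependencyTrackBaseUrl>
    <!-- Assumed property name; supply it from settings.xml or -D on the command
         line instead of committing the API key to the POM. -->
    <apiKey>${dependencyTrack.apiKey}</apiKey>
  </configuration>
</plugin>
```

If the BOM upload still fails with 405, check which port the configured URL resolves to before suspecting the plugin.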