pmckeown / dependency-track-maven-plugin

Maven plugin that integrates with a Dependency Track server to submit dependency manifests and optionally fail execution when vulnerable dependencies are found.
Apache License 2.0

Project not created under given parent project #395

Open skasten opened 1 year ago

skasten commented 1 year ago

Hi,

I am using plugin version 1.6.0. I want the plugin to create a "subproject" under a given "parent project" in DTrack. I added the parent project manually in DTrack and also gave it a version.

I set the following variables on BOM upload.

  <plugin>
      <groupId>io.github.pmckeown</groupId>
      <artifactId>dependency-track-maven-plugin</artifactId>
      <version>1.6.0</version>
      <configuration>
          <dependencyTrackBaseUrl>https://dtrack.example.com</dependencyTrackBaseUrl>
          <apiKey>${env.CI_DTRACK_API_KEY}</apiKey>
          <projectVersion>${env.CI_COMMIT_REF_SLUG}</projectVersion>
          <updateProjectInfo>true</updateProjectInfo>
          <updateParent>true</updateParent>
          <parentName>MY Parent</parentName>
          <parentVersion>ALL</parentVersion>
          <pollingConfig>
              <enabled>true</enabled>
              <pause>500</pause>
              <attempts>40</attempts>
              <timeUnit>MILLIS</timeUnit>
          </pollingConfig>
      </configuration>
  </plugin>

My expectation is that, when running the BOM upload the first time, the project gets created under the given parent project "MY Parent" / "ALL".

But it does not work. The project will be created, but in the "root" of DTrack, not under the parent. Is my expectation wrong, and is the "parentName"/"parentVersion" + updateParent setting for something else?

Thanks for the help in advance.

Best Regards, Sven

pmckeown commented 1 year ago

The plugin finds existing projects using the Project Name and Project Version. The same applies to parent projects when using the feature that adds a sub module to a parent.

Given the configuration above, the plugin should have found an existing project with name 'MY Parent' and version 'ALL'.

Is this still an issue?

If so, could you please provide more details, including a screen grab of the Dependency Track UI, the build log and the configuration?

in-fke commented 1 year ago

The project will be created but in the "root" of DTrack

I also have the problem, specifically: "it used to work".

EDIT: maybe it helps to know that I have pollingConfig disabled. I only want to publish the BOM.

in-fke commented 9 months ago

I got it to work (again) by adding

    <updateParent>true</updateParent>

Yet, removing this setting, I am unable to reproduce it (again) (some cache mechanism?).

I will keep the above setting and if it ever happens again.

Relevant code, probably!? https://github.com/pmckeown/dependency-track-maven-plugin/blob/main/src/main/java/io/github/pmckeown/dependencytrack/upload/UploadBomMojo.java#L86

I guess this setting won't hurt, see: https://docs.dependencytrack.org/usage/cicd/#alternative-parameters
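A way to check the exact name+version parent resolution pmckeown describes above, and to see the parentName/parentVersion upload parameters the linked docs cover, as an added Python example that is not the plugin's or the project's own code. It assumes the Dependency-Track REST API's GET /api/v1/project/lookup and PUT /api/v1/bom endpoints, an API key in CI_DTRACK_API_KEY, and a placeholder server URL and BOM path.

```python
import base64
import json
import os
import urllib.error
import urllib.parse
import urllib.request

def lookup_project(base_url, api_key, name, version):
    """Exact name+version lookup, as the plugin does for project and parent.
    Returns the project JSON, or None on 404 (e.g. a stray space or case
    difference in parentName/parentVersion)."""
    query = urllib.parse.urlencode({"name": name, "version": version})
    req = urllib.request.Request(f"{base_url}/api/v1/project/lookup?{query}",
                                 headers={"X-Api-Key": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise

def build_bom_payload(bom_bytes, project_name, project_version,
                      parent_name=None, parent_version=None):
    """JSON body for PUT /api/v1/bom. parentName/parentVersion are applied
    together with autoCreate when the project is first created under the parent."""
    payload = {"projectName": project_name, "projectVersion": project_version,
               "autoCreate": True,
               "bom": base64.b64encode(bom_bytes).decode("ascii")}
    if parent_name is not None:
        payload["parentName"] = parent_name
        payload["parentVersion"] = parent_version
    return payload

def upload_bom(base_url, api_key, payload):
    """PUT the BOM; Dependency-Track answers with a processing token."""
    req = urllib.request.Request(f"{base_url}/api/v1/bom", method="PUT",
                                 data=json.dumps(payload).encode("utf-8"),
                                 headers={"X-Api-Key": api_key,
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp).get("token")

if __name__ == "__main__":
    base, key = "https://dtrack.example.com", os.environ["CI_DTRACK_API_KEY"]  # placeholder URL
    if lookup_project(base, key, "MY Parent", "ALL") is None:
        raise SystemExit("parent 'MY Parent'/'ALL' not found: check exact name/version")
    with open("target/bom.xml", "rb") as fh:  # assumed CycloneDX BOM path
        body = build_bom_payload(fh.read(), "my-service",
                                 os.environ["CI_COMMIT_REF_SLUG"], "MY Parent", "ALL")
    print("upload token:", upload_bom(base, key, body))
```

Running the lookup before the upload tells you whether the parent actually resolves with the configured values; if it returns None, the upload will create the project at the root, which is the symptom described in this issue.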