Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Metadata component CPE not recognized in BOM upload #4173

Closed
2 tasks done
eugenhoffmann opened this issue Sep 25, 2024 · 1 comment · Fixed by #4174
Closed
2 tasks done

Metadata component CPE not recognized in BOM upload #4173

eugenhoffmann opened this issue Sep 25, 2024 · 1 comment · Fixed by #4174
Labels
defect Something isn't working p2 Non-critical bugs, and features that help organizations to identify and reduce risk size/S Small effort
Milestone
4.12

Comments

@eugenhoffmann
Copy link

Current Behavior

The CPE value defined in metadata component not being recognized when uploading a BOM file.
However, the defined PURL address is recognized and set correctly in the project

Steps to Reproduce

  1. Upload the BOM file via "Upload BOM" button.
  2. Click on "View Details"
  3. Navigate to "Identity"

Expected Behavior

The CPE should be set in the project, just like the PURL address is correctly set when used in the metadata component

Dependency-Track Version

4.11.7

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

15.5

Browser

Google Chrome

Checklist
@eugenhoffmann eugenhoffmann added defect Something isn't working in triage labels Sep 25, 2024
@nscuro
Copy link
Member

nscuro commented Sep 25, 2024

Good catch, CPE is not being set here:

dependency-track/src/main/java/org/dependencytrack/tasks/BomUploadProcessingTask.java

Lines 324 to 340 in 16ef236

if (project != null) {
persistentProject.setBomRef(project.getBomRef()); // Transient
hasChanged |= applyIfChanged(persistentProject, project, Project::getAuthors, persistentProject::setAuthors);
hasChanged |= applyIfChanged(persistentProject, project, Project::getPublisher, persistentProject::setPublisher);
hasChanged |= applyIfChanged(persistentProject, project, Project::getManufacturer, persistentProject::setManufacturer);
hasChanged |= applyIfChanged(persistentProject, project, Project::getSupplier, persistentProject::setSupplier);
hasChanged |= applyIfChanged(persistentProject, project, Project::getClassifier, persistentProject::setClassifier);
// TODO: Currently these properties are "decoupled" from the BOM and managed directly by DT users.
// Perhaps there could be a flag for BOM uploads saying "use BOM properties" or something?
// changed |= applyIfChanged(project, metadataComponent, Project::getGroup, project::setGroup);
// changed |= applyIfChanged(project, metadataComponent, Project::getName, project::setName);
// changed |= applyIfChanged(project, metadataComponent, Project::getVersion, project::setVersion);
// changed |= applyIfChanged(project, metadataComponent, Project::getDescription, project::setDescription);
hasChanged |= applyIfChanged(persistentProject, project, Project::getExternalReferences, persistentProject::setExternalReferences);
hasChanged |= applyIfChanged(persistentProject, project, Project::getPurl, persistentProject::setPurl);
hasChanged |= applyIfChanged(persistentProject, project, Project::getSwidTagId, persistentProject::setSwidTagId);
}

@nscuro nscuro added this to the 4.12 milestone Sep 25, 2024
@nscuro nscuro added p2 Non-critical bugs, and features that help organizations to identify and reduce risk size/S Small effort and removed in triage labels Sep 25, 2024
nscuro added a commit to nscuro/dependency-track that referenced this issue Sep 25, 2024
@nscuro
Fix CPE not being imported from CycloneDX metadata.component
397dd21 
Fixes DependencyTrack#4173

Signed-off-by: nscuro <nscuro@protonmail.com>
@nscuro nscuro mentioned this issue Sep 25, 2024
Merged
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
defect Something isn't working p2 Non-critical bugs, and features that help organizations to identify and reduce risk size/S Small effort
Projects
None yet
Milestone
4.12
Development

Successfully merging a pull request may close this issue.

Fix CPE not being imported from CycloneDX metadata.component nscuro/dependency-track
2 participants
@nscuro @eugenhoffmann