Current Behavior When importing an SBOM that defines a CPE and/or

Use cpe and/or purl from cyclonedx metadata.component to set project cpe and/or purl. about dependency-track HOT 1 OPEN

savek-cc commented on September 22, 2024

Use cpe and/or purl from cyclonedx metadata.component to set project cpe and/or purl.

from dependency-track.

Comments (1)

nscuro commented on September 22, 2024

Already addressed in BomUploadProcessingTaskV2 which ships with DT v4.11:

dependency-track/src/main/java/org/dependencytrack/tasks/BomUploadProcessingTaskV2.java

Lines 339 to 355 in 3efdd24

 if (project != null) { 

 persistentProject.setBomRef(project.getBomRef()); // Transient 

 hasChanged |= applyIfChanged(persistentProject, project, Project::getAuthor, persistentProject::setAuthor); 

 hasChanged |= applyIfChanged(persistentProject, project, Project::getPublisher, persistentProject::setPublisher); 

 hasChanged |= applyIfChanged(persistentProject, project, Project::getManufacturer, persistentProject::setManufacturer); 

 hasChanged |= applyIfChanged(persistentProject, project, Project::getSupplier, persistentProject::setSupplier); 

 hasChanged |= applyIfChanged(persistentProject, project, Project::getClassifier, persistentProject::setClassifier); 

 // TODO: Currently these properties are "decoupled" from the BOM and managed directly by DT users. 

 // Perhaps there could be a flag for BOM uploads saying "use BOM properties" or something? 

 // changed |= applyIfChanged(project, metadataComponent, Project::getGroup, project::setGroup); 

 // changed |= applyIfChanged(project, metadataComponent, Project::getName, project::setName); 

 // changed |= applyIfChanged(project, metadataComponent, Project::getVersion, project::setVersion); 

 // changed |= applyIfChanged(project, metadataComponent, Project::getDescription, project::setDescription); 

 hasChanged |= applyIfChanged(persistentProject, project, Project::getExternalReferences, persistentProject::setExternalReferences); 

 hasChanged |= applyIfChanged(persistentProject, project, Project::getPurl, persistentProject::setPurl); 

 hasChanged |= applyIfChanged(persistentProject, project, Project::getSwidTagId, persistentProject::setSwidTagId); 

 }

But not in the legacy BomUploadProcessingTask:

dependency-track/src/main/java/org/dependencytrack/tasks/BomUploadProcessingTask.java

Lines 115 to 155 in 3efdd24

 if (cycloneDxBom.getMetadata() != null) { 

 project.setManufacturer(ModelConverter.convert(cycloneDxBom.getMetadata().getManufacture())); 

 final var projectMetadata = new ProjectMetadata(); 

 projectMetadata.setSupplier(ModelConverter.convert(cycloneDxBom.getMetadata().getSupplier())); 

 projectMetadata.setAuthors(cycloneDxBom.getMetadata().getAuthors() != null 

 ? new ArrayList<>(ModelConverter.convertCdxContacts(cycloneDxBom.getMetadata().getAuthors())) 

 : null); 

 if (project.getMetadata() != null) { 

 qm.runInTransaction(() -> { 

 project.getMetadata().setSupplier(projectMetadata.getSupplier()); 

 project.getMetadata().setAuthors(projectMetadata.getAuthors()); 

 }); 

 } else { 

 qm.runInTransaction(() -> { 

 projectMetadata.setProject(project); 

 qm.getPersistenceManager().makePersistent(projectMetadata); 

 }); 

 } 

 if (cycloneDxBom.getMetadata().getComponent() != null) { 

 final org.cyclonedx.model.Component cdxMetadataComponent = cycloneDxBom.getMetadata().getComponent(); 

 if (cdxMetadataComponent.getType() != null && project.getClassifier() == null) { 

 try { 

 project.setClassifier(Classifier.valueOf(cdxMetadataComponent.getType().name())); 

 } catch (IllegalArgumentException ex) { 

 LOGGER.warn(""" 

  The metadata.component element of the BOM is of unknown type %s. \ 

  Known types are %s.""".formatted(cdxMetadataComponent.getType(), 

 Arrays.stream(Classifier.values()).map(Enum::name).collect(Collectors.joining(", ")))); 

 } 

 } 

 if (cdxMetadataComponent.getSupplier() != null) { 

 project.setSupplier(ModelConverter.convert(cdxMetadataComponent.getSupplier())); 

 } 

 } 

 } 

 if (project.getClassifier() == null) { 

 project.setClassifier(Classifier.APPLICATION); 

 } 

 project.setExternalReferences(ModelConverter.convertBomMetadataExternalReferences(cycloneDxBom));

from dependency-track.

Use cpe and/or purl from cyclonedx metadata.component to set project cpe and/or purl. about dependency-track HOT 1 OPEN

Comments (1)

Related Issues (20)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent

	if (project != null) {
	persistentProject.setBomRef(project.getBomRef()); // Transient
	hasChanged \|= applyIfChanged(persistentProject, project, Project::getAuthor, persistentProject::setAuthor);
	hasChanged \|= applyIfChanged(persistentProject, project, Project::getPublisher, persistentProject::setPublisher);
	hasChanged \|= applyIfChanged(persistentProject, project, Project::getManufacturer, persistentProject::setManufacturer);
	hasChanged \|= applyIfChanged(persistentProject, project, Project::getSupplier, persistentProject::setSupplier);
	hasChanged \|= applyIfChanged(persistentProject, project, Project::getClassifier, persistentProject::setClassifier);
	// TODO: Currently these properties are "decoupled" from the BOM and managed directly by DT users.
	// Perhaps there could be a flag for BOM uploads saying "use BOM properties" or something?
	// changed \|= applyIfChanged(project, metadataComponent, Project::getGroup, project::setGroup);
	// changed \|= applyIfChanged(project, metadataComponent, Project::getName, project::setName);
	// changed \|= applyIfChanged(project, metadataComponent, Project::getVersion, project::setVersion);
	// changed \|= applyIfChanged(project, metadataComponent, Project::getDescription, project::setDescription);
	hasChanged \|= applyIfChanged(persistentProject, project, Project::getExternalReferences, persistentProject::setExternalReferences);
	hasChanged \|= applyIfChanged(persistentProject, project, Project::getPurl, persistentProject::setPurl);
	hasChanged \|= applyIfChanged(persistentProject, project, Project::getSwidTagId, persistentProject::setSwidTagId);
	}

	if (cycloneDxBom.getMetadata() != null) {
	project.setManufacturer(ModelConverter.convert(cycloneDxBom.getMetadata().getManufacture()));

	final var projectMetadata = new ProjectMetadata();
	projectMetadata.setSupplier(ModelConverter.convert(cycloneDxBom.getMetadata().getSupplier()));
	projectMetadata.setAuthors(cycloneDxBom.getMetadata().getAuthors() != null
	? new ArrayList<>(ModelConverter.convertCdxContacts(cycloneDxBom.getMetadata().getAuthors()))
	: null);
	if (project.getMetadata() != null) {
	qm.runInTransaction(() -> {
	project.getMetadata().setSupplier(projectMetadata.getSupplier());
	project.getMetadata().setAuthors(projectMetadata.getAuthors());
	});
	} else {
	qm.runInTransaction(() -> {
	projectMetadata.setProject(project);
	qm.getPersistenceManager().makePersistent(projectMetadata);
	});
	}

	if (cycloneDxBom.getMetadata().getComponent() != null) {
	final org.cyclonedx.model.Component cdxMetadataComponent = cycloneDxBom.getMetadata().getComponent();
	if (cdxMetadataComponent.getType() != null && project.getClassifier() == null) {
	try {
	project.setClassifier(Classifier.valueOf(cdxMetadataComponent.getType().name()));
	} catch (IllegalArgumentException ex) {
	LOGGER.warn("""
	The metadata.component element of the BOM is of unknown type %s. \
	Known types are %s.""".formatted(cdxMetadataComponent.getType(),
	Arrays.stream(Classifier.values()).map(Enum::name).collect(Collectors.joining(", "))));
	}
	}
	if (cdxMetadataComponent.getSupplier() != null) {
	project.setSupplier(ModelConverter.convert(cdxMetadataComponent.getSupplier()));
	}
	}
	}
	if (project.getClassifier() == null) {
	project.setClassifier(Classifier.APPLICATION);
	}
	project.setExternalReferences(ModelConverter.convertBomMetadataExternalReferences(cycloneDxBom));