Component properties not present in downloaded BOM #2991

Closed
2 tasks done
muxmuse opened this issue Aug 28, 2023 · 4 comments · Fixed by #3499

muxmuse commented Aug 28, 2023

Current Behavior

The downloaded BOM (file) doesn't include component properties that were present in a former upload.

Steps to Reproduce

  1. Create a new project
  2. In the components tab, upload a CycloneDX file with at least one component with properties
  3. Download the BOM and search for the properties

mve

{
  "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "serialNumber": "urn:uuid:5dd1cf22-47a8-4c0c-ac0e-f58eb356dbcb",
  "components": [
    {
      "type": "library",
      "name": "build-angular",
      "group": "@angular-devkit",
      "version": "16.1.0",
      "bom-ref": "@angular-devkit/build-angular@16.1.0",
      "purl": "pkg:npm/%40angular-devkit/build-angular@16.1.0",
      "properties": [
        {
          "name": "cdx:npm:package:path",
          "value": "node_modules/@angular-devkit/build-angular"
        },
        {
          "name": "cdx:npm:package:development",
          "value": "true"
        }
      ]
    }
  ]
}

Expected Behavior

Uploaded component properties exist in downloaded BOM file.

Dependency-Track Version

4.8.2

Dependency-Track Distribution

Container Image

Database Server

H2

Database Server Version

No response

Browser

Mozilla Firefox

Checklist

@muxmuse muxmuse added defect Something isn't working in triage labels Aug 28, 2023

angegar commented Oct 11, 2023

The author information is not there either.

setchy (Contributor) commented Apr 1, 2024

We observed the same issue last week.

It looks like a subset of the component specification model is converted and persisted in

public static Component convertComponent(final org.cyclonedx.model.Component cdxComponent) {

Items that are currently omitted include component properties, component evidence, etc.
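
A round-trip check for the behaviour reported in this thread, as an added example that is not from the issue or from Dependency-Track's code base: it compares the uploaded CycloneDX BOM with the downloaded one and lists, per component, which of `properties`, `author` and `evidence` did not survive. The function names are hypothetical, components are matched by purl on the assumption that `bom-ref` values need not survive the export, and the downloaded BOM in the sample is constructed.

```python
import json

# Component fields this thread reports as dropped on import.
CHECKED_FIELDS = ("properties", "author", "evidence")

def component_key(comp):
    """Match by purl, else (group, name, version); bom-ref is not assumed stable."""
    return comp.get("purl") or (comp.get("group"), comp.get("name"), comp.get("version"))

def walk(components):
    """Yield every component, including nested sub-components."""
    for comp in components or []:
        yield comp
        yield from walk(comp.get("components"))

def normalize(field, value):
    """Order-independent form of a field value, or None when absent."""
    if value is None:
        return None
    if field == "properties":
        return sorted((p.get("name", ""), p.get("value", "")) for p in value)
    return json.dumps(value, sort_keys=True)

def lost_fields(uploaded, downloaded):
    """Map component key -> fields set in the upload but missing or changed in the download."""
    exported = {component_key(c): c for c in walk(downloaded.get("components"))}
    report = {}
    for comp in walk(uploaded.get("components")):
        key = component_key(comp)
        other = exported.get(key)
        if other is None:
            report[key] = ["<component missing>"]
            continue
        lost = [f for f in CHECKED_FIELDS
                if comp.get(f) and normalize(f, comp[f]) != normalize(f, other.get(f))]
        if lost:
            report[key] = lost
    return report

# Constructed sample: the upload is trimmed from the issue's example BOM; the
# download is a made-up export that kept the component but not its properties.
PURL = "pkg:npm/%40angular-devkit/build-angular@16.1.0"
UPLOADED = {"components": [{"type": "library", "name": "build-angular", "purl": PURL,
    "properties": [{"name": "cdx:npm:package:development", "value": "true"}]}]}
DOWNLOADED = {"components": [{"type": "library", "name": "build-angular", "purl": PURL}]}

if __name__ == "__main__":
    print(lost_fields(UPLOADED, DOWNLOADED))
```

With real files, load both BOMs with `json.load` and pass the resulting dictionaries to `lost_fields`; an empty result means every checked field survived the round trip.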

nscuro (Member) commented Apr 1, 2024

The properties part is being worked on here: #3499

As for the evidence, it is not imported because there is not a clear story yet as to what to actually do with it. Importing data for the sake of importing it is not something we want to do. The way that information is stored has to work well with how it's going to be queried / used.

@nscuro nscuro removed the in triage label Apr 9, 2024
@nscuro nscuro added this to the 4.11 milestone Apr 9, 2024
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 15, 2024