
Namespace and PURLs lost when importing SPDX BoM


Current Behavior:

When importing an SPDX BoM which contains PURLs, the given PURLs and namespaces are lost. Tried Tag and RDF, both transformed from YAML input via https://tools.spdx.org/app/convert/

Steps to Reproduce:

  1. Create a new project
  2. Import this sample BoM (.spdx)
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
DocumentNamespace: http://spdx.org/spdxdocs/spdx-document-curl
DocumentName: curl-7.70.0
SPDXID: SPDXRef-DOCUMENT

## Creation Information
Creator: Organization: Example Inc.
Creator: Person: Thomas Steenbergen
Created: 2020-07-23T18:30:22Z
LicenseListVersion: 3.9
## Relationships
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-curl

## Package Information
PackageName: curl
SPDXID: SPDXRef-Package-curl
PackageVersion: 7.70.0
PackageDownloadLocation: git+https://github.com/curl/curl.git@53cdc2c963e33bc0cc1a51ad2df79396202e07f8
PackageHomePage: https://curl.haxx.se/
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: curl
PackageCopyrightText: <text>Copyright (c) 1996 - 2020, Daniel Stenberg, <daniel@haxx.se>, and many contributors, see the THANKS file.</text>
PackageDescription: <text>A command line tool and library for transferring data with URL syntax, supporting HTTP, HTTPS, FTP, FTPS, GOPHER, TFTP, SCP, SFTP, SMB, TELNET, DICT, LDAP, LDAPS, MQTT, FILE, IMAP, SMTP, POP3, RTSP and RTMP. libcurl offers a myriad of powerful features.</text>
ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/curl@7.70.0
FilesAnalyzed: false

## Package Information
PackageName: junit
SPDXID: SPDXRef-Package-junit
PackageVersion: 4.12
PackageDownloadLocation: https://mvnrepository.com/artifact/junit/junit
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: Apache-2.0
PackageCopyrightText: <text>Copyright</text>
PackageDescription: <text>A ..</text>
ExternalRef: PACKAGE-MANAGER purl pkg:maven/junit/junit@4.12
FilesAnalyzed: false
  3. Update portfolio metrics
  4. Check the component details -> no namespace, no PURL -> no info about outdated component, no info about existing vulnerabilities
  5. Manually add the namespace and PURL for junit
  6. Update portfolio metrics
  7. Project shows info about outdated component, info about existing vulnerabilities

Expected Behavior:

When importing a BoM which has all coordinates (name, namespace, version), and a PURL, make sure DT updates the component details in the database.

Environment:

  • Dependency-Track Version: 4.0.1
  • Distribution: Bundled Executable WAR
  • BOM Format & Version: SPDX 2.2
  • Database Server: DT standard database
  • Browser: Firefox 78.7.1esr, Chrome 89.0.4389.114

Additional Details:
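To see exactly which data the importer should carry over, here is an added example (not part of the issue and not Dependency-Track code) that reads the ExternalRef purl lines from SPDX tag-value text and splits each PURL into the type, namespace, name and version that the report says go missing. The embedded document is a constructed, cut-down copy of the sample above.

```python
# Constructed sample: the two packages from the issue's SPDX tag-value BoM, shortened.
SAMPLE_SPDX = """SPDXVersion: SPDX-2.2
SPDXID: SPDXRef-DOCUMENT
## Package Information
PackageName: curl
SPDXID: SPDXRef-Package-curl
PackageVersion: 7.70.0
PackageCopyrightText: <text>Copyright (c) 1996 - 2020,
Daniel Stenberg and many contributors</text>
ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/curl@7.70.0
FilesAnalyzed: false

## Package Information
PackageName: junit
SPDXID: SPDXRef-Package-junit
PackageVersion: 4.12
ExternalRef: PACKAGE-MANAGER purl pkg:maven/junit/junit@4.12
"""


def parse_purl(purl):
    """Split a Package URL into type/namespace/name/version per the purl spec.

    Qualifiers ("?...") and subpath ("#...") are dropped; the namespace may have
    several segments (e.g. pkg:golang/github.com/foo/bar), so everything between
    the type and the last segment is joined back together."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a purl: " + purl)
    body = purl[4:].split("#", 1)[0].split("?", 1)[0]
    version = None
    if "@" in body:
        body, version = body.rsplit("@", 1)
    parts = body.strip("/").split("/")
    namespace = "/".join(parts[1:-1]) or None
    return {"type": parts[0], "namespace": namespace, "name": parts[-1], "version": version}


def parse_spdx_packages(text):
    """Collect name, version and purls for each package in an SPDX tag-value doc.

    Multi-line <text>...</text> values are skipped so their content is never
    mistaken for a tag; '##' comment lines are ignored."""
    packages, current, in_text = [], None, False
    for line in text.splitlines():
        if in_text:                       # inside a <text> block: wait for its close
            in_text = "</text>" not in line
            continue
        if "<text>" in line and "</text>" not in line:
            in_text = True
            continue
        if line.startswith("#") or ":" not in line:
            continue
        tag, value = (s.strip() for s in line.split(":", 1))
        if tag == "PackageName":          # a new package section starts here
            current = {"name": value, "version": None, "purls": []}
            packages.append(current)
        elif current is None:
            continue
        elif tag == "PackageVersion":
            current["version"] = value
        elif tag == "ExternalRef":        # "<category> <type> <locator>"
            _category, reftype, locator = value.split(None, 2)
            if reftype == "purl":
                current["purls"].append(parse_purl(locator))
    return packages
```

Running parse_spdx_packages over the BoM before import and comparing the result with the component list afterwards makes a dropped namespace or PURL visible immediately.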

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 5 (3 by maintainers)

Top GitHub Comments

1 reaction
stevespringett commented, Apr 16, 2021

Thanks for reporting. SPDX support is not very well tested as it’s not widely used with Dependency-Track today. I have found and resolved the issue. The fix will be available in v4.3. There are likely many other SPDX-related issues. Pull requests are highly encouraged.

0 reactions
github-actions[bot] commented, Aug 26, 2021

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

