Namespace and PURLs lost when importing SPDX BoM
Current Behavior:
When importing an SPDX BoM which contains PURLs, the given PURLs and namespaces are lost. Tried Tag and RDF, both transformed from YAML input via https://tools.spdx.org/app/convert/
Steps to Reproduce:
- Create a new project
- Import this sample BoM (.spdx)
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
DocumentNamespace: http://spdx.org/spdxdocs/spdx-document-curl
DocumentName: curl-7.70.0
SPDXID: SPDXRef-DOCUMENT
## Creation Information
Creator: Organization: Example Inc.
Creator: Person: Thomas Steenbergen
Created: 2020-07-23T18:30:22Z
LicenseListVersion: 3.9
## Relationships
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-curl
## Package Information
PackageName: curl
SPDXID: SPDXRef-Package-curl
PackageVersion: 7.70.0
PackageDownloadLocation: git+https://github.com/curl/curl.git@53cdc2c963e33bc0cc1a51ad2df79396202e07f8
PackageHomePage: https://curl.haxx.se/
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: curl
PackageCopyrightText: <text>Copyright (c) 1996 - 2020, Daniel Stenberg, <daniel@haxx.se>, and many contributors, see the THANKS file.</text>
PackageDescription: <text>A command line tool and library for transferring data with URL syntax, supporting HTTP, HTTPS, FTP, FTPS, GOPHER, TFTP, SCP, SFTP, SMB, TELNET, DICT, LDAP, LDAPS, MQTT, FILE, IMAP, SMTP, POP3, RTSP and RTMP. libcurl offers a myriad of powerful features.</text>
ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/curl@7.70.0
FilesAnalyzed: false
## Package Information
PackageName: junit
SPDXID: SPDXRef-Package-junit
PackageVersion: 4.12
PackageDownloadLocation: https://mvnrepository.com/artifact/junit/junit
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: Apache-2.0
PackageCopyrightText: <text>Copyright</text>
PackageDescription: <text>A ..</text>
ExternalRef: PACKAGE-MANAGER purl pkg:maven/junit/junit@4.12
FilesAnalyzed: false
- Update portfolio metrics
- Check the component details -> no namespace, no PURL -> no info about outdated component, no info about existing vulnerabilities
- Manually add the namespace and PURL for junit
- Update portfolio metrics
- Project shows info about outdated component, info about existing vulnerabilities
Expected Behavior:
When importing a BoM which has all coordinates (name, namespace, version), and a PURL, make sure DT updates the component details in the database.
Environment:
- Dependency-Track Version: 4.0.1
- Distribution: Bundled Executable WAR
- BOM Format & Version: SPDX 2.2
- Database Server: DT standard database
- Browser: Firefox 78.7.1esr, Chrome 89.0.4389.114
Additional Details:
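The steps above boil down to one importer requirement: read each package's `ExternalRef: PACKAGE-MANAGER purl ...` line and derive type, namespace, name and version from it, rather than keeping only `PackageName`/`PackageVersion`. The script below is an added example and not Dependency-Track's own import code; it parses SPDX 2.2 tag-value text (comment lines, multi-line `<text>` values, one record per `PackageName`), extracts the purl ExternalRefs, and splits each purl into the coordinates DT needs for version and vulnerability matching. The embedded document is the issue's sample trimmed to the relevant tags, with the curl copyright text split over two lines to exercise the `<text>` handling; the warning strings and the fallback behaviour without a purl are this example's own choices, not DT's.

```python
"""Added example (not Dependency-Track code): derive package coordinates from
SPDX 2.2 tag-value ExternalRef purls, which is what the importer must do so
that namespace and PURL survive the import."""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed input: the issue's sample document, trimmed to the tags used here.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
## Package Information
PackageName: curl
SPDXID: SPDXRef-Package-curl
PackageVersion: 7.70.0
PackageDownloadLocation: git+https://github.com/curl/curl.git@53cdc2c963e33bc0cc1a51ad2df79396202e07f8
PackageCopyrightText: <text>Copyright (c) 1996 - 2020, Daniel Stenberg,
and many contributors.</text>
ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/curl@7.70.0
FilesAnalyzed: false
## Package Information
PackageName: junit
SPDXID: SPDXRef-Package-junit
PackageVersion: 4.12
ExternalRef: PACKAGE-MANAGER purl pkg:maven/junit/junit@4.12
FilesAnalyzed: false
"""

# Package URL grammar: pkg:type/namespace/name@version?qualifiers#subpath,
# with namespace, version, qualifiers and subpath optional. Components are
# percent-encoded in the purl and decoded after matching.
PURL_RE = re.compile(
    r"^pkg:(?P<type>[^/]+)/"
    r"(?:(?P<namespace>[^@?#]+)/)?"
    r"(?P<name>[^/@?#]+)"
    r"(?:@(?P<version>[^?#]+))?"
    r"(?:\?(?P<qualifiers>[^#]*))?"
    r"(?:#(?P<subpath>.*))?$"
)


def parse_purl(purl: str) -> Optional[Dict[str, Optional[str]]]:
    """Split a purl into its components, or return None if it is not a purl."""
    m = PURL_RE.match(purl.strip())
    if not m:
        return None
    return {k: (unquote(v) if v is not None else None) for k, v in m.groupdict().items()}


def parse_spdx_packages(doc: str) -> List[dict]:
    """Tag-value parser: '#' lines and blanks are skipped, <text>...</text>
    values may span lines, every PackageName starts a new package record and
    ExternalRef values are collected into a list."""
    packages: List[dict] = []
    current: Optional[dict] = None
    lines = doc.splitlines()
    i = 0
    while i < len(lines):
        raw = lines[i]
        i += 1
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        tag, sep, value = raw.partition(":")
        if not sep:
            continue
        tag, value = tag.strip(), value.strip()
        if value.startswith("<text>"):
            while "</text>" not in value and i < len(lines):
                value += "\n" + lines[i]
                i += 1
            end = value.rfind("</text>")
            value = value[len("<text>"):(end if end != -1 else None)].strip()
        if tag == "PackageName":
            current = {"PackageName": value, "ExternalRef": []}
            packages.append(current)
        elif current is None:
            continue  # document-level tags are not needed here
        elif tag == "ExternalRef":
            current["ExternalRef"].append(value)
        else:
            current[tag] = value
    return packages


def package_coordinates(doc: str) -> List[dict]:
    """What an importer should persist per package: type/namespace/name/version
    from the purl when present, PackageName/PackageVersion otherwise, plus
    warnings when the two disagree (example policy, not DT's)."""
    results = []
    for pkg in parse_spdx_packages(doc):
        purls = []
        for ref in pkg["ExternalRef"]:
            fields = ref.split(None, 2)  # <category> <type> <locator>
            if len(fields) == 3 and fields[0] == "PACKAGE-MANAGER" and fields[1] == "purl":
                purls.append(fields[2])
        coords = {"spdxid": pkg.get("SPDXID"), "type": None, "namespace": None,
                  "name": pkg["PackageName"], "version": pkg.get("PackageVersion"),
                  "purl": purls[0] if purls else None, "warnings": []}
        parsed = parse_purl(purls[0]) if purls else None
        if not purls:
            coords["warnings"].append("no purl ExternalRef: matching falls back to name/version only")
        elif parsed is None:
            coords["warnings"].append(f"unparseable purl {purls[0]!r}")
        else:
            for field in ("name", "version"):
                if parsed[field] and coords[field] and parsed[field] != coords[field]:
                    coords["warnings"].append(f"SPDX {field} {coords[field]} != purl {field} {parsed[field]}")
            coords.update(type=parsed["type"], namespace=parsed["namespace"],
                          name=parsed["name"], version=parsed["version"] or coords["version"])
        results.append(coords)
    return results


if __name__ == "__main__":
    for c in package_coordinates(SAMPLE_SPDX):
        print(c)
```

Run against the sample, the junit record comes back with type `maven`, namespace `junit`, name `junit`, version `4.12` and purl `pkg:maven/junit/junit@4.12`, which are exactly the fields the reporter had to add by hand before vulnerability and outdated-version information appeared.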
Top GitHub Comments
Thanks for reporting. SPDX support is not very well tested as it's not widely used with Dependency-Track today. I have found and resolved the issue. The fix will be available in v4.3. There are likely many other SPDX related issues. Pull requests are highly encouraged.