Uploading a CycloneDX bom with an extension at the end fails with a stacktrace
Current Behavior:
Uploading a CycloneDX file with an extension at the end results in a stacktrace.
Steps to Reproduce:
Upload a CycloneDX BOM that has the following extension at the end:
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.2" xmlns:bd="http://cyclonedx.org/schema/ext/bom-descriptor/1.0" version="1" serialNumber="urn:uuid:68e4a7c5-dc89-482d-9fd3-223bd8002b2e">
  <components>
    ...
  </components>
  <bd:metadata>
    <bd:timestamp>2020-11-18T10:11:12+01:00</bd:timestamp>
    <bd:tool>
      <bd:vendor>anchore</bd:vendor>
      <bd:name>syft</bd:name>
      <bd:version>0.8.0</bd:version>
    </bd:tool>
    <bd:component type="container">
      <name>image-xyz</name>
      <version>sha256:cbdee75f57018631712246e91054b89fc6ec3f13215cf00a749256e80bd67ddd</version>
    </bd:component>
  </bd:metadata>
</bom>
Expected Behavior:
The file should be correctly uploaded and processed by Dependency Track.
Environment:
- Dependency-Track Version: 4.0.0-SNAPSHOT
- Distribution: Docker
- BOM Format & Version: CycloneDX 1.2 generated by syft
- Database Server: H2
- Browser: Chrome
Additional Details:
The stacktrace:
dtrack_1 | 09:14:37.983 ERROR [BomUploadProcessingTask] Error while processing bom
dtrack_1 | org.cyclonedx.exception.ParseException: com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter$UnknownFieldException: No such field org.cyclonedx.model.Metadata.tool
dtrack_1 | ---- Debugging information ----
dtrack_1 | message : No such field org.cyclonedx.model.Metadata.tool
dtrack_1 | field : tool
dtrack_1 | class : org.cyclonedx.model.Metadata
dtrack_1 | required-type : org.cyclonedx.model.Metadata
dtrack_1 | converter-type : com.thoughtworks.xstream.converters.reflection.ReflectionConverter
dtrack_1 | path : /bom/metadata/tool
dtrack_1 | line number : 13026
dtrack_1 | class[1] : org.cyclonedx.model.Bom
dtrack_1 | required-type[1] : org.cyclonedx.model.Bom
dtrack_1 | version : not available
dtrack_1 | -------------------------------
dtrack_1 | at org.cyclonedx.parsers.XmlParser.parse(XmlParser.java:110)
dtrack_1 | at org.dependencytrack.tasks.BomUploadProcessingTask.inform(BomUploadProcessingTask.java:84)
dtrack_1 | at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:99)
dtrack_1 | at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
dtrack_1 | at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
dtrack_1 | at java.lang.Thread.run(Thread.java:748)
dtrack_1 | Caused by: com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter$UnknownFieldException: No such field org.cyclonedx.model.Metadata.tool
dtrack_1 | ---- Debugging information ----
dtrack_1 | message : No such field org.cyclonedx.model.Metadata.tool
dtrack_1 | field : tool
dtrack_1 | class : org.cyclonedx.model.Metadata
dtrack_1 | required-type : org.cyclonedx.model.Metadata
dtrack_1 | converter-type : com.thoughtworks.xstream.converters.reflection.ReflectionConverter
dtrack_1 | path : /bom/metadata/tool
dtrack_1 | line number : 13026
dtrack_1 | class[1] : org.cyclonedx.model.Bom
dtrack_1 | required-type[1] : org.cyclonedx.model.Bom
dtrack_1 | version : not available
dtrack_1 | -------------------------------
dtrack_1 | at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.handleUnknownField(AbstractReflectionConverter.java:520)
dtrack_1 | at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.doUnmarshal(AbstractReflectionConverter.java:371)
dtrack_1 | at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.unmarshal(AbstractReflectionConverter.java:277)
dtrack_1 | at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:72)
dtrack_1 | at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:72)
dtrack_1 | at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:66)
dtrack_1 | at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.unmarshallField(AbstractReflectionConverter.java:499)
dtrack_1 | at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.doUnmarshal(AbstractReflectionConverter.java:425)
dtrack_1 | at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.unmarshal(AbstractReflectionConverter.java:277)
dtrack_1 | at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:72)
dtrack_1 | at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:72)
dtrack_1 | at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:66)
dtrack_1 | at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:50)
dtrack_1 | at com.thoughtworks.xstream.core.TreeUnmarshaller.start(TreeUnmarshaller.java:134)
dtrack_1 | at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.unmarshal(AbstractTreeMarshallingStrategy.java:32)
dtrack_1 | at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1487)
dtrack_1 | at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1467)
dtrack_1 | at com.thoughtworks.xstream.XStream.fromXML(XStream.java:1347)
dtrack_1 | at org.cyclonedx.parsers.XmlParser.parse(XmlParser.java:107)
dtrack_1 | ... 5 common frames omitted
Issue Analytics
- Created 3 years ago
- Comments: 6 (4 by maintainers)
Top GitHub Comments
Thanks for reporting. BOMs with extensions should ideally work, but will need to investigate.

Also note that using bd:metadata with a CycloneDX v1.2 BOM creates a conflict, as CycloneDX v1.2 incorporates a modified version of that extension into the base schema. In other words, use of the bd:metadata could simply be replaced with <metadata> since it's part of the specification. The BOM Descriptor extension is only compatible with CycloneDX v1.1, not v1.2.

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
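The following Python script is an added example, not code from the issue, from Dependency-Track or from cyclonedx-core-java. It does the two pre-upload checks a consumer of third-party SBOMs would want here: it lists every element that lives outside the BOM's own namespace (the bd: elements are exactly what the reflection-based parser in the stack trace has no field for), and it rewrites the 1.1-era bd:metadata block into the native CycloneDX 1.2 <metadata> element, as the maintainer's comment suggests. The sample BOM, the tool and vendor names and the digest are constructed; the element order used (metadata before components, and timestamp, tools, component inside metadata) is my reading of the 1.2 schema and is an assumption.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Namespaces exactly as they appear in the reported BOM.
BOM_12_NS = "http://cyclonedx.org/schema/bom/1.2"
BD_NS = "http://cyclonedx.org/schema/ext/bom-descriptor/1.0"

# Constructed sample mirroring the shape of the BOM in the report: a 1.2 BOM
# carrying the 1.1-era bd:metadata extension. All values are made up.
SAMPLE_BOM = """<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.2" xmlns:bd="http://cyclonedx.org/schema/ext/bom-descriptor/1.0" version="1" serialNumber="urn:uuid:00000000-0000-4000-8000-000000000000">
  <components>
    <component type="library"><name>example-lib</name><version>1.0.0</version></component>
  </components>
  <bd:metadata>
    <bd:timestamp>2020-11-18T10:11:12+01:00</bd:timestamp>
    <bd:tool>
      <bd:vendor>example-vendor</bd:vendor>
      <bd:name>example-tool</bd:name>
      <bd:version>0.0.1</bd:version>
    </bd:tool>
    <bd:component type="container">
      <name>image-xyz</name>
      <version>sha256:0123456789abcdef</version>
    </bd:component>
  </bd:metadata>
</bom>
"""


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]


def _ns(tag: str) -> str:
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def foreign_elements(root: ET.Element) -> List[str]:
    """Tags of every element outside the BOM's own namespace: the ones a strict,
    reflection-based parser like the one in the stack trace has no field for."""
    bom_ns = _ns(root.tag)
    return [el.tag for el in root.iter() if _ns(el.tag) != bom_ns]


def summarize(xml_text: str) -> Dict[str, object]:
    """Pre-upload check: schema namespace, first child, extension elements, tools."""
    root = ET.fromstring(xml_text)  # for genuinely untrusted XML, parse with defusedxml
    ns = _ns(root.tag)
    tools = root.findall(f"{{{ns}}}metadata/{{{ns}}}tools/{{{ns}}}tool/{{{ns}}}name")
    return {
        "bom_ns": ns,
        "first_child": _local(root[0].tag) if len(root) else None,
        "foreign": foreign_elements(root),
        "tool_names": [t.text for t in tools],
    }


def convert_bd_metadata(xml_text: str) -> Tuple[str, bool]:
    """Rewrite bd:metadata into the native 1.2 <metadata>. Returns (xml, converted).
    Non-1.2 BOMs and BOMs without bd:metadata are returned unchanged."""
    root = ET.fromstring(xml_text)
    if _ns(root.tag) != BOM_12_NS:
        return xml_text, False
    bd_meta = root.find(f"{{{BD_NS}}}metadata")
    if bd_meta is None:
        return xml_text, False
    if root.find(f"{{{BOM_12_NS}}}metadata") is not None:
        raise ValueError("BOM has both <metadata> and <bd:metadata>; refusing to guess")

    def sub(parent: ET.Element, name: str, text=None) -> ET.Element:
        el = ET.SubElement(parent, f"{{{BOM_12_NS}}}{name}")
        el.text = text
        return el

    meta = ET.Element(f"{{{BOM_12_NS}}}metadata")
    ts = bd_meta.find(f"{{{BD_NS}}}timestamp")
    if ts is not None:
        sub(meta, "timestamp", ts.text)
    bd_tools = bd_meta.findall(f"{{{BD_NS}}}tool")
    if bd_tools:  # 1.2 wraps each <tool> in a <tools> container (assumed order: after timestamp)
        tools = sub(meta, "tools")
        for bd_tool in bd_tools:
            tool = sub(tools, "tool")
            for field in ("vendor", "name", "version"):
                src = bd_tool.find(f"{{{BD_NS}}}{field}")
                if src is not None:
                    sub(tool, field, src.text)
    bd_comp = bd_meta.find(f"{{{BD_NS}}}component")
    if bd_comp is not None:
        comp = sub(meta, "component")
        comp.set("type", bd_comp.get("type", "application"))
        for field in ("name", "version"):
            # in the report the children of bd:component sit in the default (bom) namespace
            src = next((c for c in bd_comp if _local(c.tag) == field), None)
            if src is not None:
                sub(comp, field, src.text)

    root.remove(bd_meta)
    root.insert(0, meta)  # 1.2 sequence (assumed): metadata precedes components
    ET.register_namespace("", BOM_12_NS)
    return ET.tostring(root, encoding="unicode"), True


if __name__ == "__main__":
    print(summarize(SAMPLE_BOM))
    fixed, _ = convert_bd_metadata(SAMPLE_BOM)
    print(fixed)
    print(summarize(fixed))
```

Run it on the sample and the first summary lists seven bd: elements with no tools recorded; after conversion the summary shows metadata as the first child, no foreign elements and the tool name, which is the form a 1.2-only parser expects. The script deliberately refuses a BOM that carries both <metadata> and <bd:metadata>, since silently picking one would hide a conflicting provenance claim.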