
Vulnerability analysis cannot be performed, if the component contains “purchaser” property in SBOM file #4144

Closed
2 tasks done
buke-narlitepe-itk opened this issue Sep 13, 2024 · 4 comments · Fixed by #4270
Labels
defect Something isn't working p2 Non-critical bugs, and features that help organizations to identify and reduce risk size/S Small effort
Milestone

Comments

@buke-narlitepe-itk

Current Behavior

When we upload an SBOM file in CycloneDX (version 1.5) format to the tool, we do not get any results. Instead, we receive a parse error from your API.
On further examination, if any component contains the following section, the API throws an error:

  "purchaser": {
    "organization": {
      "contact": [
        {
          "name": ""
        }
      ]
    }
  }

When we remove the above part from the component section, the analysis completes as expected.
Additionally, there is another component in the SBOM file that already has vulnerabilities. Because of this error, its analysis is also skipped.

[two screenshots attached]

Proposed Behavior

If there is an error or omission in the SBOM file that could disrupt the analysis, it would be better if the error message were more descriptive.
At least the analysis results of the other components could be given, and the error for the faulty component reported in a more descriptive way.
We would also like to know why such an error occurred.


@buke-narlitepe-itk buke-narlitepe-itk added the enhancement New feature or request label Sep 13, 2024
@nscuro
Member

nscuro commented Sep 13, 2024

> we receive a parse error from your API.

Can you share the exact error you're getting?

@nscuro nscuro added defect Something isn't working pending more information and removed enhancement New feature or request labels Sep 13, 2024
@nscuro
Member

nscuro commented Sep 14, 2024

It's a parsing bug in the CycloneDX library: CycloneDX/cyclonedx-core-java#507

@nscuro nscuro added blocked p2 Non-critical bugs, and features that help organizations to identify and reduce risk size/S Small effort and removed pending more information labels Sep 14, 2024
@buke-narlitepe-itk
Author

> we receive a parse error from your API.
>
> Can you share the exact error you're getting?

Thanks for the reply. The error I get is as follows:

2024-10-08 09:22:30,920 ERROR [BomUploadProcessingTask] Error while processing bom
2024-10-08 11:22:30 org.cyclonedx.exception.ParseException: Unable to parse BOM from byte array
2024-10-08 11:22:30 at org.cyclonedx.parsers.JsonParser.parse(JsonParser.java:72)
2024-10-08 11:22:30 at org.dependencytrack.tasks.BomUploadProcessingTask.inform(BomUploadProcessingTask.java:111)
2024-10-08 11:22:30 at org.dependencytrack.tasks.BomUploadProcessingTaskV2.inform(BomUploadProcessingTaskV2.java:151)
2024-10-08 11:22:30 at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:110)
2024-10-08 11:22:30 at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
2024-10-08 11:22:30 at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
2024-10-08 11:22:30 at java.base/java.lang.Thread.run(Unknown Source)
2024-10-08 11:22:30 Caused by: com.fasterxml.jackson.databind.JsonMappingException: Cannot invoke "com.fasterxml.jackson.databind.JsonNode.asText()" because the return value of "com.fasterxml.jackson.databind.JsonNode.get(String)" is null (through reference chain: org.cyclonedx.model.Bom["components"]->java.util.ArrayList[1]->org.cyclonedx.model.Component["licenses"]->org.cyclonedx.model.License["licensing"]->org.cyclonedx.model.Licensing["purchaser"])
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.JsonMappingException.wrapWithPath(JsonMappingException.java:402)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.JsonMappingException.wrapWithPath(JsonMappingException.java:361)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.wrapAndThrow(BeanDeserializerBase.java:1937)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:312)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:177)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:129)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:310)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:177)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:342)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.ObjectMapper._readValue(ObjectMapper.java:4881)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3035)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.ObjectMapper.treeToValue(ObjectMapper.java:3499)
2024-10-08 11:22:30 at org.cyclonedx.util.deserializer.LicenseDeserializer.processLicenseNode(LicenseDeserializer.java:77)
2024-10-08 11:22:30 at org.cyclonedx.util.deserializer.LicenseDeserializer.deserialize(LicenseDeserializer.java:64)
2024-10-08 11:22:30 at org.cyclonedx.util.deserializer.LicenseDeserializer.deserialize(LicenseDeserializer.java:34)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:129)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:310)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:177)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer._deserializeFromArray(CollectionDeserializer.java:361)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:246)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:30)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:129)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:310)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:177)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:342)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4905)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3909)
2024-10-08 11:22:30 at org.cyclonedx.parsers.JsonParser.parse(JsonParser.java:70)
2024-10-08 11:22:30 ... 6 common frames omitted
2024-10-08 11:22:30 Caused by: java.lang.NullPointerException: Cannot invoke "com.fasterxml.jackson.databind.JsonNode.asText()" because the return value of "com.fasterxml.jackson.databind.JsonNode.get(String)" is null
2024-10-08 11:22:30 at org.cyclonedx.util.deserializer.OrganizationalChoiceDeserializer.deserializeOrganization(OrganizationalChoiceDeserializer.java:54)
2024-10-08 11:22:30 at org.cyclonedx.util.deserializer.OrganizationalChoiceDeserializer.deserialize(OrganizationalChoiceDeserializer.java:45)
2024-10-08 11:22:30 at org.cyclonedx.util.deserializer.OrganizationalChoiceDeserializer.deserialize(OrganizationalChoiceDeserializer.java:32)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:129)
2024-10-08 11:22:30 at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:310)
2024-10-08 11:22:30 ... 30 common frames omitted
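
As an added example (not code from this report or from Dependency-Track), a small Python pre-flight check that walks a CycloneDX 1.5 JSON BOM and reports, by JSON path, every licensing party whose organization carries no `name`, the shape in the snippet above; the faulty component is set aside so the remaining components can still be analysed, in the spirit of the proposed behavior. The BOM is constructed, and treating the missing organization `name` as the key behind the NullPointerException is an assumption drawn from the trace, which does not print the key it looked up.

```python
import json

# Constructed CycloneDX 1.5 BOM mirroring the shape from the report: the second
# component's purchaser organization has only a "contact" list and no "name".
SAMPLE_BOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "ok-lib", "version": "1.0.0",
     "licenses": [{"license": {"id": "MIT",
        "licensing": {"purchaser": {"organization": {"name": "Example Corp"}}}}}]},
    {"type": "library", "name": "bad-lib", "version": "2.3.4",
     "licenses": [{"license": {"id": "Apache-2.0",
        "licensing": {"purchaser": {"organization": {"contact": [{"name": ""}]}}}}}]}
  ]
}
""")

# The three organizationalChoice parties a CycloneDX 1.5 "licensing" block may carry.
PARTIES = ("licensor", "licensee", "purchaser")


def find_unparseable_parties(bom):
    """Return (component index, json path, reason) for every licensing party whose
    organization lacks a "name" key (assumed to be the key whose absence
    triggers the NullPointerException in the trace)."""
    findings = []
    for ci, comp in enumerate(bom.get("components", [])):
        for li, entry in enumerate(comp.get("licenses", [])):
            # Entries using the "expression" form have no "license" object; skip them.
            licensing = entry.get("license", {}).get("licensing", {})
            for party in PARTIES:
                org = licensing.get(party, {}).get("organization")
                if org is not None and "name" not in org:
                    path = f"components[{ci}].licenses[{li}].license.licensing.{party}.organization"
                    findings.append((ci, path, 'organization has no "name"'))
    return findings


def split_bom(bom):
    """Separate components that would parse from those that would not, so the
    clean subset can still be analysed while the rest are reported by path."""
    bad = {ci for ci, _, _ in find_unparseable_parties(bom)}
    comps = bom.get("components", [])
    return ([c for i, c in enumerate(comps) if i not in bad],
            [c for i, c in enumerate(comps) if i in bad])
```

Running the check before upload turns the bare "Unable to parse BOM from byte array" into a per-component path such as `components[1].licenses[0].license.licensing.purchaser.organization`.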

@buke-narlitepe-itk
Author

> It's a parsing bug in the CycloneDX library: CycloneDX/cyclonedx-core-java#507

So that means this bug is now resolved with the hotfix PR?
CycloneDX/cyclonedx-core-java#508

@nscuro nscuro removed the blocked label Oct 17, 2024
@nscuro nscuro added this to the 4.12.1 milestone Oct 17, 2024
nscuro added a commit to nscuro/dependency-track that referenced this issue Oct 17, 2024
@nscuro nscuro closed this as completed in 491b854 Oct 17, 2024