I'm not sure I get exactly how Dependency-Track expects BOMs to look, but I found it strange that if I have a project and then upload a BOM with "metadata":{"component":{"name":"MyCoolName","version":"1.2.3","purl":"pkg:example/mycoolthing@1.2.3",...} none of that information seems to go anywhere.
I would expect, for instance, the PURL field to be updated. I could see that Dependency-Track has its own conception [1] of how projects and versions should be used and would prefer not to blindly incorporate a version (although that was the behaviour I initially expected), but I would think it should have value.
To be clear, I tried this out via the web-ui and via the API (with PUT /api/v1/bom where you pass a base64-encoded BOM [2]) and found that none of the information from "metadata.component" gets used.
However, it is not that it is completely irrelevant or disregarded by Dependency-Track, because it does make a difference for the dependency-tree whether I have a root component as "metadata.component" which depends on the other components.
I wanted to refrain from posting an issue for now, because I am not sure whether there is something about Dependency-Track that I am not quite grokking here, but I think I am leaning towards requesting a feature that allows incorporating this information like I have described, e.g. via a modal in the web-ui or via an extra JSON key like "update-project-metadata":true in the JSON payload?
Any and all thoughts on this appreciated.
Footnotes
[1] https://github.com/DependencyTrack/dependency-track/issues/695
[2] Mostly to have it documented (it's not very relevant for this discussion entry) what I did with the API was basically this:
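As an added example (not the poster's own script from the footnote, and not Dependency-Track project code), the block below builds a CycloneDX BOM carrying the metadata.component from the post, wraps it the way PUT /api/v1/bom takes it (base64-encoded), and compares the root component against the project record fetched after the upload so that any field that did not propagate is reported. The `project` request key, the lodash dependency and the sample project record are assumptions / constructed sample data, not values from the page.

```python
import base64
import json

ROOT_PURL = "pkg:example/mycoolthing@1.2.3"   # the PURL from the post
LIB_PURL = "pkg:npm/lodash@4.17.21"           # constructed sample dependency


def build_bom() -> dict:
    """CycloneDX 1.4 JSON BOM whose metadata.component is the root of the tree."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {"component": {
            "type": "application", "bom-ref": ROOT_PURL,
            "name": "MyCoolName", "version": "1.2.3", "purl": ROOT_PURL,
        }},
        "components": [{"type": "library", "bom-ref": LIB_PURL,
                        "name": "lodash", "version": "4.17.21", "purl": LIB_PURL}],
        # Without this root entry the root component is absent from the dependency tree.
        "dependencies": [{"ref": ROOT_PURL, "dependsOn": [LIB_PURL]},
                         {"ref": LIB_PURL, "dependsOn": []}],
    }


def bom_submit_request(bom: dict, project_uuid: str) -> dict:
    """Body for PUT /api/v1/bom: the BOM JSON base64-encoded, as the post describes.
    The 'project' key (target project UUID) is an assumption about the request shape."""
    encoded = base64.b64encode(json.dumps(bom).encode("utf-8")).decode("ascii")
    return {"project": project_uuid, "bom": encoded}


def decode_submitted_bom(request: dict) -> dict:
    """Reverse of bom_submit_request, to verify what the server would receive."""
    return json.loads(base64.b64decode(request["bom"]))


def metadata_drift(bom: dict, project: dict) -> dict:
    """Compare metadata.component with the project record fetched after the upload.
    Returns {field: (bom_value, project_value)} for every field that did not propagate."""
    root = bom.get("metadata", {}).get("component", {})
    return {f: (root.get(f), project.get(f))
            for f in ("name", "version", "purl") if root.get(f) != project.get(f)}


# Constructed project record, as it might look when the purl was never updated.
SAMPLE_PROJECT = {"uuid": "00000000-0000-0000-0000-000000000000",
                  "name": "MyCoolName", "version": "1.2.3", "purl": None}

if __name__ == "__main__":
    req = bom_submit_request(build_bom(), SAMPLE_PROJECT["uuid"])
    print(metadata_drift(decode_submitted_bom(req), SAMPLE_PROJECT))
```

Against a live server, replace SAMPLE_PROJECT with the JSON returned for the project after the upload; an empty result means every root-component field was taken over.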