
Support Import of CycloneDX 1.6 BOMs #3584

Closed
2 tasks done
msymons opened this issue Mar 27, 2024 · 4 comments · Fixed by #3710
Labels: cdx-1.6 (Related to CycloneDX specification v1.6), enhancement (New feature or request), p2 (Non-critical bugs, and features that help organizations to identify and reduce risk), size/S (Small effort)
Comments

@msymons (Member)

msymons commented Mar 27, 2024

Current Behavior

Dependency-Track v4.9 implemented support for the import of BOMs that are CycloneDX 1.5 or below. See #2850

CycloneDX 1.6 will be released before the end of March 2024, or in the first week of April. We will start to see tooling producing 1.6 BOMs shortly thereafter (most certainly from the cdxgen project). An attempt to import any such BOM to DT v4.10.1 would throw an error.

Proposed Behavior

Dependency-Track must be updated so that CycloneDX v1.6 BOMs can be imported without error.

The implementation of support for new functionality offered by 1.6 (CBOM, etc.) is expected to be covered by other issues. This enhancement is to ensure that existing CycloneDX functionality is preserved... no errors, and dependency graphs (etc.) still work.

Note: We have a dependency on cyclonedx-core-java and so implementation of this enhancement is blocked until core-java is updated to support spec v1.6.

@msymons msymons added enhancement New feature or request blocked labels Mar 27, 2024
@nscuro nscuro added the cdx-1.6 Related to CycloneDX specification v1.6 label Mar 27, 2024
@nscuro (Member)

nscuro commented Mar 28, 2024

Note that as of v4.11, uploads of BOMs with unsupported spec versions will no longer fail silently in the background. Instead, they will fail schema validation and users will get immediate feedback about it.
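As an added illustration of the fail-fast behaviour described in this comment (example code, not Dependency-Track's own implementation), the gate below reads the declared spec version from a JSON or XML CycloneDX BOM and rejects unsupported versions with an immediate, user-facing error instead of deferring the failure to background processing. The supported-version set, the exception type and the sample BOMs are constructed for the example.

```python
"""Spec-version gate for CycloneDX BOM uploads (added example, not
Dependency-Track code). A BOM whose specVersion is not supported is
rejected up front with a clear message rather than failing silently."""
import json
import re
import xml.etree.ElementTree as ET

# Spec versions this hypothetical importer accepts (1.6 now included).
SUPPORTED_SPEC_VERSIONS = {"1.0", "1.1", "1.2", "1.3", "1.4", "1.5", "1.6"}
# XML BOMs carry the spec version in the root element's namespace.
CDX_NS_RE = re.compile(r"^\{http://cyclonedx\.org/schema/bom/(\d+\.\d+)\}bom$")


class UnsupportedBomError(ValueError):
    """Raised with a user-facing message when a BOM cannot be imported."""


def detect_spec_version(raw: bytes) -> str:
    """Return the declared CycloneDX spec version of a JSON or XML BOM."""
    text = raw.lstrip()
    if text.startswith(b"{"):
        doc = json.loads(text)
        if doc.get("bomFormat") != "CycloneDX":
            raise UnsupportedBomError("not a CycloneDX BOM: bomFormat missing or wrong")
        version = doc.get("specVersion")
        if not isinstance(version, str):
            raise UnsupportedBomError("CycloneDX JSON BOM lacks a specVersion string")
        return version
    root = ET.fromstring(text)
    match = CDX_NS_RE.match(root.tag)
    if not match:
        raise UnsupportedBomError(f"root element {root.tag!r} is not a CycloneDX <bom>")
    return match.group(1)


def validate_upload(raw: bytes) -> str:
    """Accept the BOM (returning its version) or raise with immediate feedback."""
    version = detect_spec_version(raw)
    if version not in SUPPORTED_SPEC_VERSIONS:
        raise UnsupportedBomError(
            f"CycloneDX spec version {version} is not supported; "
            f"accepted versions: {', '.join(sorted(SUPPORTED_SPEC_VERSIONS))}")
    return version


# Constructed sample BOMs (minimal, not taken from any real project).
BOM_16_JSON = b'{"bomFormat": "CycloneDX", "specVersion": "1.6", "components": []}'
BOM_17_XML = b'<bom xmlns="http://cyclonedx.org/schema/bom/1.7" version="1"/>'
```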

@nscuro nscuro added the p2 Non-critical bugs, and features that help organizations to identify and reduce risk label Mar 29, 2024
@nscuro nscuro added the size/S Small effort label May 9, 2024
@nscuro nscuro added this to the 4.12 milestone May 9, 2024
@nscuro (Member)

nscuro commented May 9, 2024

Assigning to 4.12 as I am expecting the Java library to be published during the 4.12 release cycle.

@nscuro nscuro added the good first issue Good for newcomers label May 9, 2024
@msymons msymons removed the blocked label May 15, 2024
@msymons (Member, Author)

msymons commented May 15, 2024

Block is removed due to release of cyclonedx-core-java v9.0.0

@nscuro nscuro removed the good first issue Good for newcomers label May 15, 2024
@nscuro nscuro self-assigned this May 15, 2024
nscuro added a commit to nscuro/dependency-track that referenced this issue May 15, 2024
* Updates `cyclonedx-core-java` to version `9.0.0`
* Bumps Jackson to version `2.17.1` to resolve compatibility issues with `cyclonedx-core-java`
* Resolve various compilation errors due to refactoring in `cyclonedx-core-java`
* Add validator tests for all CycloneDX versions

Note that BOM exports will continue to use v1.5 for the time being. This avoids breaking users' workflows in case their tooling doesn't yet support v1.6.

Closes DependencyTrack#3584

Signed-off-by: nscuro <nscuro@protonmail.com>
@nscuro (Member)

nscuro commented May 15, 2024

Had some code laying around from my initial tests with this library version. So went ahead and committed that. Raised PR #3710.
