Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

External References are removed whne uploading SBOM (from both UI and/or API) #4743

Open
2 tasks done
theartusz opened this issue Mar 10, 2025 · 4 comments
Open
2 tasks done

External References are removed whne uploading SBOM (from both UI and/or API) #4743

theartusz opened this issue Mar 10, 2025 · 4 comments
Labels
defect Something isn't working in triage

Comments

@theartusz
Copy link

Current Behavior

External References are removed from the project when sbom is uploaded to that project. The external references are removed no matter if one uploads the sbom through UI or with API.

When uploading the sbom by calling the API, I am calling the /v1/bom endpoint with PUT so I am surprised that it edits the properties of the project itself.

Steps to Reproduce

  1. Create a project in Dependency Track
  2. Add external references by calling the API endpoint with PATCH /v1/project/{uuid}. Add the external references in the payload e.g.
  "externalReferences": [
    {
      "type": "vcs",
      "url": "<source code url>",
      "comment": "<This is the link to the source code>"
    }
  1. Verify the external references by visiting project -> view details -> external references
  2. Upload SBOM (UI) project -> components -> Upload BOM
  3. Confirm that external references are removed by visiting again project -> view details -> external references

Expected Behavior

The external references persist when SBOM is uploaded.

Dependency-Track Version

4.12.6

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Mozilla Firefox

Checklist
@theartusz theartusz added defect Something isn't working in triage labels Mar 10, 2025
@stohrendorf
Copy link
Contributor

I tried to follow and understand the code, but I can't see any error (but please don't rely on me, I'm not that familiar with the code yet). This is a moonshot, but does a restart of DT suddenly show up the references? If that's the case, setting the ALPINE_DATANUCLEUS_CACHE_LEVEL2_TYPE=none env var will resolve your issue. That would be a temporary resolution, since this will become the default with 4.13.

@theartusz
Copy link
Author

@stohrendorf we run DT in Kubernetes. I restarted the frontend and backend workloads but the external references did not show up.

@stohrendorf
Copy link
Contributor

stohrendorf commented Mar 11, 2025
edited
Loading

Then this is a valid bug, but it's beyond my area of expertise within this project. It needs to be triaged by the maintainers.

@stohrendorf
Copy link
Contributor

It seems external references are not persisted at all. So this is not really a bug, but rather a missing feature, although I understand how this can be seen as a bug from the outside.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
defect Something isn't working in triage
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@stohrendorf @theartusz