Description
Current Behavior
When uploading an SBOM to Dependency-Track using either curl or the Swagger UI, the projectVersion parameter is ignored. The SBOM is accepted and processed successfully, but the resulting project version is empty in the UI and projectVersion=null in the logs, despite the parameter being explicitly set in the request and the request being successful.
Steps to Reproduce
- Use curl to upload an SBOM:
  curl -X POST "https://<your-dependency-track-url>/api/v1/bom" \
    -H "X-Api-Key: <your-api-key>" \
    -F "bom=@<your-sbom-file>" \
    -F "project=projectID" \
    -F "projectVersion=foo"
- Confirm that the upload is successful (HTTP 200 OK).
- Open the Dependency-Track UI, go to your project -> View Details, or query the project via the API.
- Observe that the SBOM was uploaded successfully, but the project's version is empty. Also, the INFO [BomUploadProcessingTask] log shows projectVersion=null.
- Repeat the test using the Swagger UI for https://[your-dependencytrack-url]/api/openapi.json, using the /v1/bom POST endpoint with the same parameters.
- Observe that the same behavior occurs. Upload is successful, but the project's version is still empty.
Expected Behavior
When the projectVersion parameter is provided as part of the SBOM upload (via either curl or Swagger UI), Dependency-Track should:
- Correctly associate the specified version with the created project.
- Reflect the projectVersion in the UI and API responses.
- Log the correct version value during processing.
Let me know if additional details, logs, or test data would be helpful.
Dependency-Track Version
4.13.2
Dependency-Track Distribution
Container Image
Database Server
Microsoft SQL Server
Database Server Version
15.00.4435
Browser
Microsoft Edge
Checklist
- I have read and understand the contributing guidelines
- I have checked the existing issues for whether this defect was already reported