
[Dependency-Track integration] JSON BOM upload fails with Dependency Track 4.2.2 #53

Open
ghost opened this issue May 12, 2021 · 7 comments

Comments

@ghost

ghost commented May 12, 2021

Steps:

  1. Generate JSON BOM with cdxgen for node project
  2. Base64 encode that JSON BOM and add it into another JSON file that has the format required for upload to DT
  3. Upload to DT via the REST API
  4. Got an error while processing it in the DT api server
Caused by: com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot deserialize value of type `java.lang.String` from Object value (token `JsonToken.START_OBJECT`)
dtrack-apiserver_1  |  at [Source: (byte[])"{
dtrack-apiserver_1  |   "bomFormat": "CycloneDX",
dtrack-apiserver_1  |   "specVersion": "1.2",
dtrack-apiserver_1  |   "serialNumber": "urn:uuid:f70802e7-ceac-495f-b60a-650c52199f0b",
dtrack-apiserver_1  |   "version": 1,
dtrack-apiserver_1  |   "metadata": {
dtrack-apiserver_1  |     "timestamp": "2021-05-12T06:53:34.244Z",
dtrack-apiserver_1  |     "tools": [
dtrack-apiserver_1  |       {
dtrack-apiserver_1  |         "tool": {
dtrack-apiserver_1  |           "vendor": "AppThreat",
dtrack-apiserver_1  |           "name": "cdxgen",
dtrack-apiserver_1  |           "version": "2.3.1"
dtrack-apiserver_1  |         }
dtrack-apiserver_1  |       }
dtrack-apiserver_1  |     ],
dtrack-apiserver_1  |     "authors": [
dtrack-apiserver_1  |       {
dtrack-apiserver_1  |         "author": {
dtrack-apiserver_1  |           "name": {
dtrack-apiserver_1  |             "name": "Team AppThreat"
dtrack-apiserver_1  |           },
dtrack-apiserver_1  |           "email": "cloud@appth"[truncated 618575 bytes]; line: 20, column: 19] (through reference chain: org.cyclonedx.model.Bom["metadata"]->org.cyclonedx.model.Metadata["authors"]->java.util.ArrayList[0]->org.cyclonedx.model.OrganizationalContact["name"])

I suspect that the authors field is causing the error.

I've also tried uploading the raw JSON BOM via the web UI and encountered the same issue.

When I removed the authors field from the BOM, everything seems to be working fine.

@prabhu
Collaborator

prabhu commented May 12, 2021

@mattwongsd Thank you for filing this defect. Looks like the name attribute is duplicated, possibly because we are getting an object instead of a string here

https://github.com/AppThreat/cdxgen/blob/master/index.js#L94

Could you kindly send a PR so that we hardcode the name to resolve this issue?

@prabhu
Collaborator

prabhu commented May 12, 2021

Locally the structure looks fine, so I'm confused a bit. Could you share the node version used? Also, cdxgen can upload directly to dependency track. Is that something you could try as well when you get a chance?

@prabhu
Collaborator

prabhu commented May 24, 2021

@mattwongsd any updates regarding this?

@ghost
Author

ghost commented May 25, 2021

#54

The upload to DT does not work. I do not get any feedback when I provide the command arguments.

@prabhu
Collaborator

prabhu commented May 25, 2021

@mattwongsd Any luck with the new version? Once this works, I might ask for your help to replace use of request package with got. It is used only for bom submission atm.

@thaarbach

thaarbach commented Aug 4, 2023

Is there any update on this issue? After generating an SBoM for a multi-module gradle project with java, npm, python and some other stuff, I got an SBoM containing all dependencies of the project, but if I upload the SBoM to Dependency Track we get the following dependency server log message:

2023-08-04 10:55:24,160 ERROR [BomUploadProcessingTask] Error while processing bom
2023-08-04T10:55:24.160432944Z org.cyclonedx.exception.ParseException: Unable to parse BOM from byte array
2023-08-04T10:55:24.160438112Z 	at org.cyclonedx.parsers.JsonParser.parse(JsonParser.java:70)
2023-08-04T10:55:24.160442368Z 	at org.dependencytrack.tasks.BomUploadProcessingTask.inform(BomUploadProcessingTask.java:105)
2023-08-04T10:55:24.160446458Z 	at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:101)
2023-08-04T10:55:24.160450728Z 	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
2023-08-04T10:55:24.160454724Z 	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
2023-08-04T10:55:24.160459128Z 	at java.base/java.lang.Thread.run(Unknown Source)
2023-08-04T10:55:24.160463436Z Caused by: com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot deserialize value of type `java.util.ArrayList<org.cyclonedx.model.Tool>` from Object value (token `JsonToken.START_OBJECT`)
2023-08-04T10:55:24.160469276Z  at [Source: (byte[])"{
2023-08-04T10:55:24.160473124Z   "bomFormat": "CycloneDX",
2023-08-04T10:55:24.160477126Z   "specVersion": "1.5",
2023-08-04T10:55:24.160481083Z   "serialNumber": "urn:uuid:6c32c3ad-f528-4761-9ca8-6ea0f7ef10f9",
2023-08-04T10:55:24.160485421Z   "version": 1,
2023-08-04T10:55:24.160505327Z   "metadata": {
2023-08-04T10:55:24.160509769Z     "timestamp": "2023-08-04T10:38:40.503Z",
2023-08-04T10:55:24.160514209Z     "tools": {
2023-08-04T10:55:24.160518030Z       "components": [
2023-08-04T10:55:24.160521962Z         {
2023-08-04T10:55:24.160525735Z           "group": "@cyclonedx",
2023-08-04T10:55:24.160529675Z           "name": "cdxgen",
2023-08-04T10:55:24.160533726Z           "version": "9.3.1",
2023-08-04T10:55:24.160537684Z           "purl": "pkg:npm/%40cyclonedx/[email protected]",
2023-08-04T10:55:24.160541844Z           "type": "application",
2023-08-04T10:55:24.160545761Z           "bom-ref": "pkg:npm/@cyclonedx/[email protected]"
2023-08-04T10:55:24.160549771Z         }
2023-08-04T10:55:24.160553435Z       ]
2023-08-04T10:55:24.160557227Z    "[truncated 841876 bytes]; line: 8, column: 14] (through reference chain: org.cyclonedx.model.Bom["metadata"]->org.cyclonedx.model.Metadata["tools"])
2023-08-04T10:55:24.160561870Z 	at com.fasterxml.jackson.databind.exc.MismatchedInputException.from(MismatchedInputException.java:59)
2023-08-04T10:55:24.160566235Z 	at com.fasterxml.jackson.databind.DeserializationContext.reportInputMismatch(DeserializationContext.java:1746)
2023-08-04T10:55:24.160570420Z 	at com.fasterxml.jackson.databind.DeserializationContext.handleUnexpectedToken(DeserializationContext.java:1520)
2023-08-04T10:55:24.160574673Z 	at com.fasterxml.jackson.databind.DeserializationContext.handleUnexpectedToken(DeserializationContext.java:1467)
2023-08-04T10:55:24.160580178Z 	at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.handleNonArray(CollectionDeserializer.java:396)
2023-08-04T10:55:24.160584292Z 	at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:252)
2023-08-04T10:55:24.160588432Z 	at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:28)
2023-08-04T10:55:24.160592437Z 	at com.fasterxml.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:129)
2023-08-04T10:55:24.160596535Z 	at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:314)
2023-08-04T10:55:24.160600761Z 	at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:177)
2023-08-04T10:55:24.160604812Z 	at com.fasterxml.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:129)
2023-08-04T10:55:24.160608959Z 	at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:314)
2023-08-04T10:55:24.160613014Z 	at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:177)
2023-08-04T10:55:24.160617000Z 	at com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:323)
2023-08-04T10:55:24.160625314Z 	at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4730)
2023-08-04T10:55:24.160629451Z 	at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3738)
2023-08-04T10:55:24.160633418Z 	at org.cyclonedx.parsers.JsonParser.parse(JsonParser.java:68)
2023-08-04T10:55:24.160637560Z 	... 5 common frames omitted

Using Dependency Track 4.8.2 and cdxgen latest docker image.

EDIT:
Got it to work after setting --spec-version 1.4.

@prabhu
Collaborator

prabhu commented Aug 5, 2023

@thaarbach Downstream tools like dependency-track are yet to be updated to cyclonedx 1.5. The error Cannot deserialize value of type java.util.ArrayList<org.cyclonedx.model.Tool> indicates the issue with spec compliance. cdxgen > v9.2.x would attempt to use 1.4 spec version when the server url or api key is passed. Passing the version manually is also fine.

https://github.com/CycloneDX/cdxgen/blob/master/bin/cdxgen.js#L157
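Both failures in this thread are shape mismatches that can be caught before the BOM reaches Dependency-Track: an object where `OrganizationalContact.name` expects a string (the 1.2 report), and the 1.5-style `metadata.tools` object sent to a server whose parser only knows the 1.4 array form. The pre-upload check below is an added example written for this thread, not cdxgen or Dependency-Track code; the sample BOM, the `server_max_spec` parameter and the `downgrade_tools_to_1_4` rewrite are constructed assumptions.

```python
"""Pre-upload shape check for CycloneDX JSON BOMs (added example, not
cdxgen or Dependency-Track code). Mirrors the two parser errors in the
thread: a non-string author name, and a 1.5 tools object on a 1.4 server."""
import copy

def _spec_tuple(version):
    major, minor = str(version).split(".")[:2]
    return int(major), int(minor)

def check_bom_shape(bom, server_max_spec=(1, 4)):
    """Return human-readable findings; an empty list means the shapes the
    org.cyclonedx parser expects are present and the spec is supported."""
    findings = []
    meta = bom.get("metadata", {})
    spec = _spec_tuple(bom.get("specVersion", "1.4"))
    if spec > server_max_spec:
        findings.append(f"specVersion {spec[0]}.{spec[1]} exceeds the server's "
                        f"supported {server_max_spec[0]}.{server_max_spec[1]}")
    # metadata.tools is an array of Tool objects up to 1.4; the
    # {components, services} object form only exists from 1.5 onward.
    if isinstance(meta.get("tools"), dict) and spec < (1, 5):
        findings.append("metadata.tools is an object but specVersion < 1.5 requires an array")
    # OrganizationalContact.name must be a plain string, not a nested object.
    for i, author in enumerate(meta.get("authors", [])):
        name = author.get("name") if isinstance(author, dict) else None
        if not isinstance(name, str):
            findings.append(f"metadata.authors[{i}].name must be a string, "
                            f"got {type(name).__name__}")
    return findings

def downgrade_tools_to_1_4(bom):
    """Copy the BOM, rewriting a 1.5 tools object as the 1.4 Tool array
    (component group -> vendor) and pinning specVersion to 1.4."""
    out = copy.deepcopy(bom)
    tools = out.get("metadata", {}).get("tools")
    if isinstance(tools, dict):
        out["metadata"]["tools"] = [
            {k: v for k, v in (("vendor", c.get("group")), ("name", c.get("name")),
                               ("version", c.get("version"))) if v is not None}
            for c in tools.get("components", [])]
        out["specVersion"] = "1.4"
    return out

# Constructed sample combining both problematic shapes from the thread.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {
        "tools": {"components": [{"group": "@cyclonedx", "name": "cdxgen",
                                  "version": "9.3.1", "type": "application"}]},
        "authors": [{"name": {"name": "Team AppThreat"}, "email": "[email protected]"}]}}
```

Running `check_bom_shape(SAMPLE_BOM)` reports both the unsupported spec and the nested author name; `downgrade_tools_to_1_4` clears the first, while the second still needs a string name before upload.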
