
Put /v1/bom overwrite fields like classifier in an existing Project #4352

Open
2 tasks done
ybelMekk opened this issue Nov 5, 2024 · 6 comments
Labels
defect Something isn't working p2 Non-critical bugs, and features that help organizations to identify and reduce risk size/M Medium effort

Comments

@ybelMekk
Contributor

ybelMekk commented Nov 5, 2024

Current Behavior

In DependencyTrack version 4.12.x and above, after initially creating a project and then updating it with an SBOM, the project classifier, set to APPLICATION in this case, gets overwritten to CONTAINER. I’m wondering if this behavior is expected and possibly an undocumented change, as earlier versions of DependencyTrack didn’t overwrite the classifier in this way.

I also tried excluding the SBOM upload request and instead used the bomRef in the project creation step, but this didn’t produce/upload an SBOM with the same behavior as v1/bom.

Additionally, the SBOM processing neither completes successfully nor returns an error when bomRef is set.

Steps to Reproduce

  1. Create a project using PUT v1/project with tags.
  2. Upload the SBOM using v1/bom with autocreate set to false.

The returned project resource shows that the classifier has changed from APPLICATION to CONTAINER.

Expected Behavior

Expected the project resource to remain in the same state as before the SBOM upload to the existing project.

Dependency-Track Version

4.12.1

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

15

Browser

Google Chrome

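An added reproduction and drift check for the steps above (example code, not from the issue or from the Dependency-Track project): it creates a project with a hand-set classifier and tags, uploads a BOM with autoCreate=false, waits for processing, and reports which of those fields the upload changed. Assumed: the REST paths /api/v1/project, /api/v1/bom and /api/v1/bom/token/{token}, X-Api-Key authentication, and the placeholder BASE_URL and API_KEY values.

```python
import base64
import json
import time
import urllib.request

BASE_URL = "http://dtrack.example.internal:8081"  # placeholder, not a real host
API_KEY = "REPLACE_WITH_API_KEY"                  # placeholder

# Fields a user sets by hand that a BOM upload should leave untouched.
WATCHED_FIELDS = ("classifier", "name", "version", "tags")


def changed_fields(before: dict, after: dict, watched=WATCHED_FIELDS) -> dict:
    """Return {field: (old, new)} for every watched field whose value differs."""
    return {f: (before.get(f), after.get(f))
            for f in watched if before.get(f) != after.get(f)}


def _request(method: str, path: str, body=None) -> dict:
    # Assumed: Dependency-Track REST API authenticated via the X-Api-Key header.
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, method=method,
                                 headers={"X-Api-Key": API_KEY,
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def reproduce(bom_path: str) -> dict:
    """Issue steps: create project, upload BOM (autoCreate=false), diff fields."""
    project = _request("PUT", "/api/v1/project", {
        "name": "classifier-check", "version": "1.0",
        "classifier": "APPLICATION", "tags": [{"name": "team-a"}]})
    before = _request("GET", f"/api/v1/project/{project['uuid']}")
    with open(bom_path, "rb") as fh:
        bom_b64 = base64.b64encode(fh.read()).decode()
    token = _request("PUT", "/api/v1/bom", {"project": project["uuid"],
                                           "autoCreate": False,
                                           "bom": bom_b64})["token"]
    # BOM processing is asynchronous; poll the token until it finishes
    # (assumed endpoint: GET /api/v1/bom/token/{token} -> {"processing": bool}).
    while _request("GET", f"/api/v1/bom/token/{token}")["processing"]:
        time.sleep(2)
    after = _request("GET", f"/api/v1/project/{project['uuid']}")
    return changed_fields(before, after)
```

Run reproduce("path/to/bom.json") against a test instance; an empty dict means the upload left the hand-set fields alone, while the behavior reported here yields {"classifier": ("APPLICATION", "CONTAINER")}.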

@ybelMekk ybelMekk added defect Something isn't working in triage labels Nov 5, 2024
@ybelMekk ybelMekk changed the title Put /v1/bom overwrite fields like classifier Put /v1/bom overwrite fields like classifier in an existing Project Nov 6, 2024
@larsriehn

We encounter the same behaviour (Version 4.12.1).
Originally we create the projects with classifier CONTAINER or LIBRARY, and with an SBOM upload they get overwritten as APPLICATION.
This is not what I expect.

@nscuro
Member

nscuro commented Nov 19, 2024

DT does not currently track which properties were manually modified, so it can't differentiate between a value having changed legitimately as a project's BOM evolves and one having changed due to a manual change performed before.

A cheap solution could be to just keep track of the names of fields that were modified manually (i.e. via a new array column).

@nscuro nscuro added p2 Non-critical bugs, and features that help organizations to identify and reduce risk size/M Medium effort and removed in triage labels Nov 19, 2024
@ybelMekk
Contributor Author

When you say "manually," do you mean the system or me deciding whether a project is categorized as this or that? 🤔

With the new implementation, the code respects the SBOM and overrides certain fields in the project's configuration. However, I could argue that if you create your own project and then upload the SBOM to it, I would implicitly expect the project's values to remain the same. 😊

On the other hand, if you choose to use the SBOM upload with the auto project creation feature, I wouldn’t expect anything beyond defaults or values from other sources. 🚀

@larsriehn

I agree with @ybelMekk.
Besides that, we create the SBOM with Trivy. Trivy sets "type": "application" with some unknown magic. There is no input parameter for Trivy to set a dedicated type.
If I am not able to set the classifier at the project creation in Dependency Track, I don't see a chance to set it elsewhere.

@nscuro
Member

nscuro commented Nov 20, 2024

With "manual" I meant any change that is not done implicitly via BOM upload. If you set the classifier upon project creation, that field should be marked as "locked" or "overwritten" or whatever, such that processing a BOM upload won't overwrite it.

@ybelMekk
Contributor Author

@nscuro agree 😌
