SBOM Upload via REST-API: Sporadic Missing Classifier/Type, CPE, and Dependency Graph

[eugenhoffmann]

Current Behavior

We've encountered a sporadic issue that occurs rarely during SBOM uploads using the REST-API interface. Despite the SBOM (CDX v1.6) containing all necessary information, the project exhibits missing data after upload:

• Classifier/Type: Not set
• CPE: Not set
• Dependency Graph: Not created
• The GUI displays "n/a" for the last BOM upload:
  

Re-uploading the BOM file resolves the issue.

Is this sporadic behavior known or can be explained?

Steps to Reproduce

Unfortunately, we were not able to reproduce the sporadic SBOM upload issue. The relevant logging information gives us no hints. Neither a warning nor an error is created.

Expected Behavior

SBOM upload successfully updates project with all data (Classifier, CPE, Dependency Graph) and reflects last upload timestamp in GUI

Dependency-Track Version

4.12.2

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

15.8

Browser

Google Chrome

Checklist

• I have read and understand the contributing guidelines
• I have checked the existing issues for whether this defect was already reported