
API Patch Project endpoint silently ignore purl value in object form #3509

Closed
2 tasks done
Maxouwell opened this issue Feb 28, 2024 · 6 comments · Fixed by #3512
Labels
api docs defect Something isn't working size/S Small effort
Milestone

Comments

@Maxouwell

Maxouwell commented Feb 28, 2024

Current Behavior

When using the PATCH Project endpoint, if the purl is in object format, it ignores the purl value.
If it is in string format, it is processed.
I suspect the object deserialization of PackageURL is failing and just uses null instead.

It may affect other APIs using the PackageURL object.

Steps to Reproduce

  1. Do a curl to /api/v1/project/$UUID with this payload:
{
	"uuid": "$UUID",
	"group": "my.group",
	"purl": {
		"scheme": "pkg",
		"type": "npm",
		"namespace": "my.namespace",
		"name": "my-project",
		"version": "VERSION"
	}
}
  2. Request is accepted, group is updated, purl is not
  3. Do a curl to /api/v1/project/$UUID with this payload:
{
	"uuid": "$UUID",
	"group": "my.group",
	"purl": "pkg:npm/my.namespace/my-project@VERSION"
}
  4. Request is accepted, group and purl are updated

Expected Behavior

Object purl should be accepted, or the swagger should use a string for PackageURL.

Dependency-Track Version

4.8.x

Dependency-Track Distribution

Container Image

Database Server

N/A

Database Server Version

No response

Browser

N/A

Checklist
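
As an added example that is not part of this issue or of Dependency-Track's own code: a small Python client that works around the behaviour reported above by always sending the PURL in string form, and that re-reads the project after the PATCH so a silently ignored field is reported instead of going unnoticed. The endpoint paths are the ones quoted in the issue; the FakeDependencyTrack transport, the purl_to_string/patch_project helper names and the sample project are constructed for the example and model the reported behaviour (string purl applied, object purl dropped).

```python
# Added example, not Dependency-Track code. Client-side wrapper around
# PATCH /api/v1/project/{uuid} that sends the PURL in the string form the
# API parses and then re-reads the project to report any field the server
# dropped. FakeDependencyTrack is a constructed stand-in that mimics the
# behaviour reported in the issue: a string purl is applied, an object is not.
from typing import Any, Callable, Optional
from urllib.parse import quote

Transport = Callable[[str, str, Optional[dict]], dict]


def purl_to_string(purl: Any) -> str:
    """Render a PURL given as a dict into the canonical string form
    'pkg:type/namespace/name@version?qualifiers#subpath'. Strings pass through.
    Percent-encoding follows the purl spec: each namespace/subpath segment,
    the name and the version are encoded separately ('/' stays a separator)."""
    if isinstance(purl, str):
        return purl
    out = f"{purl.get('scheme', 'pkg')}:{purl['type']}"
    if purl.get("namespace"):
        out += "/" + "/".join(quote(s, safe="") for s in purl["namespace"].split("/"))
    out += "/" + quote(purl["name"], safe="")
    if purl.get("version"):
        out += "@" + quote(purl["version"], safe="")
    if purl.get("qualifiers"):
        pairs = sorted(purl["qualifiers"].items())
        out += "?" + "&".join(f"{k}={quote(str(v), safe='')}" for k, v in pairs)
    if purl.get("subpath"):
        out += "#" + "/".join(quote(s, safe="") for s in purl["subpath"].split("/"))
    return out


def ignored_fields(sent: dict, stored: dict) -> dict:
    """Fields (other than uuid) whose stored value differs from what was sent."""
    return {k: v for k, v in sent.items() if k != "uuid" and stored.get(k) != v}


def patch_project(transport: Transport, uuid: str, changes: dict) -> dict:
    """PATCH the project, then GET it back and list silently ignored fields."""
    payload = {"uuid": uuid, **changes}
    if "purl" in payload:
        payload["purl"] = purl_to_string(payload["purl"])  # never send object form
    transport("PATCH", f"/api/v1/project/{uuid}", payload)
    stored = transport("GET", f"/api/v1/project/{uuid}", None)
    return {"project": stored, "ignored": ignored_fields(payload, stored)}


class FakeDependencyTrack:
    """Constructed in-memory stand-in for the server (not the real code)."""

    def __init__(self) -> None:
        self.projects = {"UUID": {"uuid": "UUID", "name": "demo", "group": None, "purl": None}}

    def request(self, method: str, path: str, body: Optional[dict]) -> dict:
        project = self.projects[path.rsplit("/", 1)[-1]]
        if method == "GET":
            return dict(project)
        if method == "PATCH":
            for key, value in (body or {}).items():
                if key == "uuid":
                    continue
                if key == "purl" and not isinstance(value, str):
                    continue  # object-form purl deserialises to null: field left untouched
                project[key] = value
            return dict(project)
        raise ValueError(f"unsupported method {method}")


if __name__ == "__main__":
    fake = FakeDependencyTrack()
    purl_obj = {"scheme": "pkg", "type": "npm", "namespace": "my.namespace",
                "name": "my-project", "version": "VERSION"}
    # Raw object-form request, as in step 1 of the report: purl is dropped.
    fake.request("PATCH", "/api/v1/project/UUID",
                 {"uuid": "UUID", "group": "my.group", "purl": purl_obj})
    print("dropped:", ignored_fields({"purl": purl_obj},
                                     fake.request("GET", "/api/v1/project/UUID", None)))
    # Through the wrapper the purl is normalised to a string and applied.
    print(patch_project(fake.request, "UUID", {"group": "my.group", "purl": purl_obj}))
```

The read-back check is the part worth keeping in any automation that updates projects: a 2xx on PATCH only means the request was accepted, not that every field in it was applied.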

@Maxouwell Maxouwell added defect Something isn't working in triage labels Feb 28, 2024
@Maxouwell Maxouwell changed the title API Patch Project silently ignore purl value in object form API Patch Project endpoint silently ignore purl value in object form Feb 28, 2024
@sebD
Contributor

sebD commented Feb 29, 2024

Other affected API endpoints:
PUT /api/v1/project/
POST /api/v1/project/
PUT /api/v1/component/project/{uuid}
POST /api/v1/component/

sebD added a commit to sebD/dependency-track that referenced this issue Feb 29, 2024
…projects either as string or object to conform to swagger api definition

Signed-off-by: Sebastien Delcoigne <sebastien.delcoigne@gmail.com>
sebD added a commit to sebD/dependency-track that referenced this issue Feb 29, 2024
…projects either as string or object to conform to swagger api definition

Signed-off-by: Sebastien Delcoigne <sebastien.delcoigne@gmail.com>
@valentijnscholten
Contributor

I'm interested to know why the json format for purl is useful? It's more common to communicate it in string form?

@nscuro
Member

nscuro commented Mar 3, 2024

Yeah, TBH this seems to be more of an issue with Swagger indicating that purl is an object when in fact it is not.

I don't think there is value in specifying PURLs as object.

Resolving this merely requires adding a @ApiModelProperty(dataType = "string") annotation here:

@JsonSerialize(using = CustomPackageURLSerializer.class)
public PackageURL getPurl() {
    try {
        return new PackageURL(purl);
    } catch (MalformedPackageURLException e) {
        return null;
    }
}

@nscuro nscuro added api docs size/S Small effort and removed in triage labels Mar 3, 2024
@sebD
Contributor

sebD commented Mar 3, 2024

Sure no problems.
I was curious to see how it could be implemented, but if it doesn't serve a useful purpose, I'm happy to remove it and make a more useful change instead.

@sebD
Contributor

sebD commented Mar 3, 2024

Here's the result
[image attachment]

@nscuro nscuro added this to the 4.11 milestone Mar 4, 2024
Contributor

github-actions bot commented Apr 4, 2024

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 4, 2024