Problem with importing new BOMs

[j4care-christianhahn]

Current Behavior

when I build my projects on jenkins I currently use the API of Dependency Track to import the BOMs and create new projects for each version which worked great for the past months.
Now I suddenly get the following exception with 2 projects:

2024-07-09 13:15:43,664 INFO [BomUploadProcessingTask] Processing CycloneDX BOM uploaded to project: 361da822-885a-4ba3-915c-63c6280fd460
2024-07-09 13:15:45,199 ERROR [BomUploadProcessingTask] Error while processing bom
javax.jdo.JDOUserException: The query returned more than one instance BUT either unique is set to true or only aggregates are to be returned, so should have returned one result maximum
at org.datanucleus.api.jdo.JDOAdapter.getJDOExceptionForNucleusException(JDOAdapter.java:698)
at org.datanucleus.api.jdo.JDOQuery.executeInternal(JDOQuery.java:456)
at org.datanucleus.api.jdo.JDOQuery.executeUnique(JDOQuery.java:360)
at org.dependencytrack.persistence.LicenseQueryManager.getLicenseByIdOrName(LicenseQueryManager.java:102)
at org.dependencytrack.persistence.QueryManager.getLicenseByIdOrName(QueryManager.java:624)
at org.dependencytrack.parser.cyclonedx.util.ModelConverter.convert(ModelConverter.java:574)
at org.dependencytrack.parser.cyclonedx.util.ModelConverter.convertComponents(ModelConverter.java:464)
at org.dependencytrack.tasks.BomUploadProcessingTask.inform(BomUploadProcessingTask.java:157)
at org.dependencytrack.tasks.BomUploadProcessingTaskV2.inform(BomUploadProcessingTaskV2.java:151)
at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:110)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.base/java.lang.Thread.run(Unknown Source)
Caused by: org.datanucleus.store.query.QueryNotUniqueException: The query returned more than one instance BUT either unique is set to true or only aggregates are to be returned, so should have returned one result maximum
at org.datanucleus.store.query.Query.executeQuery(Query.java:2039)
at org.datanucleus.store.query.Query.executeWithMap(Query.java:1911)
at org.datanucleus.api.jdo.JDOQuery.executeInternal(JDOQuery.java:437)
... 11 common frames omitted

Steps to Reproduce

1.build 2 of my projects to get the exception

Expected Behavior

Process the BOM

Dependency-Track Version

4.11.5

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

14

Browser

Google Chrome

Checklist

• I have read and understand the contributing guidelines
• I have checked the existing issues for whether this defect was already reported

[nscuro]

Did you create custom licenses that have names which overlap with SPDX licenses?

[j4care-christianhahn]

not that I would be aware of - how could I check that ?

[j4care-christianhahn]

seems like there are some double entries in the DB which I didn't create:

select "NAME",count("NAME") from "LICENSE" group by "NAME";

GNU General Public License v1.0 only | 2
GNU General Public License v1.0 or later | 2
GNU General Public License v2.0 only | 2
GNU General Public License v2.0 or later | 2
GNU General Public License v3.0 only | 2
GNU General Public License v3.0 or later | 2
GNU Lesser General Public License v2.1 only | 2
GNU Lesser General Public License v2.1 or later | 2
GNU Lesser General Public License v3.0 only | 2
GNU Lesser General Public License v3.0 or later | 2
GNU Library General Public License v2 only | 2
GNU Library General Public License v2 or later | 2

[j4care-christianhahn]

Doesn't seam that there are some custom licenses declared:

dtrack=# select count(*) from "LICENSE" where "ISCUSTOMLICENSE" = true;
count

 0

How can I clean up the licenses ?

[nscuro]

seems like there are some double entries in the DB which I didn't create:

How does it look when you take LICENSE_ID into consideration? Are there still dupes?

[j4care-christianhahn]

no they are all unique.

[nscuro]

I think this needs a code change then. The query should not fail when multiple results are returned, instead it should just take the first and proceed with that.

You can try to delete the dupes, but ultimately they will likely be recreated when the API server is restarted. If the ID is different then they are legitimately different licenses.

[j4care-christianhahn]

can I somehow debug the SQL statement that gets executed to check which license id is causing the issue ?

[j4care-christianhahn]

or can I somehow just "delete" the licenses so that they get recreated somehow as I cannot continue to work with my projects for the moment ?

[nscuro]

Non-custom licenses are usually not intended to be deleted by users so neither UI nor REST API have functionality for that. You could delete them via SQL. But again, the API server will re-create all licenses from the SPDX license list upon every restart.

[github-actions]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.