-
-
Notifications
You must be signed in to change notification settings - Fork 588
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
No error when BOM upload fails due to PURL address size limit exceeding #3876
Comments
I knew people were abusing PURLs, but exceeding even 786 characters is new to me 😆 Note, we might need some custom pre-flight checks after schema validation, but before dispatching the BOM for asynchronous processing, that check for DT-specific limitations like this. Another offender could be components having an empty Will need to keep in mind that uploaded BOMs can be large, so repeated parsing will cause significant overhead. Either we find a way to parse once, and re-use that across schema- and custom validation, or the custom validation needs to make use of streaming, similar to dependency-track/src/main/java/org/dependencytrack/parser/cyclonedx/CycloneDxValidator.java Lines 126 to 135 in 44aa924
|
PURL specification is not defining any size limit and we should expect it to be arbitrary long (see package-url/purl-spec#289). |
@marob We are limited by databases offering different degrees of support for this: #2076 (comment) The limitation can be lifted in Dependency-Track v5, where we will focus entirely on PostgreSQL. I'd also argue that while the PURL spec doesn't dictate any limit, lengths above 786 are borderline abuse of PURLs, and you should really question if cramming so much data into it is really necessary.
|
Current Behavior
When uploading a BOM file containing PURL addresses that exceed the 786-characters limit, the upload fails and is logged as an error.
stack_trace: javax.jdo.JDOFatalUserException: Attempt to store value "..." in column ""PURL"" that has maximum length of 786. Please correct your data!
However, the message "BOM uploaded" can be misleading, as it suggests that the BOM upload was successful.
When using the /v1/bom REST API, a success status code (200) is returned without any error message, which can cause confusion.
Steps to Reproduce
Expected Behavior
Return an error message indicating that the PURL addresses exceed the 786-character limit
Dependency-Track Version
4.11.4
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
15.5
Browser
Google Chrome
Checklist
The text was updated successfully, but these errors were encountered: