
BOM component API Incompatibility with application/vnd.cyclonedx+json Media Type #4408

@wratner

Description


Current Behavior

When calling the /v1/bom/cyclonedx/component/{uuid} endpoint with the header Accept: application/vnd.cyclonedx+json, the API returns a 406.

curl --request GET \
  --url http://localhost:8081/api/v1/bom/cyclonedx/component/5dda3c72-c7d8-49d6-823d-3b9f05c1ade4 \
  --header 'Accept: application/vnd.cyclonedx+json' \
  --header 'X-Api-Key: <>' -v

* Host localhost:8081 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:8081...
* Connected to localhost (::1) port 8081
> GET /api/v1/bom/cyclonedx/component/5dda3c72-c7d8-49d6-823d-3b9f05c1ade4 HTTP/1.1
> Host: localhost:8081
> Accept: application/vnd.cyclonedx+json
> X-Api-Key: <>
> 
* Request completely sent off
< HTTP/1.1 406 Not Acceptable
< Date: Mon, 25 Nov 2024 20:28:01 GMT
< Content-Security-Policy: default-src 'self';script-src 'self' 'unsafe-inline';style-src 'self' 'unsafe-inline';img-src 'self';connect-src 'self';font-src 'self';object-src 'self';media-src 'self';frame-src 'self';child-src 'self';form-action 'self';frame-ancestors 'none';
< X-Frame-Options: DENY
< Content-Length: 0
< 
* Connection #0 to host localhost left intact

This API will work if you do not set an Accept header or set the header to Accept: */*. It will also work if you set the header to Accept: application/vnd.cyclonedx+xml and the format parameter to XML.

curl --request GET \
  --url 'http://localhost:8081/api/v1/bom/cyclonedx/component/5dda3c72-c7d8-49d6-823d-3b9f05c1ade4?format=XML' \
  --header 'Accept: application/vnd.cyclonedx+xml' \
  --header 'User-Agent: insomnia/10.1.1' \
  --header 'X-Api-Key: <>' -v

* Host localhost:8081 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:8081...
* Connected to localhost (::1) port 8081
> GET /api/v1/bom/cyclonedx/component/5dda3c72-c7d8-49d6-823d-3b9f05c1ade4?format=XML HTTP/1.1
> Host: localhost:8081
> Accept: application/vnd.cyclonedx+xml
> 
* Request completely sent off
< HTTP/1.1 200 OK
< Date: Mon, 25 Nov 2024 20:30:49 GMT
< Content-Type: application/vnd.cyclonedx+xml
< X-Powered-By: Dependency-Track v4.12.1
< Cache-Control: private, max-age=0, must-revalidate, no-cache
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
< Access-Control-Allow-Headers: Origin, Content-Type, Authorization, X-Requested-With, Content-Length, Accept, Origin, X-Api-Key, X-Total-Count, *
< Access-Control-Expose-Headers: Origin, Content-Type, Authorization, X-Requested-With, Content-Length, Accept, Origin, X-Api-Key, X-Total-Count
< Access-Control-Allow-Credentials: true
< Access-Control-Max-Age: 3600
< X-Request-Id: 2539a437-9875-4571-88b9-f290b157d551
< Content-Length: 923
< 
<?xml version="1.0" encoding="UTF-8"?>
<bom serialNumber="urn:uuid:b33e6fdb-d10a-4e9d-b5d7-e820aad1afa7" version="1" xmlns="http://cyclonedx.org/schema/bom/1.5">
  <metadata>
    <timestamp>2024-11-25T20:30:49Z</timestamp>
    <tools>
      <tool>
        <vendor>OWASP</vendor>
        <name>Dependency-Track</name>
        <version>4.12.1</version>
      </tool>
    </tools>
  </metadata>
  <components>
    <component type="library" bom-ref="5dda3c72-c7d8-49d6-823d-3b9f05c1ade4">
      <supplier>
        <name>Organization: pypi</name>
      </supplier>
      <name>discover</name>
      <version>0.4.0</version>
   ....
</bom>
* Connection #0 to host localhost left intact

This makes trying to use the Go client difficult as it is setting this header by default (which it should; however, it's not supported by the API server).

Looking at the code, this seems like a straightforward one line fix which I will have a PR for shortly.

Steps to Reproduce

  1. Run the Dependency-Track container or executable.
  2. Create a project.
  3. Upload a BOM or add a component to the project.
  4. Invoke the /v1/bom/cyclonedx/component/{uuid} endpoint with the header Accept: application/vnd.cyclonedx+json.

Expected Behavior

Setting the media type as application/vnd.cyclonedx+json with no format query parameter (JSON is the default) or format=JSON should return a 200 with a valid component uuid.
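As an added example (not code from the reporter or from the Dependency-Track project), a Go client-side workaround for affected server versions: an http.RoundTripper that swaps the +json Accept header for */* on this one endpoint only, exercised against a constructed stand-in server that reproduces the 406. The endpoint path and the */* behaviour come from this report; the names acceptWildcardTransport, newFakeServer and fetchComponentBOM are hypothetical.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

const cyclonedxJSON = "application/vnd.cyclonedx+json"
const componentPath = "/api/v1/bom/cyclonedx/component/"

// acceptWildcardTransport is an assumed client-side workaround (not part of the Dependency-Track
// Go client): for the component BOM endpoint only it swaps Accept: +json for */*, which the
// affected server accepts. Every other request passes through untouched.
type acceptWildcardTransport struct{ base http.RoundTripper }

func (t acceptWildcardTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	if strings.HasPrefix(req.URL.Path, componentPath) && req.Header.Get("Accept") == cyclonedxJSON {
		req = req.Clone(req.Context()) // a RoundTripper must not mutate the caller's request
		req.Header.Set("Accept", "*/*")
	}
	return t.base.RoundTrip(req)
}

// newFakeServer is a constructed stand-in for the reported behaviour: 406 for the +json media
// type on any path, otherwise 200 with a minimal CycloneDX JSON body.
func newFakeServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Accept") == cyclonedxJSON {
			w.WriteHeader(http.StatusNotAcceptable)
			return
		}
		w.Header().Set("Content-Type", cyclonedxJSON)
		fmt.Fprint(w, `{"bomFormat":"CycloneDX","specVersion":"1.5","components":[]}`)
	}))
}

// fetchComponentBOM requests one component's BOM with the given Accept header and returns the status code.
func fetchComponentBOM(client *http.Client, baseURL, uuid, accept string) (int, error) {
	req, err := http.NewRequest(http.MethodGet, baseURL+componentPath+uuid, nil)
	if err != nil {
		return 0, err
	}
	req.Header.Set("Accept", accept)
	resp, err := client.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}
```

Remove the transport once the server-side fix is deployed; rewriting Accept hides the real server capability and should not outlive the bug.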

Dependency-Track Version

4.7.x

Dependency-Track Distribution

Container Image

Database Server

N/A

Database Server Version

No response

Browser

N/A


Labels: defect (Something isn't working), p2 (Non-critical bugs, and features that help organizations to identify and reduce risk), size/S (Small effort)
