BomUploadProcessingTask - Error while processing bom (Dependency-Track 4.6.3) #3274

Closed
2 tasks done
javaface opened this issue Dec 5, 2023 · 3 comments
Labels
retracted Issues that were resolved, but due to outside forces, is no longer possible for inclusion


javaface commented Dec 5, 2023

Current Behavior

After uploading sbom, Last BOM Import and Risk Score are not updating on the projects page. Bom files are approx. 3 to 5 MB in size.

Error in API server (backend) log:

```
2023-11-30 21:02:02,960 ERROR [BomUploadProcessingTask] dt.trace_sampled: true, dt.trace_id: XXXXXX, dt.span_id: XXXXXX Error while processing bom
javax.jdo.JDOUserException: One or more instances could not be deleted
	at org.datanucleus.api.jdo.JDOPersistenceManager.deletePersistentAll(JDOPersistenceManager.java:819)
	at org.datanucleus.api.jdo.JDOPersistenceManager.deletePersistentAll(JDOPersistenceManager.java:798)
	at alpine.persistence.AbstractAlpineQueryManager.delete(AbstractAlpineQueryManager.java:473)
	at org.dependencytrack.persistence.ComponentQueryManager.recursivelyDelete(ComponentQueryManager.java:422)
	at org.dependencytrack.persistence.ComponentQueryManager.reconcileComponents(ComponentQueryManager.java:517)
	at org.dependencytrack.persistence.QueryManager.reconcileComponents(QueryManager.java:771)
	at org.dependencytrack.tasks.BomUploadProcessingTask.inform(BomUploadProcessingTask.java:138)
	at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:101)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.base/java.lang.Thread.run(Unknown Source)
Caused by: java.lang.NullPointerException: null
2023-11-30 21:02:02,961 WARN [General] dt.trace_sampled: true, dt.trace_id: XXXXXX, dt.span_id: XXXXXX ExecutionContext closed with active transaction, so rolling back the active transaction
2023-11-30 21:02:04,126 ERROR [LoggableUncaughtExceptionHandler] An unknown error occurred in an asynchronous event or notification thread
javax.jdo.JDOObjectNotFoundException: Object with id "org.dependencytrack.model.Component:0" not found !
	at org.datanucleus.api.jdo.JDOAdapter.getJDOExceptionForNucleusException(JDOAdapter.java:634)
	at org.datanucleus.api.jdo.JDOPersistenceManager.getObjectById(JDOPersistenceManager.java:1726)
	at alpine.persistence.AbstractAlpineQueryManager.getObjectById(AbstractAlpineQueryManager.java:535)
	at org.dependencytrack.tasks.repositories.RepositoryMetaAnalyzerTask.inform(RepositoryMetaAnalyzerTask.java:51)
	at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:101)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.base/java.lang.Thread.run(Unknown Source)
```

Steps to Reproduce

1. Create bom file.

```
cyclonedx-npm --output-format=XML --output-file sbom.xml --ignore-npm-errors --no-validate package.json
```

2. Upload bom file.

```
curl -v "XXXXXX" \
  -H "Content-Type: multipart/form-data" \
  -H "X-Api-Key: $1" \
  -F "project=XXXXXX" \
  -F "bom=@$WORKSPACE/$APP_DIR/sbom/sbom.xml"
```

3. Upload is successful.

```
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying XX.XXX.XX.XX:443...
* Connected to XXXXXX.com (XX.XXX.XX.XX) port 443 (#0)
* ALPN: offers h2,http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* CAfile: /etc/ssl/certs/XXXXXX.crt
* CApath: /etc/ssl/certs
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [3994 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [36 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [36 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN: server accepted h2
* Server certificate:
* subject: XXXXXX
* start date: Dec 12 00:00:00 2022 GMT
* expire date: Dec 11 23:59:59 2023 GMT
* subjectAltName: host "XXXXXX"
* issuer: XXXXXX
* SSL certificate verify ok.
} [5 bytes data]
* using HTTP/2
* h2h3 [:method: POST]
* h2h3 [:path: /api/v1/bom]
* h2h3 [:scheme: https]
* h2h3 [:authority: XXXXXX]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* h2h3 [x-api-key: ****]
* h2h3 [content-length: 5375155]
* h2h3 [content-type: multipart/form-data; boundary=------------------------2a451afa4abaadb6]
* Using Stream ID: 1 (easy handle 0x55dd6a8eac90)
} [5 bytes data]
> POST /api/v1/bom HTTP/2
> Host: XXXXXX.com
> user-agent: curl/7.88.1
> accept: */*
> x-api-key: ****
> content-length: 5375155
> content-type: multipart/form-data; boundary=------------------------2a451afa4abaadb6
>
} [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [297 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [297 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
19 5249k 0 0 19 1039k 0 1496k 0:00:03 --:--:-- 0:00:03 1496k
59 5249k 0 0 59 3135k 0 1850k 0:00:02 0:00:01 0:00:01 1850k* We are completely uploaded and fine
{ [5 bytes data]
100 5249k 0 0 100 5249k 0 1942k 0:00:02 0:00:02 --:--:-- 1941k< HTTP/2 200
< date: Mon, 04 Dec 2023 18:48:52 GMT
< content-type: application/json
< x-powered-by: Dependency-Track v4.6.3
< cache-control: private, max-age=0, must-revalidate, no-cache
< access-control-allow-origin: *
< access-control-allow-methods: GET, POST, PUT, DELETE, OPTIONS
< access-control-allow-headers: Origin, Content-Type, Authorization, X-Requested-With, Content-Length, Accept, Origin, X-Api-Key, X-Total-Count, *
< access-control-expose-headers: Origin, Content-Type, Authorization, X-Requested-With, Content-Length, Accept, Origin, X-Api-Key, X-Total-Count
< access-control-allow-credentials: true
< access-control-max-age: 3600
< content-length: 48
< set-cookie: XXXXXX; path=/; HttpOnly; Secure; SameSite=None
<
{ [48 bytes data]
100 5249k 100 48 100 5249k 17 1918k 0:00:02 0:00:02 --:--:-- 1918k
* Connection #0 to host XXXXXX left intact
{"token":"XXXXXX"}
```

Expected Behavior

Project details in Dependency-Track update and no errors in log.

Dependency-Track Version

4.7.x

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

Checklist
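
In the report above the upload returned HTTP 200 and a token while the import itself failed later in an asynchronous task, so the failure shows up only in the API server log. The following is an added example (not part of the original issue and not Dependency-Track code) that pulls failed BOM imports out of log text in the format shown above; the sample log is constructed from that excerpt, and its trace and span ids are placeholders.

```python
import re

# Record header in the API server log: "<date> <time>,<ms> LEVEL [Logger] message"
HEADER = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (\w+)\s+\[([^\]]+)\] (.*)$")
TRACE = re.compile(r"dt\.trace_id: ([^,\s]+)")

def parse_records(text):
    """Attach exception and stack-frame lines to the log record they follow."""
    records = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m:
            ts, level, logger, msg = m.groups()
            records.append({"ts": ts, "level": level, "logger": logger,
                            "message": msg, "exceptions": [], "frames": []})
        elif line.startswith("at ") and records:
            records[-1]["frames"].append(line[3:])
        elif line and records:  # exception line or a "Caused by:" link in the chain
            records[-1]["exceptions"].append(re.sub(r"^Caused by: ", "", line))
    return records

def failed_bom_imports(text):
    """Return one finding per ERROR record logged by BomUploadProcessingTask."""
    findings = []
    for rec in parse_records(text):
        if (rec["level"], rec["logger"]) != ("ERROR", "BomUploadProcessingTask"):
            continue
        trace = TRACE.search(rec["message"])
        chain = rec["exceptions"] or [None]
        own = [f for f in rec["frames"] if f.startswith("org.dependencytrack.")]
        findings.append({"ts": rec["ts"],
                         "trace_id": trace.group(1) if trace else None,
                         "exception": chain[0], "root_cause": chain[-1],
                         "origin": own[0] if own else None})
    return findings

# Constructed sample modelled on the log excerpt above; trace/span ids are placeholders.
SAMPLE_LOG = """\
2023-11-30 21:02:02,960 ERROR [BomUploadProcessingTask] dt.trace_sampled: true, dt.trace_id: trace-0001, dt.span_id: span-0001 Error while processing bom
javax.jdo.JDOUserException: One or more instances could not be deleted
at org.datanucleus.api.jdo.JDOPersistenceManager.deletePersistentAll(JDOPersistenceManager.java:819)
at org.dependencytrack.persistence.ComponentQueryManager.recursivelyDelete(ComponentQueryManager.java:422)
Caused by: java.lang.NullPointerException: null
2023-11-30 21:02:02,961 WARN [General] dt.trace_sampled: true, dt.trace_id: trace-0001, dt.span_id: span-0001 ExecutionContext closed with active transaction, so rolling back the active transaction
2023-11-30 21:02:04,126 ERROR [LoggableUncaughtExceptionHandler] An unknown error occurred in an asynchronous event or notification thread
javax.jdo.JDOObjectNotFoundException: Object with id "org.dependencytrack.model.Component:0" not found !
"""
if __name__ == "__main__":
    print(failed_bom_imports(SAMPLE_LOG))
```

A pipeline step can fail the build when `failed_bom_imports` returns anything for the time window of its own upload, instead of trusting the HTTP status of the upload request.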

@nscuro
Member

nscuro commented Jan 10, 2024

I am optimistic that #3357 will resolve this, but without a reproducer I have no way to verify. The instructions are helpful, but I am unable to reproduce this issue with the NPM projects I have at hand.

Can you share a BOM that triggers the issue?

@javaface
Author

As a workaround I changed my BOM upload script to create a fresh Dependency-Track project (new project id) with the same name value. So I'm technically creating a new project with each upload vs. updating an existing project. I'm thinking this is not good?

@nscuro nscuro added retracted Issues that were resolved, but due to outside forces, is no longer possible for inclusion and removed defect Something isn't working pending more information labels Sep 16, 2024
@nscuro nscuro closed this as not planned Won't fix, can't repro, duplicate, stale Sep 16, 2024
Contributor

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 18, 2024