Current Behavior
When a BOM is uploaded that has different license information for a component than previously, that information is ignored.
A BOM upload can add license information to a component that has no license, but it can't remove a license or otherwise change one that is already present. Component licenses can be manually modified in the UI - it's just uploading a BOM that doesn't change them.
There is no relevant information in the logs that I can see at TRACE level. Reproduced with postgres and H2.
Steps to Reproduce
1. Upload a BOM to a project, with a component that has a license.
2. Change the license in the BOM to a different license (or remove it).
3. Upload the revised BOM.
Expected Behavior
The license in the component reflects what is in the BOM that has been uploaded, regardless of what license information was originally present.
This is what happens when using BOM_PROCESSING_TASK_V2_ENABLED=true on the #3357 branch, so it looks like this has been incidentally fixed by that refactor.
Dependency-Track Version
4.10.1, also present in today's (2024-02-26) snapshot image without V2 processing enabled.
We didn't notice this in 4.9, so we think this is a regression from around then, but we haven't verified that.
Dependency-Track Distribution
Container Image
Database Server
N/A
Database Server Version
No response
Browser
N/A
Checklist