Removed support for SPDX tag/value and RDF formats

README.md

@@ -84,7 +84,7 @@ CI/CD environments.
 * Includes a comprehensive auditing workflow for triaging results
 * Configurable notifications supporting Slack, Microsoft Teams, Webhooks, and Email
 * Supports standardized SPDX license ID’s and tracks license use by component
-* Supports importing [CycloneDX] (recommended) and [SPDX] Software Bill of Materials (SBOM) formats
+* Supports importing [CycloneDX] Software Bill of Materials (SBOM)
 * Easy to read metrics for components, projects, and portfolio
 * Native support for Kenna Security, Fortify SSC, ThreadFix, and DefectDojo
 * API-first design facilitates easy integration with other systems
@@ -230,7 +230,6 @@ the [notices] file for more information.
   [Component Analysis]: https://owasp.org/www-community/Component_Analysis
   [Software Bill of Materials]: https://owasp.org/www-community/Component_Analysis#software-bill-of-materials-sbom
   [CycloneDX]: https://cyclonedx.org
-  [SPDX]: https://spdx.org
   [license-image]: https://img.shields.io/badge/license-apache%20v2-brightgreen.svg
   [Apache License 2.0]: https://github.com/DependencyTrack/dependency-track/blob/master/LICENSE.txt
   [notices]: https://github.com/DependencyTrack/dependency-track/blob/master/NOTICES.txt

docs/_docs/best-practices.md

@@ -5,21 +5,14 @@ chapter: 9
 order: 
 ---
 
-### Importing and Using BOMs
-* For best results, always generate and import [CycloneDX](https://cyclonedx.org) BOMs
-* Do not import SPDX v2.1 (or previous) BOMs
-
 #### Summary
 BOMs are a statement of facts, and the type of facts a BOM has will greatly impact
 how effective the system will be when performing component risk analysis.
 
-SPDX BOM format v2.1 and previous do not support Package URL. When importing SPDX BOMs, 
-ensure the format is version 2.2 or higher and contains valid Package URLs for each component.
-
 ### Generating and Obtaining BOMs
 * When developing software, generate BOMs during Continuous Integration (CI)
 * If using Jenkins, use the [Dependency-Track Jenkins Plugin](https://plugins.jenkins.io/dependency-track/) with synchronous publishing mode enabled
-* Contractually require BOMs ([CycloneDX](https://cyclonedx.org) or [SPDX](https://spdx.org)) from vendors
+* Contractually require BOMs ([CycloneDX](https://cyclonedx.org) from vendors
 * Generate or acquire BOMs from commercial-off-the-shelf (COTS) software
 
 #### Summary

docs/_docs/datasources/routing.md

@@ -66,10 +66,7 @@ Refer to [Repositories]({{ site.baseurl }}{% link _docs/datasources/repositories
 
 All version of the CycloneDX BOM specification support Package URL. Users of official CycloneDX 
 implementations for various build systems will automatically have valid Package URLs for every component in the 
-resulting BOM. 
-
-For SPDX BOMs, Package URL support was added in v2.2 of the SPDX specification. When importing SPDX BOMs, ensure the 
-BOM is SPDX v2.2 or higher and that components have valid Package URLs.
+resulting BOM.
 
 ### Common Platform Enumeration (CPE)
 Like Package URL, the Common Platform Enumeration (CPE) specification is a structured naming scheme for applications, 

docs/_docs/terminology.md

@@ -18,8 +18,8 @@ for each finding.
 ### Bill of Material (BOM)
 In supply chains, a bill of material (BOM) defines and describes the contents of what is used in the manufacturing and 
 packaging of the deliverable. In software supply chains, this refers to the contents of all components bundled with the
-software including, authors, publishers, names, versions, licenses, and copyrights. Dependency-Track supports two BOM 
-formats: CycloneDX and SPDX. Bill-of-Materials specific to software components are commonly referred to as SBOMs.
+software including, authors, publishers, names, versions, licenses, and copyrights. Dependency-Track supports the 
+CycloneDX format. Bill of Materials specific to software components are commonly referred to as SBOMs.
 
 ### Component
 Dependency-Track defines a component as a standalone entity. A component may be an open source component, third-party 
@@ -84,9 +84,7 @@ A scan is method by which evidence about a component is gathered and cross-refer
 intelligence services in an effort to determine if that component has known vulnerabilities.
 
 ### SPDX
-Software Package Data Exchange (SPDX) provides two complimentary specifications, a bill-of-material specification, and
-a standardized list of open source licenses. The BOM specification relies on either 'tag' or 'rdf' files to document
-software components as bill of materials. The standardized license list is a lightweight spec that has been adopted 
+Software Package Data Exchange (SPDX) provides a standardized license list that has been adopted 
 across multiple industries and is recommended for use in all software projects. See: <https://spdx.org/>
 
 ### Swagger

docs/_docs/usage/cicd.md

@@ -6,9 +6,7 @@ order: 1
 ---
 
 Dependency-Track consumes and analyzes CycloneDX BOMs at high-velocity and is ideal for use in modern build pipelines. 
-The generation of CycloneDX BOMs often occur during CI or when the final application assembly is being generated. 
-CycloneDX is the preferred BOM format due to the availability of build-time tools and the formats focus on security 
-use cases. However, BOMs in SPDX tag and RDF formats are also supported.
+The generation of CycloneDX BOMs often occur during CI or when the final application assembly is being generated.
 
 Visit the [CycloneDX Tool Center](https://cyclonedx.org/tool-center/) for information on the available tools for 
 generating CycloneDX BOMs from various build systems.
@@ -27,8 +25,8 @@ is recommended.
 
 For other environments, cURL (or similar) can be used. 
 
-#### CycloneDX or SPDX BOM
-To publish CycloneDX or SPDX BOMs, use a valid API Key and project UUID. Finally, Base64 encode the 
+#### CycloneDX
+To publish CycloneDX BOMs, use a valid API Key and project UUID. Finally, Base64 encode the 
 bom and insert the resulting text into the 'bom' field.
 
 ```bash

docs/index.md

@@ -61,7 +61,7 @@ CI/CD environments.
 * Includes a comprehensive auditing workflow for triaging results
 * Configurable notifications supporting Slack, Microsoft Teams, Webhooks, and Email
 * Supports standardized SPDX license ID’s and tracks license use by component
-* Supports importing [CycloneDX] (recommended) and [SPDX] Software Bill of Materials (SBOM) formats
+* Supports importing [CycloneDX] Software Bill of Materials (SBOM) formats
 * Easy to read metrics for components, projects, and portfolio
 * Native support for Kenna Security, Fortify SSC, ThreadFix, and DefectDojo
 * API-first design facilitates easy integration with other systems
@@ -78,4 +78,3 @@ CI/CD environments.
 [Component Analysis]: https://owasp.org/www-community/Component_Analysis
 [Software Bill of Materials]: https://owasp.org/www-community/Component_Analysis#software-bill-of-materials-sbom
 [CycloneDX]: https://cyclonedx.org
-[SPDX]: https://spdx.org/

pom.xml

@@ -90,7 +90,6 @@
         <lib.lucene.version>8.8.2</lib.lucene.version>
         <lib.packageurl.version>1.3.0</lib.packageurl.version>
         <lib.pebble.version>3.1.5</lib.pebble.version>
-        <lib.spdx-tools.version>2.2.5</lib.spdx-tools.version>
         <lib.unirest.version>2.4.03</lib.unirest.version>
         <lib.vulndb-data-mirror.version>1.0.0</lib.vulndb-data-mirror.version>
         <!-- JDBC Drivers -->
@@ -208,40 +207,6 @@
             <artifactId>unirest-java</artifactId>
             <version>${lib.unirest.version}</version>
         </dependency>
-        <!-- SPDX -->
-        <dependency>
-            <groupId>org.spdx</groupId>
-            <artifactId>spdx-tools</artifactId>
-            <version>${lib.spdx-tools.version}</version>
-            <exclusions>
-                <exclusion>
-                    <groupId>org.apache.logging.log4j</groupId>
-                    <artifactId>log4j-api</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.apache.logging.log4j</groupId>
-                    <artifactId>log4j-core</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.apache.logging.log4j</groupId>
-                    <artifactId>log4j-slf4j-impl</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>net.sf.saxon</groupId>
-                    <artifactId>saxon</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>net.sf.saxon</groupId>
-                    <artifactId>saxon-dom</artifactId>
-                </exclusion>
-            </exclusions>
-        </dependency>
-        <dependency>
-            <!-- Force the dependency version greater or equal to 0.11.0 for Jena - resolves vulnerability -->
-            <groupId>org.apache.thrift</groupId>
-            <artifactId>libthrift</artifactId>
-            <version>0.13.0</version>
-        </dependency>
         <dependency>
             <groupId>com.fasterxml.woodstox</groupId>
             <artifactId>woodstox-core</artifactId>
@@ -275,6 +240,12 @@
             <artifactId>xercesImpl</artifactId>
             <version>2.12.1</version>
         </dependency>
+        <!-- Commons Compress -->
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-compress</artifactId>
+            <version>1.20</version>
+        </dependency>
         <!-- Test Dependencies -->
         <dependency>
             <groupId>org.mock-server</groupId>

src/main/java/org/dependencytrack/model/ConfigPropertyConstants.java

@@ -45,7 +45,6 @@ public enum ConfigPropertyConstants {
     SCANNER_VULNDB_OAUTH1_CONSUMER_KEY("scanner", "vulndb.api.oauth1.consumerKey", null, PropertyType.STRING, "The OAuth 1.0a consumer key"),
     SCANNER_VULNDB_OAUTH1_CONSUMER_SECRET("scanner", "vulndb.api.oath1.consumerSecret", null, PropertyType.ENCRYPTEDSTRING, "The OAuth 1.0a consumer secret"),
     ACCEPT_ARTIFACT_CYCLONEDX("artifact", "cyclonedx.enabled", "true", PropertyType.BOOLEAN, "Flag to enable/disable the systems ability to accept CycloneDX uploads"),
-    ACCEPT_ARTIFACT_SPDX("artifact", "spdx.enabled", "false", PropertyType.BOOLEAN, "Flag to enable/disable the systems ability to accept SPDX uploads"),
     FORTIFY_SSC_ENABLED("integrations", "fortify.ssc.enabled", "false", PropertyType.BOOLEAN, "Flag to enable/disable Fortify SSC integration"),
     FORTIFY_SSC_SYNC_CADENCE("integrations", "fortify.ssc.sync.cadence", "60", PropertyType.INTEGER, "The cadence (in minutes) to upload to Fortify SSC"),
     FORTIFY_SSC_URL("integrations", "fortify.ssc.url", null, PropertyType.URL, "Base URL to Fortify SSC"),